HTB | Artificial

Machine - https://app.hackthebox.com/machines/Artificial

IP - 10.129.97.24

NMAP

└─$ nmap -sC -sV -p 22,80 10.129.97.24 -Pn -oA nmap_port_details                                                                                           
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-06-22 12:22 IST
Nmap scan report for 10.129.97.24
Host is up (0.63s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 7c:e4:8d:84:c5:de:91:3a:5a:2b:9d:34:ed:d6:99:17 (RSA)
|   256 83:46:2d:cf:73:6d:28:6f:11:d5:1d:b4:88:20:d6:7c (ECDSA)
|_  256 e3:18:2e:3b:40:61:b4:59:87:e8:4a:29:24:0f:6a:fc (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to <http://artificial.htb/>
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 41.68 seconds

Port 80

Nothing interesting was there on Dirbuster

So let’s register and login

Foothold/shell

Shell as Gael

On clicking on requirements and Dockerfile

When trying to upload a file, it says we need to upload .h5 file

Hierarchical Data Format, or H5, is a file format that addresses this challenge by providing a flexible and efficient way to store and organize large amounts of data.

Upload H5 file

so in order to exploit this we have to create malicious file .h5

but first let’s make our docker

and run

Now we can create an exploit file ( refer this article)

Copy this to our Docker and run

Let’s copy the shell.h5 back to our machine

Auth as app

Let’s upload view prediction

and we have shell

We found users.db

we got below users

throwing them in CrackStation we get Gael’s password

and we are in as Gael

and we got user.txt

Privilege Escalation

Looks like something is hosting on port 5000 and 9898 locally

Let’s use local port forwarding for ssh

port 5000 is the website which we saw on port 80 externally

but port 9898 is something interesting

Port 9898

asking for username and password, Gael’s credentials did not work

Let’s look for the Backrest in the box

We found config.json, only the root can view the file

found some archives in /var/backups

Let’s unzip this

Now we can great config.json

Using ChatGPT, we get the following hash

Let’s use hashcat to decrypt

found password

let’s login to backtest website

and we are in

Since it is hosting locally we might be able to make the repo of /root

When clicking on the repo we can see that there s an option to run command

on using help we can see two interesting cmds backup and dump

Let’s try to backup root and read root.txt

When I try tp dump root it gives errors

when we run CMD with ID and file, it’s the file

PreviousHTB | NocturnalNextHTB | Angler

Last updated