https://old.frang4.tech/tags/python/ Recent content in Python on Hugo en-us Tue, 24 Jun 2025 03:38:50 -0300 https://old.frang4.tech/posts/htb-machines/artificial/writeup/ Tue, 24 Jun 2025 03:38:50 -0300 https://old.frang4.tech/posts/htb-machines/artificial/writeup/ <p><code>Artificial</code> is a Hack The Box machine from season 8</p> <h2 id="summary-how">Summary (How?)</h2> <p>Artificial is a machine with a web interface that allows to upload and execute TensorFlow .h5 model files. The initial foothold was obtained by embedding a reverse shell code inside a Lambda layer and exploiting the backend&rsquo;s behavior which loads these models without sandboxing. From there, we accessed the Flask app&rsquo;s source code, extracted database credentials, dumped the user table, cracked hashes using rockyou.txt, and obtained valid SSH credentials for user gael, leading to the user flag.</p> https://old.frang4.tech/posts/htb-machines/code/writeup/ Sat, 14 Jun 2025 03:38:50 -0300 https://old.frang4.tech/posts/htb-machines/code/writeup/ <p><code>Code</code> is a Hack The Box machine released on 22 Mar 2025</p> <h2 id="summary-how">Summary (How?)</h2> <p>We’re presented with a Python-based code editor exposed via a web application, allowing users to write, save, and execute Python scripts. However, execution is limited by a blacklist of restricted keywords, making direct command execution impossible at first glance. The first part of the challenge involves bypassing these restrictions to achieve Remote Code Execution (RCE).</p> <p>To do so, we leverage <strong>object-oriented introspection</strong> to enumerate loaded Python subclasses and locate the index of the <code>sys</code> module. With access to <code>sys.modules</code>, we enumerate all loaded modules and identify one that exposes a <code>call</code> function—specifically, <code>subprocess.call()</code>—which enables us to execute system commands and obtain a reverse shell.</p>