---
title:  HTB - Blurry
date: 2024-02-02 12:17:34 -0400
categories: [hackthebox , Blurry]
tags: [HackTheBox, CVE-2024-24590, ClearML, pickle files, pth files,artifact, API]
image:
  path: /assets/img/post/blurry/Blurry.png
  lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA
  alt: Hack the Box - Blurry.
---

## Box Info

| Name                  | Blurry           | 
| :-------------------- | ---------------: |
| Release Date          | 30 Mar, 2024     |
| OS                    | Linux            |
| Rated Difficulty      | Medium           |

## **Enumeration**

```bash
nmap -p- --open --min-rate 5000 -sS -vvv -n -Pn 10.10.11.19 -oG allports
nmap -sCV -p 22,80 10.10.11.19 -oN targeted
```

![Image](/assets/img/post/blurry/0.png)

```bash
echo " 10.10.11.19 app.blurry.htb" | sudo tee -a /etc/hosts
```

## ClearML

![Image](/assets/img/post/blurry/1.png)

At this point, it is important to know what clear ML is and how it works.
After much searching and gathering information, I found that we can connect through a Python package called clearml-agent and create an environment.

During the research process, I found that clearml has a **`CVE-2024-24590: Pickle Load on Artifact Get`**.

## CVE-2024-24590

*ClearML involves the inherent insecurity of pickle files. We discovered that an attacker could create a pickle file containing arbitrary code and upload it as an artifact to a project via the API. When a user calls the get method within the Artifact class to download and load a file into memory, the pickle file is deserialized on their system, running any arbitrary code it contains.*

<https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/#The-Vulns>

![Image](/assets/img/post/blurry/3.png)

### Create credentials

To do this, we need to create new credentials to connect through clearml-agent, and to set up, we use the 'init' option.

![Image](/assets/img/post/blurry/4.png)

We press enter on the options and boom, we're connected.

![Image](/assets/img/post/blurry/5.png)

So once connected, we'll proceed to exploit the vulnerability.

![Image](/assets/img/post/blurry/6.png)

<https://clear.ml/docs/latest/docs/guides/reporting/using_artifacts/

<https://davidhamann.de/2020/04/05/exploiting-python-pickle/>

![Image](/assets/img/post/blurry/7.png)

## Privilege Escalation
### Sudo -l
Once **I had the reverse shell**, I continued with my enumeration and found a vulnerability with 'sudo -l

![Image](/assets/img/post/blurry/2.png)

I dug into the files and found that when executing /usr/bin/`evaluate_model`, it ran the `demo_model.pth`, which in turn executed the .py file located in `/models/`{: .filepath}. So, I modified the .py file to obtain a reverse shell.

![Image](/assets/img/post/blurry/8.png)

<https://www.revshells.com/>

But be careful, it runs with 'sudo' as it doesn't require a password to execute it, so we'll obtain a privileged reverse shell.

```bash
sudo evaluate_model /models/demo_model.pth
```

![Image](/assets/img/post/blurry/9.png)

With netcat listening the port 9001

![Image](/assets/img/post/blurry/10.png)

**`Root`**

![Image](/assets/img/post/blurry/11.png)