mmckinnon/chirpy-starter
1
0
Fork 0
mirror of https://github.com/cotes2020/chirpy-starter.git synced 2025-04-21 03:43:28 +10:00
Code Issues Actions Packages Projects Releases Wiki Activity
chirpy-starter/_posts/2024-01-10-blurry.md
racc0x 6278b1b310 update-2025
2025-02-03 22:22:27 -06:00

3.3 KiB
Raw Blame History

title date categories tags image
HTB - Blurry 2024-02-02 12:17:34 -0400
hackthebox
Blurry
HackTheBox
CVE-2024-24590
ClearML
pickle files
pth files
artifact
API
path lqip alt
/assets/img/post/blurry/Blurry.png data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA Hack the Box - Blurry.

Box Info

Name Blurry
Release Date 30 Mar, 2024
OS Linux
Rated Difficulty Medium

Enumeration

nmap -p- --open --min-rate 5000 -sS -vvv -n -Pn 10.10.11.19 -oG allports
nmap -sCV -p 22,80 10.10.11.19 -oN targeted

Image

echo " 10.10.11.19 app.blurry.htb" | sudo tee -a /etc/hosts

ClearML

Image

At this point, it is important to know what clear ML is and how it works. After much searching and gathering information, I found that we can connect through a Python package called clearml-agent and create an environment.

During the research process, I found that clearml has a CVE-2024-24590: Pickle Load on Artifact Get.

CVE-2024-24590

ClearML involves the inherent insecurity of pickle files. We discovered that an attacker could create a pickle file containing arbitrary code and upload it as an artifact to a project via the API. When a user calls the get method within the Artifact class to download and load a file into memory, the pickle file is deserialized on their system, running any arbitrary code it contains.

https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/#The-Vulns

Image

Create credentials

To do this, we need to create new credentials to connect through clearml-agent, and to set up, we use the 'init' option.

Image

We press enter on the options and boom, we're connected.

Image

So once connected, we'll proceed to exploit the vulnerability.

Image

<https://clear.ml/docs/latest/docs/guides/reporting/using_artifacts/

https://davidhamann.de/2020/04/05/exploiting-python-pickle/

Image

Privilege Escalation

Sudo -l

Once I had the reverse shell, I continued with my enumeration and found a vulnerability with 'sudo -l

Image

I dug into the files and found that when executing /usr/bin/evaluate_model, it ran the demo_model.pth, which in turn executed the .py file located in /models/{: .filepath}. So, I modified the .py file to obtain a reverse shell.

Image

https://www.revshells.com/

But be careful, it runs with 'sudo' as it doesn't require a password to execute it, so we'll obtain a privileged reverse shell.

sudo evaluate_model /models/demo_model.pth

Image

With netcat listening the port 9001

Image

Root

Image