Welcome to another Hack the Box exercise. In this walkthrough, I showed how I pwned the Blurry machine on Hack the Box. Hack The Box is a cybersecurity platform that helps you bridge knowledge gaps and prepares you for cyber security jobs. You can also test and grow your penetration testing skills, from gathering information to reporting. If you are new to this blog, please do not forget to like, comment and subscribe to my YouTube channel (https://www.youtube.com/@BoltechTechnologies1) and follow me on LinkedIn (https://www.linkedin.com/in/isiaq-ibrahim-468588156/) for more updates.
About the Machine
Blurry is a medium-difficulty Linux machine that features DevOps-related vectors surrounding machine learning. The foothold is comprised of a series of CVEs recently disclosed about the ClearML suite. The service provides a web platform, a fileserver, and an API; all of which contain vulnerabilities (`[CVE-2024-24590](https://nvd.nist.gov/vuln/detail/CVE-2024-24590)` - `[CVE-2024-24595](https://nvd.nist.gov/vuln/detail/CVE-2024-24595)`) that can be chained together for remote code execution. Once a shell on the target is obtained, a program that can be run with `sudo` is discovered. The program loads arbitrary `PyTorch` models to evaluate them against a protected dataset. While it is known that such models are susceptible to insecure deserialisation, `fickling` is used to scan the dataset for insecure `pickle` files , prior to loading the model. Malicious code can be injected into a model, using `runpy` to bypass the `fickling` checks.
The first step in solving this machine like I have always done in my previous writeup is to sign in into my Hack the Box account. I logged into my Hack the Box account inside the Firefox browser on my Kali Linux, then I downloaded the .ovpn file and renamed it to blurry.ovpn. Then I created a directory on my desktop called BlurryHTB and moved the blurry.ovpn file into it.
Next, I opened the terminal in the folder and ran the following command to establish a connection between my Linux terminal and Hack the Box server. Once the connection was successful, I opened my Kali Linux terminal and ran the following commands to connect my terminal with Hack the Box:
After successfully connecting my Kali Linux machine to HTB server, I navigated to the “Machine” tab and clicked on Blurry. My target machine was assigned an IP address of 10.10.11.19. The next step was performing enumeration using nmap to find all open ports on the target machine, therefore I used the following command to scan for open ports:
I found port 22/tcp with ssh service running at the port and port 80/tcp with http running at the port. This clearly shows we need a reverse shell to get hold of the machine and that the machine is a web application running on port 80.
I began reconnaissance using whatweb to identify technologies running on the target:
The whatweb tool is used in penetration testing to identify technologies used by websites — including web servers, CMS, frameworks, programming languages, and more. It's often one of the first recon tools used in CTFs to fingerprint web applications.
The response revealed an Nginx server redirecting traffic to a virtual host
app.blurry.htb, which served a web application titled ClearML. I added the host to my /etc/hosts file and accessed it in my browser for further analysis.
To edit /etc/hosts and map app.blurry.htb to the IP [10.10.11.19], I ran the following command in the terminal:
Then I add the following in the GNU interface:
After successfully mapping the IP address with the host name, I navigated to my browser and visit 10.10.11.19. This redirected me to the app.blurry.htb official website which has ClearML.
ClearML is an open-source platform designed to make developing and managing machine learning projects easier and more efficient. It automates many of the complex tasks involved in machine learning, such as tracking experiments, managing data, and deploying models.
After understanding what ClearML is, I started searching for vulnerabilities. I found multiple issues, but for the purpose of this blog, I will focus on the intended one which is CVE-2024–24590: Pickle Load on Artifact Get. Vulnerabilities associated to ClearML includes:
- CVE-2024–24590: Pickle Load on Artifact Get
- CVE-2024–24591: Path Traversal on File Download
- CVE-2024–24592: Improper Auth Leading to Arbitrary Read-Write Access
- CVE-2024–24593: Cross-Site Request Forgery in ClearML Server
- CVE-2024–24594: Web Server Renders User HTML Leading to XSS
- CVE-2024–24595: Credentials Stored in Plaintext in MongoDB Instance
The one that will allow us to get a reverse shell is the CVE-2024–24590: Pickle Load on Artifact Get
About the Vulnerability (CVE-2024–24590: Pickle Load on Artifact Get)
This vulnerability in ClearML happens when the software uses a feature called pickle to load data. Pickle can run any code hidden in the data it loads. If an attacker sends harmful data to ClearML, it can trick the system into running dangerous code. This could let the attacker take control of the system or steal information
Now, let us proceed with the machine. On the app.blurry.htb/login webpage, we are presented with an input text field "Full Name", you can enter anything and click Start. One thing that caught my attention was that their was no authentication on the webpage to verify the user (no register logic - just a simple click and you are in!)
After signing in, located the "Black Swan" project and you will find three tabs. Click on the "Experiment tab", there you will find several experiments that has been carried out.
You will need to create a new experiment by clicking on the "+ New Experiment" button. This will pop up a screen with an instruction on how to set up ClearML. Firstly, you will need to install ClearML by running the ClearML setup script:
1. Install ClearML by running the following script:
2. Run the ClearML setup script:
After generating and copying the credentials, I pasted them into the CLI, and ClearML was successfully configured:
These keys allowed me to interact with the ClearML API and potentially inspect user data, artifacts, or trigger internal server activity — opening the door to further enumeration and exploitation. Next, I added files.blurry.htb and api.blurry.htb in the /etc/hosts/ file by running the following command in the terminal:
After map the host names to the IP address, the next step is settings up a virtual environment. To prepare the environment for running Python-based tools and exploits, I installed virtualenv using pip:
This allowed me to create isolated Python environments for running custom scripts without affecting the system Python packages - helpful in managing dependencies and avoiding conflicts during exploitation.
To interact with the ClearML server on the target, I created a virtual Python environment and installed the ClearML Python client:
During clearml-init, I provided the API credentials and server URLs obtained from the ClearML web interface:
Once the credentials have been pasted, hit the enter key and it will verify the credentials and return an output if it's successful. This successfully configured my environment to interact with the ClearML backend, opening the door to automated queries, data exfiltration, or further exploitation via API endpoints.
To exploit ClearML’s insecure artifact deserialization, I crafted a malicious pickle payload designed to trigger a reverse shell upon unpickling.
I embedded this payload in a custom Python class with a __reduce__() method that executed arbitrary system commands:
I initialized a ClearML task and uploaded the object as an artifact:
On my attacker machine, I set up a listener with:
Shortly after, the target connected back, giving me a shell. I stabilized it using:
This exploit took advantage of ClearML’s unsafe deserialization of artifacts, resulting in full remote command execution on the target.
After running the exploit.py script, the ClearML server executed the malicious pickle artifact, giving me a reverse shell back as jippity@blurry. Once the shell was stabilized, I enumerated the user's home directory and found the user flag:
I then checked for sudo permissions:
This revealed that the user could execute /usr/bin/evaluate_model as root without a password for any .pth file in /models/. Knowing PyTorch model files can execute arbitrary code when deserialized, I exploited this by placing a malicious torch.py in /models/:
Hurray, I got the root flag
If you enjoy reading my writeup and would want to get notification as soon as I make a new writeup, do not forget to subscribe to my YouTube channel and follow me on my other social media accounts. Thank you.
Subscribe to my YouTube channel: https://www.youtube.com/@BoltechTechnologies1
Download my writeup here: https://drive.google.com/file/d/19hWEBgIpfsx-reOiMSZQpw3bOANGX-uZ/view?usp=sharing
Follow me on LinkedIn: https://www.linkedin.com/in/isiaq-ibrahim-468588156/
Follow me on Twitter: https://x.com/BoltechNG
Follow me on Medium: https://medium.com/@ibrahimbolaji50.ib
This walkthrough was first published on Medium on August 31st 2024. The walkthrough had 457 views and 195 reads on Medium and 1,300 views on YouTube.
0 Comments