Basic information
- https://app.hackthebox.com/machines/Blurry
- 10.10.11.19
Port scan
Ports 22 and 80:
nmap -sC -sV 10.10.11.19
80
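Browsing to the IP directly redirects to the app subdomain, so add it to hosts:
10.10.11.19 app.blurry.htb
It is ClearML:
Subdomain scan
Several other subdomains can be found. A scan with default options misses api, because it responds with 400:
ffuf -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://app.blurry.htb/" -H 'Host: FUZZ.blurry.htb' -fs 169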
files
The root directory only responds with OK:
chat
It is Rocket.Chat:
Register any account and log in; some usernames can be obtained there:
ClearML
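ClearML only needs a full name to log in. Take a full name from chat, log in to ClearML, then create an API key and test that it runs:
(If clearml-init fails to verify the key, manually creating the config file and then running also works)
~/clearml.conf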
shell
ClearML-related vulnerabilities:
- Machine Learning Operations: What You Need to Know Now | HiddenLayer
https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/
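Then, following the article, upload a malicious pickle. Per the article, it only triggers when another user does a get on it. The system itself has a periodically running review job that checks this project for Tasks with the review tag and does a get on them, so create a Task with the review tag that carries the malicious pickle and wait for it to trigger:
exp.py
#!/usr/bin/python3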
user flag
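On the jippity user's desktop. The SSH private key can also be retrieved to make later steps easier:
Privilege escalation information
jippity can run modules with sudo:
Searching turns up: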
- Weaponizing ML Models with Ransomware | HiddenLayer
https://hiddenlayer.com/research/weaponizing-machine-learning-models-with-ransomware/#Pickle-Code-Injection-POC
That is, craft your own malicious model.
Privilege escalation & root flag
Craft a model yourself, then run it, and get root:
shadow
root:$y$j9T$HKjGxAyjzW3lmf/HmZafW0$fgkQykeZSlRYHzR8zHjMVQrRUzwM3xSvA0koPgt6TQ6:19770:0:99999:7:::
exp.py
import torch
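A defender-side check for the two pickle vectors described above (the ClearML artifact and the model file run via sudo), as an added example that is not from the original post or the HiddenLayer articles: it walks the pickle opcodes without loading anything and lists every import outside an allowlist. The allowlist, the `Marker` class and the sample data are constructed for illustration, and the zip handling goes beyond the text to cover zip-format model files.

```python
import io, os, pickle, pickletools, zipfile
from collections import OrderedDict

# Assumption: a deliberately tiny allowlist; extend it with what your models need.
ALLOWED = {("collections", "OrderedDict")}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}

def scan_pickle(data: bytes) -> list:
    """List imports outside ALLOWED by walking opcodes; nothing is unpickled."""
    findings, recent = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            recent.append(arg)   # candidate module/name operands for STACK_GLOBAL
        elif op.name in ("MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"):
            continue             # memo writes leave the stack top unchanged
        else:
            if op.name in ("GLOBAL", "INST"):
                findings.append(tuple(arg.split(" ", 1)))
            elif op.name == "STACK_GLOBAL":
                # Operands not pushed directly (e.g. read from the memo) show as "?".
                findings.append(tuple(recent[-2:]) if len(recent) >= 2 else ("?", "?"))
            recent = []
    return [f"{m}.{n}" for m, n in findings if (m, n) not in ALLOWED]

def scan_blob(blob: bytes) -> dict:
    """Scan a raw pickle, or every *.pkl member of a zip-format model file."""
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return {n: scan_pickle(zf.read(n)) for n in zf.namelist() if n.endswith(".pkl")}
    return {"<raw>": scan_pickle(blob)}

class Marker:  # constructed sample: same __reduce__ mechanism, harmless callable
    def __reduce__(self):
        return (os.getcwd, ())

def sample_flagged() -> bytes:
    return pickle.dumps({"weights": [0.1, 0.2], "hook": Marker()})

def sample_clean() -> bytes:
    return pickle.dumps(OrderedDict(layer=[0.1, 0.2]))

def sample_zip() -> bytes:  # constructed stand-in for a zip-format model file
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", sample_flagged())
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_blob(sample_flagged()), scan_blob(sample_clean()), scan_blob(sample_zip()))
```

A non-empty result means loading the file would import that callable, so the file should be quarantined instead of being passed to `pickle.load` or `torch.load`.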
References
- Machine Learning Operations: What You Need to Know Now | HiddenLayer
https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/
- Weaponizing ML Models with Ransomware | HiddenLayer
https://hiddenlayer.com/research/weaponizing-machine-learning-models-with-ransomware/#Pickle-Code-Injection-POC