header ads

Blurry Hack the Box Walkthrough

Ibrahim Isiaq Bolaji September 12, 2025

Welcome to another Hack the Box exercise. In this walkthrough, I showed how I pwned the Blurry machine on Hack the Box. Hack The Box is a cybersecurity platform that helps you bridge knowledge gaps and prepares you for cyber security jobs. You can also test and grow your penetration testing skills, from gathering information to reporting. If you are new to this blog, please do not forget to like, comment and subscribe to my YouTube channel (https://www.youtube.com/@BoltechTechnologies1) and follow me on LinkedIn (https://www.linkedin.com/in/isiaq-ibrahim-468588156/) for more updates.


About the Machine

Blurry is a medium-difficulty Linux machine that features DevOps-related vectors surrounding machine learning. The foothold is comprised of a series of CVEs recently disclosed about the ClearML suite. The service provides a web platform, a fileserver, and an API; all of which contain vulnerabilities (`[CVE-2024-24590](https://nvd.nist.gov/vuln/detail/CVE-2024-24590) [CVE-2024-24595 (https://nvd.nist.gov/vuln/detail/CVE-2024-24595)`) that can be chained together for remote code execution. Once a shell on the target is obtained, a program that can be run with `sudo` is discovered. The program loads arbitrary `PyTorch` models to evaluate them against a protected dataset. While it is known that such models are susceptible to insecure deserialisation, `fickling` is used to scan the dataset for insecure `pickle` files , prior to loading the model. Malicious code can be injected into a model, using `runpy` to bypass the `fickling` checks.

Blurry Hack the Box Walkthrough

The first step in solving this machine like I have always done in my previous writeup is to sign in into my Hack the Box account. I logged into my Hack the Box account inside the Firefox browser on my Kali Linux, then I downloaded the .ovpn file and renamed it to blurry.ovpn. Then I created a directory on my desktop called BlurryHTB and moved the blurry.ovpn file into it.

Next, I opened the terminal in the folder and ran the following command to establish a connection between my Linux terminal and Hack the Box server. Once the connection was successful, I opened my Kali Linux terminal and ran the following commands to connect my terminal with Hack the Box:

Tags:
Ibrahim Isiaq Bolaji

Posted by: Ibrahim Isiaq Bolaji

I am currently pursing a double master's degree program through the prestigious Erasmus Mundus Joint Master's Programme in Applied Cybersecurity between three consortium universities: Kadir Has University, Istanbul, Turkiye | Saints Cyril and Methodius University in Skopje, North Macedonia | SRH University of Applied Science, Berlin, Germany. Before beginning my master's program, I worked as a cybersecurity instructor at Aptech Education, Gwarinpa, FCT Abuja. Prior to that, I obtained my Bachelor of Technology (B.Tech) degree in Information and Communication Tech from Kebbi State University of Science and Technology, Aliero, Nigeria, where I graduated with a First Class Honours. Upon finishing my master's degree in August 2025, I will be awarded an MSc Applied Cybersecurity from Kadir Has University and an MSc Computer Science from Saints Cyril and Methodius University in Skopje. My area of research interests are in: Cloud Computing | Digital Forensics & Incident Response | Malware Analysis | Ethical Hacking | Reverse Engineering | Cyber Threat Intelligence | OSINT | Computer & Network Security | Security & Privacy | Penetration Testing | Wireless Communicat

Post a Comment

0 Comments