https://z3r0s6.github.io/tags/mlflow/Recent content in MlFlow on z3r0sHugoenMon, 18 May 2026 00:37:12 +0300https://z3r0s6.github.io/machines/smarthire/Mon, 18 May 2026 00:37:12 +0300https://z3r0s6.github.io/machines/smarthire/<h1 id="smarthire-htb-write-up"> SmartHire HTB Write-up <a class="heading-link" href="#smarthire-htb-write-up"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h1> <p><img src="https://htb-mp-prod-public-storage.s3.eu-central-1.amazonaws.com/avatars/26260a4f7f1e95d188a99210fb2ae693.png" alt="SmartHire Logo"></p> <h2 id="executive-summary"> Executive Summary <a class="heading-link" href="#executive-summary"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>SmartHire was compromised in two stages:</p> <ol> <li> <p><strong>Initial access / user shell</strong> The SmartHire web application relied on an external MLflow instance to load a model by name during resume prediction. Because the MLflow registry was exposed and protected only by weak credentials (<code>admin:password</code>), it was possible to register a malicious <code>pyfunc</code> model under the exact name expected by the application. When the application later loaded that model during a prediction request, it deserialized attacker-controlled pickle content and executed a reverse shell as <code>svcweb</code>.</p>