https://maccioniandrea.com/categories/writeups/ Recent content in Writeups on Maccioni Andrea - Portfolio Hugo en Sun, 24 May 2026 00:00:00 +0000 https://maccioniandrea.com/posts/smarthire-writeup/ Sun, 24 May 2026 00:00:00 +0000 https://maccioniandrea.com/posts/smarthire-writeup/ <p><strong>Difficulty:</strong> Medium <strong>OS:</strong> Linux <strong>IP:</strong> 10.129.245.215</p> <hr> <h2 id="overview">Overview</h2> <p>SmartHire is a medium-difficulty Linux machine centred around an AI-powered hiring platform backed by <strong>MLflow</strong> for ML model management. The attack chain covers three distinct phases:</p> <ol> <li>Discovering a hidden MLflow instance via virtual host fuzzing and authenticating with default credentials</li> <li>Registering a malicious pickle model via the MLflow REST API to achieve RCE as <code>svcweb</code></li> <li>Escalating to root by hijacking a Python plugin loaded through a writable directory inside a NOPASSWD sudo script</li> </ol> <p>Key concepts: MLflow REST API abuse, Python pickle deserialization RCE, egress firewall bypass via internal curl exfiltration, <code>site.addsitedir()</code> <code>.pth</code> file hijack.</p> https://maccioniandrea.com/posts/htb-pingpong-writeup/ Sat, 23 May 2026 00:00:00 +0000 https://maccioniandrea.com/posts/htb-pingpong-writeup/ Complete HTB PingPong insane write-up involving ADCS, cross-forest abuse, gMSA, RBCD and privilege escalation.