Overview

SmartHire is an AI-powered training platform with an MLflow 2.14.1 model registry on a subdomain. Exploiting a vulnerability, I overwrite a registered model's pickle artifact via the MLflow REST API, which triggers RCE through the predict endpoint. For privilege escalation, a .pth file in a writable plugin directory prepends that directory to sys.path, shadowing a core plugin to escalate to root.
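A defensive audit for the privilege-escalation step described above, as an added example that is not part of the original writeup: it flags group- or world-writable directories, .pth lines that Python's site module would execute, and module names that resolve from more than one search-path entry. The directory and file names are constructed, and it assumes the plugin directory is processed as a site directory.

```python
import os, stat, tempfile
from pathlib import Path

def audit_pth_dir(directory):
    """Flag a group/world-writable directory and executable lines in its .pth files."""
    d, findings = Path(directory), []
    mode = d.stat().st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("writable-dir", d.name, oct(mode & 0o777)))
    for pth in sorted(d.glob("*.pth")):
        for n, line in enumerate(pth.read_text(errors="replace").splitlines(), 1):
            # site.py exec()s any .pth line that starts with "import " or "import\t";
            # plain path lines are only appended to sys.path, so prepending needs one.
            if line.startswith(("import ", "import\t")):
                kind = "exec-line-sys-path" if "sys.path" in line else "exec-line"
                findings.append((kind, f"{pth.name}:{n}", line.strip()))
    return findings

def shadowed_modules(search_path):
    """Return (module, winning_dir, shadowed_dir) for names found in several entries."""
    seen, shadows = {}, []
    for entry in map(Path, search_path):
        if not entry.is_dir():
            continue
        for item in sorted(entry.iterdir()):
            if item.suffix == ".py":
                name = item.stem
            elif (item / "__init__.py").is_file():
                name = item.name
            else:
                continue
            if name in seen and seen[name] != entry:
                shadows.append((name, seen[name].name, entry.name))
            seen.setdefault(name, entry)
    return shadows

def demo():
    """Constructed layout: a core plugin dir and a world-writable extra plugin dir."""
    with tempfile.TemporaryDirectory() as root:
        core, extra = Path(root, "core_plugins"), Path(root, "extra_plugins")
        core.mkdir(); extra.mkdir()
        os.chmod(extra, 0o777)
        (core / "reporting.py").write_text("# legitimate plugin\n")
        (extra / "reporting.py").write_text("# same name, different origin\n")
        (extra / "local.pth").write_text("import sys; sys.path.insert(0, 'extra_plugins')\n")
        # Search order as it would look after the .pth line has run
        return audit_pth_dir(extra), shadowed_modules([extra, core])

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Run against a real host, `audit_pth_dir` would be pointed at each directory returned by `site.getsitepackages()` plus any application plugin directories, and `shadowed_modules` at the service's actual `sys.path`.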

Enumeration

Start with a normal nmap scan.