Hey guys. AI from Hack The Box was retired today and here is my write-up about it.

Quick Summary 

AI is a medium Linux machine and the IP address is is a really fun machine.

The user path is about WAV file access on the web server, using SQL injection to get the credentials from the database, and logging in over SSH.

For privilege escalation, Tomcat is running as root with the Java Debug Wire Protocol (JDWP) enabled, and we exploit it. So let’s jump in.


As always, we start with nmap to scan for open ports and services.


root@ch4n:~# nmap -sC -sV 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-25 21:25 EST
Nmap scan report for 
Host is up (0.25s latency).
Not shown: 998 closed ports
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6d:16:f4:32:eb:46:ca:37:04:d2:a5:aa:74:ed:ab:fc (RSA)
|   256 78:29:78:d9:f5:43:d1:cf:a0:03:55:b1:da:9e:51:b6 (ECDSA)
|_  256 85:2e:7d:66:30:a6:6e:30:04:82:c1:ae:ba:a4:99:bd (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Hello AI!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.42 seconds


In our nmap scan there are two open ports. SSH is running on port 22 and HTTP is running on port 80.

Nothing was interesting in the nmap results, so let’s check the web page.

Web Page 

After playing around on the web page, I found ai.php.

It said to drop your query using a WAV file.

So here we need to upload a WAV file.

I want to explain something about converting text to a WAV file here.

At first I used an online tool, https://www.text2speech.org/, but it did not work for long sentences.

The AI can’t understand them, so I split the voice in Audacity for the long sentences, which is annoying to do.

So I looked for a better tool, called flite.

The web page mentions a query. I thought it might be voice SQL injection. Actually I didn’t expect that, but it was really fun.

So I tested like this:


open single quote 


Turn it into a WAV file:


flite -o open-single-quote.wav -t "open single quote" -voice rms


Here we got the SQL injection error.

Let’s pull the creds :-)

I used some commas and spaces to speak slowly. 


root@ch4n:~/Desktop/htb/boxes/AI# flite -o user.wav -t "open single quote, union, select, username, from, users, comment, database" -voice rms


Here we got the username as




Do the same thing for the password:-) 


root@ch4n:~/Desktop/htb/boxes/AI# flite -o pass.wav -t "open single quote, union, select, password, from, users, comment, database" -voice rms


Here we got the password as 




I just logged in to SSH and grabbed the user flag.

Privilege Escalation

I just ran pspy and found the Java debug file is running:


2019/11/10 17:52:03 CMD: UID=0    PID=14442  | /usr/bin/java -Djava.util.logging.config.file=/opt/apache-tomcat-9.0.27/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -agentlib:jdwp=transport=dt_socket,address=localhost:8000,server=y,suspend=n -Dignore.endorsed.dirs= -classpath /opt/apache-tomcat-9.0.27/bin/bootstrap.jar:/opt/apache-tomcat-9.0.27/bin/tomcat-juli.jar -Dcatalina.base=/opt/apache-tomcat-9.0.27 -Dcatalina.home=/opt/apache-tomcat-9.0.27 -Djava.io.tmpdir=/opt/apache-tomcat-9.0.27/temp org.apache.catalina.startup.Bootstrap start
2019/11/10 17:52:07 CMD: UID=1000 PID=14465  | sudo -u mrr3boot vi ./var/crash/_usr_bin_pkttyagent.4000000000.crash
2019/11/10 17:52:07 CMD: UID=4000000000 PID=14466  | vi ./var/crash/_usr_bin_pkttyagent.4000000000.crash
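
The pspy output above shows the Tomcat JVM running as UID 0 with a JDWP agent (-agentlib:jdwp=...,server=y) listening on localhost:8000. As an added example (not part of the original write-up), this defender-side check parses pspy-style process lines and flags JVMs started with a JDWP agent; the function name audit and the sample lines are constructed for illustration.

```python
import re

# Constructed sample in pspy's output format. Line 1 is abridged from the
# Tomcat command line above; line 2 is a made-up JVM using the legacy flag.
SAMPLE = """\
2019/11/10 17:52:03 CMD: UID=0    PID=14442  | /usr/bin/java -agentlib:jdwp=transport=dt_socket,address=localhost:8000,server=y,suspend=n -classpath /opt/apache-tomcat-9.0.27/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start
2019/11/10 17:52:05 CMD: UID=1001 PID=14450  | /usr/bin/java -Xrunjdwp:transport=dt_socket,address=5005,server=y -jar app.jar
2019/11/10 17:52:07 CMD: UID=1000 PID=14465  | sudo -u mrr3boot vi ./var/crash/_usr_bin_pkttyagent.4000000000.crash
"""

LINE = re.compile(r"UID=(\d+)\s+PID=(\d+)\s+\|\s+(.*)")
JDWP = re.compile(r"(?:-agentlib:jdwp=|-Xrunjdwp:)(\S+)")
LOOPBACK = {"localhost", "127.0.0.1"}


def audit(text):
    """Return one finding per process whose command line loads a JDWP agent."""
    findings = []
    for line in text.splitlines():
        proc = LINE.search(line)
        agent = JDWP.search(line)
        if not (proc and agent):
            continue
        uid, pid = int(proc[1]), int(proc[2])
        # Agent options are comma-separated key=value pairs.
        opts = dict(kv.split("=", 1) for kv in agent[1].split(",") if "=" in kv)
        host, _, port = opts.get("address", "").rpartition(":")
        issues = []
        if uid == 0:
            issues.append("JVM runs as root; JDWP has no authentication")
        if opts.get("server") == "y":
            if host in LOOPBACK:
                issues.append("loopback listener: reachable by any local user")
            elif not host:
                issues.append("no bind host: all interfaces on JDK 8 and older")
            else:
                issues.append("listener bound to " + host)
        findings.append({"pid": pid, "uid": uid, "host": host,
                         "port": port, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f["pid"], f["uid"], f["host"] or "(none)", f["port"], f["issues"])
```

The fix on the host side is to remove the JDWP option from the Tomcat startup configuration and to run Tomcat under an unprivileged service account.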


After googling for a JDWP exploit, I found the exploit and a wonderful article.



After reading the exploit, I ran the exploit and grabbed the root flag.

That’s it, guys.

Hope you enjoy my write-up :-)

Don’t forget to check the other write-ups on my blog.
