Ai HTB

Updated:November 4, 2021 am

User

Port scanning gives me two ports, 22,80. which both are well known to me.

http

I goto 80/http because I don’t have any credentials for port 22. On port 80 all I see is a web app which it’s purpose is to
read a .wav file and give me the text which is back from it. At this time I play with this a lot and find another file by directory bruteforce.

/intelligence.php gives me some hints on what my wave file can include so I get the output from the web app.

I play with this and when I send something like it's with the single quote I get an error, which indicates to me there is an sql injection.
I had a hard time send a working query to sql inject this.

tldr: All looked on a bunch of websites(https://text-to-speech-demo.ng.bluemix.net/, https://www.text2speech.org/) to get the finall query to work, also I used sox to get all the different .wav files together.

sql

After all the frustration I got the password by sending 1' union select password from users and to get the password I had to send 1' union select user from user in which I got an error which exposed the username.

I used the credentials to login to the box by using ssh

Username: Alexa
Password: H,Sq9t6}a<)?q93_

Root

jdwt

Running linenum.sh I see that user root, is running a weird command by using java, after a bit of research I find out it’s running jdwt(java debug wire protocol), I can use jdb --attach localhost:8000 after I port forward the port 8000 from the remote box to me, after I set a break point using stop in java.netServerSocket.accept and then I find out the port 8005 is exposed so I send a request there to trigger the breakpoint. I write a reverse shell to /tmp/ and then I execute print new java.lang.Runtime().exec("/bin/sh /tmp/root.sh") and get a shell as root.!