AI HTB
AI is a linux box dealing with voice recognition. In this writeup fuxsocy will show his way of solving it.

User

Port scanning gives me two ports, 22,80. which both are well known to me.

I goto 80/http because I don’t have any credentials for port 22. On port 80 all I see is a web app which it’s purpose is to read a .wav file and give me the text which is back from it. At this time I play with this a lot and find another file by directory bruteforce.

/intelligence.php gives me some hints on what my wave file can include so I get the output from the web app.

I play with this and when I send something like it's with the single quote I get an error, which indicates to me there is an sql injection. I had a hard time send a working query to sql inject this.

tldr: All looked on a bunch of websites(https://text-to-speech-demo.ng.bluemix.net/, https://www.text2speech.org/) to get the finall query to work, also I used sox to get all the different .wav files together.

After all the frustration I got the password by sending 1' union select password from users and to get the password I had to send 1' union select user from user in which I got an error which exposed the username.

I used the credentials to login to the box by using ssh

Username: Alexa
Password: H,Sq9t6}a<)?q93_

Root

Running linenum.sh I see that user root, is running a weird command by using java, after a bit of research I find out it’s running jdwt(java debug wire protocol), I can use jdb --attach localhost:8000 after I port forward the port 8000 from the remote box to me, after I set a break point using stop in java.netServerSocket.accept and then I find out the port 8005 is exposed so I send a request there to trigger the breakpoint. I write a reverse shell to /tmp/ and then I execute print new java.lang.Runtime().exec("/bin/sh /tmp/root.sh") and get a shell as root.!

The quieter you become, the more you are able to hear.
DHT4tMDxN34WgmtcX9em8AGMeqMpSechq4