Port scanning gives me two ports, 22,80. which both are well known to me.
I goto 80/http because I don’t have any credentials for port 22. On port 80 all I see is a web app which it’s purpose is to read a .wav file and give me the text which is back from it. At this time I play with this a lot and find another file by directory bruteforce.
/intelligence.php gives me some hints on what my wave file can include so I get the output from the web app.
I play with this and when I send something like
it's with the single quote I get an error, which indicates to me there is an sql injection.
I had a hard time send a working query to sql inject this.
tldr: All looked on a bunch of websites(
https://www.text2speech.org/) to get the finall query to work, also I used sox to get all the different .wav files together.
After all the frustration I got the password by sending
1' union select password from users and to get the password I had to send
1' union select user from user in which I got an error which exposed the username.
I used the credentials to login to the box by using ssh
Username: Alexa Password: H,Sq9t6}a<)?q93_
Running linenum.sh I see that user root, is running a weird command by using java, after a bit of research I find out it’s running jdwt(java debug wire protocol), I can use
jdb --attach localhost:8000 after I port forward the port 8000 from the remote box to me, after I set a break point using
stop in java.netServerSocket.accept and then I find out the port 8005 is exposed so I send a request there to trigger the breakpoint. I write a reverse shell to /tmp/ and then I execute
print new java.lang.Runtime().exec("/bin/sh /tmp/root.sh") and get a shell as root.!