AI HTB Writeup

User

Port scanning gives me two ports, 22,80. which both are well known to me.

I goto 80/http because I don’t have any credentials for port 22. On port 80 all I see is a web app which it’s purpose is to
read a .wav file and give me the text which is back from it. At this time I play with this a lot and find another file by directory bruteforce.

gives me some hints on what my wave file can include so I get the output from the web app.

I play with this and when I send something like `it's` with the single quote I get an error, which indicates to me there is an sql injection.
I had a hard time send a working  query to sql inject this.

tldr: All looked on a bunch of websites(`https://text-to-speech-demo.ng.bluemix.net/`, `https://www.text2speech.org/`) to get the finall query to work, also I used sox to get all the different .wav files together.

After all the frustration I got the password by sending `1' union select password from users` and to get the password I had to send `1' union select user from user` in which I got an error which exposed the username. 


I used the credentials to login to the box by using ssh 

Username: Alexa
Password: H,Sq9t6}a<)?q93_

# Root

Running linenum.sh I see that user root, is running a weird command by using java, after a bit of research I find out it's running jdwt(java debug wire protocol), I can use `jdb --attach localhost:8000` after I port forward the port 8000 from the remote box to me, after I set a break point using `stop in java.netServerSocket.accept` and then I find out the port 8005 is exposed so I send a request there to trigger the breakpoint. I write a reverse shell to /tmp/ and then I execute `print new java.lang.Runtime().exec("/bin/sh /tmp/root.sh")` and get a shell as root.!