Hello Guys, I am Faisal Husaini. My username on HTB is “sozfnx”. Also join me on Discord.

The IP of this box is

Running masscan on it, we get

masscan -p1-65535,U:1-65535 --rate=500 -e tun0

2 open ports discovered, so we run Nmap against them

Port 22 running OpenSSH and Port 80 running Apache httpd 2.4.29

Moving to the web part

Checking the web service in the browser

An Artificial Intelligence webpage; running Gobuster against it

We got a few good results. If we had crawled the webpage we would have seen these anyway, so there was really no need to run Gobuster on this box, but recon is recon and it's a must

Looking at the about.php page

It says that they are working on a search engine using voice recognition from audio files, powered by Artificial Intelligence

Looking further at the ai.php page

It has a file upload functionality which accepts a wav audio file. Also looking at the intelligence.php page

This page has examples of the API's speech recognition; down below it is also stated that the API is well familiar with the Male-US model

We use an online website to convert our text to speech as a wav audio file

So here we enter a text from the API examples we saw above and create the wav audio file

It converted our text into 2 formats; we will download the wav audio file

Now we upload the speech file we created and click on “Process It!”

We got our result: we can see it shows our input first and then the query results. Since this is showing a query result, I am going to test it for SQLi

Here we test the ' (single quote): we create the audio for it, upload it and process it

Now clicking on the process button

We got a SQL syntax error, which also tells us that it is running a MySQL server
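The root cause behind that syntax error, as an added example that is not the box's own ai.php code: the transcribed text is spliced straight into the SQL string, so a lone single quote breaks the statement, while a parameterized query handles the same input safely. Written in Python with an in-memory SQLite table standing in for the box's MySQL database; the table name, column names, query shape and the stored password are assumptions/constructed.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the box's users table (name and columns assumed).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alexa', 'constructed-placeholder')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, transcript):
    # Same flaw as the page describes: speech-to-text output concatenated into SQL.
    sql = f"SELECT username FROM users WHERE username = '{transcript}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, transcript):
    # Hardened form: the driver binds the value, so quotes in it are just data.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (transcript,))]


def probe(transcript):
    """Run one transcript through both versions and report what each did."""
    conn = make_db()
    try:
        vulnerable = ("ok", lookup_vulnerable(conn, transcript))
    except sqlite3.OperationalError as exc:
        # This is the equivalent of the MySQL syntax error seen on the web page.
        vulnerable = ("error", str(exc))
    safe = ("ok", lookup_parameterized(conn, transcript))
    return vulnerable, safe


if __name__ == "__main__":
    for text in ("alexa", "'"):
        print(repr(text), "->", probe(text))
```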

Now we try to dump the username and password using this vulnerability

This will be our query, creating the file and uploading it

We see we got the username alexa; now we will do the same for the password

Now we upload this and process it

We got the password too in the query result

Since SSH was open on the server, we try to connect to the box using these creds

We connected successfully as user alexa. Moving on to getting the user flag, which was located in the same directory where we landed after the SSH connection

Now moving on to the privilege escalation part

Running the pspy64 process-monitoring binary

We see that it shows Tomcat running, which we didn't see in our Nmap results. If we check the running processes

We see that localhost is listening on port 3306, which is most probably MySQL, and also on ports 8000, 8080, 8005 and 8009

So I port forward port 8000 to my local machine

Now trying to access port 8080 on our localhost

We see that port 8080 is running an Apache Tomcat server locally on the box

So I port forwarded all the ports that were listening locally on the box to my machine and then ran an Nmap scan against all of them

We see that port 8000 is running JDWP, the Java Debug Wire Protocol

After searching on Google, we found an exploit which we will use, but before that we import it onto the box and then look at the usage

So the usage is simple; now we run our command and see the result

We see that the exploit ran successfully and also shows us the user as root

So first I create a bash reverse shell one-liner and put it in a file named shelly

Also, not forgetting to make it executable, and then run the exploit again like the following
