AI

Comments

  • Rooted.

    $ nc -nlvp 1234
    listening on [any] 1234 ...
    connect to [10.10.14.46] from (UNKNOWN) [10.10.10.163] 51680
    id
    uid=0(root) gid=0(root) groups=0(root)

    User: Spend more time trying to get a good TTS + voice combo rather than forcing a bad one to work. I burned too many hours on default... Once you have that, the actual attack just requires looking in some well-known/guessable spots.

    Root: As others have said, do some meticulous enumeration. Read the background on how the exploit works.

    Happy to nudge people in the right direction!

    Hack The Box

  • Rooted
    It was very interesting

  • Was the machine changed? Even after reset, a certain port related to killing a cat is closed?

    Blaudoom
    Discord: Blaudoom#1254

  • Rooted. This box is pain

    joelblack

  • Just rooted it, WOW this box was fire :D

  • Rooted!
    Nice work from @mRr3b00t .
    I got user with a famous "female" voice :)
    User is pretty straightforward if you don't overthink.
    For root......I got totally stuck into the m*****t user waterhole because of its U** (and a known exploit related to that U**).
    Then I realized there is something going on periodically......and we got the shell!
    Cheers

    Click here for HTB Profile: You are welcome to contact me for a nudge, but if I help you, please consider giving respect.

  • it's weird I got outputs
    can I use base64 in this box to get shell ?

  • I have tried a lot of t...s and some words aren't understood.. I know the attack on the user but not all damn words are being understood by AI

  • Fuck this box. I fucking hate it. I said fucking comma motherfucker not "come out" or any fucking variation of such.

  • edited November 2019

    So, does anyone know how to make the machine understand queries correctly and not give "but i'm single" "select few" "err err" instead of actual words? I am using tts org with male voice. I am trying to add spaces to make the AI read words relatively distinctly, but always get stuff from above, I can't even get what condition makes it happen.

    EDIT: finally found a site (sadly, not a local tool) which, most of the time, works. You can PM me for this site, I always get spoiler removed when posting tools in mrreboot machine's forums.

  • Done. Finally.

  • it's weird I got this uid=4294967294 gid=1000(a) groups=1000(a)

  • I got this sudo: unknown uid 4294967294: who are you? any hint

  • nice box, I learned a lot from this box, thanks MrR3boot

  • Root was a literal pain. Couldn't get the exploit to work, ended up doing everything manually.
    Gotta say, this machine was fun and not fun at the same time. Made me wanna cry a few times, but at the end it feels good to finish it.
    Well done @MrR3boot !

  • edited November 2019

    Rooted. I got a root shell, and I used the exact same syntax to obtain it about ~13-14 times over. I reset the box twice. Super unreliable and not sure how to MAKE IT reliable. I didn't change my methods for running anything the entire time. Did the same process over a dozen times and it just happened to work once.

    Not really sure what was going on here, but not even going to bother investigating. This box was a huge pain in the ass for me.

    If I can show you my syntax @MrR3boot maybe you can better explain what I was doing wrong and/or what was causing it to be so unpredictable?

    Thanks for the machine, regardless. Always a learning experience.

    Edit: @MrR3boot has now verified what was causing this issue, and I've fixed it accordingly. For those of you running into a similar issue as myself, learn more about the service and specific aspects of it that your script may be utilizing. This is the part that stumped me!


    defarbs.com | Retired Machine Writeups! - "Let me just quote the late, great Colonel Sanders, who said, 'I'm too drunk... to taste this chicken.'”

  • I liked the user part, it was an original idea and an unusual task for a hacker. There were bad and good moments while I struggled to find a proper tts, but finally I managed to find an online service which "solved" my problem.

    This was my second host that was made by MrR3boot, and I noticed that he likes to leave his signature. And it is only a signature and it is not the key to the vulnerability. I think I understand the joke (or fine irony?) behind "sudo", which is very often the solution for privilege escalation on this site.

    Root part was interesting but contained uncertainty. I was lucky because my third attempt - including the same command - was successful.

    bumika

  • edited November 2019

    @bumika said:

    Root part was interesting but contained uncertainty. I was lucky because my third attempt - including the same command - was successful.

    I read the article and now I have managed to stabilize my privilege escalation process.

    Just send a PM if you are interested.

    bumika

  • @farbs said:
    Rooted. I got a root shell, and I used the exact same syntax to obtain it about ~13-14 times over. I reset the box twice. Super unreliable and not sure how to MAKE IT reliable. I didn't change my methods for running anything the entire time. Did the same process over a dozen times and it just happened to work once.

    Not really sure what was going on here, but not even going to bother investigating. This box was a huge pain in the ass for me.

    If I can show you my syntax @MrR3boot maybe you can better explain what I was doing wrong and/or what was causing it to be so unpredictable?

    Thanks for the machine, regardless. Always a learning experience.

    Please DM

    MrR3boot
    Learn | Hack | Have Fun

  • Very satisfying, awesome box! Thanks

    Getting user was hair-pullingly tiresome at first, the only (seemingly) working service was some online-only generator. Thanks to a hint from another User (Kudos to you again) I found out about some neat Linux offline tool which allowed me to create different samples quite fast. With a little bit of tinkering here and there I managed to find creds. Try the usual stuff first, and you won't need to go far.

    Really enjoyed the root process, learned quite a few new things.
    Do thorough enumeration (there are probably 2-3 different standard enum scripts one should always run anyways) and you will discover it. Google if you are not familiar with the found processes. Also, don't let some errors discourage you, try again ;)

  • OK I have to throw in the towel and ask for some help.

    I've posted hundreds of WAVs to this thing and 90% of the time the request just times out. I've used all the terms on the smart page, used the hinted at online tts along with several others, local tools, and recording myself. I've tried 8 and 16 bit WAVs; 16bit always just time out, while 8bit occasionally make it through but almost always don't attempt interpretation or search.

    Out of all the requests I've sent, one set of a few random words did trigger interpretation, but even with the same file on subsequent requests, I get nothing back. Not sure how that's even possible.

    After confirming I was doing the exact thing another user was on discord, they sent me a file that worked for them, which when I upload doesn't trigger any audio interpretation or a search, much less an error or more. Sending a fake, empty .wav file triggers the interpretation and search with blank results, but any actual audio at all times out 90% of the time or 200s the POST without showing the search response at all.

    DMs welcome, any thoughts on what I could change in this process would rock. Thanks!

  • Spoiler Removed

    adyd

  • Spoiler, really? - my bad.

    adyd

  • @MrR3boot said:

    @Warlord711 said:
    I think this is the first machine that I skip. I like the idea but to test 20+ TTS to find one that works is just waste of time.

    You will find it in second google result and it's so obvious available best utility for *nix. Hint: Let's Celebrate the xxxxxxxx :)

    When you know what it is - this tool is way faster and better than the online versions - Thanks to boxcreator for this hint !

  • @TONI said:
    @MrR3boot said:

    @Warlord711 said:
    I think this is the first machine that I skip. I like the idea but to test 20+ TTS to find one that works is just waste of time.

    You will find it in second google result and it's so obvious available best utility for *nix. Hint: Let's Celebrate the xxxxxxxx :)

    When you know what it is - this tool is way faster and better than the online versions - Thanks to boxcreator for this hint !

    Cheers

    MrR3boot
    Learn | Hack | Have Fun

  • Is j***-s********r.py right tool for root?

  • edited December 2019

    @oisjfdsofdij said:

    @Crashie said:

    I really hope I don't need a mic for this box, cz I don't have one xD

    pip install gtts
    gtts-cli "mic not required" -o no.mp3
    mpg123 -w no.wav no.mp3

    this seems to be very inaccurate. any other recommended tts interface?

  • @an0n said:

    @oisjfdsofdij said:

    @Crashie said:

    I really hope I don't need a mic for this box, cz I don't have one xD

    pip install gtts
    gtts-cli "mic not required" -o no.mp3
    mpg123 -w no.wav no.mp3

    this seems to be very inaccurate. any other recommended tts interface?

    Try with Google API

  • @an0n said:
    > @oisjfdsofdij said:
    >
    > (Quote)
    > this seems to be very inaccurate. any other recommended tts interface?

    I’m afraid that typing an exact tts name in this topic is a spoiler, but I can give you some hints.

    I used a free, online service (premium one is accessible after registration) where you could choose English voice (US, UK, AU, IN - male and female), and a lot of other languages, you could set speed and pitch (but generally are not needed) and you could get .mp3 output. David was my favorite choice.

    bumika

  • with gtts (google): 'I’m afraid that typing an exact tts name in this topic is a spoiler, but I can give you some hints.' translates to 'i'm afraid that typing in exactly the heiress named in this 2pic is the spoiler the nineteen duties them hang'
