Finally, I managed to root this box. First, thanks to @MrR3boot for creating it, but I don’t really like this machine; the user part isn’t really lifelike, but anyway, I learned new things with the root part.
These are my hints.
USER:
If you aren’t a native English speaker, as I’m not, and you need to “open” something to get the result that you want, try to be literal with the words. Think as if you are guiding someone to do something. Word by word.
ROOT:
This part is full of rabbit holes; I think that I fell into all of them before finding the correct path.
To avoid wasting time in rabbit holes, check the versions of the things that you are trying to exploit. The exploit is not very common or famous.
Focus on the cat and try to find its four legs. Read it carefully and look up each word that seems suspicious on Google.
This is the first machine that I asked for help on; thanks to @bumika and @w4x for helping me.
@Warlord711 said:
I think this is the first machine that I skip. I like the idea, but testing 20+ TTS to find one that works is just a waste of time.
You will find it in the second Google result, and it’s so obviously the best available utility for *nix. Hint: Let’s Celebrate the xxxxxxxx
Mmm, I’m trying with that tool, trying things like “do XXX and now XXX”, but some stuff is not being interpreted correctly. Am I on the right path? Otherwise I’m kind of really confused (I already know that literal commands… don’t work, which made me change the approach on how to tell it). Is there any special hint if I’m OK?
Hmm, totally stuck on the initial foothold. How are people getting the AI to recognize any symbols/punctuation besides the ones on i********e.p? I only have words so far.
Or if this is not even needed to get the required info out of the qy page.
Pay attention to what is said on i*********e.**p and do some Google-fu.
Well… both user and root were not as hard as I thought at the beginning.
Thanks to @mRr3b00t for one more enjoyable box
Many thanks to @bumika for the initial foothold nudge, since I totally missed the hint.
For user:
If you know the way but cannot pass through some specific symbols, make sure that you fully read the page with the reference table. What if you were able to find the missing parts somewhere outside the box?
For root:
Enumerate. Check whether you understand what every unusual executable/service is doing, check every parameter to know exactly how it works, and you will find something interesting.
The box is exploitable and, as was written above, you don’t need to wait to trigger it, so continue checking if you find yourself waiting for things to be done.
This machine is a real pain in … .
I got the idea. I found internal reference. I found external reference.
I have managed to generate output proving existence of the vulnerability, but still cannot proceed further.
I understand that I need to perform full-blown manual exploitation of the vulnerability, but there are still too many unknowns. For instance, how to make it generate a number (I mean a numeral, not the word)? The internal reference is lacking info, the external one does not work. Really frustrating.
Edit:
Got user, many thanks to @bumika!
Sorry to say, but this was really insane. Even knowing what to do, finding the voice …
Not a great fan to be honest.
Just rooted. Regarding user, I already wrote everything in my previous post. The amount of time I spent on finding the voice… well, I’m still very angry. It was very CTFish and I’m not a fan of that.
The root part was nice. Classified as difficult (by users), but for someone who has known this particular solution for a very long time, finding the right “thing” to exploit takes only a short while. Just a quick look and you see that there is something that basically should not be there.
The author of the box has of course viciously eliminated the possibility to connect and use the default set of exploit parameters to complete the machine, but finding an alternative should not take more than a few minutes. Overall, the root part was very enjoyable. Well done @MrR3boot!!!
Finally got this one rooted. This box was a huge pain, even when you know what needs to be done. As others have said, don’t even bother with offline TTS (I was not able to get the celebrated recommendation recognized properly). I ended up getting it to work with an online TTS demo from a well-known company. It’s elementary, my dear.
Root was very interesting and can be done manually, or via a script, but there are a few quirks about the process.
I just got root. Painful box. The only thing that I learnt from that box is patience. Try again, try again, try again. Unstable exploits, a bit of guessing, broken implementation. The most painful box ever on HTB.