shadowfax - samuel-richardson/Sam-Tech-Journal GitHub Wiki

shadowfax

IP: 10.0.6.52
Ports: 22/tcp, 7070/tcp, 50001/udp

CVE-2020-13160 (CVE) (ExploitDB)

Description

AnyDesk before 5.5.3 has a format string vulnerability that allows remote code execution; it was used to gain remote access to shadowfax.

Severity: 9.8 Critical

Remediation

To fix this vulnerability, AnyDesk should be updated to the latest version (5.5.3 or later) or removed from the system to prevent further remote access.
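As an added example (not part of the wiki or of AnyDesk itself), the following Python script shows how a defender would check an asset inventory for the exposure described above: it parses AnyDesk version strings, compares them numerically against the fixed version 5.5.3, and raises the rating when the AnyDesk discovery service (50001/udp, which is where this vulnerability lives) is also reachable. The host records are constructed; only the port set mirrors the scan of shadowfax on this page, and the version strings and the other host names are assumptions.

```python
"""Inventory check for CVE-2020-13160 exposure (added example, not from the wiki).

Each host record carries the installed AnyDesk version string and the set of
open ports seen in a scan. A host is rated 'critical' when its AnyDesk build
is older than 5.5.3 and the UDP discovery service is reachable, 'high' when
only the version is old, and 'ok' otherwise.
"""
import re

FIXED_VERSION = (5, 5, 3)          # first release that is not affected
ANYDESK_UDP_DISCOVERY = "50001/udp"


def parse_version(text):
    """Turn 'AnyDesk 5.5.2' or '5.5.3-1' into an integer tuple.

    Comparing tuples avoids the classic string-comparison bug where
    '5.10.0' sorts below '5.5.3'.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable_version(text):
    """True when the parsed version is below 5.5.3."""
    return parse_version(text) < FIXED_VERSION


def assess(host):
    """Return (risk, reason) for one host record."""
    old_build = is_vulnerable_version(host["anydesk"])
    exposed = ANYDESK_UDP_DISCOVERY in host["ports"]
    if old_build and exposed:
        return ("critical",
                "AnyDesk below 5.5.3 with discovery service reachable; update or remove")
    if old_build:
        return ("high",
                "AnyDesk below 5.5.3; discovery port not seen open but update anyway")
    return ("ok", "AnyDesk at or above 5.5.3")


# Constructed sample inventory. The shadowfax port set mirrors the wiki's
# scan; the version strings and the other two hosts are assumed.
SAMPLE_HOSTS = [
    {"host": "shadowfax", "anydesk": "AnyDesk 5.5.2",
     "ports": {"22/tcp", "7070/tcp", "50001/udp"}},
    {"host": "host-b", "anydesk": "5.5.3", "ports": {"22/tcp"}},
    {"host": "host-c", "anydesk": "5.4.0", "ports": {"22/tcp", "7070/tcp"}},
]


def report(hosts=SAMPLE_HOSTS):
    """Map host name -> (risk, reason) for the whole inventory."""
    return {h["host"]: assess(h) for h in hosts}


if __name__ == "__main__":
    for name, (risk, why) in report().items():
        print(f"{name:10} {risk:9} {why}")
```

The rating deliberately does not drop to "ok" when 50001/udp is closed: the version is the root cause, the port only changes how reachable it is from the scanning position.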

CVE-2023-3262 (CVE) (Exploit)

Description

A vulnerability in Ubuntu's overlayfs implementation skips security checks and allows a local privilege escalation to root.

Severity: 7.8 High

Remediation

To fix this vulnerability, the system should be updated to a version in which it is patched. Furthermore, the distribution release should also be upgraded, since 18.04 is no longer supported.

Proof of Concept

Recon

  • Port scan from elrond

  • Nmap scan of port 7070 revealing the Anydesk program.

Foothold

  • Generating a payload to use in the AnyDesk exploit referenced above.

  • Running the exploit (modifications to the original exploit were made to fix Python type errors).

  • With remote access, the user flag was found.

Privilege Escalation

  • Looking at the machine version revealed that it was Ubuntu 18.04, which is vulnerable to several exploits, including the one used for privilege escalation.

  • Running the privilege escalation exploit gained access to a root shell.

Extra Loot

  • /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:111::/run/uuidd:/usr/sbin/nologin
avahi-autoipd:x:106:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
dnsmasq:x:108:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
rtkit:x:109:114:RealtimeKit,,,:/proc:/usr/sbin/nologin
speech-dispatcher:x:110:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
whoopsie:x:111:117::/nonexistent:/bin/false
kernoops:x:112:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:113:119::/var/lib/saned:/usr/sbin/nologin
pulse:x:114:120:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
avahi:x:115:122:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
colord:x:116:123:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
hplip:x:117:7:HPLIP system user,,,:/var/run/hplip:/bin/false
geoclue:x:118:124::/var/lib/geoclue:/usr/sbin/nologin
gnome-initial-setup:x:119:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:120:125:Gnome Display Manager:/var/lib/gdm3:/bin/false
deployer:x:1000:1000:deployer,,,:/home/deployer:/bin/bash
sshd:x:121:65534::/run/sshd:/usr/sbin/nologin
theoden:x:1001:1001::/home/theoden:/bin/bash
  • /etc/shadow
root:$6$xTnm7s43IcmvPd2N$omxZ/pK9qLXTDz9lwihy1O5cTINRTDL60GNVloXDVtQgGBw5UkjkCCb3pIFtPaWhN7PdIfVcvdhVtKMDVP45x1:19269:0:99999:7:::
daemon:*:17647:0:99999:7:::
bin:*:17647:0:99999:7:::
sys:*:17647:0:99999:7:::
sync:*:17647:0:99999:7:::
games:*:17647:0:99999:7:::
man:*:17647:0:99999:7:::
lp:*:17647:0:99999:7:::
mail:*:17647:0:99999:7:::
news:*:17647:0:99999:7:::
uucp:*:17647:0:99999:7:::
proxy:*:17647:0:99999:7:::
www-data:*:17647:0:99999:7:::
backup:*:17647:0:99999:7:::
list:*:17647:0:99999:7:::
irc:*:17647:0:99999:7:::
gnats:*:17647:0:99999:7:::
nobody:*:17647:0:99999:7:::
systemd-network:*:17647:0:99999:7:::
systemd-resolve:*:17647:0:99999:7:::
syslog:*:17647:0:99999:7:::
messagebus:*:17647:0:99999:7:::
_apt:*:17647:0:99999:7:::
uuidd:*:17647:0:99999:7:::
avahi-autoipd:*:17647:0:99999:7:::
usbmux:*:17647:0:99999:7:::
dnsmasq:*:17647:0:99999:7:::
rtkit:*:17647:0:99999:7:::
speech-dispatcher:!:17647:0:99999:7:::
whoopsie:*:17647:0:99999:7:::
kernoops:*:17647:0:99999:7:::
saned:*:17647:0:99999:7:::
pulse:*:17647:0:99999:7:::
avahi:*:17647:0:99999:7:::
colord:*:17647:0:99999:7:::
hplip:*:17647:0:99999:7:::
geoclue:*:17647:0:99999:7:::
gnome-initial-setup:*:17647:0:99999:7:::
gdm:*:17647:0:99999:7:::
deployer:$6$5VOcVyot$IoUh8LSt8t7vfZ8R3dx0h/QgE.iaDSqKthqTSnhofzXlRhCxZRW51TQ9H6cCgGcf5AITSOOqbmgf85qmVmvhR.:19269:0:99999:7:::
sshd:*:19269:0:99999:7:::
theoden:$6$Nxnlv6l1tdFv3pQh$sLn2UBp.y0nQjx0bQ9mQkLj5ZkSjGfM2QpdnvRT9t26YVm/sZg/Iwdy6xGxG6HHXJ3Fpdy7r1UO5Kpw6w0LDu0:19269:0:99999:7:::
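The two dumps above are the kind of material a reviewer has to make sense of quickly. As an added example (not part of the wiki), the following Python script parses /etc/passwd and /etc/shadow, joins them by user name and reports which accounts have an interactive shell, whether their password field is usable (as opposed to a locked "*" or "!" field), which crypt(3) scheme the hash uses ("$6$" is sha512crypt, the scheme seen in the dump), and any inconsistencies between the two files. The sample lines are constructed with placeholder salts and hashes and invented user names; they are not the entries from shadowfax.

```python
"""Account audit over /etc/passwd and /etc/shadow (added example; not from the wiki).

Parses both files, correlates them by user name and returns a list of
findings a reviewer of dumped credential files would want: uid-0 aliases,
empty password fields, interactive accounts with a usable hash, service
accounts that unexpectedly have a password, and entries present in only one
of the two files. Sample data below is constructed with placeholder hashes.
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}
# crypt(3) scheme identifiers; $6$ is what the dumped /etc/shadow uses
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
             "y": "yescrypt", "2b": "bcrypt"}


def parse_passwd(text):
    """Map user name -> fields for each 7-field /etc/passwd line."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        users[f[0]] = {"uid": int(f[2]), "gid": int(f[3]), "home": f[5], "shell": f[6]}
    return users


def parse_shadow(text):
    """Map user name -> password field and max-age for each 9-field /etc/shadow line."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries[f[0]] = {"hash": f[1], "max_days": int(f[4]) if f[4] else None}
    return entries


def classify_hash(field):
    """Describe a shadow password field: 'empty', 'locked', or the crypt scheme."""
    if field == "":
        return "empty"            # no password required at all
    if field.startswith(("*", "!")):
        return "locked"           # '*' never had one, a '!' prefix is an admin lock
    if field.startswith("$"):
        ident = field.split("$")[1]
        return CRYPT_IDS.get(ident, f"unknown(${ident}$)")
    return "descrypt"             # legacy 13-character DES crypt, weak by today's standards


def audit(passwd_text, shadow_text):
    """Return a list of (user, finding) tuples, in passwd order, then orphans."""
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    findings = []
    for name, u in users.items():
        if u["uid"] == 0 and name != "root":
            findings.append((name, "uid 0 account other than root"))
        s = shadow.get(name)
        if s is None:
            findings.append((name, "no /etc/shadow entry"))
            continue
        kind = classify_hash(s["hash"])
        interactive = u["shell"] not in NOLOGIN_SHELLS
        if kind == "empty":
            findings.append((name, "empty password field"))
        elif kind == "locked":
            pass                  # nothing to crack, nothing to log in with
        elif interactive:
            findings.append((name, f"interactive shell with {kind} password"))
        else:
            findings.append((name, f"non-interactive account but {kind} password set"))
    for name in sorted(shadow.keys() - users.keys()):
        findings.append((name, "shadow entry without passwd entry"))
    return findings


# Constructed sample; user names, salts and hashes are placeholders.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc-backup:x:900:900::/var/backups:/usr/sbin/nologin
alice:x:1000:1000:alice,,,:/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
toor:x:0:0::/root:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$placeholdersalt$PLACEHOLDERHASH:19269:0:99999:7:::
daemon:*:17647:0:99999:7:::
svc-backup:$6$placeholdersalt$PLACEHOLDERHASH:19269:0:99999:7:::
alice:$6$placeholdersalt$PLACEHOLDERHASH:19269:0:99999:7:::
bob::19269:0:99999:7:::
toor:$1$placeholder$PLACEHOLDERHASH:19269:0:99999:7:::
ghost:$6$placeholdersalt$PLACEHOLDERHASH:19269:0:99999:7:::
"""

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user:12} {finding}")
```

Run against the real dumps, the script would reduce the noise to the three accounts with a bash shell and a "$6$" hash (root, deployer, theoden) and confirm that every system account is locked; on a hardened host, root itself should normally be locked too, with privileged access going through sudo.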