Vulnerability Research | CTF

Ahmet Göker
5 min readSep 28, 2023

--

Hello everyone,

Welcome back to my new blog post about CTF challenges focused on vulnerability research. I hope you’ll learn how to develop the mindset needed to become a privileged user. As you know, any system can have low or high vulnerabilities, so we can’t claim that a machine, server, phone, or computer is 100% protected against vulnerabilities. In this blog, I’ll demonstrate how we can enumerate a machine, discover vulnerabilities, search for exploits, and ultimately gain privileged access. If you’re ready, let’s get started! As you always know, that I will illustrate in the practical manner.

Research and Exploit

In the realm of pentesting, it’s crucial to leverage network scanning tools such as NMAP or their counterparts capable of enumerating ports, IP addresses, and DNS information. These tools serve as invaluable assets in the initial reconnaissance phase, offering valuable insights into the target IP. When your objective revolves around identifying potential vulnerabilities and crafting exploits, this information becomes an indispensable foundation for advancing your exploit development efforts.

Port 7070 is open and running a service that seems to be related to AnyDesk, a remote desktop software. The SSL certificate used for this service is an RSA certificate with a 2048-bit key. It appears to be self-signed or issued by AnyDesk itself. The certificate is valid from March 23, 2022, to March 10, 2072.

Interesting, it also uses port 50001? But why….

The relevant port is UDP 50001, which is used to announce AnyDesk clients within a local network. On startup of AnyDesk we can see that our client sends UDP packets to 10.10.235.55 in order to announce its presence.

In order to understand this exploit and why port 50001 is important, you can check this: https://devel0pment.de/?p=1881

We have identified the issuer as “AnyDesk Client.” In the course of my independent research, I uncovered that this particular exploit was issued in the year 2020. I did not possess information about the specific version of AnyDesk at the time, but I deemed it worthwhile to attempt this exploit nonetheless. Now, I am prepared to present and demonstrate the corresponding code:

I will try out whether it works or not…

Awesome! It works…..

Local privilege escalation

In this phase, I will try to become a root user. Is it possible? We shall see….

setcap, short for "set capabilities," is a command in Linux used to assign specific capabilities to an executable binary or program. Linux capabilities provide a way to grant or restrict certain privileges to processes, offering a more fine-grained approach to security compared to the traditional root user privileges.

In Linux, the traditional security model relies on two levels of privilege: the root user (superuser) and regular users. The root user has full control and can perform any action on the system. This level of access is often considered excessive for many tasks and can pose security risks.

To address this, Linux introduced capabilities, which allow you to delegate specific privileges to individual processes without granting them full root privileges. This way, you can enhance the security of your system by reducing the attack surface.

In a system administration context, consider a scenario where the administrator intends to confer superuser-level permissions to a particular binary program, such as Python 3, but restrict this elevated access to a specific user, without resorting to granting SUID (Set User ID) or sudo permissions. Instead, the administrator opts to employ Linux capabilities for the Python 3 executable, ensuring that it can be executed with enhanced privileges solely by a designated user, in this case, “annie.” This objective can be achieved through the following commands executed on the host machine.

which python3
cp /usr/bin/python3 /home/annie/
setcap cap_setuid+ep /home/annie/python3

As a result, the user annie received the privilege to run the python3 program as root because here admin has upraised the privilege by using `cap_setuid+ep` which means all privilege is assigned to the user for that program. But if you will try to find 4000 permission files or programs then it might not be shown for /home/annie/python3.

Note: the user home directory should be not accessible for other users because if it is accessed to other non-root users then other users will also proficient to take the privilege of capabilities set for user demo.

getcap -r / 2>/dev/null
./python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
id

Awesome! We are root…

Thank you for taking the time to explore this technical blog! I hope you found it both informative and engaging. I aimed to provide practical explanations in an accessible manner. Should you have any questions or require further clarification on any topic discussed, please don’t hesitate to reach out to me via social media.

Social Media

Twitter: https://twitter.com/lockpin010_

LinkedIn: https://www.linkedin.com/in/ahmetgoker/

Ahmet | Security Researcher | Sociologist

--

--

Ahmet Göker
Ahmet Göker

Written by Ahmet Göker

Full stack Reverser | C-ASM | Security

No responses yet