We covered the boot2root challenge Athena from TryHackMe. We scanned the machine with Nmap and discovered SMB server from which we extracted a note that pointed us to a directory on the webserver where we discovered a ping tool running. We used command substitution to inject a bind shell and land the first foothold. We discovered a backup script running on a periodic basis as another user. We modified the script to execute reverse shell and opened another session as the user Athena. Upon enumeration, we found that the user Athena can load kernel modules as sudo using insmod without the need for root password. We downloaded the kernal module “venom.ko” and used Ghidra to reverse engineer the binary. We discovered that it’s a rootkit and after code analysis we were able to interact with the module to call a function that escalated privileges from Athena to Root.
Obviously we can login without a password. Enter without a password or blank you’re going to be able to log in as an anonymous user.
We see two shares public and IPC. Obviously the one very interested is the public share. And we provide the share name. We provide blank password and we successfully log in to the share.
And this is the note here administrator.
I would like to inform with that a new ping system is being developed And I left the corresponding application.
In a specific path, which can be accessed through the following address.
If you go back. and try some command injection methods like command chaining so semicolon analysts send and attempt is blocked attempt hacking so here the
looks like the character is filtered if we try with the ampersand nd send again attempt hacking so there is a filter.
What’s the solution here? The solution is to use command substitution. I explained common substitution in previous videos guys. You can get back to them specifically this video.
Bypassing SQL filters using command substitution
It was a demonstration on overthewire CTF games Natas level 16. All right, so we’re gonna use command substitution here.
As you can see what I did. I used the IP address. This is the input the application expects the IP to Ping. That’s the one because -C1 is an option. We can use in the ping command. So here we send one packet and the comment substitution starts. So the comma substitution starts with $ sign And between two parentheses, we provide in the command we would like to execute since the characters such as the Ampersand the pipe and the semicolon are blocked or filtered we need to use something different.
In bind shell we connect to the machine which means the machine now will act the role of a listener. So NC – LP four five four five the port and I want the machine to listen on and once the connection is received. I will execute /bin/bash. so we do this as you can see now the it is spinning indicating that the that is listener running now, so go to my machine, this is the machine shell.
And as you can see guys I connect with the machine using this command. This is how bind shell works so.
We notice a pattern with a backup script. So there is this backup script running on a regular interval by the user UID 1001.
So Athena is the user whose uid is 1001. So this means that the script is being run periodically by the user Athena. We navigate to the directory storing the script user share backup.
plus -la user share backup and here we see the backup script. Surprisingly the current user www-data is the owner of the script which means we can modify on the script. What’s the purpose of modifying on the script since this script is being run on a regular basis by these are Athena and since we are still owning a low privileged user www-data we would like to shift the privileges upwards meaning we want to move from www-data to Athena.
Since the script is running as Athena. It means that if we can modify the contents of the script and put A reverse shell when the script runs again. It’s going to execute the reverse shell.The user Athena can run insmod command as sudo with out the need to provide root password so we downloaded the module venom.ko to my machine for reverse engineering using Ghidra.
So this is the main page of diamorphine. As per the description it is an LKM rootkit for Linux Kernels. And here are the instructions how to install it and unlock with it as you can see here the model starts invisible. To remove it you need to make it visible.
So that’s the idea of a rootkit which is a malicious or a malware that hides itself from the processes or the modules. So even if you enumerate the processes or we try to find the current running modules, the rootkit will not show up. Okay, because it is a rootkit. And rootkits use process hollowing and process injection to hide from the eyes of investigators. So this command is very important because this command will reveal the module.