We covered the boot2root challenge Athena from TryHackMe. We scanned the machine with Nmap and discovered an SMB server, from which we extracted a note that pointed us to a directory on the web server where we found a ping tool running. We used command substitution to inject a bind shell and land the first foothold. We discovered a backup script running periodically as another user. We modified the script to execute a reverse shell and opened another session as the user Athena. Upon enumeration, we found that the user Athena can load kernel modules with sudo using insmod without needing the root password. We downloaded the kernel module “venom.ko” and used Ghidra to reverse engineer the binary. We discovered that it is a rootkit, and after code analysis we were able to interact with the module to call a function that escalated privileges from Athena to root.


Video Transcript
The first thing we do every time is the Nmap scan, as you can see here. I disabled the ping to the machine because sometimes the machine does not respond to ping requests, or there are filters that block ping. We can see we have two open ports, 22 and 80. This is the main page; it is all just readings, and if you go to About there is nothing there. The Contact page is the same. If you try directory enumeration using gobuster or dirbuster, you are not going to find anything of importance. So we head over to the SMB server, a file-sharing server using SMB, and we interact with the share using this command.
Obviously we can log in without a password. Enter a blank password and you will be able to log in as an anonymous user.
We see two shares, public and IPC. Obviously the one we are interested in is the public share. We provide the share name and a blank password, and we successfully log in to the share.
Once we log in, the prompt changes from my machine's prompt to the SMB server's prompt, because now I am logged in to the server and can interact with it. I use ls to list the files, and we can see one text file. We retrieve the text file using the command get followed by the filename, then display the contents of the file.
And this is the note here:
Administrator, I would like to inform you that a new ping system is being developed, and I left the corresponding application in a specific path, which can be accessed through the following address.
So that's what you see when you take this address and access it through the browser. This is a simple ping tool; it is an implementation of the ping command-line utility inside the application. So basically, let's go here and interact with it. I enter 127.0.0.1, and now it's performing the ping.
If you go back and try some command injection methods like command chaining, a semicolon and then send, the attempt is blocked with “attempt hacking”, so it looks like the character is filtered. If we try with the ampersand and send again: “attempt hacking”. So there is a filter
that rules out all of the prohibited characters used in command injection, or even reverse shells. If these characters are filtered, it means even reverse shells cannot be used.
What's the solution here? The solution is to use command substitution. I explained command substitution in previous videos, guys; you can go back to them, specifically this video:
Bypassing SQL filters using command substitution
It was a demonstration on the OverTheWire CTF games, Natas level 16. All right, so we're going to use command substitution here.
As you can see what I did: I used the IP address, which is the input the application expects, the IP to ping. Then -c1, which is an option we can use in the ping command, so here we send one packet. Then the command substitution starts: it starts with a $ sign, and between the two parentheses we provide the command we would like to execute. Since characters such as the ampersand, the pipe and the semicolon are blocked or filtered, we need to use something different.
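The filter described above is a denylist, and the bypass works because `$(...)` is not on the list. The added example below is not the challenge's code (the ping tool's source is not shown on the page) but a constructed reconstruction of the two approaches side by side: a denylist that blocks `;`, `&`, `|` and backticks yet lets substitution through, and the fix a defender would ship, an allow-list that only accepts something that parses as an IP address, executed through an argv list so no shell ever sees the input. The `DENYLIST` contents and the `ping -c 1` command string are assumptions about how the original tool behaves.

```python
from __future__ import annotations

import ipaddress
import subprocess

# Assumed denylist of the kind the walkthrough runs into: chaining characters
# only, nothing about $(...) command substitution.
DENYLIST = frozenset(";&|`\n")


def denylist_allows(user_input: str) -> bool:
    """True when the weak filter would pass this input on to the shell."""
    return not any(ch in DENYLIST for ch in user_input)


def vulnerable_command_line(user_input: str) -> str:
    """The shell string a naive implementation would build (shown only, never
    executed here): whatever the filter lets through is parsed by /bin/sh."""
    return f"ping -c 1 {user_input}"


def validate_target(user_input: str) -> str:
    """Allow-list validation: the input must parse as an IPv4 or IPv6 address.
    Any shell syntax, $(...) included, fails to parse and is rejected."""
    try:
        return str(ipaddress.ip_address(user_input.strip()))
    except ValueError as exc:
        raise ValueError(f"rejected target: {user_input!r}") from exc


def build_ping_argv(user_input: str, count: int = 1) -> list[str]:
    """argv list for subprocess: with no shell involved, metacharacters are
    never interpreted even if validation were somehow bypassed."""
    return ["ping", "-c", str(count), validate_target(user_input)]


def run_ping(user_input: str, timeout: float = 10.0) -> str:
    """Hardened call: argv list, shell=False (the default), bounded runtime."""
    proc = subprocess.run(build_ping_argv(user_input), capture_output=True,
                          text=True, timeout=timeout, check=False)
    return proc.stdout or proc.stderr


if __name__ == "__main__":
    # Same shape as the page's payload, with a harmless command inside $()
    crafted = "127.0.0.1 -c1 $(id)"
    print("denylist lets it through:", denylist_allows(crafted))
    print("shell string a naive tool would run:", vulnerable_command_line(crafted))
    try:
        build_ping_argv(crafted)
    except ValueError as err:
        print("allow-list verdict:", err)
    print("argv for a valid target:", build_ping_argv("127.0.0.1"))
```

Adding `$(` to the denylist would be the wrong lesson: the durable fix is the combination of strict input validation and never handing user input to a shell, which is what `build_ping_argv` and `run_ping` do.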
We use a bind shell. The bind shell is the other way around; it is the opposite of a reverse shell, where we make the machine connect back to us.
With a bind shell we connect to the machine, which means the machine now plays the role of the listener. So nc -lp 4545: 4545 is the port I want the machine to listen on, and once the connection is received it will execute /bin/bash. We do this, and as you can see it is now spinning, indicating that the listener is running. So I go to my machine; this is my machine's shell.
And as you can see guys, I connect to the machine using this command. This is how a bind shell works.
And as you can see guys, I am able to connect and land the first foothold, so I am www-data, which is the Apache web server user. I uploaded pspy64 to list the current processes and cron jobs.
We notice a pattern with a backup script: there is a backup script running at a regular interval as the user with UID 1001.
Athena is the user whose UID is 1001, so this means the script is being run periodically by the user Athena. We navigate to the directory storing the script, /usr/share/backup.
ls -la /usr/share/backup, and here we see the backup script. Surprisingly, the current user www-data is the owner of the script, which means we can modify the script. What's the purpose of modifying the script? Since this script is being run on a regular basis by the user Athena, and since we still only own a low-privileged user, www-data, we would like to shift privileges upwards, meaning we want to move from www-data to Athena.

Since the script is running as Athena, if we can modify the contents of the script and put a reverse shell in it, the next time the script runs it is going to execute the reverse shell. The user Athena can run the insmod command as sudo without needing to provide the root password, so we downloaded the module venom.ko to my machine for reverse engineering using Ghidra.
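The cron misconfiguration above (a script executed as one account but owned and therefore writable by another) is easy to audit for. The following is an added example, not part of the walkthrough or the room: it parses /etc/cron.d-style lines and reports why the scheduled script could be rewritten by someone other than root or the account the job runs as. The file name `backup.sh` and the uid/gid 33 for www-data in the sample are assumptions; the page only gives the directory /usr/share/backup and the runner UID 1001.

```python
from __future__ import annotations

import os
import pwd
import shlex
import stat
from dataclasses import dataclass
from typing import Optional


@dataclass
class CronJob:
    runner: str   # account cron runs the job as
    script: str   # first word of the command, i.e. the file cron executes


def parse_cron_d_line(line: str) -> Optional[CronJob]:
    """Parse one /etc/cron.d-style line: five time fields (or an @keyword),
    then the user, then the command. Comments and VAR=value lines give None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if "=" in line.split(None, 1)[0]:        # environment assignment, e.g. PATH=...
        return None
    if line.startswith("@"):
        parts = line.split(None, 2)          # @daily user command
        expected = 3
    else:
        parts = line.split(None, 6)          # m h dom mon dow user command
        expected = 7
    if len(parts) != expected:
        return None
    user, command = parts[-2], parts[-1]
    words = shlex.split(command)
    return CronJob(runner=user, script=words[0]) if words else None


def hijack_reasons(mode: int, owner_uid: int, owner_gid: int,
                   runner_uid: int, runner_gid: int) -> list[str]:
    """Explain why a script executed as runner_uid could be rewritten by
    another account. A root-owned file with no write bits for others is clean."""
    reasons: list[str] = []
    if owner_uid not in (0, runner_uid):
        reasons.append(f"owned by uid {owner_uid}, who is neither root nor the runner (uid {runner_uid})")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if mode & stat.S_IWGRP and owner_gid not in (0, runner_gid):
        reasons.append(f"writable by gid {owner_gid}")
    return reasons


def check_job(job: CronJob) -> list[str]:
    """Live check against the real filesystem and passwd database."""
    pw = pwd.getpwnam(job.runner)
    st = os.stat(job.script)
    return hijack_reasons(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, pw.pw_gid)


if __name__ == "__main__":
    # Constructed cron.d line modelled on the page's setup (script name assumed).
    job = parse_cron_d_line("* * * * * athena /usr/share/backup/backup.sh")
    print(job)
    # The page's situation without touching the filesystem: script owned by
    # www-data (assumed uid/gid 33), mode 0755, executed as uid 1001.
    print(hijack_reasons(0o100755, 33, 33, 1001, 1001))
```

`check_job` only inspects the script itself; for a complete audit the parent directory deserves the same treatment, since a directory writable by another account lets that account replace the file outright.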

We can see first the functions, and we have diamorphine_init. Diamorphine is a rootkit. How do we know this is a rootkit? We use Google.
So this is the main page of Diamorphine. As per the description, it is an LKM rootkit for Linux kernels. Here are the instructions on how to install it and interact with it; as you can see, the module starts invisible, and to remove it you need to make it visible first.
So that's the idea of a rootkit: a malicious program, malware, that hides itself from the process or module listings. Even if you enumerate the processes or try to find the currently running modules, the rootkit will not show up, because it is a rootkit. Rootkits use process hollowing and process injection to hide from the eyes of investigators. So this command is very important, because this command will reveal the module:
kill -63 0
Similarly, according to the code and the functions hacked_kill and give_root, we need to execute the command below to escalate privileges:
kill -75 0
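Both commands above reach the rootkit through the hooked kill syscall with a signal number outside the range ordinary software uses, which is exactly what a detection can key on. The added example below is not from the room or from Diamorphine: it runs over constructed auditd SYSCALL records (as produced by a rule such as `-a always,exit -F arch=b64 -S kill -S tkill -S tgkill -k kill_watch`) and reports kill-family syscalls whose signal number is not one of the 31 standard signals. The x86_64 syscall numbers (kill=62, tkill=200, tgkill=234), the hex encoding of audit arguments and the sample lines are assumptions I am confident in, but the log lines themselves are constructed, not captured from the machine.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# x86_64: which argument carries the signal for each kill-family syscall.
SIGNAL_ARG = {"62": "a1", "200": "a1", "234": "a2"}   # kill, tkill, tgkill
STANDARD_SIGNALS = frozenset(range(1, 32))            # SIGHUP .. SIGSYS
X86_64_ARCH = "c000003e"

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


@dataclass
class Finding:
    timestamp: str
    serial: str
    auid: str
    comm: str
    syscall: str
    signal: int
    target_pid: int


def parse_record(line: str) -> dict:
    """Split one auditd line into its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def odd_signal(record: dict) -> Optional[Finding]:
    """Return a Finding when a kill-family syscall carries a non-standard signal."""
    if record.get("type") != "SYSCALL" or record.get("arch") != X86_64_ARCH:
        return None
    arg = SIGNAL_ARG.get(record.get("syscall", ""))
    if arg is None or arg not in record:
        return None
    signal = int(record[arg], 16)          # audit prints syscall args in hex
    if signal in STANDARD_SIGNALS:
        return None
    ts = TS_RE.search(record.get("msg", ""))
    return Finding(
        timestamp=ts.group(1) if ts else "",
        serial=ts.group(2) if ts else "",
        auid=record.get("auid", "?"),
        comm=record.get("comm", "?"),
        syscall=record["syscall"],
        signal=signal,
        target_pid=int(record.get("a0", "0"), 16),
    )


def scan(lines) -> list[Finding]:
    return [f for f in (odd_signal(parse_record(line)) for line in lines) if f]


# Constructed sample: a normal SIGTERM, a PROCTITLE record, the two page commands
# (63 = 0x3f, 75 = 0x4b, both aimed at pid 0), and an unrelated write() call.
SAMPLE = [
    'type=SYSCALL msg=audit(1700000000.101:3001): arch=c000003e syscall=62 success=yes exit=0 a0=1234 a1=f a2=0 a3=0 items=0 ppid=900 pid=950 auid=1001 uid=1001 gid=1001 euid=1001 comm="bash" exe="/usr/bin/bash" key="kill_watch"',
    'type=PROCTITLE msg=audit(1700000000.101:3001): proctitle="bash"',
    'type=SYSCALL msg=audit(1700000000.202:3002): arch=c000003e syscall=62 success=yes exit=0 a0=0 a1=3f a2=0 a3=0 items=0 ppid=900 pid=951 auid=1001 uid=1001 gid=1001 euid=1001 comm="bash" exe="/usr/bin/bash" key="kill_watch"',
    'type=SYSCALL msg=audit(1700000000.303:3003): arch=c000003e syscall=62 success=yes exit=0 a0=0 a1=4b a2=0 a3=0 items=0 ppid=900 pid=952 auid=1001 uid=1001 gid=1001 euid=1001 comm="bash" exe="/usr/bin/bash" key="kill_watch"',
    'type=SYSCALL msg=audit(1700000000.404:3004): arch=c000003e syscall=1 success=yes exit=5 a0=1 a1=7f a2=5 a3=0 items=0 ppid=1 pid=2 auid=0 uid=0 gid=0 euid=0 comm="cron" exe="/usr/sbin/cron" key="write_watch"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.timestamp} serial={f.serial} auid={f.auid} comm={f.comm} "
              f"syscall={f.syscall} signal={f.signal} target_pid={f.target_pid}")
```

Expect some baseline noise: glibc uses real-time signals 32 and 33 internally via tgkill, so in production either exclude those two or, as in the page's own commands, give extra weight to signals sent to pid 0. Audit records are taken in the syscall entry path before the syscall table is consulted, so a table hook on its own does not suppress them, although a rootkit that also tampers with the audit subsystem would.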
Room Answers
What is the user flag?
What is the root flag?

Video Walkthrough

About the Author

Cybersecurity Trainer. MS in Cybersecurity. Expertise in the Healthcare and Finance Industries. Penetration tester and compliance auditor.
