Suspicious Threat Challenge
hackthebox
Task: a Linux server with a userland rootkit loaded via LD_PRELOAD that hides files and directories. Solution: analyse the malicious library (libc.hook.so.6), identify the hooked readdir/readdir64 functions, and bypass them with a direct getdents64 syscall to find the hidden directory containing the flag.
Suspicious Threat Challenge - HackTheBox
Description
Our SSH server is showing strange library linking errors, and critical folders seem to be missing despite their confirmed existence. Investigate the anomalies in the library loading process and filesystem. Look for hidden manipulations that could indicate a userland rootkit.
Credentials provided: root:hackthebox on 94.237.120.137:42400
Analysis
Step 1: Initial Reconnaissance
Connected to the SSH server and checked for rootkit indicators. The first thing to check when investigating potential userland rootkits is /etc/ld.so.preload:
cat /etc/ld.so.preload
Found suspicious entry:
/lib/x86_64-linux-gnu/libc.hook.so.6
This entry forces the dynamic linker to load the listed shared library into every dynamically linked process before any other library, so its exported symbols take precedence over libc's and effectively hook the functions of the same name.
Step 2: Rootkit Library Analysis
Downloaded and analyzed the malicious library libc.hook.so.6:
scp -P 42400 root@94.237.120.137:/lib/x86_64-linux-gnu/libc.hook.so.6 .
file libc.hook.so.6
Output:
libc.hook.so.6: ELF 64-bit LSB shared object, x86-64
Source file was hider.c (found via strings analysis).
Strings analysis:
strings libc.hook.so.6
Revealed:
readdir
pr3l04d_
ld.so.preload
readdir64
fopen
Symbol analysis:
nm -D libc.hook.so.6
Showed hooked functions:
readdir   (T at 0x1139)
readdir64 (T at 0x11e0)
fopen     (T at 0x1287)
Rootkit Behavior
The rootkit hides any files/directories containing:
pr3l04d_ - hidden prefix pattern for malicious files
ld.so.preload - hides itself from detection
By hooking readdir and readdir64, standard tools like ls, find, and even tree cannot see hidden files.
Solution
Step 3: Bypassing the Rootkit
Since the rootkit hooks userland libc functions, we need to bypass them by using direct syscalls to the kernel. The getdents64 syscall (syscall 217 on x86_64) reads directory entries directly without going through libc.
Created a Python script using ctypes to invoke the syscall directly:
...
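The script itself is cut off in the writeup above. The following is an added example, not the author's script, showing the same technique: it invokes getdents64 through libc's generic syscall() wrapper, parses the raw linux_dirent64 records itself, and diffs the result against os.listdir(), which goes through the hooked readdir()/readdir64(). On a clean host the difference is empty; with the preload hook active, the entries the rootkit suppresses (such as the pr3l04d_ directory) show up. Syscall number 217 is the x86_64 value from the writeup; the aarch64 value (61) is added here as an assumption from the generic syscall table.

```python
#!/usr/bin/env python3
"""Added example: list a directory with the raw getdents64 syscall and compare
it with os.listdir(), which relies on libc's readdir()/readdir64()."""
import ctypes
import os
import platform
import struct
import sys

# getdents64 syscall numbers: 217 on x86_64 (stated in the writeup),
# 61 on aarch64 (assumption taken from the generic syscall table).
SYSCALL_NUMBERS = {"x86_64": 217, "aarch64": 61}
if sys.platform != "linux" or platform.machine() not in SYSCALL_NUMBERS:
    sys.exit("this example needs Linux on x86_64 or aarch64")
SYSCALL_GETDENTS64 = SYSCALL_NUMBERS[platform.machine()]

# Handle to the running process; dlsym resolves libc's syscall() wrapper,
# which the analysed library does not export, so it is not hooked.
_libc = ctypes.CDLL(None, use_errno=True)
_libc.syscall.restype = ctypes.c_long

# Fixed header of struct linux_dirent64:
#   u64 d_ino, s64 d_off, u16 d_reclen, u8 d_type, then a NUL-terminated d_name
_DIRENT64_HDR = struct.Struct("<QqHB")


def raw_listdir(path):
    """Return the sorted entry names of `path` as reported by the kernel,
    bypassing readdir()/readdir64() entirely."""
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    buf = ctypes.create_string_buffer(64 * 1024)
    names = []
    try:
        while True:
            n = _libc.syscall(ctypes.c_long(SYSCALL_GETDENTS64),
                              ctypes.c_int(fd), buf,
                              ctypes.c_size_t(ctypes.sizeof(buf)))
            if n < 0:
                err = ctypes.get_errno()
                raise OSError(err, os.strerror(err), path)
            if n == 0:          # end of directory
                break
            raw = buf.raw[:n]
            off = 0
            while off < n:
                _ino, _off, reclen, _type = _DIRENT64_HDR.unpack_from(raw, off)
                start = off + _DIRENT64_HDR.size
                name = raw[start:raw.index(b"\0", start)]
                name = name.decode("utf-8", "surrogateescape")
                if name not in (".", ".."):
                    names.append(name)
                off += reclen   # records are variable length; d_reclen is authoritative
    finally:
        os.close(fd)
    return sorted(names)


def hidden_entries(path):
    """Names the kernel reports but libc's readdir() does not.
    Empty on a clean host; non-empty when a readdir hook is filtering."""
    return sorted(set(raw_listdir(path)) - set(os.listdir(path)))


if __name__ == "__main__":
    for target in sys.argv[1:] or ["/"]:
        missing = hidden_entries(target)
        print(f"{target}: {len(missing)} entry(ies) hidden from readdir()")
        for name in missing:
            print("   ", os.path.join(target, name))
```

Run it against the directories where the strange behaviour was observed (e.g. `python3 check.py / /root /etc`). The check relies on the fact that, per the nm output above, the preloaded library only exports readdir, readdir64 and fopen; a rootkit that also hooked libc's syscall() wrapper would defeat it, in which case a statically linked binary or inline assembly for the syscall instruction is needed instead.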