Cyberpsychosis
HackTheBox
The challenge provides a ZIP archive (password: `hackthebox`) with `diamorphine.ko` (Linux kernel module) and `LICENSE.txt`, as well as a remote QEMU VM instance via netcat.
Description
Malicious actors have infiltrated our systems and we believe they've implanted a custom rootkit. Can you disarm the rootkit and find the hidden data?
Analysis
File Identification
```
$ file diamorphine.ko
diamorphine.ko: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), BuildID[sha1]=..., not stripped
```
The file is a Linux kernel module built for kernel 5.15.0-82-generic. It is a modified version of the open-source rootkit Diamorphine (by m0nad). The build path recorded in the module shows it was compiled from /dev/shm/diamorphine.c, i.e. from tmpfs, so the source never touched persistent storage (anti-forensics).
Hooked System Calls
| Syscall | Number | Hook |
|---|---|---|
| sys_kill | 62 | hacked_kill |
| sys_getdents | 78 | hacked_getdents |
| sys_getdents64 | 217 | hacked_getdents64 |
Magic Signals (Backdoor)
| Signal | Action |
|---|---|
| 31 | Toggle process invisibility (PF_INVISIBLE bit 28) |
| 46 | Toggle module visibility in lsmod (changed from 63) |
| 64 | Grant root (zeroing uid/gid via prepare_creds/commit_creds) |
File Hiding Mechanism — "psychosis" Prefix
```asm
movabs r9, 0x69736f6863797370    ; "psychosi" (little-endian)
cmp    qword ptr [rbx + 0x12], r9 ; d_name[0:8] == "psychosi"?
jne    skip
cmp    byte ptr [rdi + 0x8], 0x73 ; d_name[8] == 's'?
jne    skip
```
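To make the check concrete from the analyst's side, here is an added example (not from the writeup or the Diamorphine project) that decodes the r9 immediate, walks a raw getdents buffer in the legacy `linux_dirent` layout (d_name at offset 0x12, the offset the hook reads), and reports which entries the hook would drop; the sample directory listing is constructed, and the function names are my own.

```python
import struct

# Immediate loaded into r9 by the hook, taken from the disassembly above.
PSYCHOSI_IMM = 0x69736f6863797370
# Legacy struct linux_dirent (sys_getdents, nr 78): d_ino, d_off (u64 on x86-64),
# d_reclen (u16), then d_name at offset 0x12, matching [rbx + 0x12] in the hook.
HDR = struct.Struct("<QQH")
D_NAME_OFF = HDR.size  # 0x12


def decode_imm(imm: int, width: int = 8) -> str:
    """Decode a little-endian integer immediate as the ASCII string it encodes."""
    return imm.to_bytes(width, "little").decode("ascii")


def rootkit_hides(name: bytes) -> bool:
    """Replicate the hook's two-step test: 8-byte compare, then the 9th byte == 's'."""
    first8 = name[:8].ljust(8, b"\0")
    return struct.unpack("<Q", first8)[0] == PSYCHOSI_IMM and name[8:9] == b"s"


def build_dirent(ino: int, off: int, name: bytes) -> bytes:
    """Pack one constructed linux_dirent record (d_reclen rounded up to 8 like the kernel)."""
    reclen = (D_NAME_OFF + len(name) + 1 + 7) & ~7
    return HDR.pack(ino, off, reclen) + name + b"\0" * (reclen - D_NAME_OFF - len(name))


def parse_getdents(buf: bytes) -> list:
    """Walk a raw getdents buffer; return (name, hidden_by_rootkit) for each record."""
    out, pos = [], 0
    while pos + D_NAME_OFF <= len(buf):
        _ino, _off, reclen = HDR.unpack_from(buf, pos)
        if reclen < D_NAME_OFF or pos + reclen > len(buf):
            raise ValueError(f"corrupt d_reclen {reclen} at offset {pos}")
        name = buf[pos + D_NAME_OFF : pos + reclen].split(b"\0", 1)[0]
        out.append((name.decode("utf-8", "replace"), rootkit_hides(name)))
        pos += reclen
    return out


# Constructed sample: what an unhooked getdents() would return for a directory.
SAMPLE = b"".join(
    build_dirent(i, i, n)
    for i, n in enumerate(
        [b".", b"..", b"notes.txt", b"psychosis_flag", b"psychosi", b"Psychosis.log"], 1)
)

if __name__ == "__main__":
    print("r9 immediate decodes to:", decode_imm(PSYCHOSI_IMM))
    for name, hidden in parse_getdents(SAMPLE):
        print(f"{'HIDDEN' if hidden else 'shown '} {name}")
```

Note that the hook matches exactly nine bytes, so `psychosi` (8 chars) and `Psychosis.log` (different case) stay visible while any name starting with `psychosis` disappears.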
Differences from Standard Diamorphine
...