Cyberpsychosis — HackTheBox

Description

Malicious actors have infiltrated our systems and we believe they've implanted a custom rootkit. Can you disarm the rootkit and find the hidden data?

The challenge provides a ZIP archive (password: hackthebox) with diamorphine.ko (Linux kernel module) and LICENSE.txt, as well as a remote QEMU VM instance via netcat.

Analysis

File Identification

$ file diamorphine.ko
diamorphine.ko: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), BuildID[sha1]=..., not stripped

The module was built for kernel 5.15.0-82-generic. It is a modified version of the open-source Diamorphine rootkit (by m0nad), compiled from /dev/shm/diamorphine.c, i.e. from tmpfs, so the source never touched persistent storage (anti-forensics).

Hooked System Calls

| Syscall        | Number | Hook                |
|----------------|--------|---------------------|
| sys_kill       | 62     | hacked_kill         |
| sys_getdents   | 78     | hacked_getdents     |
| sys_getdents64 | 217    | hacked_getdents64   |

Magic Signals (Backdoor)

| Signal | Action                                                    |
|--------|-----------------------------------------------------------|
| 31     | Toggle process invisibility (PF_INVISIBLE, bit 28)        |
| 46     | Toggle module visibility in lsmod (changed from 63)       |
| 64     | Grant root (zeroing uid/gid via prepare_creds/commit_creds) |

File Hiding Mechanism — "psychosis" Prefix

movabs r9, 0x69736f6863797370        ; "psychosi" (little-endian)
cmp    qword ptr [rbx + 0x12], r9    ; d_name[0:8] == "psychosi"?
jne    skip
cmp    byte ptr [rdi + 0x8], 0x73    ; d_name[8] == 's'?
jne    skip
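To make the two compares above concrete, here is an added Python example (not part of the original writeup and not code from the Diamorphine project) that rebuilds the magic prefix from the 64-bit immediate and applies the same 8-byte-plus-1-byte predicate to a constructed directory listing. The function names and the sample entry names are my own; the constants are the ones read from the disassembly.

```python
import struct

# Immediate loaded into r9 by the hook (value taken from the writeup's disassembly)
MAGIC_QWORD = 0x69736F6863797370
# Byte compared against d_name[8] in the same hook
MAGIC_TAIL = 0x73


def decode_prefix(qword: int, tail: int) -> str:
    """Rebuild the 9-byte prefix the two compares implement.

    The qword is laid out little-endian in memory, which is how the
    `cmp qword ptr [rbx + 0x12], r9` sees d_name[0:8].
    """
    first8 = struct.pack("<Q", qword)
    return (first8 + bytes([tail])).decode("ascii")


def is_hidden(d_name: bytes, qword: int = MAGIC_QWORD, tail: int = MAGIC_TAIL) -> bool:
    """Mirror the hook: first 8 bytes must equal the immediate, 9th byte the tail.

    Names shorter than 9 bytes cannot satisfy both compares (the kernel would
    be comparing against the NUL terminator and padding), so they stay visible.
    """
    if len(d_name) < 9:
        return False
    head = struct.unpack("<Q", d_name[:8])[0]
    return head == qword and d_name[8] == tail


def filter_listing(names):
    """Partition a listing the way a hooked getdents would: (visible, hidden)."""
    visible = [n for n in names if not is_hidden(n.encode())]
    hidden = [n for n in names if is_hidden(n.encode())]
    return visible, hidden


if __name__ == "__main__":
    # Constructed sample listing, not taken from the challenge VM
    sample = ["flag.txt", "psychosis", "notes", "psychosisX", "Psychosis", "psychosi"]
    print("magic prefix:", decode_prefix(MAGIC_QWORD, MAGIC_TAIL))
    shown, hidden = filter_listing(sample)
    print("visible:", shown)
    print("hidden: ", hidden)
```

The check is case-sensitive and exact on the first nine bytes, so "Psychosis" and the eight-byte name "psychosi" both remain visible; only entries that start with the full lowercase "psychosis" are dropped from the listing.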

Differences from Standard Diamorphine

| Parameter               | Original | Modified          |
|-------------------------|----------|-------------------|
| File hiding prefix      | __       | psychosis         |
| Module hiding signal    | 63       | 46                |
| Auto-hide on load       | No       | Yes               |
| sect_attrs destruction  | No       | Yes               |
| Source path             | normal   | /dev/shm/ (tmpfs) |

Solution

# Connect to VM via netcat, wait ~150 sec for boot

# 1. Get root via rootkit backdoor (signal 64)
kill -64 $$

# 2. Make module visible in lsmod (signal 46)
kill -46 $$

# 3. Unload rootkit from kernel
rmmod diamorphine

# 4. Find hidden directory
find / -name "psychosis*" 2>/dev/null
# /opt/psychosis

cat /opt/psychosis/flag.txt
# HTB{N0w_Y0u_C4n_S33_m3_4nd_th3_r00tk1t_h4s_b33n_sUcc3ssfully_d3f34t3d!!}

The directory /opt/psychosis/ was hidden by the rootkit because its name starts with the magic prefix "psychosis". Once the module was unloaded, the getdents hooks were gone and the directory became visible.
