Cyberpsychosis — HackTheBox
Description
Malicious actors have infiltrated our systems and we believe they've implanted a custom rootkit. Can you disarm the rootkit and find the hidden data?
The challenge provides a ZIP archive (password: `hackthebox`) with `diamorphine.ko` (Linux kernel module) and `LICENSE.txt`, as well as a remote QEMU VM instance reachable via netcat.
Analysis
File Identification
```
$ file diamorphine.ko
diamorphine.ko: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), BuildID[sha1]=..., not stripped
```
The module was built for kernel 5.15.0-82-generic (vermagic) and is a modified build of the open-source rootkit Diamorphine (m0nad). Because the object is not stripped, its debug information still records the source file as /dev/shm/diamorphine.c: the attacker compiled from tmpfs so the source disappears at reboot (anti-forensics).
Hooked System Calls
| Syscall | Number (x86-64) | Hook |
|---|---|---|
| sys_kill | 62 | hacked_kill |
| sys_getdents | 78 | hacked_getdents |
| sys_getdents64 | 217 | hacked_getdents64 |
Magic Signals (Backdoor)
| Signal | Action |
|---|---|
| 31 | Toggle process invisibility: XOR PF_INVISIBLE (0x10000000, bit 28) into the target pid's task->flags, so the getdents hooks drop its /proc entry |
| 46 | Toggle module visibility in lsmod (changed from 63) |
| 64 | Grant root (zeroing uid/gid via prepare_creds/commit_creds) |
File Hiding Mechanism — "psychosis" Prefix
```
movabs r9, 0x69736f6863797370   ; "psychosi" (little-endian)
cmp    qword ptr [rbx + 0x12], r9 ; d_name[0:8] == "psychosi"?
jne    skip
cmp    byte ptr [rdi + 0x8], 0x73 ; d_name[8] == 's'?
jne    skip
```
This is the compiler's inlined form of `memcmp(d_name, "psychosis", 9) == 0`: an 8-byte compare followed by a 1-byte compare. The 0x12 displacement is the offset of `d_name` in `struct linux_dirent` (8-byte `d_ino`, 8-byte `d_off`, 2-byte `d_reclen`), so this is the getdents hook; in `struct linux_dirent64` the extra `d_type` byte puts `d_name` at 0x13. Any entry whose name matches is spliced out of the buffer before it is returned to userspace, which hides it from `ls`, `find` and anything else that walks directories.
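To make the hook concrete, here is an added example that is not part of the writeup or of Diamorphine's source: a userspace model of the getdents64 filter. The two struct layouts are the kernel's (so the d_name offsets 0x12/0x13 can be checked directly), the prefix test and record splicing mirror what hacked_getdents64 does, and the directory listing it operates on is constructed inline as sample data.

```c
/*
 * Added example: userspace model of the rootkit's getdents64 hook.
 * Not the writeup's code and not Diamorphine's source. The struct layouts
 * are the kernel's; the prefix test and the splice mirror the hook; the
 * "/opt" listing below is constructed sample data.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Record returned by getdents64; d_name starts at byte 19 (0x13). */
struct linux_dirent64 {
    uint64_t d_ino;
    int64_t  d_off;
    uint16_t d_reclen;
    uint8_t  d_type;
    char     d_name[];
};

/* Legacy getdents record; on x86-64 d_name starts at byte 18 (0x12),
 * the displacement seen in `cmp qword ptr [rbx + 0x12], r9`. */
struct linux_dirent {
    unsigned long  d_ino;
    unsigned long  d_off;
    unsigned short d_reclen;
    char           d_name[];
};

#define MAGIC_PREFIX "psychosis"

size_t dirent64_name_offset(void) { return offsetof(struct linux_dirent64, d_name); }
size_t dirent_name_offset(void)   { return offsetof(struct linux_dirent, d_name); }

/* The inlined check from the disassembly: 8-byte "psychosi" + 1-byte 's'. */
static int has_magic_prefix(const char *name)
{
    return strncmp(name, MAGIC_PREFIX, strlen(MAGIC_PREFIX)) == 0;
}

/* Called after the real getdents64 filled buf with ret bytes: drop every
 * record whose name carries the prefix and return the new length.
 * (Diamorphine extends the previous record's d_reclen instead of moving
 * bytes when the victim is not first; the visible effect is identical.) */
long filter_dirents64(char *buf, long ret)
{
    long off = 0;
    while (off < ret) {
        struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + off);
        unsigned short reclen = d->d_reclen;
        if (has_magic_prefix(d->d_name)) {
            memmove(buf + off, buf + off + reclen, (size_t)(ret - off - reclen));
            ret -= reclen;
            continue;                  /* a new record now sits at off */
        }
        off += reclen;
    }
    return ret;
}

/* Append one record as the kernel would: header + name + NUL, 8-aligned. */
static long add_entry(char *buf, long off, uint64_t ino, const char *name)
{
    struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + off);
    size_t namelen = strlen(name) + 1;
    unsigned short reclen = (unsigned short)
        ((offsetof(struct linux_dirent64, d_name) + namelen + 7) & ~(size_t)7);
    memset(d, 0, reclen);
    d->d_ino = ino;
    d->d_reclen = reclen;
    d->d_type = 4;                     /* DT_DIR */
    d->d_off = off + reclen;
    memcpy(d->d_name, name, namelen);
    return off + reclen;
}

/* Constructed /opt listing (sample data, not taken from the challenge VM). */
static long build_sample(char *buf)
{
    long len = 0;
    len = add_entry(buf, len, 1, ".");
    len = add_entry(buf, len, 2, "..");
    len = add_entry(buf, len, 3, "psychosis");         /* the hidden dir */
    len = add_entry(buf, len, 4, "containerd");
    len = add_entry(buf, len, 5, "psychosis_backup");  /* also matches */
    return len;
}

/* How many records a caller of getdents64 sees under the hook. */
int visible_entries_after_filter(void)
{
    _Alignas(8) char buf[512];
    long len = filter_dirents64(buf, build_sample(buf));
    int n = 0;
    for (long off = 0; off < len; n++)
        off += ((struct linux_dirent64 *)(buf + off))->d_reclen;
    return n;
}

/* 1 if "psychosis" survives the hook, 0 if it is hidden. */
int psychosis_listed_after_filter(void)
{
    _Alignas(8) char buf[512];
    long len = filter_dirents64(buf, build_sample(buf));
    for (long off = 0; off < len; ) {
        struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + off);
        if (strcmp(d->d_name, "psychosis") == 0)
            return 1;
        off += d->d_reclen;
    }
    return 0;
}
```

Of the five constructed records, the two that start with the prefix are removed and three survive; note that the filter is a pure prefix match, so any name beginning with `psychosis` (not just the flag directory) disappears from listings while the module is loaded.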
Differences from Standard Diamorphine
| Parameter | Upstream Diamorphine | This sample |
|---|---|---|
| File hiding prefix | diamorphine_secret | psychosis |
| Module hiding signal | 63 | 46 |
| Auto-hide on load | Yes (module_hide() in init) | Yes |
| sect_attrs destruction | Yes (tidy() in init) | Yes |
| Source path | repository checkout | /dev/shm/ (tmpfs) |

Upstream Diamorphine already calls `module_hide()` and `tidy()` (which `kfree()`s and nulls `THIS_MODULE->sect_attrs`) from its init function, so hiding on load is inherited behaviour rather than a modification. The actual changes are the magic prefix, the module-visibility signal number, and the fact that it was built out of tmpfs.
Solution
```bash
# Connect to the VM via netcat and wait ~150 s for it to boot.

# 1. Get root via the rootkit backdoor (signal 64). The hooked kill acts on
#    the calling process, so the pid argument does not matter.
kill -64 $$

# 2. Make the module visible in lsmod again (signal 46). module_hide() removed
#    it from the module list, and rmmod cannot unload a module it cannot find.
kill -46 $$

# 3. Unload the rootkit, restoring the original syscall table entries.
rmmod diamorphine

# 4. Locate the directory the module was hiding.
find / -name "psychosis*" 2>/dev/null
# /opt/psychosis
cat /opt/psychosis/flag.txt
# HTB{N0w_Y0u_C4n_S33_m3_4nd_th3_r00tk1t_h4s_b33n_sUcc3ssfully_d3f34t3d!!}
```
The directory /opt/psychosis/ was hidden because its name starts with the magic prefix "psychosis". `find` and `ls` both enumerate directories through getdents64, so the entry only shows up once the module is unloaded; a direct `stat /opt/psychosis` would have succeeded even with the rootkit loaded, since path lookup does not go through the hooked syscalls.
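That asymmetry is also a usable detection check. The following is an added example, not the writeup's or Diamorphine's code: it compares what `readdir()` (built on getdents64) reports against what `stat()` resolves, and flags an entry that exists by path but is absent from the listing. The demo directory under /tmp and the probe name are hypothetical, constructed for the example.

```c
/*
 * Added example, not from the writeup: consistency check for a
 * getdents/getdents64 hook. readdir() is implemented on getdents64, so a
 * hooked table hides the name from listings, while stat() resolves the path
 * through lookup code the rootkit does not touch and still succeeds.
 * Disagreement between the two is the tell.
 */
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*  1: exists by path but missing from the listing (hidden)
 *  0: listed normally
 * -1: no such entry, or the directory cannot be opened */
int hidden_from_listing(const char *dir, const char *name)
{
    char path[4096];
    struct stat st;
    snprintf(path, sizeof path, "%s/%s", dir, name);
    if (stat(path, &st) != 0)
        return -1;                      /* not there by path either */
    DIR *d = opendir(dir);
    if (!d)
        return -1;
    int listed = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, name) == 0) {
            listed = 1;
            break;
        }
    }
    closedir(d);
    return listed ? 0 : 1;
}

/* Self-contained demonstration on a throwaway directory (hypothetical path
 * under /tmp). On an unhooked kernel the probe is both stat()-able and
 * listed, so the result is 0. On the challenge VM the same probe, which
 * deliberately carries the magic prefix, would come back 1 until rmmod,
 * as would hidden_from_listing("/opt", "psychosis"). */
int demo_on_tempdir(void)
{
    char dir[64], path[128];
    snprintf(dir, sizeof dir, "/tmp/getdents_check_%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0)
        return -1;
    snprintf(path, sizeof path, "%s/psychosis_probe", dir);
    int fd = open(path, O_CREAT | O_WRONLY, 0600);
    if (fd < 0) {
        rmdir(dir);
        return -1;
    }
    close(fd);
    int r = hidden_from_listing(dir, "psychosis_probe");
    unlink(path);
    rmdir(dir);
    return r;
}
```

The check only catches rootkits that filter directory enumeration, which is what Diamorphine does; one that also hooks `stat`/`newfstatat` or the VFS lookup path would pass it, so in a real investigation pair it with an out-of-band view (comparing the running syscall table against System.map, or inspecting the disk image offline).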