
Cyberpsychosis

HackTheBox

The challenge provides a ZIP archive (password: `hackthebox`) with `diamorphine.ko` (Linux kernel module) and `LICENSE.txt`, as well as a remote QEMU VM instance via netcat.

Tags: lkm_rootkit_analysis, syscall_hook_identification, rootkit_backdoor_exploitation, kernel_module_disassembly, file_hiding_bypass



Description

Malicious actors have infiltrated our systems and we believe they've implanted a custom rootkit. Can you disarm the rootkit and find the hidden data?


Analysis

File Identification

```
$ file diamorphine.ko
diamorphine.ko: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), BuildID[sha1]=..., not stripped
```

Linux kernel module built for kernel 5.15.0-82-generic. It is a modified build of m0nad's open-source Diamorphine rootkit, compiled from /dev/shm/diamorphine.c (a tmpfs path, so the source lived only in memory: an anti-forensics touch).

Hooked System Calls

| Syscall | Number | Hook |
|---|---|---|
| sys_kill | 62 | hacked_kill |
| sys_getdents | 78 | hacked_getdents |
| sys_getdents64 | 217 | hacked_getdents64 |
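The three hooks above are visible as sys_call_table entries that no longer point at the kernel's own `__x64_sys_*` symbols. The following is an added example, not code from the writeup, that performs that comparison offline: it takes a kallsyms listing and a table dump and flags every entry that is redirected. Both inputs are constructed stand-ins with invented addresses; on a real case the kallsyms copy would come from a known-good kernel build and the table from a memory image. Syscall numbers follow the x86-64 ABI (kill=62, getdents=78, getdents64=217) as in the table.

```python
"""Offline sys_call_table integrity check (added example; inputs are constructed)."""
import bisect
from dataclasses import dataclass

# Only the numbers needed for this example; extend from the x86-64 syscall table.
X86_64_SYSCALLS = {0: "read", 1: "write", 62: "kill", 78: "getdents", 217: "getdents64"}

# Constructed kallsyms excerpt (addresses invented, layout as in /proc/kallsyms).
KALLSYMS_SAMPLE = """\
ffffffff81000000 T _text
ffffffff810a1230 T __x64_sys_read
ffffffff810a1560 T __x64_sys_write
ffffffff810c4a00 T __x64_sys_kill
ffffffff812d0100 T __x64_sys_getdents
ffffffff812d0340 T __x64_sys_getdents64
ffffffff82000000 T _etext
"""

# Constructed table dump: three entries redirected into the module mapping area
# (0xffffffffc0000000 and up on x86-64). A module that unlinks itself from the
# module list also vanishes from kallsyms, so no symbol covers these addresses.
TABLE_SAMPLE = {
    0: 0xffffffff810a1230,
    1: 0xffffffff810a1560,
    62: 0xffffffffc0a3e000,
    78: 0xffffffffc0a3e200,
    217: 0xffffffffc0a3e400,
}


@dataclass(frozen=True)
class Finding:
    nr: int
    syscall: str
    address: int
    nearest: str
    reason: str


def parse_kallsyms(text):
    """Return sorted (address, name) pairs; a trailing [module] tag, if any, is ignored."""
    syms = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            syms.append((int(parts[0], 16), parts[2]))
    return sorted(syms)


def nearest_symbol(syms, addr):
    """Closest symbol at or below addr, in the symbol+offset form analysts expect."""
    addrs = [a for a, _ in syms]
    i = bisect.bisect_right(addrs, addr) - 1
    if i < 0:
        return "<no symbol>"
    base, name = syms[i]
    return name if base == addr else f"{name}+0x{addr - base:x}"


def check_syscall_table(syms, table):
    """Flag table entries that differ from the kernel's own __x64_sys_<name> address."""
    by_name = {name: addr for addr, name in syms}
    text_lo, text_hi = by_name["_text"], by_name["_etext"]
    findings = []
    for nr, addr in sorted(table.items()):
        name = X86_64_SYSCALLS.get(nr, f"nr{nr}")
        expected = by_name.get(f"__x64_sys_{name}")
        if addr == expected:
            continue
        if not text_lo <= addr < text_hi:
            reason = "points outside kernel .text (module region?)"
        elif expected is None:
            reason = "no __x64_sys_ symbol to compare against"
        else:
            reason = f"does not match __x64_sys_{name} at 0x{expected:x}"
        findings.append(Finding(nr, name, addr, nearest_symbol(syms, addr), reason))
    return findings


if __name__ == "__main__":
    for f in check_syscall_table(parse_kallsyms(KALLSYMS_SAMPLE), TABLE_SAMPLE):
        print(f"syscall {f.nr:>3} ({f.syscall}): 0x{f.address:x} -> {f.nearest}: {f.reason}")
```

The "outside kernel .text" verdict is the strong signal here: a legitimate entry always resolves into the kernel image, while a hook lives in the module area even when the module has hidden itself from lsmod and kallsyms. The second branch catches the subtler case of an entry that still lands in kernel text but at the wrong function.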

Magic Signals (Backdoor)

| Signal | Action |
|---|---|
| 31 | Toggle process invisibility (PF_INVISIBLE bit 28) |
| 46 | Toggle module visibility in lsmod (changed from 63) |
| 64 | Grant root (zeroing uid/gid via prepare_creds/commit_creds) |

File Hiding Mechanism — "psychosis" Prefix

```asm
movabs r9, 0x69736f6863797370      ; "psychosi" (little-endian)
cmp    qword ptr [rbx + 0x12], r9  ; d_name[0:8] == "psychosi"?
jne    skip
cmp    byte ptr [rdi + 0x8], 0x73  ; d_name[8] == 's'?
jne    skip
```
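The two compares above are a nine-byte prefix test on `d_name` (offset 0x12 is where `d_name` starts in `struct linux_dirent`, the record type the old getdents syscall returns). The following added example, not code from the writeup or from Diamorphine, models that test in user space so an analyst can predict which names a listing will silently omit: it packs a constructed directory listing into raw `linux_dirent` records, applies the same check the disassembly shows, and diffs the full listing against what survives. The names and inode numbers are constructed, and the filter is a model of the hook's behaviour described on this page, not the kernel code itself.

```python
"""Model of the getdents hook's prefix filter over a raw linux_dirent buffer (added example)."""
import struct

# struct linux_dirent: d_ino (u64), d_off (u64), d_reclen (u16), d_name[] (NUL-terminated),
# with d_type stored in the last byte of the record.
HEADER = struct.Struct("<QQH")
D_NAME_OFFSET = HEADER.size  # 18 == 0x12, the offset the hook reads via [rbx + 0x12]
HIDE_PREFIX = b"psychosis"


def build_dirent_buffer(names, d_type=8):
    """Pack constructed names into consecutive 8-byte-aligned linux_dirent records."""
    out = bytearray()
    for i, name in enumerate(names, start=1):
        raw = name.encode()
        reclen = (D_NAME_OFFSET + len(raw) + 2 + 7) & ~7  # name + NUL + d_type, padded
        rec = bytearray(reclen)
        HEADER.pack_into(rec, 0, 100 + i, len(out) + reclen, reclen)  # invented inode numbers
        rec[D_NAME_OFFSET:D_NAME_OFFSET + len(raw)] = raw
        rec[reclen - 1] = d_type
        out += rec
    return bytes(out)


def iter_dirents(buf):
    """Yield (offset, reclen, name) for each record, walking by d_reclen like the kernel does."""
    off = 0
    while off < len(buf):
        _ino, _doff, reclen = HEADER.unpack_from(buf, off)
        name_end = buf.index(b"\0", off + D_NAME_OFFSET)
        yield off, reclen, buf[off + D_NAME_OFFSET:name_end]
        off += reclen


def hook_hides(name):
    """The disassembly's test: first 8 bytes equal "psychosi", ninth byte equals 's'.
    A name that is exactly "psychosi" has a NUL as its ninth byte and is NOT hidden."""
    return name[:8] == HIDE_PREFIX[:8] and name[8:9] == HIDE_PREFIX[8:9]


def filter_like_hook(buf):
    """Drop matching records and pack the survivors down, shrinking the returned length."""
    out = bytearray()
    for off, reclen, name in iter_dirents(buf):
        if not hook_hides(name):
            out += buf[off:off + reclen]
    return bytes(out)


def names_in(buf):
    return [name.decode() for _, _, name in iter_dirents(buf)]


def hidden_names(full_buf, seen_buf):
    """Names present in an unfiltered enumeration but missing from the hooked one."""
    return sorted(set(names_in(full_buf)) - set(names_in(seen_buf)))


# Constructed listing: two names satisfy the nine-byte test, "psychosi" and "psych" do not.
SAMPLE_NAMES = ["notes.txt", "psychosis_loot", "psychosis", "psychosi", "psych", ".bashrc"]

if __name__ == "__main__":
    full = build_dirent_buffer(SAMPLE_NAMES)
    seen = filter_like_hook(full)
    print("listing as the hook returns it:", names_in(seen))
    print("hidden by the prefix test:", hidden_names(full, seen))
```

`hidden_names` is the shape of the practical check on a live system: compare an enumeration that does not pass through the hooked syscall (an offline image, or a name you already know and `stat` directly) with what the hooked `getdents` returns, and the difference is the rootkit's hidden set.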

Differences from Standard Diamorphine

...
