reversePromedium

Kernel Monarch

hackthebox

Task: reverse a Linux kernel rootkit (malware.ko) that uses ftrace to hook syscalls and filter /dev/kmsg output. Solution: identify dentry-based filename check in hook_read, bypass by creating alternate device node with mknod to read unfiltered kernel logs revealing the flag.

$ ls tags/ techniques/

linux x86_64 rootkit lkm kernel_module syscall_hooking bypass ftrace dmesg_filtering device_node mknod

syscall_hook_identificationftrace_hook_analysisdentry_name_bypassalternate_device_node_creationkernel_module_symbol_analysisrodata_string_extraction

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[reverse][free]Cyberpsychosis— HackTheBox
[reverse][free]SEPC (Secure Enclave)— HackTheBox
[reverse][free]FFModule— HackTheBox
[pwn][free]throughthewall— b01lersc
[pwn][free]KHP Protocol Challenge Scenario— hackthebox