🤖Cyberpsychosis HTB
In Cyberpunk, Cyberpsychosis is a mental illness, specifically a dissociative disorder, caused by an overload of cybernetic augmentations to the body.

Cyberpsychosis is a reverse engineering challenge that provides:
- a kernel module
- remote access to a server

Our task is to disarm the rootkit and uncover the data it hides.

Let’s analyze it
Basic Static Analysis
First, we list the module's symbols.
The initial step is to locate the module's init function, which here is
init_module.
Among the symbols, a few important function names stand out.

Let's understand the use of:
- getdents/getdents64: system calls in Unix-like operating systems that retrieve directory entries.
- kill: a command and system call in Unix-like operating systems used to send signals to processes.
This leads us to conclude that the rootkit hooks the getdents and kill syscalls to provide its malicious functionality. Let's verify whether our conclusion is correct!

Advanced Static Analysis
I'm a Ghidra enthusiast :)
Let's delve into our
init_module.
As we suspected, it hooks the three syscalls (getdents, getdents64 and kill) by replacing each handler with a function named
hacked_<SyscallName>.

hacked_kill:

It hides the module when it receives signal 46 (sending it again shows the module).

Signal 64, if the current user isn't root, upgrades the caller to root using:
- prepare_creds: prepares a new set of credentials for the current task.
- commit_creds: installs the new credentials on the current task.
Conclusion: we can elevate to root with signal 64 and show/hide the rootkit with signal 46. Both numbers lie in Linux's real-time signal range, so the hooked kill can recognise them without colliding with ordinary signals; on a machine without the rootkit, signal 64 would simply terminate the target process, which is the default action for real-time signals.
hacked_getdents:
hacked_getdents and hacked_getdents64 provide the same functionality. Each first calls the original handler,
org_getdents, to fill the caller's buffer.

Then it scans the returned entries for a string and calls
LAB_00100245, which appears to remove the matching entry from the buffer.
The string is:

Converting the constant to ASCII gives 'isohcysp', which is the name in little-endian byte order: reading the bytes from low to high gives 'psychosi'.
Finally, the hidden directory is 'psychosis'.
Conclusion: it hides the directory named 'psychosis' from directory listings.
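To make the hiding step concrete, here is a user-space model of what hacked_getdents does after org_getdents returns. It is an added example written for this writeup, not the challenge's module. It assumes the decompiler immediate is 0x69736f6863797370 (the value whose bytes print as 'isohcysp'), redeclares the linux_dirent64 layout locally instead of pulling in kernel headers, and feeds the filter a constructed four-entry listing; how the module matches the ninth byte of the name is not shown on the page, so the filter here simply compares the full name 'psychosis'.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of one getdents64 record, redeclared here so the example builds
 * without kernel headers. */
struct linux_dirent64 {
    uint64_t d_ino;
    int64_t  d_off;
    uint16_t d_reclen;
    uint8_t  d_type;
    char     d_name[];
};

/* Assumed value of the 8-byte immediate seen in the decompiler: printed high
 * byte first its bytes read 'isohcysp', as on the page. */
#define HIDDEN_PREFIX_LE 0x69736f6863797370ULL

/* Decode a little-endian 64-bit immediate into the 8 ASCII bytes it holds,
 * low byte first. out must have room for 9 bytes. */
void decode_le64(uint64_t v, char out[9]) {
    for (int i = 0; i < 8; i++)
        out[i] = (char)((v >> (8 * i)) & 0xff);
    out[8] = '\0';
}

/* Drop every record whose d_name equals hidden from a getdents64 buffer and
 * return the shortened length, which is what the hooked syscall hands back
 * to the caller instead of the original length. */
long hide_entries(char *buf, long len, const char *hidden) {
    long off = 0;
    while (off < len) {
        struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + off);
        if (d->d_reclen == 0)
            break;                      /* malformed buffer: stop rather than spin */
        if (strcmp(d->d_name, hidden) == 0) {
            long rest = len - off - d->d_reclen;
            memmove(buf + off, buf + off + d->d_reclen, (size_t)rest);
            len -= d->d_reclen;
            continue;                   /* re-check the record now at this offset */
        }
        off += d->d_reclen;
    }
    return len;
}

/* Append one record; d_reclen is rounded up to a multiple of 8 as the kernel does. */
static long add_dirent(char *buf, uint64_t ino, uint8_t type, const char *name) {
    struct linux_dirent64 *d = (struct linux_dirent64 *)buf;
    size_t namelen = strlen(name);
    uint16_t reclen = (uint16_t)((offsetof(struct linux_dirent64, d_name) + namelen + 1 + 7) & ~(size_t)7);
    memset(buf, 0, reclen);
    d->d_ino = ino;
    d->d_reclen = reclen;
    d->d_type = type;
    memcpy(d->d_name, name, namelen + 1);
    return reclen;
}

/* Constructed sample listing (not captured from the challenge box); buf must
 * be 8-byte aligned and at least 128 bytes. Returns the byte length. */
long sample_listing(char *buf) {
    long len = 0;
    len += add_dirent(buf + len, 2, 4, ".");          /* DT_DIR */
    len += add_dirent(buf + len, 1, 4, "..");
    len += add_dirent(buf + len, 1001, 4, "psychosis");
    len += add_dirent(buf + len, 1002, 8, "notes.txt"); /* DT_REG */
    return len;
}

int count_entries(const char *buf, long len) {
    int n = 0;
    for (long off = 0; off < len; n++)
        off += ((const struct linux_dirent64 *)(buf + off))->d_reclen;
    return n;
}

int has_entry(const char *buf, long len, const char *name) {
    for (long off = 0; off < len; ) {
        const struct linux_dirent64 *d = (const struct linux_dirent64 *)(buf + off);
        if (strcmp(d->d_name, name) == 0)
            return 1;
        off += d->d_reclen;
    }
    return 0;
}

int main(void) {
    char name[9];
    decode_le64(HIDDEN_PREFIX_LE, name);
    printf("immediate decodes to \"%s\"\n", name);

    uint64_t storage[32];               /* 8-byte aligned backing store */
    char *buf = (char *)storage;
    long len = sample_listing(buf);
    printf("before: %d entries\n", count_entries(buf, len));
    len = hide_entries(buf, len, "psychosis");
    printf("after:  %d entries, psychosis visible: %d\n",
           count_entries(buf, len), has_entry(buf, len, "psychosis"));
    return 0;
}
```

The detection angle follows directly from the model: a hidden entry still exists on disk, so comparing the output of getdents64 against an independent view (stat() on the suspected name, or a listing taken with the module unloaded) exposes the discrepancy.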
Let's test our hypothesis.
As the screenshot shows, signal 64 escalates us to root and signal 46 hides and shows the module.

Next, we look for 'psychosis'. Nothing is found while the module is active, so we disable the module, and here it is.

Good luck!