Rootkit Analysis & Exploitation Write-up
Introduction
Malicious actors have infiltrated our systems and implanted a custom rootkit. Our goal is to disarm the rootkit, remove it, and retrieve the hidden data. Below is a step-by-step analysis and exploitation process.
Step 1: Unzip and Analyze the File
Extract the challenge folder:
unzip challenge.zip -d challenge
Load the file into Detect It Easy (DIE) to analyze its type.
DIE identifies the file as an ELF binary, the format Linux kernel modules use.
Step 2: Reverse Engineer the Binary
Load the file into Binary Ninja for further analysis.
Identify the file as Diamorphine, a well-known Linux rootkit.
Conduct a quick Google search, leading to its GitHub repository: https://github.com/m0nad/Diamorphine
Step 3: Understanding Rootkit Behavior
Observations from the README (Uninstall Instructions)
The module starts hidden.
To make it visible, we need to use:
kill -63 0
Once visible, we can remove it with:
rmmod diamorphine
Step 4: Attempting to Remove the Rootkit
Connect to the system using Netcat:
nc -nv <target-ip> <port>
Attempt kill -63 0 to make the module visible.
The system crashes (kernel panic), indicating that the original Diamorphine code was modified.
Step 5: Finding the Modified Kill Switch
Return to Binary Ninja and search for cmp instructions in hacked_kill().
Notice multiple cmp instructions:
cmp eax, 0x3F (Original kill -63 for visibility toggle)
cmp eax, 0x40 (Modified code, corresponds to kill -64 for root access)
cmp eax, 0x2E (New visibility toggle, corresponds to kill -46)
Testing kill -64 0 gives root access, confirming the attacker modified the rootkit to require a different code.
Step 6: Removing the Rootkit
Gain root access:
kill -64 0
whoami # Should return "root"
Make the rootkit visible:
kill -46 0
Remove the rootkit:
rmmod diamorphine
Confirm its removal:
lsmod | grep diamorphine # Should return nothing
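A hidden module is invisible to lsmod because lsmod reads /proc/modules, which is the list the rootkit unlinks itself from. The following added check (my own example, not part of the write-up or the Diamorphine project) compares /sys/module against /proc/modules to surface such a discrepancy before and after removal. It assumes that the hidden module still has a /sys/module/<name> directory, as stock Diamorphine leaves behind, and uses constructed sample directories so it runs offline.

```shell
#!/bin/sh
# Added example: report loadable kernel modules that have a /sys/module entry but
# are missing from /proc/modules (the source lsmod reads).
# Assumption: the hidden module keeps its /sys/module/<name> directory.

# hidden_modules SYSFS_MODULE_DIR PROC_MODULES_FILE
# Prints one name per line for each loadable module under SYSFS_MODULE_DIR that is
# absent from PROC_MODULES_FILE. Returns 1 if any were found, 0 otherwise.
hidden_modules() {
    sysdir=$1
    procfile=$2
    found=0
    for d in "$sysdir"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        # Built-in modules also get a /sys/module entry; only loadable ones carry initstate.
        [ -f "$d/initstate" ] || continue
        # Each /proc/modules line starts with "<name> <size> ...".
        if ! awk -v n="$name" '$1 == n { ok = 1 } END { exit !ok }' "$procfile"; then
            echo "$name"
            found=1
        fi
    done
    return $found
}

# Constructed sample data so the check can be exercised offline.
# On a live host run: hidden_modules /sys/module /proc/modules
demo_setup() {
    tmp=$(mktemp -d)
    for m in ext4 diamorphine; do
        mkdir -p "$tmp/sys_module/$m"
        echo live > "$tmp/sys_module/$m/initstate"
    done
    mkdir -p "$tmp/sys_module/printk"   # built-in: no initstate, must not be reported
    printf 'ext4 745472 1 - Live 0x0000000000000000\n' > "$tmp/proc_modules"
    echo "$tmp"
}

demo_dir=$(demo_setup)
hidden_modules "$demo_dir/sys_module" "$demo_dir/proc_modules" || echo "hidden module(s) detected"
```

Once rmmod has succeeded, the same check should print nothing, which is a stronger confirmation than lsmod alone.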
Step 7: Finding the Hidden Data
Since this is a Hack The Box (HTB) challenge, the flag is likely stored in a .txt file.
Search the system for .txt files:
find / -type f -name "*.txt" 2>/dev/null
Retrieve the flag:
cat /path/to/flag.txt
Conclusion
By reverse-engineering the modified Diamorphine rootkit, we:
Discovered the attacker modified the kill switch to kill -64 (original was kill -63).
Identified the new visibility toggle as kill -46 (original was kill -63).
Successfully removed the rootkit after making it visible.
Recovered the hidden flag from a .txt file.
This challenge demonstrated the importance of understanding malware modifications and how attackers may tweak known exploits to evade detection.