Corny Kernel
Description
Use our corny little driver to mess with the Linux kernel at runtime! (author: Nitya)
$ socat file:$(tty),raw,echo=0 tcp:corny-kernel.chal.uiuc.tf:1337
Analysis
We are given a driver code, which is already compiled on server.
Driver has 2 functions:
// SPDX-License-Identifier: GPL-2.0-only
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/init.h>
#include <linux/kernel.h>
extern const char *flag1, *flag2;
static int __init pwny_init(void) {
pr_alert("%s\n", flag1);
return 0;
}
static void __exit pwny_exit(void) {
pr_info("%s\n", flag2);
}
module_init(pwny_init);
module_exit(pwny_exit);
MODULE_AUTHOR("Nitya");
MODULE_DESCRIPTION("UIUCTF23");
MODULE_LICENSE("GPL");
MODULE_VERSION("0.1");Solution
└─$ socat file:$(tty),raw,echo=0 tcp:corny-kernel.chal.uiuc.tf:1337
== proof-of-work: disabled ==
+ mount -n -t proc -o nosuid,noexec,nodev proc /proc/
+ mkdir -p /dev /sys /etc
+ mount -n -t devtmpfs -o 'mode=0755,nosuid,noexec' devtmpfs /dev
+ mount -n -t sysfs -o nosuid,noexec,nodev sys /sys
+ cd /root
+ exec setsid cttyhack ash -l
$ ls # Check for files
pwnymodule.ko.gz
$ gzip -d pwnymodule.ko.gz # Unzip
$ insmod pwnymodule.ko # Load driver
[ 52.945794] pwnymodule: uiuctf{m4ster_
$ rmmod pwnymodule # Remove driver
$ dmesg | tail # Check kernel messages
[ 0.183484] Freeing unused kernel image (rodata/data gap) memory: 1452K
[ 0.183488] Run /init as init process
[ 0.183489] with arguments:
[ 0.183490] /init
[ 0.183490] with environment:
[ 0.183491] HOME=/
[ 0.183491] TERM=linux
[ 0.191419] mount (31) used greatest stack depth: 13464 bytes left
[ 52.945794] pwnymodule: uiuctf{m4ster_
[ 104.825354] pwnymodule: k3rNE1_haCk3r}
$ exitFlag: uiuctf{m4ster_k3rNE1_haCk3r}
Last updated