Introduction
We are given a bzImage, a kernel object, rootfs.img and a run shell script.
The file run.sh contains the following:
#!/bin/bash
qemu-system-x86_64 \
-m 64M \
-nographic \
-kernel bzImage \
-append 'console=ttyS0 loglevel=3 oops=panic panic=1' \
-monitor /dev/null \
-initrd rootfs.img
Essentially, we are given a compressed kernel (bzImage), a kernel object which is likely what we will have to exploit (kmod.ko), a root fs, and a script to run it all.
This was my first kernel pwn challenge, so my first idea was to start looking around in the provided VM by running the run.sh script. Most directories are rather empty and contain nothing interesting. We also do not have access to the /root directory, which will likely contain the flag. In /dev, however, there is an interesting device called vuln. Most likely the loaded kernel object, kmod.ko, can be interacted with through this device.
echo "a" > vuln
dmesg
[ 93.585803] opening device : vuln
[ 93.585881] MAJOR no = 700 and MINOR no = 3
[ 93.585898] Opened device : vuln
[ 93.585962] opened : 1
[ 93.586496] ramdisk : a
[ 93.586496] ��������������������������������������������������������������
[ 93.586517] Writing : bytes = 2
[ 93.586605] closing device : vuln
Indeed, this seems to be where the vulnerability lies.
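As an added example (not part of the original writeup), a small C harness that does what the echo above does but also reads back from the device and reports the byte counts and any non-printable bytes, so the driver's behaviour can be characterised from user space instead of only from dmesg. It assumes the device node /dev/vuln seen in the VM above and that the driver implements both write and read; the buffer size is an arbitrary choice.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Count bytes outside printable ASCII, i.e. the kind of output that
 * followed "ramdisk : a" in the dmesg log. */
int count_nonprintable(const unsigned char *buf, size_t len) {
    int n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] < 0x20 || buf[i] > 0x7e) n++;
    return n;
}

/* Write msg to the device at path, then read back up to cap bytes into
 * out (zero-filled first so leftover content is distinguishable).
 * Returns the number of bytes read, or -1 on error with errno set. */
ssize_t probe_device(const char *path, const char *msg,
                     unsigned char *out, size_t cap) {
    int fd = open(path, O_RDWR);
    if (fd < 0) return -1;
    memset(out, 0, cap);
    ssize_t w = write(fd, msg, strlen(msg));
    if (w < 0) { int e = errno; close(fd); errno = e; return -1; }
    ssize_t r = read(fd, out, cap);
    int e = errno;
    close(fd);
    errno = e;
    return r;
}

int main(void) {
    unsigned char out[256];
    /* /dev/vuln is the device node found in the challenge VM (assumption:
     * it is readable as well as writable). */
    ssize_t r = probe_device("/dev/vuln", "a", out, sizeof out);
    if (r < 0) { perror("probe_device"); return 1; }
    printf("read %zd bytes, %d non-printable\n",
           r, count_nonprintable(out, (size_t)r));
    return 0;
}
```

Compare the number of bytes read with the "Writing : bytes = 2" line from dmesg: a read that returns more data than was written, or data containing non-printable bytes, is worth a closer look in the module.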