# Corny Kernel - uiuctf 2023
## Writeups by er4pwn
```misc``` ```systems``` ```beginner```
50 Points
Challenge information:
```
Use our corny little driver to mess with the Linux kernel at runtime!
$ socat file:$(tty),raw,echo=0 tcp:corny-kernel.chal.uiuc.tf:1337
author: Nitya
```
When I connect with ``` $ socat file:$(tty),raw,echo=0 tcp:corny-kernel.chal.uiuc.tf:1337 ```
there is a file pwnymodule.ko.gz:
```
┌──(era㉿jihyoppa)-[~]
└─$ socat file:$(tty),raw,echo=0 tcp:corny-kernel.chal.uiuc.tf:1337
== proof-of-work: disabled ==
+ mount -n -t proc -o nosuid,noexec,nodev proc /proc/
+ mkdir -p /dev /sys /etc
+ mount -n -t devtmpfs -o 'mode=0755,nosuid,noexec' devtmpfs /dev
+ mount -n -t sysfs -o nosuid,noexec,nodev sys /sys
+ cd /root
+ exec setsid cttyhack ash -l
/root ~ ls -al
total 4
drwx------ 2 root root 0 Jun 21 06:03 .
drwxr-xr-x 13 root root 0 Jul 3 10:26 ..
-rw-r--r-- 1 root root 2076 Jun 21 05:28 pwnymodule.ko.gz
/root ~
```
The source code of the module in pwnymodule.ko.gz is:
```c
// SPDX-License-Identifier: GPL-2.0-only
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

#include <linux/module.h>
#include <linux/init.h>
#include <linux/kernel.h>

/* The flag strings are defined outside this file. */
extern const char *flag1, *flag2;

/* Runs when the module is loaded; pr_alert logs at KERN_ALERT (level 1). */
static int __init pwny_init(void)
{
	pr_alert("%s\n", flag1);
	return 0;
}

/* Runs when the module is unloaded; pr_info logs at KERN_INFO (level 6). */
static void __exit pwny_exit(void)
{
	pr_info("%s\n", flag2);
}

module_init(pwny_init);
module_exit(pwny_exit);

MODULE_AUTHOR("Nitya");
MODULE_DESCRIPTION("UIUCTF23");
MODULE_LICENSE("GPL");
MODULE_VERSION("0.1");
```
`.ko` is the file extension used for Linux kernel modules. So in this challenge we must decompress pwnymodule.ko.gz with the gzip -d command and load the kernel module with the insmod command.
```
┌──(era㉿jihyoppa)-[/mnt/c/Users/jihyoppa/Desktop/kali]
└─$ socat file:$(tty),raw,echo=0 tcp:corny-kernel.chal.uiuc.tf:1337
/root ~ gzip -d pwnymodule.ko.gz
/root ~ ls
pwnymodule.ko
/root ~
```
Use the insmod command to insert the module into the kernel:
```
┌──(era㉿jihyoppa)-[/mnt/c/Users/jihyoppa/Desktop/kali]
└─$ socat file:$(tty),raw,echo=0 tcp:corny-kernel.chal.uiuc.tf:1337
/root ~ insmod pwnymodule.ko
[ 29.628494] pwnymodule: uiuctf{m4ster_
/root ~
```
So after inserting the module we get half of the flag, which is uiuctf{m4ster_. Now we just need flag2.
After analyzing the code, the pwny_exit function in the code I showed above is only executed when the kernel module containing it is loaded and subsequently unloaded. So we must find a way to unload the module. I tried the rmmod, modprobe and reboot commands, but nothing happened and flag2 was not printed, so this got me thinking: what if we just view the boot-time and kernel log messages with the ```dmesg``` command?
So I ran the dmesg command, and the result is:
```
┌──(era㉿jihyoppa)-[/mnt/c/Users/jihyoppa/Desktop/kali]
└─$ socat file:$(tty),raw,echo=0 tcp:corny-kernel.chal.uiuc.tf:1337
[ 0.217051] sit: IPv6, IPv4 and MPLS over IPv4 tunneling driver
[ 0.217149] NET: Registered PF_PACKET protocol family
[ 0.217158] 9pnet: Installing 9P2000 support
[ 0.218141] sched_clock: Marking stable (208019724, 9681918)->(172917108, 44784534)
[ 0.218176] Loading compiled-in X.509 certificates
[ 0.224602] Freeing initrd memory: 1844K
[ 0.224641] kworker/u2:2 (28) used greatest stack depth: 14616 bytes left
[ 0.225203] Loaded X.509 cert 'Build time autogenerated kernel key: a9d43cafa40d837a865018b58152634d5e302d54'
[ 0.226000] PM: Magic number: 15:78:830
[ 0.228140] Freeing unused kernel image (initmem) memory: 1376K
[ 0.228749] Write protecting the kernel read-only data: 12288k
[ 0.229153] Freeing unused kernel image (rodata/data gap) memory: 1452K
[ 0.229156] Run /init as init process
[ 0.229158] with arguments:
[ 0.229158] /init
[ 0.229159] with environment:
[ 0.229159] HOME=/
[ 0.229160] TERM=linux
[ 0.235842] mount (31) used greatest stack depth: 13464 bytes left
[ 17.868047] pwnymodule: uiuctf{m4ster_
[ 165.201780] pwnymodule: k3rNE1_haCk3r}
/root #
```
The flag is ```uiuctf{m4ster_k3rNE1_haCk3r}```
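The module logs flag1 with pr_alert (level 1) and flag2 with pr_info (level 6), and the kernel copies a message to the console only when its level is numerically lower than the console loglevel, the first field of /proc/sys/kernel/printk; every message still lands in the ring buffer that dmesg reads. The script below is an added example, not part of the original writeup or the challenge: it applies that rule and extracts a module's lines from dmesg-style output. The helper names and the printk value `4 4 1 7` are assumptions (the page does not show the challenge VM's setting); the log lines are copied from the dmesg output above.

```shell
#!/bin/sh
# Numeric kernel log level behind each pr_*() helper (lower = more severe).
level_of() {
    case "$1" in
        pr_emerg)  echo 0 ;;
        pr_alert)  echo 1 ;;
        pr_crit)   echo 2 ;;
        pr_err)    echo 3 ;;
        pr_warn)   echo 4 ;;
        pr_notice) echo 5 ;;
        pr_info)   echo 6 ;;
        *) return 1 ;;
    esac
}

# on_console PRINTK HELPER: succeeds if a message logged with HELPER is copied
# to the console. PRINTK is the content of /proc/sys/kernel/printk; its first
# field is the console loglevel, and only lower-numbered messages are shown.
on_console() {
    console_level=${1%%[!0-9]*}
    msg_level=$(level_of "$2") || return 2
    [ "$msg_level" -lt "$console_level" ]
}

# module_lines NAME: from dmesg-style input, print the text of the lines that
# carry the "NAME: " prefix a module sets through pr_fmt.
module_lines() {
    sed -n "s/^\[[ 0-9.]*] $1: //p"
}

# Last three lines of the dmesg output shown in the writeup.
sample_log() {
    cat <<'EOF'
[    0.235842] mount (31) used greatest stack depth: 13464 bytes left
[   17.868047] pwnymodule: uiuctf{m4ster_
[  165.201780] pwnymodule: k3rNE1_haCk3r}
EOF
}

SAMPLE_PRINTK='4 4 1 7'   # constructed value, not taken from the challenge VM
for helper in pr_alert pr_info; do
    if on_console "$SAMPLE_PRINTK" "$helper"; then
        echo "$helper: console and dmesg"
    else
        echo "$helper: dmesg only"
    fi
done
echo "reassembled: $(sample_log | module_lines pwnymodule | tr -d '\n')"
```

On a live system, `cat /proc/sys/kernel/printk` gives the real value to pass to `on_console`.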