CyberPsychosis
CyberPsychosis is a sanitized challenge note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator
Scenario
CyberPsychosis attack path
Objective
Challenge walkthrough focused on Reversing evidence, validation, and reusable operator lessons.
Walkthrough flow
- Binary triage
- Control-flow recovery
- Key logic reconstruction
- Proof captured
Source coverage
High source coverage
Status: complete. This article is generated from 6 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.
High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.
- Reversing/CyberPsychosis/writeup.md
- htb-challenge/Reversing/CyberPsychosis/notes.md
- htb-challenge/Reversing/CyberPsychosis/memory-summary.md
- htb-challenge/Reversing/CyberPsychosis/hypothesis-board.md
- HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/challenge__Reversing__CyberPsychosis__memory-summary.md.6f8159accc.md
- HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/challenge__Reversing__CyberPsychosis__notes.md.7dd4de5c67.md
Technical Walkthrough
Writeup
Challenge
- Name: CyberPsychosis
- Category: Reversing
- Difficulty: Easy
- Mode: hybrid
Summary
The archive contains a modified Diamorphine Linux kernel rootkit. Static analysis shows it hooks directory listing syscalls and kill, hides names beginning with psychosis, and uses special signals to grant root or toggle module visibility. The remote service boots a QEMU VM with the rootkit active. The solve is to use the rootkit's own signal handlers to become root, reveal and unload the module, then read the hidden flag file under /opt/psychosis.
Artifact Inventory
- files/extracted/rev_cyberpsychosis/diamorphine.ko: x86-64 Linux kernel module, debug info present, not stripped.
- files/extracted/rev_cyberpsychosis/LICENSE.txt: Diamorphine license text.
- Remote service: <TARGET>:31455, QEMU VM console.
- Static analysis:
  - analysis/diamorphine-strings.txt
  - analysis/objdump-symbols.txt
  - analysis/objdump-disasm.txt
- Remote validation:
  - analysis/remote-solve-transcript-redacted.txt
  - analysis/remote-solve-summary.json
Analysis
The module symbols identify the main behavior:
- hacked_getdents
- hacked_getdents64
- hacked_kill
- give_root
- module_hide
- module_show
- is_invisible
The string/disassembly evidence shows the hidden filename prefix is psychosis. The hacked_kill routine branches on three special signal values:
- 31 (0x1f): toggle process invisibility.
- 64 (0x40): call give_root.
- 46 (0x2e): toggle module visibility.
The remote VM starts at a low-privileged shell. After running kill -64 $$, the current shell becomes UID 0. Running kill -46 $$ makes the hidden diamorphine module visible in /proc/modules. After rmmod diamorphine, normal directory listings are restored and /opt/psychosis/flag.txt is visible.
The advisory RAG query returned no useful match, so the decision was based on local module symbols/disassembly and remote validation.
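The "control-flow recovery" step above (find the cmp immediates in hacked_kill and follow each branch to its handler) can be scripted so the magic signal numbers are recovered from objdump output rather than read by eye. The following is an added example, not the challenge's solver or Diamorphine's code; it runs on a constructed objdump -dr style excerpt, assumes the signal is compared in %esi, and resolves call targets from the relocation lines an unstripped .ko produces. The recovered signal numbers are also what a defender would key a kill-syscall audit rule on.

```python
import re

# Constructed objdump -dr style excerpt of a hacked_kill dispatcher (not the
# challenge's real disassembly). Each cmp immediate is a magic signal, the je
# target leads to the handler, and the call's target name is on the reloc line.
SAMPLE_DISASM = """\
0000000000000240 <hacked_kill>:
 240:   83 fe 1f                cmp    $0x1f,%esi
 243:   74 1b                   je     260 <hacked_kill+0x20>
 245:   83 fe 40                cmp    $0x40,%esi
 248:   74 26                   je     270 <hacked_kill+0x30>
 24a:   83 fe 2e                cmp    $0x2e,%esi
 24d:   74 31                   je     280 <hacked_kill+0x40>
 24f:   c3                      ret
 260:   e8 00 00 00 00          call   265 <hacked_kill+0x25>
                        261: R_X86_64_PLT32     is_invisible-0x4
 270:   e8 00 00 00 00          call   275 <hacked_kill+0x35>
                        271: R_X86_64_PLT32     give_root-0x4
 280:   e8 00 00 00 00          call   285 <hacked_kill+0x45>
                        281: R_X86_64_PLT32     module_hide-0x4
"""

INSN_RE = re.compile(r"^\s*([0-9a-f]+):\s+(?:[0-9a-f]{2}\s)+\s*([a-z]+)\s*(.*?)\s*$")
RELOC_RE = re.compile(r"^\s*([0-9a-f]+):\s+R_X86_64_\w+\s+([A-Za-z_.][\w.]*)")


def recover_signal_dispatch(disasm, sig_reg="%esi"):
    # Map each magic signal compared against sig_reg to the handler it reaches.
    insns, relocs = [], {}
    for line in disasm.splitlines():
        if m := INSN_RE.match(line):
            insns.append((int(m[1], 16), m[2], m[3]))
        elif r := RELOC_RE.match(line):
            relocs[int(r[1], 16)] = r[2]
    index = {addr: i for i, (addr, _, _) in enumerate(insns)}
    dispatch = {}
    for i, (addr, mnem, ops) in enumerate(insns[:-1]):
        m = re.fullmatch(r"\$(0x[0-9a-f]+|\d+)," + re.escape(sig_reg), ops)
        if mnem != "cmp" or not m or insns[i + 1][1] != "je":
            continue
        target = int(insns[i + 1][2].split()[0], 16)
        # Walk from the branch target to the first call; its rel32 relocation
        # sits one byte past the e8 opcode and names the handler symbol.
        j, handler = index.get(target, len(insns)), None
        while j < len(insns) and insns[j][1] not in ("ret", "jmp"):
            if insns[j][1] == "call":
                handler = relocs.get(insns[j][0] + 1)
                break
            j += 1
        dispatch[int(m[1], 0)] = handler
    return dispatch
```

On the sample this yields {31: "is_invisible", 64: "give_root", 46: "module_hide"}; point it at analysis/objdump-disasm.txt (generated with objdump -dr) to check the values the page reports.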
Solve
Run:
python3 Reversing/CyberPsychosis/solve/solve.py
The solver:
- Waits for the QEMU shell prompt.
- Confirms the starting identity.
- Runs kill -64 $$ to trigger give_root.
- Runs kill -46 $$ to expose the module.
- Runs rmmod diamorphine to unload the rootkit.
- Finds and reads /opt/psychosis/flag.txt.
Outputs:
- loot/flag-candidate.txt
- loot/remote-solve-transcript.raw
- analysis/remote-solve-transcript-redacted.txt
- analysis/remote-solve-summary.json
The harness captured the final validated flag into loot/flag.txt.
Flag
Raw flag is stored in loot/flag.txt and intentionally not reproduced here.
Lessons
- Rootkit reversing should start from symbols and syscall hooks when debug info is available.
- Hidden-file prefixes may be recovered directly from hooked getdents logic.
- A rootkit's control channel can be used as the cleanest disarm path: escalate, expose the module, unload it, then inspect the filesystem normally.
Source-Backed Dossier
The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.
Notes
Scope
- Challenge: CyberPsychosis
- Category: Reversing
- Difficulty: Easy
- Mode: hybrid
- Remote instance: <TARGET>:31455
- Start time: 2026-06-09T10:17:14Z
- Operator: harness
- State file: challenge-state.json
Harness Status
- Current phase: see challenge-state.json
- Next allowed actions: see next-action.json
- Raw flags and sensitive material stay in loot/ only. Do not paste them here.
Artifact Inventory
| File | Size | SHA256 | Type | Notes |
|---|---|---|---|---|
| files/a12c733d-c3cf-4fe0-92ed-8d5b8d8a02ac.zip | 103249 | <hash redacted> | Zip archive data, at least v1.0 to extract, compression method=store | zip entries: 3 shown in artifact inventory JSON |
Evidence Ledger
| Time | Action | Output/File | Finding | Confidence | Next |
|---|---|---|---|---|---|
| 2026-06-09T10:17:14Z | harness init | challenge-state.json | Workspace initialized with deterministic state file | High | Inventory artifacts |
| 2026-06-09T10:17:14Z | artifact inventory | analysis/artifact-inventory.json | 1 artifact(s) inventoried | High | Build or update hypotheses |
| 2026-06-09T10:17:14Z | hypothesis recorded | hypothesis-board.md | Reverse the provided rootkit artifact, identify how it hides or transforms data, then use the remote service only after local disarm/extraction logic is understood. | Medium | Extract archive, inventory binaries/source/files, inspect strings/imports/entrypoints/configs, and determine whether the remote expects a recovered value or provides an execution environment. |
| 2026-06-09T10:18:29Z | checkpoint recorded | analysis/checkpoint-analysis-20260609T101829733233Z-e6c40cac.md | Checkpoint for ANALYSIS | High | Use checkpoint to drive next decision |
| 2026-06-09T10:18:36Z | RAG query | analysis/rag/rag-query-20260609T101829783458Z-d9cf6bec.txt | RAG helper exited 0; output saved | Medium | Record retrieval tag and validation |
| 2026-06-09T10:19:37Z | source audit | analysis/source-audit.md | Source audit recorded | High | Gate before exploit |
| 2026-06-09T10:19:37Z | RAG record | analysis/rag-records.md | Retrieved memory tagged MISSING | Medium | Validate or reject with live evidence |
| 2026-06-09T10:19:37Z | local memory record | analysis/local-memory-records.md | Prior local notes reviewed as fallback/advisory context | Medium | Validate against current evidence |
| 2026-06-09T10:19:37Z | evaluator | analysis/evaluator-20260609T101937665523Z-04af91bb.md | Proceed | High | Run scripted VM console interaction and capture any HTB-format flag to loot. |
| 2026-06-09T10:22:20Z | flag capture | loot/flag.txt | HTB-format flag captured; raw value kept in loot only | High | Write solution and run completion gate |
| 2026-06-09T10:23:00Z | completion gate | challenge-state.json | Completion gate passed; state marked COMPLETE | High | Optional sanitized memory summary approval |
Key Findings
- Archive contains diamorphine.ko, an x86-64 Linux kernel module with debug info and symbols.
- Module symbols include hacked_getdents, hacked_getdents64, hacked_kill, give_root, module_hide, module_show, and is_invisible.
- Strings/disassembly identify the hidden-name prefix as psychosis.
- hacked_kill branches on special signals:
  - 31 (0x1f): toggles invisibility for a PID.
  - 64 (0x40): calls give_root.
  - 46 (0x2e): toggles module hide/show state.
- The rootkit hides directory entries matching the psychosis prefix via hooked getdents/getdents64.
- Remote service behaves like a QEMU VM console; initial boot transcript saved to analysis/remote-initial-probe.bin.
- Working hypothesis: gain root with the rootkit signal, reveal/unload the module to restore directory listing behavior, then read hidden psychosis* data.
- Prompt-aware solver confirmed the full chain:
  - Shell starts as UID 1000.
  - kill -64 $$ changes the current shell to UID 0.
  - kill -46 $$ exposes the hidden diamorphine module.
  - rmmod diamorphine unloads the rootkit and restores normal directory listings.
  - /opt/psychosis/flag.txt becomes visible and readable.
- Raw VM transcript is stored in loot/remote-solve-transcript.raw; redacted transcript is stored in analysis/remote-solve-transcript-redacted.txt.
- Harness captured the final flag into loot/flag.txt.
RAG / Advisory Memory
RAG output is advisory only. Record evaluated retrievals with:
scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."
Secrets/Flags
Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.
Memory Summary
Metadata
- Platform: HackTheBox Challenges
- Category: Reversing
- Challenge: CyberPsychosis
- Difficulty: Easy
- Source workspace: <local workspace>
Validated Solve Chain
Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.
1.
Reusable Lessons
-
Dead Ends
-
Tool Quirks
-
Evidence Paths
-
Ingestion Decision
- Proposed for LightRAG: yes/no
- Requires user approval before ingestion: yes
Hypothesis Board
Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.
| Rank | Path | Evidence | Missing Proof | Cheapest Validation | Confidence | Status |
|---|---|---|---|---|---|---|
| 1 | Reverse the provided rootkit artifact, identify how it hides or transforms data, then use the remote service only after local disarm/extraction logic is understood. | Challenge provides a rootkit-themed reversing ZIP plus remote instance; scenario asks to disarm the rootkit and find hidden data. | Extract archive, inventory binaries/source/files, inspect strings/imports/entrypoints/configs, and determine whether the remote expects a recovered value or provides an execution environment. | Medium | Active |
Closed Branches
| Branch | Evidence Tested | Failure Output | Reason Closed | Revisit Condition |
|---|---|---|---|---|
Memory Summary
approval_required: true
Technical analogy
How to remember this solve
Think of it like taking apart a small appliance on a workbench. You do not need every screw at once; you trace the control path and rebuild just enough logic to make it reveal the answer.
For CyberPsychosis, keep the mental model simple: identify the trusted assumption, prove it with the smallest safe test, then automate or repeat only the part that directly leads to the flag.