# forgotten module - pwn/misc, 13 solves, 250 points
Challenge description:
> Those damn millennials and their USBs and NVMEs! They forgot to compile my IDE module. Now I can't access my secrets stored on a trusty CD-ROM. Can you help me?

We're provided with a service that runs some custom kernel with an initramfs that we supply. That immediately makes us quite powerful, since we have root access. However, there's no CD-ROM driver.

That leaves two options: either try to compile the appropriate modules and load them (quite tedious, though some people managed to do that ;) ) or replace the running kernel with a new one that has CD-ROM support (the intended solution). The easiest way to do the latter is to use the kexec mechanism of the Linux kernel. Luckily for us it is enabled, which we can verify by checking an entry in /proc/config.gz.

OK, now that we know what we want to do, we have to assemble our components:
* kexec-tools - <https://github.com/horms/kexec-tools> - a userspace program to load our new kernel, compiled statically
* vmlinuz - with CD-ROM support. Left out as an exercise for the reader

And that's basically it. What we have to do now is pack those things, along with some dummy initramfs (an example one will do), inside a new initramfs (if you have trouble with kernel panics during boot, don't forget to use the --format=newc switch for cpio). We connect to the challenge, send the file and run:

```
./kexec -f --reuse-cmdline --initrd=./dummy.cpio.gz ./vmlinuz
```

If everything was OK, this will boot the new kernel. A new device should be present - /dev/hdc or /dev/sr0. The last thing is to mount it and get the flag.
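
The checks and the packing step described above, as an added example that is not part of the original write-up. The function names and the directory layout are assumptions; the file names follow the command above.

```shell
#!/bin/sh
# Added example: pre-flight checks and initramfs packing for the kexec
# procedure in this write-up. Function names are hypothetical helpers.

# Return 0 if the gzip-compressed kernel config ($1, default /proc/config.gz)
# has kexec support built in.
kexec_enabled() {
    gzip -dc "${1:-/proc/config.gz}" 2>/dev/null | grep -q '^CONFIG_KEXEC=y$'
}

# Return 0 if config $1 has option $2 built in (=y) or as a module (=m).
# Useful for confirming that the replacement kernel's config really
# contains the driver the running kernel lacks.
has_option() {
    gzip -dc "$1" 2>/dev/null | grep -Eq "^$2=[ym]\$"
}

# Pack directory $1 into a gzip-compressed cpio archive at $2.
# The kernel's initramfs unpacker accepts only the newc (or crc) cpio
# format; an archive in cpio's default format is rejected, and the boot
# ends in a panic because no init is found.
pack_initramfs() {
    ( cd "$1" && find . -print | cpio -o --format=newc 2>/dev/null | gzip -9 ) > "$2"
}

# Return 0 if the decompressed archive $1 starts with the newc magic
# "070701", i.e. it is in the format the kernel can unpack.
is_newc() {
    [ "$(gzip -dc "$1" 2>/dev/null | head -c 6)" = "070701" ]
}

# Typical order of use (paths are assumptions):
#   kexec_enabled                 || echo "kexec not available"
#   pack_initramfs ./root upload.cpio.gz
#   is_newc upload.cpio.gz        || echo "wrong cpio format"
```

Running `is_newc` on both the outer archive and the dummy initramfs before uploading catches the format mistake that otherwise only shows up as a panic after kexec.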