This is a nice, compact, and straightforward way to brush up on basic Linux rootkits. The module includes full debugging information, so you won’t have to spend much time working in IDA.
You are provided with an LKM whose flag has been modified, meaning the version of the file you have differs from the one actually executing on the system. The module implements a simple hiding mechanism and hooks the sys_read and sys_write system calls, so you cannot use standard utilities like cat to retrieve the required data.
Among all the information hidden by the module (such as kallsyms and ftrace data), the only item of interest is the kernel system log ring buffer. Therefore, you need to find a way to read the unmodified version of /dev/kmsg on the host.
Fortunately, the malware only filters the sys_read path, leaving other system calls such as readv untouched. A GCC compiler is available on the host, so the task boils down to writing a small snippet of C code, compiling it, and using it to read the necessary messages.
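As an added example (my own code, not part of the challenge or this write-up), a small C program that drains the kernel log through readv(2) and emits it through writev(2), so neither of the hooked sys_read/sys_write entry points is used. It assumes the hooks sit at the syscall-table level, leaving sys_readv and sys_writev alone, and that it is run with enough privilege to open /dev/kmsg (root or CAP_SYSLOG).

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/uio.h>
#include <unistd.h>

/* Fetch one record via readv(2), i.e. sys_readv, which the module leaves unhooked.
 * Returns bytes stored in buf (NUL-terminated), 0 when drained/EOF, -1 on error. */
ssize_t readv_record(int fd, char *buf, size_t cap) {
    struct iovec iov = { .iov_base = buf, .iov_len = cap - 1 };
    for (;;) {
        ssize_t n = readv(fd, &iov, 1);
        if (n >= 0) { buf[n] = '\0'; return n; }
        if (errno == EINTR || errno == EPIPE) continue; /* EPIPE: kmsg overran us, resume */
        if (errno == EAGAIN) return 0;                  /* O_NONBLOCK: ring buffer drained */
        return -1;
    }
}

/* Emit via writev(2) too, since sys_write is hooked while sys_writev is not. */
int writev_all(int fd, const char *p, size_t len) {
    while (len > 0) {
        struct iovec iov = { .iov_base = (void *)p, .iov_len = len };
        ssize_t n = writev(fd, &iov, 1);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        p += n; len -= (size_t)n;
    }
    return 0;
}

/* Copy every record from in_fd to out_fd; returns the record count, or -1. */
long dump_records(int in_fd, int out_fd) {
    char buf[16384]; /* a single /dev/kmsg record is far smaller than this */
    long count = 0; ssize_t n;
    while ((n = readv_record(in_fd, buf, sizeof buf)) > 0) {
        if (writev_all(out_fd, buf, (size_t)n) < 0) return -1;
        count++;
    }
    return n < 0 ? -1 : count;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/dev/kmsg"; /* needs root or CAP_SYSLOG */
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0) { perror(path); return 1; }
    long count = dump_records(fd, STDOUT_FILENO);
    close(fd);
    return count < 0 ? 1 : 0;
}
```

Build with `gcc -O2 -o kmsgv kmsgv.c` and run it as root on the host; an optional path argument lets you point it at any other file the read hook is filtering.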
Have fun!
You can find the challenge here.