Hackfinity Battle 2025 CTF: Sneaky Patch (TryHackMe)

Software Developer | Learning Cybersecurity | Open for roles

If you're in the early stages of your career in software development (student or still looking for an entry-level role) and in need of mentorship, you can reach out to me.

In this challenge, a high-value system was suspected to be compromised by a stealthy kernel-level backdoor. Traditional security tools failed to detect the attacker’s presence, signaling the need for a manual forensic investigation. The objective was to inspect the system’s kernel modules, identify malicious artifacts, and extract hidden information that could reveal the attacker’s persistence method.

Forensics - Sneaky Patch

A high-value system has been compromised. Security analysts have detected suspicious activity within the kernel, but the attacker’s presence remains hidden. Traditional detection tools have failed, and the intruder has established deep persistence. Investigate a live system suspected of running a kernel-level backdoor.

# Enumerate running processes: each numeric directory under /proc is a PID
ls /proc | grep -E '^[0-9]+$'

# List the loaded kernel modules (name, size, refcount, dependencies, state, load address, taint flags)
cat /proc/modules

# Note the running kernel version, then locate the suspicious module's object file on disk
# (spatch is the module name that stood out in /proc/modules)
uname -r
find /lib/modules/$(uname -r) -type f -name "spatch.ko" 2>/dev/null

# Dump the printable strings embedded in the module and page through them
strings /lib/modules/6.8.0-1016-aws/kernel/drivers/misc/spatch.ko | less

Used dcode.fr to decode the ASCII codes found in the strings output.
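The manual steps above can be turned into a small triage script. The following is an added example, not code from the original writeup or from the TryHackMe challenge: it flags loaded modules that carry kernel taint markers, lists loaded modules that the installed kernel's modules.dep does not know about, and decodes a run of ASCII codes like the one found with strings. The function names and the sample /proc/modules, modules.dep and code-string data are constructed for this example; on a suspect box you would feed it the real files instead.

```shell
#!/bin/sh
# Added example for kernel-module triage; not part of the original writeup.
# All sample data below is constructed so the script runs offline.

# Constructed sample of /proc/modules. Fields: name size refcount deps state
# address [taint flags]; (O) = out-of-tree, (E) = unsigned module.
SAMPLE_PROC_MODULES='spatch 16384 0 - Live 0xffffffffc0a00000 (OE)
nf_tables 372736 2 nft_compat,nft_fib_ipv4, Live 0xffffffffc0900000
ext4 1048576 1 - Live 0xffffffffc0800000'

# Constructed sample of modules.dep for the same kernel. spatch.ko is absent:
# copying a .ko into /lib/modules does not register it unless depmod is rerun.
SAMPLE_MODULES_DEP='kernel/fs/ext4/ext4.ko: kernel/fs/jbd2/jbd2.ko kernel/lib/crc16.ko
kernel/net/netfilter/nf_tables.ko: kernel/net/netfilter/nfnetlink.ko'

# Constructed sample of a strings(1) hit: text hidden as decimal ASCII codes.
SAMPLE_ASCII_CODES='84 72 77 123 116 101 115 116 125'

# Print "name (flags)" for every loaded module carrying a taint marker.
# Reads /proc/modules text from stdin.
tainted_modules() {
    awk '$NF ~ /^\(.*\)$/ { print $1, $NF }'
}

# Print loaded module names that do not appear in modules.dep, i.e. modules the
# kernel package did not ship or that were dropped in without depmod.
# $1 = /proc/modules text, $2 = modules.dep text. Dashes and underscores in
# module names are interchangeable, so both sides are normalised to underscores.
unlisted_modules() {
    known=$(printf '%s\n' "$2" | sed 's/:.*//; s#.*/##; s/\.ko.*$//; s/-/_/g')
    printf '%s\n' "$1" | awk 'NF { print $1 }' | sed 's/-/_/g' |
    while read -r name; do
        printf '%s\n' "$known" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Decode a whitespace-, comma- or semicolon-separated list of decimal ASCII
# codes into text. $1 = the code string as it appeared in the strings output.
decode_ascii_codes() {
    for code in $(printf '%s' "$1" | tr ',;' '  '); do
        # 84 -> "\0124" (octal escape), which printf %b renders as "T"
        printf '%b' "$(printf '\\0%o' "$code")"
    done
    printf '\n'
}

# Stand-alone run against the constructed samples.
echo '== loaded modules with taint flags =='
printf '%s\n' "$SAMPLE_PROC_MODULES" | tainted_modules
echo '== loaded but not listed in modules.dep =='
unlisted_modules "$SAMPLE_PROC_MODULES" "$SAMPLE_MODULES_DEP"
echo '== decoded strings hit =='
decode_ascii_codes "$SAMPLE_ASCII_CODES"
```

On a live system the same functions take `cat /proc/modules` and `cat /lib/modules/$(uname -r)/modules.dep` as input. Two caveats apply to this kind of triage: a module that unlinks itself from the kernel's module list disappears from /proc/modules and lsmod while its /sys/module/<name> directory usually remains, so compare `ls /sys/module` against the /proc/modules names as well; and neither the modules.dep check nor the taint flags are conclusive on their own, since an attacker who reruns depmod or signs the module with an enrolled key will pass both.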

Through systematic inspection of the /proc filesystem and loaded kernel modules, the malicious file spatch.ko was uncovered. By analyzing the module with strings, hidden ASCII-encoded data was retrieved and later decoded to reveal the attacker’s secret. This investigation highlights the importance of low-level forensic analysis when dealing with advanced threats, as attackers often bypass conventional detection by embedding themselves deep within the kernel.