The challenge target is to become root, but there is no vulnerability or third-party driver in the kernel. However, a custom DSDT table can be loaded at boot time, so we can craft a malicious DSDT that writes physical memory to modify the kernel, since KASLR is off.

Use the ACPICA tools to dump the original DSDT table, then recompile it after modifying it.

I chose to overwrite the epilogue of sys_arch_prctl to execute the privilege-escalation code, then return as normal. Since busybox calls arch_prctl, we get a root shell after booting.
References:
Implementing and Detecting an ACPI BIOS Rootkit
Applied anti-forensics: rootkits and kernel vulnerabilities
Upgrading ACPI tables via initrd
I did not solve this challenge during the competition. This time the kernel applies KASLR, and the init process reboots directly after booting. That means we would have to write 'shellcode' in ASL that searches physical memory for the kernel and then modifies its code. However, there is a simpler way from vakzz: he directly dumps the entire RAM disk memory to the debug port (0x3F8) and searches for the flag.