
Monday, December 13, 2021

[Official Write-up] HITCON CTF 2021 - chaos

Foreword

I had planned to go through the details of these challenges and how their components interacted with each other. But after seeing that team organizers posted a write-up that is so well organized and detailed, I changed my mind. So readers, please refer to their write-up, especially the "challenge architecture" section, which is accurate and illustrated. I suggest you read their article if you'd like to know how to solve these challenges, and come back here if you are interested in knowing things that only the challenge author knows 😉

Before sharing fun facts or intended solutions I have to thank the co-author of these "chaos" challenges, lyc. lyc has also designed a lot of crypto challenges for HITCON CTF every year, and without his help I wouldn't have had enough ideas or time to design this whole thing.

For this year's HITCON CTF I provided several challenges (most in the pwnable category and some in reversing); CHAOS was the one I spent lots of time designing and developing. I have released all sources and intended solutions on GitHub: https://github.com/david942j/hitcon-2021-chaos. If you check the commit history you can see there are 110 commits in total, and the first one was made on Nov 1st.
Speaking of time, I noticed some teams complained that CHAOS was not released at the beginning of the game; I'm pretty sorry about this 😢. My original intention was indeed to release them at game start. However, we were too busy preparing other challenges, and it was two hours after the game started that I finally finished the exploit scripts for chaos-sandbox (I had to ensure it was truly exploitable on the remote service before releasing it to the public!). That was why we released them in the 4th hour of the game. Fortunately they were all solved by at least 2 teams, which already met my expectation.

This challenge set included three problems, which we named chaos-firmware, chaos-kernel, and chaos-sandbox.


Their category was marked as [crypto|pwn]+ because some of them were pure pwnables and some required both techniques, and we didn't want that to be revealed; the true categories in our mind were "crypto,pwn", "pwn", and "crypto,pwn" for chaos-firmware, kernel, and sandbox, respectively. It turned out that for chaos-sandbox a solution without any crypto knowledge existed (I felt so dumb when team organizers told me their solution 😭), so it actually could be a pure pwn challenge; I will talk about what happened there later.

Wednesday, October 23, 2019

[Official Write-up] HITCON CTF Quals 2019 - Path of Exploitation

Path of Exploitation (PoE) is the series of pwn challenges I designed for this year's HITCON CTF qualification. It contains three stages/layers: hackers have to exploit a user-space program, do privilege escalation on Linux, and attack a custom device embedded in QEMU. Solve all three stages to be the master of pwn!

This challenge has a hierarchy similar to "Abyss", my series of challenges in HITCON CTF 2018. Abyss contains three layers as well: the user-space program, the kernel, and the hypervisor, but with a self-implemented kernel and a hypervisor based on KVM.

For PoE, I modified the latest QEMU source code to add a custom device, the Treap Processing Unit (TPU), developed a Linux kernel module to drive my fancy device, and wrote a simple note editor in user-space that utilizes the TPU to perform string operations.
I have released all the source code and my exploit scripts for this challenge, along with the patches needed for the Linux kernel and QEMU.

Tuesday, October 2, 2018

[Note] Learning KVM - implement your own kernel

A few weeks ago I solved a great KVM escaping challenge from TWCTF, hosted by @TokyoWesterns. I have written a write-up on my blog: [Write-up] TokyoWesterns CTF 2018 - pwn240+300+300 EscapeMe, but it mentions nothing about KVM because there's no bug (at least I didn't find one) around it.

Most introductory articles about KVM I found actually introduce either libvirt or qemu and lack any explanation of how to utilize KVM directly; that's why I wrote this post.

This thread is a good start for implementing a simple KVM program. Some projects such as kvm-hello-world and kvmtool are worth a look as well. And OSDev.org has great resources for learning system architecture knowledge.

In this post I will introduce how to use KVM directly and how it works; I hope this article can be a quick start for beginners learning KVM.

I've created a public repository for the source code of the KVM-based hypervisor and the kernel: david942j/kvm-kernel-example. You can clone it and try it after reading this article.
Warning: all code in this post may be simplified to clearly show its function; if you want to write some code, I highly recommend you read the examples in the repository instead of copy-pasting code from here.

Wednesday, September 5, 2018

[Write-up] TokyoWesterns CTF 2018 - pwn240+300+300 EscapeMe

The best KVM (Kernel-based Virtual Machine) challenge I've ever seen! Thanks to @shift_crops for giving such a great challenge. He released the source code of EscapeMe after the contest as well.

Tuesday, June 26, 2018

[Write-up] Google CTF 2018 - pwn420 sandbox compat

Basic Info
This is an interesting sandbox-escaping challenge! Though I solved it after the game, I still want to share how fun this challenge is, so I made this write-up.


The attachment contains the binary and source code; you can find them in my GitHub repository.

Thursday, April 5, 2018

[Write-up] 0ctf quals 2018 - pwn1000 Mighty Dragon

Glad to say that we (HITCON) were the only team that solved this challenge :D
But in my opinion this challenge is more like a reversing challenge than a pwnable one.
This is a pwn challenge, but the pwn part is extremely easy, and the hardest part is to understand what this binary is doing. Anyway, let's see the details.




Tuesday, November 7, 2017

[Official Write-up] HITCON CTF 2017 - pwn327 Real Ruby Escaping

Introduction


The attachment can be found in my repository: link

Many people asked me to give this write-up because I announced on IRC that all 11 teams used unintended solutions. Now comes the intended one :D

This task asks you to exploit the Ruby interpreter, given arbitrary Ruby code execution but protected by seccomp rules.