prettify code

2019年10月23日 星期三

[Official Write-up] HITCON CTF Quals 2019 - Path of Exploitation

Path of Exploitation (PoE) are the pwn challenges I designed for this year's HITCON CTF qualification. It contains three stages/layers, hackers have to exploit a user-space program, do privilege escalation on Linux, and attack the custom device embedded in QEMU. Solve all three stages to be the master of pwn!

This challenge has a similar hierarchy as "Abyss" has, which is also my series of challenges in HITCON CTF 2018. Abyss contains three layers as well, the user-space program, the kernel, and the hypervisor, but with the self-implemented kernel and hypervisor based on KVM.

For PoE, I modified the latest QEMU source code to add a custom device, Treap Processing Unit (TPU), developed a Linux kernel module to drive my fancy device, and a simple note editor in user-space that utilize TPU to perform string operations.
I have released all the source code and my exploit scripts  for this challenge, along with the patch needed for Linux kernel and QEMU.

2018年10月2日 星期二

[Note] Learning KVM - implement your own kernel

Few weeks ago I solved a great KVM escaping challenge from TWCTF hosted by @TokyoWesterns. I have given a writeup on my blog: [Write-up] TokyoWesterns CTF 2018 - pwn240+300+300 EscapeMe, but it mentions nothing about KVM because there's no bug (at least I didn't find) around it.

Most introduction articles of KVM I found are actually introducing either libvirt or qemu, lack of how to utilize KVM directly, that's why I have this post.

This thread is a good start to implement a simple KVM program. Some projects such as kvm-hello-world and kvmtool are worthy to take a look as well. And OSDev.org has great resources to learn system architecture knowledge.

In this post I will introduce how to use KVM directly and how it works, wish this article can be a quick start for beginners learning KVM.

I've created a public repository for the source code of KVM-based hypervisor and the kernel: david942j/kvm-kernel-example. You can clone and try it after reading this article.
Warning: all code in this post may be simplified to clearly show its function, if you want to write some code, I highly recommend you read examples in the repository instead of copy-paste code from here.

2018年9月5日 星期三

[Write-up] TokyoWesterns CTF 2018 - pwn240+300+300 EscapeMe

The best KVM (Kernel-based Virtual Machine) challenge I've ever seen! Thanks @shift_crops for giving such great challenge. He released the source code of EscapeMe after the contest as well.

2018年6月26日 星期二

[Write-up] Google CTF 2018 - pwn420 sandbox compat

Basic Info
This is an interesting sandbox-escaping challenge! Though I solved it after the game, still want to share how fun this challenge is, so I make this writeup.


Attachment contains the binary and source code, you can find them in my github repository.

2018年4月5日 星期四

[Write-up] 0ctf quals 2018 - pwn1000 Mighty Dragon

Glad to say that we (HITCON) are the only team solved this challenge :D
But in my opinion this challenge is more like a reversing but not a pwnable one.
This is a pwn challenge - but the pwn part is extremely easy, and the hardest part is to understand what is this binary doing. Anyway, let's see the details.




2017年11月7日 星期二

[Official Write-up] HITCON CTF 2017 - pwn327 Real Ruby Escaping

Introduction


The attachment can be found in my repository: link

Many people ask me to give this writeup because I announced that all the 11 teams used unintended solution on IRC. Now comes the intended one :D

This task asks you to exploit the ruby interpreter, given arbitrary ruby code execution but protected by seccomp rules.

2017年9月11日 星期一

[Write-up] Tokyo Westerns CTF 2017 - rev500 Steganographer Revenge

It's a long time since I last wrote a writeup for reversing challenge! Since we(217) are the only team to solve this, and it's a great challenge, I decide to do so.This challenge was solved by me and my teammate +PZ Read.