Monday, December 13, 2021

[Official Write-up] HITCON CTF 2021 - chaos

Foreword

I planned to go through the details of these challenges and how their components interacted with each other. But after seeing that the team organizers had posted their write-up, which is so well organized and detailed, I had a different thought. So readers, please refer to their write-up, especially the "challenge architecture" section, which is accurate and illustrated. I suggest you read their article if you'd like to know how to solve these challenges, and come back here if you are interested in knowing things that only the challenge author knows 😉

Before sharing fun facts or intended solutions I have to thank the co-author of these "chaos" challenges - lyc. lyc has also designed a lot of crypto challenges for HITCON CTF every year, and without his help I wouldn't have had enough ideas or time to design this whole thing.

For this year's HITCON CTF I provided several challenges (most in the pwnable category and some in reversing); CHAOS was the one I spent a lot of time designing and developing. I have released all sources and intended solutions on GitHub: https://github.com/david942j/hitcon-2021-chaos. If you check the commit history you can see there are 110 commits in total, and the first one was made on Nov 1st.
Speaking of time, I noticed some teams complained that CHAOS was not released at the beginning of the game - I'm pretty sorry about this 😢. My original intention was indeed to release them at game start. However, we were too busy preparing other challenges; it was two hours after the game started that I finally finished the exploit scripts for chaos-sandbox (I had to make sure it was truly exploitable on the remote service before releasing it to the public!). That was why we released them in the 4th hour of the game. Fortunately they were all solved by at least 2 teams, which already met my expectations.

This challenge set included three problems, which we named chaos-firmware, chaos-kernel, and chaos-sandbox.


Their category was marked as [crypto|pwn]+ because some of them were pure pwnables and some required both techniques, and we didn't want that to be revealed - the true categories in our minds were "crypto,pwn", "pwn", and "crypto,pwn" for chaos-firmware, kernel, and sandbox, respectively. It turned out that for chaos-sandbox a solution without any crypto knowledge existed (I felt so dumb when the team organizers told me their solution 😭), so it actually could be a pure pwn challenge; I will talk about what happened there later.