
Monday, December 13, 2021

[Official Write-up] HITCON CTF 2021 - chaos

Foreword

I planned to go through the details of these challenges and how the components interacted with each other. But after seeing the team organizers post their write-up, which is so well organized and detailed, I had a different thought. So readers, please refer to their write-up, especially the "challenge architecture" section, which is accurate and illustrated. I suggest you read their article if you'd like to know how to solve these challenges, and come back here if you are interested in knowing things that only the challenge author knows 😉

Before sharing fun facts or intended solutions I have to thank the co-author of these "chaos" challenges - lyc. lyc also designs a lot of crypto challenges for HITCON CTF every year, and without his help I wouldn't have had enough ideas or time to design this whole thing.

For this year's HITCON CTF I provided several challenges (most in the pwnable category and some in reversing); CHAOS was the one I spent the most time designing and developing. I have released all sources and intended solutions on GitHub: https://github.com/david942j/hitcon-2021-chaos. If you check the commit history you can see there are 110 commits in total and the first one was made on Nov 1st.
Speaking of time, I noticed some teams complained that CHAOS was not released at the beginning of the game - I'm pretty sorry about this 😢. My original intention indeed was to release them at game start. However, we were too busy preparing other challenges, and it was two hours after the game started that I finally finished the exploit scripts for chaos-sandbox (I had to ensure it was truly exploitable on the remote service before releasing it to the public!). That was why we released them in the 4th hour of the game. Fortunately they were all solved by at least 2 teams, which already met my expectations.

This challenge set included three problems, and we named them chaos-firmware, chaos-kernel, and chaos-sandbox.


Their categories were marked as [crypto|pwn]+ because some of them were pure pwnables and some of them required both techniques, and we didn't want that to be revealed - the true categories in our minds were "crypto,pwn", "pwn", and "crypto,pwn" for chaos-firmware, kernel, and sandbox, respectively. It turned out that for chaos-sandbox a solution without any crypto knowledge existed (I felt so dumb when the team organizers told me their solution 😭), so it actually could be a pure pwn challenge; I will talk about what happened there later.

Tuesday, October 2, 2018

[Note] Learning KVM - implement your own kernel

A few weeks ago I solved a great KVM escape challenge from TWCTF hosted by @TokyoWesterns. I have given a write-up on my blog: [Write-up] TokyoWesterns CTF 2018 - pwn240+300+300 EscapeMe, but it mentions nothing about KVM because there's no bug (at least none I found) around it.

Most introductory articles about KVM that I found actually introduce either libvirt or qemu and lack details on how to use KVM directly; that's why I wrote this post.

This thread is a good start for implementing a simple KVM program. Some projects such as kvm-hello-world and kvmtool are worth a look as well. And OSDev.org has great resources for learning system architecture.

In this post I will introduce how to use KVM directly and how it works; I hope this article can be a quick start for beginners learning KVM.

I've created a public repository for the source code of the KVM-based hypervisor and the kernel: david942j/kvm-kernel-example. You can clone it and try it out after reading this article.
Warning: all code in this post may be simplified to clearly show its function. If you want to write some code, I highly recommend you read the examples in the repository instead of copy-pasting code from here.