You should complete the Kernel Security module and the Kernel Exploitation module before attempting these challenges.

Notes

These challenges use /challenges/run.sh as a starting point. They do not use the vm script at all.

You can run /challenges/run.sh <bin path> to copy the exploit binary into the VM. In most cases, the exploit binary should be statically linked, since there is no glibc runtime inside the init rootfs.

There are hints encoded in base64. If you feel stuck after a day or two, feel free to take the hints for new ideas. After all, the dojo is for learning, not for scoring anyone.

In practice mode, to aid debugging, edit run.sh to modify the qemu arguments:

  • Add nokaslr to the kernel command line after the -append flag.
  • Enable KVM with the -enable-kvm flag for better performance.
  • Add the -s flag to expose a gdb stub on port 1234.

Recommended readings



Challenges

Learn msg_msg.

Notes

I fixed the SMEP config bug in the original qemu run.sh script.

Hint 1:

T2ZmLWJ5LW9uZSBpbiBlZGl0Cg==

Hint 2:

VGhlcmUgYXJlIDIgYnVncy4K

Connect with SSH

Link your SSH key, then connect with: ssh [email protected]

After repeated attacks on poor kernel objects, I've decided to place pwners in a special isolated place - a marooned region of memory. Good luck escaping out of here :^)

Notes

  • You can use /challenge/run.sh <exploit> to run the challenge. However, because the kernel is compiled without block device support, the initramfs has to be re-compressed on every run. This may lead to an unstable physical layout of the image.
  • The original event did not provide mod.c during the contest. But to focus on the bug, here I gift it to you.


Instruction

  • You have a busybox shell running as the user user
  • Try exploiting rose.ko to achieve privilege escalation
  • You may assume that busybox, the Linux kernel, and Qemu are not vulnerable.

Files

  • /challenge/rose.ko: The vulnerable driver
  • /challenge/src/rose.c: The source code of rose.ko

Notes

  • FG-KASLR is enabled
  • Your exploit should be kernel-agnostic. In other words, it should not rely on any kernel offsets


Elastic objects seem to have even more power in many more slabs!

Can you use RetSpill and bypass FGKASLR to solve this?

Notes

  • You can use /challenge/run.sh <exploit> to run the challenge. However, because the kernel is compiled without block device support, the initramfs has to be re-compressed on every run. This may lead to an unstable physical layout of the image.
  • The original event did not provide firewall.c during the contest. But to focus on the bug, here I gift it to you.

Hints

Hint 1: Is the module safe?

VGhlcmUgaXMgYSBVQUYgYnVnIG9uIHRoZSBkdXBsaWNhdGUgZnVuY3Rpb24K

Hint 2: How to bypass FGKASLR?

FGKASLR is short for Function Granular Kernel Address Space Layout Randomization.

Hint 3: Is RetSpill impossible for this kernel?

U3RhY2sgc2hpZnRpbmcgZ2FkZ2V0IChub3QgcGl2b3RpbmcpIGFyZSBgYWRkIHJzcCwgMHguLmAg
YW5kIC4uID8gQnV0IHRoZQ1sYXR0ZXIgZ2FkZ2V0IGtpbmQgaXMgbm90IGFzIGdvb2QgYXMgdGhl
IGZvcm1lciBvbmUuIEl0IGRvZXMgbm90IHNraXAgdGhlIGNsZWFuIHVwIHBhcnQuCg==


Format string, but in the kernel?

Notes

For this challenge, you can use the vm script to start the challenge.

