HITCON CTF Quals 2019 challenges

Author: david942j

README.md

@@ -140,8 +140,19 @@ These challenges are created by me so there're scripts for creating them.
 * EOP (rev 257pts)
 * abyss (pwn 230 + 292 + 262pts)
 * groot (pwn 305pts)
-* HITCON (327 pts)
-* unexecutable (360 pts)
+* HITCON (pwn 327pts)
+* unexecutable (misc, pwn 360pts)
+
+## hitcon-quals-2019
+
+These challenges are created by me so there're scripts for creating them.
+
+* PoE (pwn 284 + 500 + 500pts)
+  - [writeup](https://david942j.blogspot.com/2019/10/official-write-up-hitcon-ctf-quals-2019.html)
+* Welcome (welcome 50pts)
+* Revenge of Welcome (misc 105pts)
+* Suicune (rev 305pts)
+* heXDump (misc 202pts)
 
 ## meepwnctf-2018
 

hitcon-quals-2019/PoE/DESCRIPTION.md

@@ -0,0 +1,45 @@
+# PoE I - Luna [284pts]
+
+Path of Exploitation I
+
+Try this brand new editor - Luna the Legendary Ultra Note Accelerator!
+
+`nc 13.230.132.4 21700`
+
+Author: david942j
+
+20 Teams solved.
+
+
+# PoE II - Cord [500pts]
+
+Path of Exploitation II
+
+Who needs C++ string if there is Linux cord?
+
+`nc 13.230.132.4 21701`
+
+Author: david942j
+
+Nobody solved yet.
+
+Hint
+
+*Corrupted queue is good*
+
+Hint
+
+*Race condition is not needed to trigger the bug*
+
+
+# PoE III - TPU [500pts]
+
+Path of Exploitation III
+
+Everything could be HW-accelerated.
+
+`nc 13.230.132.4 21702`
+
+Author: david942j
+
+Nobody solved yet.

hitcon-quals-2019/PoE/Makefile

@@ -0,0 +1,84 @@
+FLAG1 ?= <FLAG1 WILL BE HERE>
+FLAG2 ?= <FLAG2 WILL BE HERE>
+DISK ?= disk
+INIT ?= init
+
+all: qemu kernel user test solution fs
+
+release: qemu kernel user
+	rm -fr release/disk_clean
+	tar xf disk_clean.tar.gz -C release/
+	# bios
+	mkdir -p release/pc-bios
+	cp qemu/build/pc-bios/bios-256k.bin release/pc-bios
+	cp qemu/build/pc-bios/kvmvapic.bin release/pc-bios
+	cp qemu/build/pc-bios/linuxboot_dma.bin release/pc-bios
+	cp qemu/build/pc-bios/vgabios-stdvga.bin release/pc-bios
+	cp qemu/build/pc-bios/efi-e1000.rom release/pc-bios
+	# qemu
+	mkdir -p release/x86_64-softmmu
+	cp qemu/build/x86_64-softmmu/qemu-system-x86_64 release/x86_64-softmmu
+	# kernel
+	cp linux/arch/x86_64/boot/bzImage release/
+	cp linux/drivers/misc/tpu/tpu.ko release/
+	cp linux/drivers/misc/tpu/tpu.ko release/disk_clean
+	# user
+	cp src/luna release/luna
+	cp src/luna release/disk_clean/home/poe/
+	$(MAKE) DISK=release/disk_clean INIT=init_release fs
+	rm -fr release/disk_clean
+	cd release && tar cvfz ../poe.tar.gz *
+
+deploy: .PHONY
+	$(MAKE) 'FLAG1=<FLAG1 WILL BE HERE>' 'FLAG2=<FLAG2 WILL BE HERE>' release
+	rm -fr deploy/disk deploy/x86_64-softmmu deploy/pc-bios
+	tar xf disk_clean.tar.gz -C deploy/
+	mv deploy/disk_clean deploy/disk
+	cp -r release/pc-bios release/x86_64-softmmu release/bzImage deploy/
+	cp release/tpu.ko deploy/disk/
+	cp release/luna deploy/disk/home/poe
+	$(MAKE) DISK=deploy/disk INIT=init_release fs
+	mv deploy/initramfs.cpio.gz deploy/poe1.cpio.gz
+	cd deploy && tar cvfz ../deploy.tar.gz *
+
+fs:
+	echo "$(FLAG1)" > $(DISK)/home/poe/flag1
+	echo "$(FLAG2)" > $(DISK)/flag2
+	cp src/disk/$(INIT) $(DISK)/init
+	cd $(DISK) && find . | cpio -o -Hnewc | gzip -9 > ../initramfs.cpio.gz
+
+test:
+	$(MAKE) -C tests
+	rm -fr disk/tests/
+	cp -r tests/ disk/
+	$(MAKE) fs
+
+solution:
+	$(MAKE) -C sol
+	cp sol/cord_exp disk/
+	cp sol/tpu_exp disk/
+	$(MAKE) fs
+
+user: src/luna.c
+	$(CXX) src/luna.c -o src/luna -I./src/linux/include/uapi/ -static
+	cp src/luna disk/home/poe/
+	$(MAKE) fs
+
+qemu: src/qemu/hw/misc/tpu.c src/qemu/hw/misc/tpu-ir.h
+	cp src/qemu/hw/misc/tpu.c qemu/hw/misc/
+	cp src/qemu/hw/misc/tpu-ir.h qemu/hw/misc/
+	# mkdir -p qemu/build && cd /home/PoE/qemu/build && ../configure --target-list=x86_64-softmmu && make -j `nproc`
+	cd /home/PoE/qemu/build && make -j `nproc`
+	strip --strip-debug qemu/build/x86_64-softmmu/qemu-system-x86_64
+
+kernel: src/linux/drivers/misc/tpu/tpu-*.c src/linux/drivers/misc/tpu/tpu-*.h src/linux/include/uapi/linux/cord.h
+	rm -rf linux/drivers/misc/tpu
+	cp -r src/linux/drivers/misc/tpu linux/drivers/misc/
+	cp src/qemu/hw/misc/tpu-ir.h qemu/hw/misc/
+	cp src/linux/include/uapi/linux/cord.h linux/include/linux
+	cd linux && make -j `nproc`
+	strip --strip-debug linux/drivers/misc/tpu/tpu.ko
+	cp linux/drivers/misc/tpu/tpu.ko disk/
+	$(MAKE) fs
+
+.PHONY:

hitcon-quals-2019/PoE/README.md

@@ -0,0 +1 @@
+DESCRIPTION.md

hitcon-quals-2019/PoE/release/README.md

@@ -0,0 +1,24 @@
+# Path of Exploitation
+
+## PoE I - Luna
+
+- Analyze the binary `luna` should be enough for solving this challenge.
+- There's a proof-of-work challenge on remote service.
+
+## PoE II - Cord
+
+- No PoW, but you have to solve PoE I to get the password for this challenge.
+- A file uploader is provided on remote for your convenience.
+- Linux commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8, tag: v5.3
+
+## PoE III - TPU
+
+- Solve PoE II to get the password for this challenge.
+- Don't waste time on the binaries under pc-bios/, they are normal BIOS.
+- You can upload a file as PoE II does, the uploaded file will be executed under *root* permission.
+- Flag: `/home/poe/flag` on host.
+- Run on the latest Ubuntu 18.04.
+- QEMU commit 9e06029aea3b2eca1d5261352e695edc1e7d7b8b, tag: v4.1.0
+
+
+* All services have a hard timeout 120 seconds.

hitcon-quals-2019/PoE/release/poe.tar.gz

@@ -0,0 +1,8 @@
+all: cord_exp tpu_exp
+
+cord_exp: cord_exp.c
+	$(CC) -o cord_exp -static cord_exp.c
+	strip cord_exp
+tpu_exp: tpu_exp.c
+	$(CXX) -o tpu_exp -static tpu_exp.c
+	strip tpu_exp