In this challenge, the goal was to exploit a custom made kernel called PhotonOS, which is publicly available at https://github.com/JustBeYou/PhotonOS/tree/xmas-challenge1. However, we went the easy and probably unintended way to get both flags.
Flag 1 is simply stored as a global variable:
Flag 2 is XOR-encrypted and stored alongside the key at address
There was no difference between userspace addresses and kernelspace addresses. Also, there are plenty of buffer overflows, e.g. the following one where we can overflow
So the obvious idea would be a ROP chain. However, when setting up the challenge locally, we saw that GRUB2 is used and we can switch to the grub shell at boot.
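The XOR scheme for flag 2, with the key stored right next to the ciphertext, gives no confidentiality to anyone who can read the image. The following is an added example, not code from the writeup or from PhotonOS: the region layout, offset, key and flag value are constructed stand-ins.

```python
"""Added example: XOR 'encryption' with the key stored beside the ciphertext.
Layout, offset, key and flag below are constructed, not PhotonOS values."""
import struct
from typing import Tuple

# Constructed layout at REGION_OFFSET: u16 key_len | key | u16 ct_len | ct
REGION_OFFSET = 0x200

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def build_image(flag: bytes, key: bytes) -> bytes:
    """Build a fake image: zero padding, then key and ciphertext side by side."""
    ct = xor_bytes(flag, key)
    region = struct.pack("<H", len(key)) + key + struct.pack("<H", len(ct)) + ct
    return b"\x00" * REGION_OFFSET + region + b"\x00" * 64

def parse_region(image: bytes, offset: int) -> Tuple[bytes, bytes]:
    """Read key and ciphertext from the region at `offset`, with bounds checks."""
    def read(pos: int, n: int) -> bytes:
        if pos + n > len(image):
            raise ValueError("region runs past end of image")
        return image[pos:pos + n]
    (key_len,) = struct.unpack("<H", read(offset, 2))
    key = read(offset + 2, key_len)
    pos = offset + 2 + key_len
    (ct_len,) = struct.unpack("<H", read(pos, 2))
    return key, read(pos + 2, ct_len)

def recover_flag(image: bytes, offset: int = REGION_OFFSET) -> bytes:
    """Whoever can read the image (e.g. from a boot shell) decrypts directly."""
    key, ct = parse_region(image, offset)
    return xor_bytes(ct, key)

def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Even without the stored key, known plaintext XOR ciphertext = keystream."""
    return xor_bytes(ciphertext, plaintext[:len(ciphertext)])

# Constructed sample values
SAMPLE_FLAG = b"FLAG{constructed_sample_value}"
SAMPLE_KEY = b"k3y!"
SAMPLE_IMAGE = build_image(SAMPLE_FLAG, SAMPLE_KEY)

if __name__ == "__main__":
    print(recover_flag(SAMPLE_IMAGE))
```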
Leaking the flags
The boot image consists of three files:
initrd contains information about the filesystem, so it contains flag 2, which is stored in the filesystem as testfile.txt. This file is located at the end of the initrd and we can just use cat /boot/initrd in the grub shell to get the flag. Unfortunately, flag 1 is stored somewhere in the middle of photon.elf, at offset 0x11000 to be more precise. Transmitting the screen via netcat is much slower than printing the characters to the screen, so if we print a large file, we miss a lot of data in between. Therefore, we cannot just use cat to leak this file. But, fortunately, grub comes with hexdump, which allows us to print a file from a given offset.
While this challenge did not really improve my kernel exploitation skills due to my own laziness, I learned a few new things about grub and how to make netcat send each character immediately instead of sending them line by line: stty -icanon -echo && nc 127.0.0.1 1337. And of course, I had a lot of fun solving this and other challenges of this year's X-MAS CTF!