Quarkslab Challenge 2021

Try your skills (and luck) in our first Capture the Flag held by Quarkslab!

Challenge 2021

We are in a worldwide pandemic. Bars and restaurants are closed in many places. With lockdowns and travel restrictions, meeting with friends is complicated and sometimes only possible virtually. Inside our homes, we are now only one step away from opening a bakery, and we all get bored…

BUT

We thought that there is one way we could make it better and bring joy and happiness for those of you who like to understand and break things (you know who you are ;)).

We did then what we do best and designed 3 challenges! No, no, no, you dont have to say thank you, at least not after having solved them.

Ok, how do I participate in this thing?

Participation

The contest takes the form of three challenges to solve, with increasing difficulty at each step.

By solving the first two steps, you will obtain a flag; send us each flag once obtained at the indicated email address below to register your success.

For the third and final challenge, send us the exploitation script you have used to register your success.

To win, a participant must complete all three challenges.

The first three participants to send us the two flags of challenges 1 and 2 and the exploitation script of challenge 3 will be awarded a prize.

If you manage to resolve the three challenges and wish to qualify for the optional second category, send us a write-up of your solution. The three best write-ups will be published on this page.

Duration

The challenge is opened from February, 11th to March, 26th. Flags and writeups will be accepted until March, 26th 12am CET (Paris time). No submission will be accepted after this date.

Submissions

To send flags and writeups, please send an email formatted in plain text, with your pseudonym, at challenge2021 (a) quarkslab.com

Prizes

Two rankings will be established:

  • one for speed;
  • one for the writeups, assessing their quality.

The top 3 winners for each category (speed and quality) will be announced on this page and on our Twitter account (@quarkslab).

The winners will each obtain the following prizes:

  • 1st: 1x Proxmark RDV4.01
  • 2nd: 1x HydraNFC Shield v2
  • 3rd: 1x The Ghidra Book: The Definitive Guide

Prizes will be sent through postal service to each winner. You will be contacted via the email address used to submit the flags and exploit script to confirm your postal address.

All right, I get it, just gimme the files!

Here you go! Below are the details for each challenge, as well as the download links.

Have fun :)!

1st Challenge: WebAssembly

It’s amazing what you can do with WebAssembly!

Do you feel like taking on this new and shiny language?!

Don’t forget your sunglasses, it’s time to wasm!

Download

SHA-1: 4d65d3b079efa83fd746890ef212f9c31d5793df

SHA-256: 099e9539f6295a6edf5067fc97eae8e80de025dc3b1c8c58f930325380d0041e

2nd Challenge: Crypto

AES is so backdoored; we decided to make our own version of it. To top it off, we added
military-grade mathematics, “they” will never ever manage to break.

If you feel like it, try and decrypt the provided message.

We also give you the binary that we used to generate it.

It’s obfuscated so that we can still keep our disruptive design secret!

Good luck!

Download

SHA-1: 4959c067a65fd641ac7368524b0072acf278a969

SHA-256: e8fc3b09705e26718235b66b0578d8d30199026f2d5c4048e073d034bff7996f

3rd Challenge: Exploitation

Here is a disk image, containing a pre-installed NetBSD OS. You should boot it either directly on hardware that supports virtualization, or using Qemu with nested virtualization:

Intel CPUs:

qemu-system-x86_64 -accel kvm -cpu host,+vmx -m 512M -netdev user,id=mynet0,hostfwd=tcp:127.0.0.1:10022-:22 -device e1000,netdev=mynet0 -hda disk.raw

AMD CPUs:

qemu-system-x86_64 -accel kvm -cpu host,+svm -m 512M -netdev user,id=mynet0,hostfwd=tcp:127.0.0.1:10022-:22 -device e1000,netdev=mynet0 -hda disk.raw

If you are using Qemu in a VMWare virtual machine, you should activate Intel VT-X virtualization instructions as well as CPU counter virtualization.

This creates a local NAT, and you can log in and upload files to the VM with:

ssh -p 10022 user@localhost
sftp -P 10022 user@localhost

The user session is: name="user" pass="user".

No special pre-requisite knowledge of NetBSD is required to complete this challenge.

A special program, logroot, can give a root shell. But it expects authentication.

Your goal is to get a root shell via logroot. Reminder: this is not a crypto challenge, this is a vuln research challenge!

Download

SHA1: be563a766e1642c60c083d9f60a0f71cfbda0689

SHA256: 3124cd7c435463cc5a1f01443777c5cbb2886d958e34f326aa6607a6b00c63a7

Extra rules to please legal…

The contest is open to all, at the exception of Quarkslab employees and interns.

Participants can work in teams, however only one prize per team will be awarded.

Participants are not allowed to share or publish flags or exploitation script during the duration of the contest. On the same note, participants must refrain to post solutions before the end of the contest.

By sending your write-up, you give your explicit consent to its publication, along with the associated pseudonym. Published exploitation scripts present in the write-ups will be under a GPLv3 licence.

Participants who did not comply with these rules will be disqualified.

Results

1st Challenge: WebAssembly

Ranking

Nickname

Submission date

1

Sin__

February 11th, 6.41pm UTC+1

2

Ledger Donjon

February 16th, 5.17pm UTC+1

3

ElyKar

February 17th, 5.14pm UTC+1

2nd Challenge: Crypto

Ranking

Nickname

Submission date

1

Ledger Donjon

February 17th, 10.31pm UTC+1

3rd Challenge: Exploitation

Ranking

Nickname

Submission date

1

Ledger Donjon

February 13th, 2.29pm UTC+1