pwn.college (CSE466) speedrun any%
For the past month I have been putting my complete focus on this ASU Computer Systems Security course, CSE466. Over the course of 24 days, I completed 472 challenges which range from basic linux usage to kernel module exploitation. Here is my breakdown of each module.
Preamble⌗
To start, you provide your ssh keys to connect to dojo.pwn.college as hacker
With each module, anything related to the current challenge can be found in /challenge/. The flag file is /flag
As a personal goal, I aimed to solve all of these challenges with vim and binaryninja Before this, I had little to no experience in both
Program Interaction (embryoio)⌗
In essence, this entire module is built on top of one python script. This python script will take in the arguments and perform certain checks based off those arguments. These checks can include
- What program is interacting with the script
- Where the current file descriptors are pointing to
- If it is pointing to a file
- If it is pointing to another running process
- What program is piping input into the script
- What program is recieving output from the script
There’s more but I can’t remember all of them, I found the entire module to be very tedious but it has taught me a better understanding of pipe, dup2, and bash redirections
Program Misuse (babysuid)⌗
For this module, some utility program such as cat or less is changed to become a setuid binary. This elevates the privilleges of the user to root when running the binary. As always, the goal is to read the flag.
As an extra note, for any of you who do REDACTED, you can use REDACTED to quickly breeze through most of these challenges
Assembly Refresher (embryoioasm)⌗
I personally found this module pretty straightforward. If you ever had any experience with reading and writing assembly, you will have a breeze with this module.
It will teach a core assembly concepts such as loops, conditionals, and the stack.
Be sure not to skip this! Reading and writing assembly are key concepts to do several of these modules!
Shellcode Injection (babyshell)⌗
In this module, you are allowed to write any assembly you like, but as you continue, your shellcode must satsify more and more constraints. That can be
- Can not exceed a certain length
- Can not contain certain bytes
- Your shellcode might be modifyied
stdinandstderrmay be closed
All in all, you’ll learn one key trick from this module. You should remember this trick as you may need it in future modules
Sandboxing (babyjail)⌗
This module teaches you to escape two sandboxes, chroot and seccomp.
I think this module teaches you a great understanding of chroot and it’s weaknesses. I certainly did enjoy the last challenge :)
seccomp was also an interesting module. One key idea it teaches is that you don’t always need to write out the flag somewhere, you may use other behaviours of a program to exfiltrate data.
Debugging Refresher (embryoiogdb)⌗
Idk is cheesed all of the levels with the same trick
Reverse Engineering (babyrev)⌗
Oh boy, this is where things start to get fun. For this and future modules, decompilers such as ghidra, ida, or binaryninja will be your best friend. Most of the module is straight forward reverse engineering until you hit yan85.
Now what is yan85? It is a custom architecture with it’s own instructions, and memory layout. Do not try to skimp on these challenges, they will come back to haunt you later.
Memory Errors (babymem)⌗
Ok, after doing half the modules, this is where you start to do some binary exploitation like you see in CTFs. This entire module is focused on buffer overflows and its mitigations.
Also, I believe this is the first challenge where you will have to connect remotely in order to exploit the challenge (ignoring embryoio).
Exploit Scenarios (toddlerone)⌗
With everything you have done up to now, this module is here to try to combine different modules together to exploit a binary. It is certainly a good module for reviewing everything you have learned up to now.
Oh, remember yan85? Well get ready for yan85_64!
Return Oriented Programming (babyrop)⌗
It’s your classic ROP challenges, but given different constraints. That can be several things such as overflow size or filters.
Dynamic Allocator Misuse (babyheap)⌗
Personally thought it was a great module. This module mainly focuses on the tcache and related attacks you can do with that. For me, this is where I started to venture into areas which I did not completely understand beforehand. I have to say, this module certainly did help me understand what the tcache does and what attacks you can do by corrupting metadata
Race Conditions (babyrace)⌗
Great module, taught me a ton about different race conditions within the filesystem and multithreaded program.
Tips:
- Loading and running programs are slow, consider scripting or c
- Use
strace -ftttT <your script>to show how long every syscall takes in the main process and every child - To get more consistent races, try using
usleep - Office hours are OP
Kernel Security (baby kernel)⌗
Oh, this module is what I was looking forward to the most. Kernel exploitation has evaded me for a very long time and I was glad to be able ot sit down and try these challenges. Note that these challenges are done in vms and pwn.college provides a tool call vm to easily connect to an instance, debug and view logs.
I think Yan did a great job teaching this module and he has given me a better understanding of the tools you can use in kernel exploitation.
Tip: 12.0 is hard
Advanced Exploitation⌗
God damn this was a hard module. This module took ROP, heap, race conditions and kernel security and combined them all into one module. Each challenge is difficult but I (and many others) found the office hours to be extremely useful in gaining stable race conditions, and reliable exploits. I believe I chained 3 out of the 4 concepts used in this module to complete the last challenge. It is certainly difficult, but very rewarding to complete all the challenges in pwn college!
Also, once again yan85 pops up again, as a kernel module!?!
Conclusion⌗
All in all, completing pwn.college took 24 days of constant focus and hard work. I have learned several new tricks and have gotten a better understanding of c, bash, the kernel and all the tools I used throughout these challenges.
I want to thank Yan and Connor for putting the effort in making the challenges and lectures available for anyone on the internet to learn.
As for you the reader, I hope to see you with a blue belt soon!