Fourchain - Prologue

Nspace — 11/27/2022 5:34 AM

  we have the browser chain

gallileo [flagbot] — 11/27/2022 5:39 AM

  I think we are ready for remote

  2-3 minutes for vm to launch

david — 11/27/2022 5:40 AM

  hell yeah

Nspace — 11/27/2022 5:41 AM

  we have a shell on the vm

  root on the vm

The Organizer — 11/27/2022 5:43 AM

  The flag: hitcon{G00dbY3_1_4_O_h3LL0_Pwn_2_Own_BTW_vB0x_Y_U_N0_SM3P_SM4P_??!!}

gallileo [flagbot] — 11/27/2022 5:43 AM

  first try everything and first blood

  didnt have to restart a single exploit 🙂

The discord convo during our solve of the final fullchain challenge, does not do our emotions justice ;) Probably the longest and most exhilarating exploit I have ran.

Introduction

Fourchain was a series of four1 challenges released during HITCON 22 CTF. After the CHAOS series from last year’s edition, we thought it would be hard to top that. However, the good people at HITCON managed to do it and I can confidently say that this series of challenges was the best pwnables I have encountered so far. Not only were they quite fun and insanely challenging, they also showcased that CTF challenges are not just simple exercises, but reflect the actual real world (more on that later). What follows are writeups of the four separate parts, followed by the fullchain and finally some closing thoughts. If you follow along, you should be able to create your own exploit, going from javascript code execution to escaping the hypervisor, just like seen below ;)

Table of Contents

Since the different stages are mostly independent, you can read them in any order. However, to understand the fullchain, it makes sense to first have read all of the other ones. The chapters are as follows:

  1. Technically five, but the fifth challenge “just” consisted of chaining the other four together.