The Wayback Machine - https://web.archive.org/web/20201113071113/https://github.com/stypr/flagchecker
flagchecker

Effective cheating detection for CTFs and similar competitions. Feel free to submit pull requests.

This idea was inspired by the way flags were generated in a Korean domestic CTF called Cyber Conflict Exercise.

I decided to create this from scratch.

How it works

In many recent CTF competitions, Docker has been used for effective competition management, such as container isolation and log tracing.


All Docker containers share the host kernel, which means that loading a kernel module on the host also affects every Docker instance running on it. Wikipedia says that

Docker uses resource isolation features of the Linux kernel such as cgroups and kernel namespaces to allow independent "containers" to run within a single Linux instance, avoiding the overhead of starting virtual machines.

This also means that hooking a syscall in the host kernel affects the containers too.

With this in mind, I developed a simple Linux kernel module called flagchecker that generates a random flag and records it somewhere on the host instance, so that users' flag submissions can be traced.

(Figure: patched Docker structure)

What flagchecker does is as follows:

  1. Hooks the read() syscall.

  2. Whenever a process issues a read() syscall, the module scans the returned data for the flag string.

    To keep the server from suffering a performance bottleneck, the module only inspects the first 255 bytes of each read.

  3. When the scanned data contains the hardcoded flag value:

    1. A random value is generated (hex characters 0-9, a-f).

    2. The original string is replaced with the randomly generated value.

    3. /srv/flag.py is then executed to record the randomly generated value.


This project was tested at a small CTF named BingoCTF, sponsored by Power of Community (POC).

During the test, I created an additional server within the instance to gather the flags and communicate with the scoreboard server.


Having the flagchecker on the same machine made it easier for the scoreboard server to integrate and for organizers to check cheating attempts.

How to use

Please refer to each directory for more information.

Known Issues

  1. Reading only part of the flag leaks the original flag content.

    For example, head -c68 /flag reads only part of the flag, so the hook never sees the full string and the original flag leaks. Make sure the original flag value is randomly generated and does not conflict with other flags.

  2. The kernel crashes when you rmmod the module after having insmod'ed it multiple times.

    It is better to reboot the server than to try to remove the module repeatedly.

  3. Side-channel attacks

    I haven't verified or succeeded in exploiting this, but strstr may be vulnerable to timing attacks. (Reported by a person who tested this module during the initial development.)

  4. Does not work on the latest kernels

    Distributions shipping a 5.x kernel may not work. There seem to be many workarounds for this, but I was not able to test them successfully. If anyone is interested in fixing it, a PR would be really helpful.
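The rewrite step described under "How it works" and the partial-read leak from known issue 1, modelled in userspace as an added example. This is not the project's kernel module: the real hook runs inside read() in the kernel, whereas this is a plain C program that applies the same buffer transformation to data a caller hands it. The flag value, the 255-byte scan window, the in-memory log standing in for what /srv/flag.py records, and the function names rewrite_flag, submission_is_valid and partial_read_leaks are all constructed for the example; replacing the flag with a token of the same length is an assumption made so the read() return length stays unchanged.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SCAN_LIMIT 255          /* the module only inspects the first 255 bytes of a read */
#define MAX_ISSUED 16

/* Hardcoded flag, constructed for this example (the real one is set by the organizer). */
static const char REAL_FLAG[] = "FLAG{constructed_example_flag_value}";

/* Stand-in for the record /srv/flag.py keeps: every random token handed out. */
static char issued_log[MAX_ISSUED][64];
static size_t issued_count = 0;

/* Fill dst with n random lowercase hex characters (0-9, a-f). */
static void random_hex(char *dst, size_t n) {
    static const char hex[] = "0123456789abcdef";
    for (size_t i = 0; i < n; i++)
        dst[i] = hex[rand() % 16];
}

/* Model of the post-read hook. buf/len is what read() returned to the caller.
   Scans at most SCAN_LIMIT bytes with a bounded memcmp search (the README says the
   module uses strstr; a bounded search is used here because buf need not be
   NUL-terminated). Returns 1 if the flag was found and replaced in place. */
int rewrite_flag(char *buf, size_t len) {
    size_t scan = len < SCAN_LIMIT ? len : SCAN_LIMIT;
    size_t flen = strlen(REAL_FLAG);
    if (scan < flen)
        return 0;                           /* too short to contain the whole flag */
    for (size_t i = 0; i + flen <= scan; i++) {
        if (memcmp(buf + i, REAL_FLAG, flen) != 0)
            continue;
        char token[64];
        random_hex(token, flen);            /* same length as the flag (assumption) */
        memcpy(buf + i, token, flen);       /* the reader only ever sees the token */
        if (issued_count < MAX_ISSUED) {    /* record it, as /srv/flag.py would */
            memcpy(issued_log[issued_count], token, flen);
            issued_log[issued_count][flen] = '\0';
            issued_count++;
        }
        return 1;
    }
    return 0;
}

/* Scoreboard side: a submission is valid only if it is a token we handed out,
   so two teams submitting the same token is a direct cheating signal. */
int submission_is_valid(const char *submitted) {
    for (size_t i = 0; i < issued_count; i++)
        if (strcmp(issued_log[i], submitted) == 0)
            return 1;
    return 0;
}

size_t issued_token_count(void) { return issued_count; }

/* Known issue 1: a read() shorter than the flag (e.g. head -c N /flag) never
   contains the full string, so the hook does not fire and the original leaks.
   Returns 1 if the caller would have received unmodified flag bytes. */
int partial_read_leaks(size_t nbytes) {
    char buf[256];
    size_t flen = strlen(REAL_FLAG);
    size_t n = nbytes < flen ? nbytes : flen;
    memcpy(buf, REAL_FLAG, n);
    int rewritten = rewrite_flag(buf, n);
    return !rewritten && memcmp(buf, REAL_FLAG, n) == 0;
}

int main(void) {
    char buf[64];
    strcpy(buf, REAL_FLAG);
    rewrite_flag(buf, strlen(buf));
    printf("reader sees: %s (valid submission: %d)\n", buf, submission_is_valid(buf));
    printf("partial read of %zu bytes leaks: %d\n", strlen(REAL_FLAG) - 1,
           partial_read_leaks(strlen(REAL_FLAG) - 1));
    return 0;
}
```

The two checks worth running against any deployment of this idea are the ones the model makes explicit: a flag that sits past the scan window, or a read that stops short of the full string, reaches the reader unmodified, which is why the README advises that the hardcoded value itself be random and unique per instance.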

About

For effective cheating detection in CTFs. Uses a Linux kernel module (LKM) to generate flags.
