Add presentation slides

kalmarctf-2025/pwn/kalmarvm/.gitignore

@@ -0,0 +1,7 @@
+scratch/
+*.id0
+*.id1
+*.id2
+*.nam
+*.til
+

kalmarctf-2025/pwn/kalmarvm/Makefile

@@ -0,0 +1,17 @@
+.PHONY: all clean cleanall
+
+all: module
+
+linux-ref:
+	$(MAKE) -C linux-skel/
+
+module: linux-ref
+	$(MAKE) -C payload_module KERNELDIR=$(PWD)/linux-skel/linux-skel-6.13.4
+
+clean:
+	$(MAKE) -C payload_module clean
+
+cleanall: clean
+	$(MAKE) -C linux-skel/ clean
+
+.DEFAULT_GOAL := all

kalmarctf-2025/pwn/kalmarvm/chall/Dockerfile

@@ -0,0 +1,15 @@
+FROM ubuntu:24.04@sha256:80dd3c3b9c6cecb9f1667e9290b3bc61b78c2678c02cbdae5f0fea92cc6734ab
+
+RUN apt update && apt install -y socat
+
+RUN groupadd -g 993 kvm && useradd -G kvm ctf
+
+COPY lkvm-static run.sh bzImage initramfs.cpio.gz .
+RUN echo "kalmar{redacted}" > /flag-$(cat /dev/urandom | tr -cd 'a-f0-9' | head -c 32).txt
+
+USER ctf
+ENV HOME=/tmp
+
+EXPOSE 1337
+
+CMD socat tcp-l:1337,reuseaddr,fork exec:/run.sh,pty,echo=0,raw,iexten=0

kalmarctf-2025/pwn/kalmarvm/chall/Dockerfile.build

@@ -0,0 +1,14 @@
+# docker build -o build -t lkvm -f Dockerfile.build .
+FROM ubuntu:24.04 AS build
+
+RUN apt update && apt install -y git build-essential && rm -rf /var/lib/apt/lists/*
+
+RUN git clone git://git.kernel.org/pub/scm/linux/kernel/git/will/kvmtool.git && \
+    cd kvmtool && git checkout e48563f5c4a48fe6a6bc2a98a9a7c84a10f043be
+
+WORKDIR /kvmtool
+
+RUN make lkvm-static
+
+FROM scratch
+COPY --from=build /kvmtool/lkvm-static .

kalmarctf-2025/pwn/kalmarvm/chall/docker-compose.yml

@@ -0,0 +1,8 @@
+services:
+  kalmarvm:
+    build: .
+    ports:
+      - "1337:1337"
+    devices:
+      - /dev/kvm
+    restart: always

kalmarctf-2025/pwn/kalmarvm/chall/run.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+exec timeout --foreground 300 \
+    ./lkvm-static run \
+    -c 1 \
+    -m 128 \
+    -k ./bzImage \
+    -i ./initramfs.cpio.gz \
+    --rng \
+    --console virtio \
+    --balloon

kalmarctf-2025/pwn/kalmarvm/linux-skel/.gitignore

@@ -0,0 +1,2 @@
+linux-6.13.4/
+linux-skel-6.13.4/

kalmarctf-2025/pwn/kalmarvm/linux-skel/Dockerfile.build

@@ -0,0 +1,29 @@
+# Run command: docker build -o linux-skel-6.13.4 -t linux-skel -f Dockerfile.build .
+
+# Clone the specific guest kernel version and compile preprequisites for external module build
+# Doesn't build the full kernel, but still might take a while to download everything
+
+# Set up build environment
+FROM ubuntu:24.04 AS linux-builder
+
+RUN apt update && apt install -y git build-essential libncurses-dev gawk flex bison openssl libssl-dev dkms libelf-dev libudev-dev libpci-dev libiberty-dev autoconf bc
+
+# Only clone the specific commit we need, not the full git history
+RUN git clone --depth 1 --branch v6.13.4 git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git -o kernel
+
+WORKDIR /linux-stable
+
+# Do minimal compilation to get required prereqs for external module build
+RUN make -j$(nproc) defconfig
+RUN make -j$(nproc) modules_prepare
+
+# Get stripped installer to copy required files to /build
+COPY stripped_install.sh .
+RUN chmod +x stripped_install.sh
+RUN ./stripped_install.sh /build
+
+# Copy final artifacts
+FROM scratch
+
+COPY --from=linux-builder /build .
+

kalmarctf-2025/pwn/kalmarvm/linux-skel/Makefile

@@ -0,0 +1,11 @@
+.PHONY: all clean
+
+all: linux-skel-6.13.4
+
+# Build linux-skel-6.13.4 using Docker if it doesn't exist
+linux-skel-6.13.4:
+	docker build -o linux-skel-6.13.4 -t linux-skel -f Dockerfile.build .
+
+# Clean target to remove generated directory
+clean:
+	rm -rf linux-skel-6.13.4

kalmarctf-2025/pwn/kalmarvm/linux-skel/stripped_install.sh

@@ -0,0 +1,94 @@
+# Run from within linux source, installs to /build
+# Vaguely ripped from the Arch Linux PKGBUILD (https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/blob/main/PKGBUILD?ref_type=heads)
+#!/bin/bash
+
+if [ $# -eq 0 ]; then
+    exit 1
+else
+    builddir="$1" 
+fi
+
+mkdir -p "$builddir"
+
+
+echo "Installing build files..."
+# install -Dt "$builddir" -m644 .config Makefile Module.symvers System.map \
+# localversion.* version vmlinux tools/bpf/bpftool/vmlinux.h
+install -Dt "$builddir" -m644 .config Makefile
+install -Dt "$builddir/kernel" -m644 kernel/Makefile
+install -Dt "$builddir/arch/x86" -m644 arch/x86/Makefile
+cp -t "$builddir" -a scripts
+ln -srt "$builddir" "$builddir/scripts/gdb/vmlinux-gdb.py"
+
+# required when STACK_VALIDATION is enabled
+install -Dt "$builddir/tools/objtool" tools/objtool/objtool
+
+# required when DEBUG_INFO_BTF_MODULES is enabled
+install -Dt "$builddir/tools/bpf/resolve_btfids" tools/bpf/resolve_btfids/resolve_btfids
+
+echo "Installing headers..."
+cp -t "$builddir" -a include
+cp -t "$builddir/arch/x86" -a arch/x86/include
+install -Dt "$builddir/arch/x86/kernel" -m644 arch/x86/kernel/asm-offsets.s
+
+install -Dt "$builddir/drivers/md" -m644 drivers/md/*.h
+install -Dt "$builddir/net/mac80211" -m644 net/mac80211/*.h
+
+# https://bugs.archlinux.org/task/13146
+install -Dt "$builddir/drivers/media/i2c" -m644 drivers/media/i2c/msp3400-driver.h
+
+# https://bugs.archlinux.org/task/20402
+install -Dt "$builddir/drivers/media/usb/dvb-usb" -m644 drivers/media/usb/dvb-usb/*.h
+install -Dt "$builddir/drivers/media/dvb-frontends" -m644 drivers/media/dvb-frontends/*.h
+install -Dt "$builddir/drivers/media/tuners" -m644 drivers/media/tuners/*.h
+
+# https://bugs.archlinux.org/task/71392
+install -Dt "$builddir/drivers/iio/common/hid-sensors" -m644 drivers/iio/common/hid-sensors/*.h
+
+echo "Installing KConfig files..."
+find . -name 'Kconfig*' -exec install -Dm644 {} "$builddir/{}" \;
+
+remove_unneeded_architectures() {
+    local build_dir="$1"
+    echo "Removing unneeded architectures..."
+    local arch
+    for arch in "$build_dir"/arch/*/; do
+        [[ $arch = */x86/ ]] && continue
+        echo "Removing $(basename "$arch")"
+        rm -r "$arch"
+    done
+}
+
+# Call the function with the builddir
+# remove_unneeded_architectures "$builddir"
+
+echo "Removing documentation..."
+rm -r "$builddir/Documentation"
+
+echo "Removing broken symlinks..."
+find -L "$builddir" -type l -printf 'Removing %P\n' -delete
+
+echo "Removing loose objects..."
+find "$builddir" -type f -name '*.o' -printf 'Removing %P\n' -delete
+
+# echo "Stripping build tools..."
+# local file
+# while read -rd '' file; do
+# case "$(file -Sib "$file")" in
+#     application/x-sharedlib\;*)      # Libraries (.so)
+#     strip -v $STRIP_SHARED "$file" ;;
+#     application/x-archive\;*)        # Libraries (.a)
+#     strip -v $STRIP_STATIC "$file" ;;
+#     application/x-executable\;*)     # Binaries
+#     strip -v $STRIP_BINARIES "$file" ;;
+#     application/x-pie-executable\;*) # Relocatable binaries
+#     strip -v $STRIP_SHARED "$file" ;;
+# esac
+# done < <(find "$builddir" -type f -perm -u+x ! -name vmlinux -print0)
+
+# echo "Stripping vmlinux..."
+# strip -v $STRIP_STATIC "$builddir/vmlinux"
+
+# echo "Adding symlink..."
+# mkdir -p "$pkgdir/usr/src"
+# ln -sr "$builddir" "$pkgdir/usr/src/$pkgbase

kalmarctf-2025/pwn/kalmarvm/payload_module/.gitignore

@@ -0,0 +1,10 @@
+*.o
+*.ko
+*.cmd
+*.mod.c
+*.mod.o
+*.symvers
+*.order
+*.a
+*.so
+*.mod

kalmarctf-2025/pwn/kalmarvm/payload_module/Makefile

@@ -0,0 +1,15 @@
+obj-m += escape_mod.o
+# Must have used dockerfile to build kernel skeleton
+# KERNELDIR?=../refs/linux/linux-skel-6.13.4
+
+# Set KBUILD_MODPOST_WARN to skip warnings from missing symvers, since we are 
+# building against an uncompiled kernel
+VARS += KBUILD_MODPOST_WARN=1
+
+all:
+	make -C $(KERNELDIR) M=$(CURDIR) modules $(VARS)
+clean:
+	rm -f *.o *.ko *.mod *.mod.c *.order *.symvers \
+	    .*.cmd .*.o
+# clean:
+# 	make -C $(KERNELDIR) M=$(PWD) clean