This repository collects CTF kernel-pwn challenges and writeups. Also, it introduces how to start learning kernel-pwn for beginners including me. All the challs here are solved by me, though the writeup may be based on the author's one or others's ones. I'm planning to include not only kernel-pwn, but also general non-userland pwn including QEMU, V8, multi-arch...
IMPORTANT: If you know some good kernel(non-userland) pwn challs, please tell me and I'll solve it. Then I'll add it on this repo if I feel it good to solve. And if you notice some wrong points in my writeups or blog posts, feel free to contact me.
-
corjail from CoRCTF2022
- SMEP/ SMAP/ KPTI/ KASLR/ Docker escape/ heap randomized/ heap hardened/ uffd disabled/ modprobe_path static/
poll_list
/user_key_payload
/ kROP ontty_struct
- https://blog.smallkirby.com/posts/corjail/
- SMEP/ SMAP/ KPTI/ KASLR/ Docker escape/ heap randomized/ heap hardened/ uffd disabled/ modprobe_path static/
-
Fire of Salvation from CoRCTF2021
- SMEP/ SMAP/ KPTI/ KASLR/ FGKASLR/ heap randomized/
msg_msg
/ uffd - https://blog.smallkirby.com/posts/fire-of-salvation/
- SMEP/ SMAP/ KPTI/ KASLR/ FGKASLR/ heap randomized/
-
nightclub from pbctf 2021
- SMEP/ SMAP/ KPTI/ KASLR/ uffd disabled/ heap
- https://blog.smallkirby.com/posts/nightclub/
-
kone_gadget from SECCON CTF 2021
- SMEP/ SMAP/ KPTI/ no-KASLR/ unprivileged ebpf installation is NOT allowed / well-crafted shellcode in JIT-ed seccomp filter
- https://blog.smallkirby.com/posts/kone_gadget/
- you are able to control RIP but all the registers are zero-cleared before it. Unprivileged ebpf is forbidden, but seccomp filter is still JIT-ed. you abuse operand to be shellcode and jump everytime to next opcode (which means next shellcode).
- Unexpected solution is
jmp &flag
, which leaks secret content inCODE
secition of panic message. It means that if the kernel usesinitramfs
and KASLR is disabled (or we have full knowlege of memory layout), just getting RIP means success of exploit, SMEP/SMAP is useless.
-
klibrary from 3kCTF 2021
- SMEP/ SMAP/ KPTI/ KASLR/ race w/ uffd/
tty_struct
/modprobe_overwrite
via vtable intty_struct
- https://blog.smallkirby.com/posts/klibrary/
- between beginner and med
- SMEP/ SMAP/ KPTI/ KASLR/ race w/ uffd/
-
shared knote from Bsides Ahmedabad 2021
- no-SMEP/ no-SMAP/ KPTI/ KASLR/ modprobe_path search/ invalid
fpos
use/ zero-addr mapping - https://blog.smallkirby.com/posts/shared-knote/
- I added
check /proc/sys/vm/mmap_min/addr
in my first procedures list.
- no-SMEP/ no-SMAP/ KPTI/ KASLR/ modprobe_path search/ invalid
-
pprofile from LINE CTF 2021
- SMEP/ SMAP/ KPTI/ KASLR/ pointer validation/ modprobe_path
- https://blog.smallkirby.com/posts/pprofile/
- I realized again that validating userland pointer is important and kernel can endure some wirte-bruteforce. If the validation doesn't exist in distributed binaries, I should recall this chall.
-
nutty from Union CTF 2021
- SMEP/ SMAP/ KPTI/ KASLR/ race without uffd/ SLOB
- https://blog.smallkirby.com/posts/nutty/
- NOTE: I ignored the heap-overflow bug, and invoked race condition w/o uffd to abuse
tty_struct
. Then, bypass SMAP by kROP in kheap(ontty_strut
).
-
Day One from AIS3 EOF CTF 2021 Final
- SMEP/ SMAP/ KPTI/ KASLR/ eBPF verifier
- https://blog.smallkirby.com/posts/dayone/
- NOTE: the first half part of the chall is a little bit boring cuz it is exactly the same with the report of ZDI. But, the last half part, where we get root without
bpf_map.btf
, is cool.
-
kernel-rop from hxp CTF 2020
- SMEP/ SMAP/ KPTI/ FGKASLR/ single-core/ kROP
- https://blog.smallkirby.com/posts/kernel-rop/
-
SharedHouse from ASIS 2020 Quals
- SMEP/ no-SMAP/ no-KPTI/ single-core/ heap
- https://blog.smallkirby.com/posts/sharedhouse/
-
Spark from HITCON 2020
- SMEP/ no-SMAP/ no-KPTI/ signle-core/ heap
- https://blog.smallkirby.com/posts/spark/
-
hashbrown from DiceCTF 2021
- SMEP/ SMAP/ KPTI/ FGKASLR/ double-core/ race/ hardened-heap
- https://blog.smallkirby.com/posts/hashbrown/
-
gnote from TokyoWesterns CTF 2019
-
eebpf from TokyoWesterns CTF 2020
- eBPF/ verifier bug
- https://blog.smallkirby.com/posts/eebpf/
-
Krazynote from BalsnCTF 2019
- classic uffd/ race
- https://blog.smallkirby.com/posts/krazynote/
Frequently Updated now...
I don't know these challs are difficult or not and good or soso. But at least I feel these challs are worth solving.
-
hwdbg from CakeCTF 2021
- TODO: writeup
- SMEP/ SMAP/ KPTI/ KASLR/ physicasl memory access/ modprobe_path
- https://blog.smallkirby.com/posts/cakectf2021/
- You have AAW towards
/dev/mem/
, so all the protection is useless. However,CONFIG_DEVMEM_STRICT
is enabled and you would be confused if you don't know this config.
-
Stonks Socket from Hack.lu CTF 2021
- no-SMEP/ no-SMAP/ race w/o uffd/ custom TCP hook
- https://blog.smallkirby.com/posts/stonks-socket/
- challenge itself is a little bit buggy, but enough for practice of race w/o uffd.
Frequently Updated now...
If you don't know how to prepare for solving kernel-pwn, please refer to start-kernel-pwning.
- lkgit(TBD) from TSGCTF 2021
- SMEP/SMAP/KPTI/KASLR/race
- simple uffd, though appropriate fault timing handling is required.
- https://blog.smallkirby.com/posts/lkgit/
- meowmeow from zer0pts CTF 2020
- kstack from SECCON CTF 2020
- babydriver from NCSTISC CTF 2018
- flitbip from Midnightsun CTF 2018 Finals
- no-SMEP/ no-SMAP/ no-KASLR/ custom syscall
- https://blog.smallkirby.com/posts/flitbip/
Frequently Updated now...
I want to know some techniques to pwn in kernelland. If you know something I should know, please tell me. For the techniques I used to solve the challs listed above is listed HERE(under construction).
Frequently Updated now...
Kernel is distributed in the form of bzImage
and no information about build configuration is not provided in 99% cases. However, you have to change the way of exploit depending on the configuration.
Some config might hide important information. Some config might randomize the memory layout. Some config might make variables only readable...
important_config
directory collects the important configurations and tries to summarize how to check if it is enabled and how to bypass it.
My blog posts contain not only kernel-writeup, but normal userland-pwn and technique frequently used in pwning and so on... Please check it out. NOTE: The most parts of my blog is written when I'm solving the chall as a memo in HackMD and is converted to blog entry with md2html converter . I received some DMs which ask me to write my blog posts in Englinsh and I'm willing to, cuz writing in English is not a so heavy task for me (regardless of the quality of my English). I know that my blog is ill-translated by Google translater :( I'm planning to write them in English someday in the near future.
List of usefull resources are listed under reference directory.
If you have any suggestions, feel free to contact me on Twitter.
This repository is licensed under MIT.
Note that this license is applied only to WHAT I WROTE.
Binary of kernel challenges themselves would be in many cases licensed under other licenses.
Please follow these in that case.
If you think this or related repositories violate your rights, please contact me.