Skip to content

smallkirby/kernelpwn

Folders and files

NameName
Last commit message
Last commit date

Latest commit

bed4290 · Oct 2, 2023

History

78 Commits
Mar 5, 2021
Feb 16, 2021
Mar 31, 2023
Sep 3, 2022
Feb 23, 2021
Sep 25, 2022
Sep 15, 2022
Nov 20, 2021
Dec 2, 2021
Feb 17, 2022
Oct 2, 2023
Sep 15, 2022

Repository files navigation

kernel pwn

About this repo

This repository collects CTF kernel-pwn challenges and writeups. Also, it introduces how to start learning kernel-pwn for beginners including me. All the challs here are solved by me, though the writeup may be based on the author's one or others's ones. I'm planning to include not only kernel-pwn, but also general non-userland pwn including QEMU, V8, multi-arch...

IMPORTANT: If you know some good kernel(non-userland) pwn challs, please tell me and I'll solve it. Then I'll add it on this repo if I feel it good to solve. And if you notice some wrong points in my writeups or blog posts, feel free to contact me.

Good Challs

Frequently Updated now...

Nirugiri

I don't know these challs are difficult or not and good or soso. But at least I feel these challs are worth solving.

Frequently Updated now...

Beginners

If you don't know how to prepare for solving kernel-pwn, please refer to start-kernel-pwning.

Frequently Updated now...

Techniques

I want to know some techniques to pwn in kernelland. If you know something I should know, please tell me. For the techniques I used to solve the challs listed above is listed HERE(under construction).

Frequently Updated now...

Configs to check

Kernel is distributed in the form of bzImage and no information about build configuration is not provided in 99% cases. However, you have to change the way of exploit depending on the configuration. Some config might hide important information. Some config might randomize the memory layout. Some config might make variables only readable... important_config directory collects the important configurations and tries to summarize how to check if it is enabled and how to bypass it.

My Blog

My blog posts contain not only kernel-writeup, but normal userland-pwn and technique frequently used in pwning and so on... Please check it out. NOTE: The most parts of my blog is written when I'm solving the chall as a memo in HackMD and is converted to blog entry with md2html converter . I received some DMs which ask me to write my blog posts in Englinsh and I'm willing to, cuz writing in English is not a so heavy task for me (regardless of the quality of my English). I know that my blog is ill-translated by Google translater :( I'm planning to write them in English someday in the near future.

References

List of usefull resources are listed under reference directory.

If you have any suggestions, feel free to contact me on Twitter.

LICENSE

This repository is licensed under MIT.

Note that this license is applied only to WHAT I WROTE.

Binary of kernel challenges themselves would be in many cases licensed under other licenses.

Please follow these in that case.

If you think this or related repositories violate your rights, please contact me.