Posts
Full chain - Google CTF 2021
· ☕ 10 min read
Full chain Do you have what it takes to pwn all the layers? Intro Hi, last weekend I participated in Google CTF 2021 with my team vh++. To quote from my last year’s writeup: Although I didn’t solve the challenge in time for the points,

Pwnable01 scull - Whitehat Grandprix 06
· ☕ 4 min read
Pwnable01 Intro Hi guys, this is the writeup for the challenge Pwnable01 from Whitehat Grandprix 06 Final. You may want to check out the exploit code and the challenge’s source. Challenge #pwn01: You can ssh into our server as a low-privilege user.

Google CTF 2020 teleport: Chromium sandbox escape
· ☕ 13 min read
Teleport Please write a full-chain exploit for Chrome. The flag is at /home/user/flag. Maybe there’s some way to tele<port> it out of there? 1. Story Hi, last week I participated in Google CTF 2020 with my team pwnPHOfun

PlaidCTF2020 PlaidStore mojo chromium
· ☕ 6 min read
PlaidStore Story Hi everyone, this is the writeup for the 500pts challenge “mojo” of PlaidCTF 2020. As usual, I got the flag after the CTF had ended :< Well, currently I am not in any active teams, so I decided to pick a hard challenge and do it on my own.

CrackIt, GCI
· ☕ 6 min read
CrackIT Writeup for the CrackIt task at Google CodeIn 2019. 1stcrackme is easy: you can use strings 1stcrackme to list all strings in the stripped binary. Output: Enter password: FEDORAGCIPASSEASY Success! Error! Wrong password! Because the password should be located near the prompt, we could try FEDORAGCIPASSEASY, since it looks like a password

pwning your kernelz: macOS 0day LPE
· ☕ 6 min read
pwning your kernelz Background Hi everyone, this is the writeup for the challenge pwning your kernelz, created by Linus Henze (@LinusHenze). I came across this challenge when Linus tweeted a status update for the CTF. Of course, I didn’t solve this challenge during the time of the CTF.

kpets FacebookCTF 2019 QR
· ☕ 4 min read
kpets welcome to Kernel Pets Simulator! We wrote a pet store application that was too slow, so we made a kernel module for it instead. Author: pippinthedog Hi everyone, this is the writeup for the Facebook CTF 2019 Qualification Round kpets challenge.

IPwnKit DEFCON CTF 26 QR
· ☕ 6 min read
IPwnKit Come and take a bite of the Apple! We have reserved you a very special place at the WWPC (World Wide Pwning Conference). Email ipwnkit@gmail.com to RSVP and we will reply with your invite.

AceBear Security Contest House-of-loop
· ☕ 7 min read
House-of-loop Hi everyone, this is the writeup for the challenge House-of-loop in the AceBear Security Contest 2019. You may want to check out the exploit code. Description We are given a stripped ELF x64 binary which can be interacted with; our task is to get remote code execution (RCE).

TetCTF babySandbox
· ☕ 3 min read
Baby Sandbox This is a challenge of TetCTF, which is hosted from Jan 1st to Jan 7th by the MeePwn Team of Vietnam. You may want to check out the exploit code. Challenge description We are given two binaries: one is the sandbox and the other is the program.

Linux Kernel Debugging in VM
· ☕ 1 min read
Kernel Debugging Instruction Setup I used VirtualBox for kernel debugging; VMware should be able to do the same thing. Enter Machine Settings -> Ports -> Serial -> Enable Serial Port. Port Number: Any :))) Port mode: Host Pipe. Connect to existing: unchecked

matesCTF KSMASH
· ☕ 3 min read
KSMASH - Kernel Stack Smashing Background This is a Linux Kernel Module (LKM) exploitation challenge by nyaacate@gmail.com, hosted in Round 3 of MatesCTF 2018-2019. I solved this challenge overtime :< But it seems that no team solved this, so I still sent the exploit to the challenge author for testing and also wrote this writeup.

35C3 CTF Pillow
· ☕ 5 min read
Pillow Background This is the writeup for the challenge Pillow, created by Samuel Groß (@saelo) of Project Zero, of 35C3 CTF, annually organized by @EatSleepPwnRpt and held at the end of 2018. I didn’t solve this challenge during the CTF. When revisiting this challenge after checking out the @LinusHenze repo, I had a big learning opportunity to check out XNU exploitation, which was completely new to me.