招新赛 2021 出题总结(个人向)


SLUB & Buddy System in Linux Kernel

CTF games have flourished in recent years. However, more GLIBC heap allocator exploit techiniques are becoming boring and meaningless, especially for games in China. Challenges are well-designed, deliberately constructed, leading to specific ways to solve them, which is actually further and further away from real world exploits. I started to aim more at Linux kernel memory allocator these days and gathered some imformation about Buddy System & SLUB hitherto.

Linux Kernel Mitigation & Bypass

Like user mode, there are also couples of ways of mitigation against exploits in Linux kernel. Here is a list of mitigation in kernel mode and methods to bypass some of them.


Congratulations to Kaztebin, ranked 1 in DEFCON CTF29 again.

It reminds me of my first ctf competition with Katzebin: hxp2020 [1]. There are some excellent challenges in this game which I missed out at that time, including some linux kernel exploitations. Recently I started to learn kernel pwn, and I think it’s time to solve these left challenges.

BSides Noida CTF 2021

周末和学弟学妹一起打的一场比赛,比较基础,但涉及的知识面较广,有必要整理查漏补缺 url: https://ctftime.org/event/1397 rank 8 with lilac

  • babystack: static link, find gadget to trigger your own syscall and ROP
  • warmup: glibc2.32 (lastest version) tcache exploitation, xor bypass
  • khop: basic linux kernel exploits, use-after-free and zero deference
  • babymusl: musl libc heap exploits, unlink vulnerability and ROP
  • suscall: basic linux kernel exploits, bugged syscall implemented by host
  • trash: glibc2.32 off-by-null, trigger heap overlapping and double free
  • Interpreter: virtual machine exploits, out-of-bound read and write

Qwb final 2021


比赛时看了几道cold down, EXSI找到了洞但是不好复现…

  • easy_go
  • vmnote
  • s2a
  • 强网先锋
  • EXSI (Real World)

rank 3 with AAA