Robbert

Write-up GoogleCTF 2025
Created 2025-06-30 | Pwnable
Write-ups for 5 challenges I solved. All scripts and IDA databases are stored in the attachment file. I don’t describe how I reversed the challenge binary files; you can check the IDA database if you want to know what I did to reverse them.
Attachment
multiarch-2
Analyze
First, I analyzed two functions, mapSegment (0x1319) and panic (0x2A1E), to figure out the structure of the VM: ...
Quick note for exploiting CVE-2024-0582 with DirtyPageTable
Created 2025-05-29 | Pwnable
Analysis
IO_URING register
io_uring_setup: Create an io_uring context, set up an SQ queue and a CQ queue, and return a file descriptor.
io_uring_register: Operate on files or user buffers used for async I/O.
io_uring_enter: Submit a new I/O request.
io_uring_register is defined as:

    SYSCALL_DEFINE4(io_uring_register, unsigned int, fd, unsigned int, opcode,
                    void __user *, arg, unsigned int, nr_args)

The core logic is in __io_uring_register; this CVE focuses on PBUF: ...
Writeup PWNME Final 2025
Created 2025-04-14 | Pwnable
There are 5 three pwn challenges, but I only solved 2 challenges. These are write-ups for them:
Poetry of a bug
Attachment
Reversing create_pdf and add_metadata helped me recover the Entry and Pdf structs:

    struct Entry
    {
      char name[50];
      char value[100];
    };
    struct __attribute__((packed)) __attribute__((aligned(4))) Pdf
    {
      Stream *next;
      int stream_count;
      Entry entries[10];
      int entries_num;
    };
    Pdf *create ...
Writeup CodeGate Quals 2025
Created 2025-03-29 | Pwnable
Better than last year!
Todo List
Attachment
This is a normal heap-note challenge. There is a logic bug in this program that can lead to a buffer-overflow attack. The create function doesn’t check whether there are || strings in desc or title:

    void __fastcall create()
    {
      ...
      printf("Title: ");
      v1 = read(0, buf->title, 0xFuLL);
      if ( buf->title[v1 - 1] == 10 )
        buf->title[v1 - 1] = 0;
      ...
      printf("Desc : ");
      v1 = read(0, buf->des, 0x18uLL) ...
Writeup PWNME Quals 2025
Created 2025-03-03 | Pwnable
This time, I’ve played with my new team Alternative für Knights. Our team was in the top 6.
Einstein
Attachment

    int __cdecl handle()
    {
      int offset; // [rsp+8h] [rbp-38h] BYREF
      unsigned int size; // [rsp+Ch] [rbp-34h] BYREF
      unsigned __int64 *wher; // [rsp+10h] [rbp-30h] BYREF
      unsigned __int64 wat; // [rsp+18h] [rbp-28h] BYREF
      unsigned __int64 *wher2; // [rsp+20h] [rbp-20h] BYREF
      unsigned __int64 wat2; // [rsp+28h] [rbp-18h] BYREF
      c ...
Build Linux kernel TIL for IDA - Write up Physical Test CodeGate Quals 2024
Created 2025-01-02 | Pwnable
Hello and Happy New Year!! Today I will write about building a TIL for IDA. The Physical Test challenge is used as the example. Why this time? Because I’m too lazy. But now I’ve not only written the solution for the challenge but also introduced a new way to reverse a Linux module file, which helps you reduce the time it takes to reverse; use that time to pwn. You can get the challenge’s files here.
What is TIL
“TIL” stands for “Type Library”. It includes definitions of many structures, functions tha ...
Write up ACS 2024
Created 2024-12-27 | Pwnable
This is a write-up for the challenges which I solved during the event. You can find attachments (including unsolved challenges) here.
Quals round
Unfortunately, I couldn’t solve any pwnable challenges because they are too hard, but luckily there is a challenge in the Audit category that I could solve.
no-name minor
A float variable stops incrementing at 16777216. First, I load $16777216$ and buy a name. I loan one by one, and my cash increases, but the debt doesn’t change. After buying the name, we can call ...
Write up babybs of bi0s CTF 2024
Created 2024-02-26 | Pwnable
Last week, we, the m1cr0$oft 0ff1c3 team, participated in this event and got 21st place. These pwn challenges are so damn hard, I only solved 2 challenges. This is the write-up for the babybs challenge with the intended way (I used this way during the CTF event).
Attachment: babybs.tar.gz
Check the files: At first, I thought the OS boot had to take a long time, so I kept waiting for it. But then, when I read the description, I decided to analyze the babybs.bin file with IDA. This i ...
Write up Securinets Quals 2023
Created 2023-08-07 | Pwnable
Last week, we, the m1cr0$oft 0ff1c3 team, participated in this event and got 11th place. I’ve solved all Pwn challenges. But now I only show the solution for the “Swix” challenge. (I feel this is the only “real” pwn challenge.)
Attachment: Swix.zip
We are provided the source code of this binary: ...
Write up CorCTF 2023
Created 2023-07-31 | Pwnable
This year, I’ve played for the m1cr0$oft 0ff1c3 team. We were in 24th place.
zeroday
Attachment
This is not like a normal Linux kernel exploit challenge: it doesn’t provide any vulnerable driver. So I checked run.sh again carefully.

    #!/bin/sh
    qemu-system-x86_64 \
        -m 128M \
        -nographic \
        -kernel "./bzImage" \
        -append "console=ttyS0 loglevel=3 oops=panic panic=-1 pti=on" \
        -no-reboot \
        -cpu qemu64,+smep,+smap \
        -smp 2 \
        -initrd "./i ...
©2020 - 2025 By Kernek3rnel-pan1c