https://z3r0s6.github.io/tags/pwn/Recent content in Pwn on z3r0sHugoenSun, 10 May 2026 22:54:00 +0300https://z3r0s6.github.io/challenges/pwn-cyker/Sun, 10 May 2026 22:54:00 +0300https://z3r0s6.github.io/challenges/pwn-cyker/<h1 id="cyker--kernel-exploitation-writeup"> cyKer — Kernel Exploitation Writeup <a class="heading-link" href="#cyker--kernel-exploitation-writeup"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h1> <p><strong>Category:</strong> Pwn / Kernel <strong>Flag:</strong> <code>CyCTF{3c03ee481e3c39c175d1a8baed7f9bbe}</code></p> <hr> <h2 id="overview"> Overview <a class="heading-link" href="#overview"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>We are given a QEMU-based kernel challenge containing:</p> <ul> <li><code>bzImage</code> — Linux 5.4.0 kernel</li> <li><code>initramfs.cpio.gz</code> — root filesystem with a vulnerable kernel module <code>hackme.ko</code></li> <li><code>run.sh</code> — QEMU launch script with <strong>all mitigations disabled</strong>: <pre tabindex="0"><code>nokaslr nosmep nosmap mitigations=off </code></pre></li> </ul> <p>The VM boots, loads <code>hackme.ko</code>, then drops us into a shell as <strong>uid 1000</strong>. The flag at <code>/flag</code> is owned by root with <code>chmod 600</code>.</p>https://z3r0s6.github.io/challenges/pwn-bil/Sun, 10 May 2026 00:00:00 +0000https://z3r0s6.github.io/challenges/pwn-bil/<h1 id="bil---pwn-writeup"> bil - PWN Writeup <a class="heading-link" href="#bil---pwn-writeup"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h1> <h2 id="challenge-info"> Challenge Info <a class="heading-link" href="#challenge-info"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <ul> <li><strong>Name:</strong> bil</li> <li><strong>Category:</strong> PWN</li> <li><strong>Remote:</strong> 0.cloud.chals.io:18850</li> </ul> <h2 id="files-provided"> Files Provided <a class="heading-link" href="#files-provided"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <ul> <li><code>app</code> - ELF 64-bit binary</li> <li><code>libc.so.6</code> - GLIBC 2.36</li> <li><code>ld-linux-x86-64.so.2</code> - dynamic linker</li> <li><code>flag</code> - placeholder flag</li> </ul> <h2 id="binary-analysis"> Binary Analysis <a class="heading-link" href="#binary-analysis"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <h3 id="checksec"> Checksec <a class="heading-link" href="#checksec"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h3> <table> <thead> <tr> <th>Protection</th> <th>Status</th> </tr> </thead> <tbody> <tr> <td>RELRO</td> <td>Full RELRO</td> </tr> <tr> <td>Stack Canary</td> <td>No</td> </tr> <tr> <td>NX</td> <td>Enabled</td> </tr> <tr> <td>PIE</td> <td>Disabled</td> </tr> </tbody> </table> <h3 id="key-functions"> Key Functions <a class="heading-link" href="#key-functions"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h3> <p><strong><code>vuln()</code> @ 0x4011c6</strong></p>