pwncollege

makeway

kernel-exercise-collection~433e348b

You should complete the Kernel Security and Kernel Exploitation modules before attempting these challenges.

Notes

These challenges use /challenges/run.sh as a starting point. They do not use the vm script at all.

You can run /challenges/run.sh <bin path> to copy the exploit binary into the VM. In most cases the exploit binary should be statically compiled, since there is no glibc runtime inside the init rootfs.

There are hints encoded in base64. If you feel stuck after a day or two, feel free to take the hints for new ideas. After all, the dojo exists for learning, not for scoring anyone.

In practice mode, to aid debugging, edit run.sh to modify qemu arguments:

  • Add nokaslr to the kernel command line after the -append flag.
  • Enable KVM with the -enable-kvm flag for better performance.
  • Add the -s flag to expose a GDB stub on port 1234.

Recommended readings

  • Four Bytes of Power: Exploiting CVE-2021-26708 in the Linux kernel.
  • (2018) Linux Kernel universal heap spray by Vitaly Nikolenko.
  • RetSpill: Igniting User-Controlled Data to Burn Away Linux Kernel Protections.
  • A Systematic Study of Elastic Objects in Kernel Exploitation.
  • SLUBStick: Arbitrary Memory Writes through Practical Software Cross-Cache Attacks within the Linux Kernel: Especially page 17.
  • (Japanese|2020) Structures that can be used with Kernel Exploit by ptr-yudai.

Challenges

  1 - IPS
  2 - Cache of Castway
  3 - Wall Rose
  4 - Wall of Perdition (Hard)
  5 - First World Problem
  N - just a gate keeper