Srdnlen 2025 - Kinderheim 511

Heap challenge with the goal of achieving arbitrary write to read the flag from the heap.

January 21, 2025 · leo_something & Lotus · 0 views

Kpwn techniques: modprobe_path

modprobe_path is a global variable that is RW in most kernels. This variable contains a path to an executable; do you see where this is going...?

January 14, 2025 · leo_something · 0 views

Kpwn techniques: struct msg_msg

msg_msg is a really powerful and elastic kernel struct that can be abused to obtain strong primitives, such as arbitrary read/write/free.

January 14, 2025 · leo_something · 0 views

CTE24 - DiDUP

This is a hard pwn challenge I wrote for Compete Against TeamEurope; this CTF was part of the training for ECSC2024. The vulnerability is a double-free triggerable through a race condition. No bruteforce is needed.

September 16, 2024 · leo_something · 0 views

UIUCTF24 - Pwnymalloc

Pwnymalloc is a nice custom allocator challenge from UIUCTF 2024. The vulnerability was incorrect handling of prev_size during consolidation.

July 8, 2024 · leo_something · 0 views

Ret2dlresolve in 64bit binaries

Ret2dlresolve is a really powerful technique to use in pwn challenges (even though it's not frequently seen). It's useful when we don't have libc leaks or don't know the libc version.

June 12, 2024 · leo_something · 0 views