Interesting pwn challenge regarding the exploitation of a simple stack BOF.

Heap challenge with the goal of achieving arbitrary write to read the flag from the heap.

modprobe_path is a global variable that in most kernels is RW. This variable is contains a path to an executable, do you see where this is going..?

msg_msg is a really powerful and elastic kernel struct that can be abused to obtain strong primitives, such as arbitrary read/write/free.

This is an hard pwn challenge I wrote for Compete Against TeamEurope, this CTF was part of the training for ECSC2024. The vulnerability is a double-free triggerable through a race condition. No bruteforce is needed.

Pwnymalloc is a nice custom allocator challenge from UIUCTF 2024. The vulnerability was about an incorrect handling of the prev_size during consolitation.