Files in this directory:

- 0ctf_fastandfurious.i64 (Add 0ctf fast&furious, Jun 9, 2019)
- Fast&Furious.zip
- README.md (Update README.md, Jun 9, 2019)
- hax.c
- voidexp.c


Fast&Furious

Category: Pwn

250 Points

10 Solves


Full write-up coming soon. For now please refer to hax.c. It's a lot like the Blazeme challenge from Blazectf 2018, but with SMEP and KPTI. That makes our life more tricky since we cannot return directly to userland: even if we disable SMEP, under KPTI the kernel page table has all user pages marked as NX. Instead we use a ropchain to commit_creds, then return to the KPTI exit trampoline that swaps CR3 properly. If we don't swap CR3 back to the userland page table, we will double fault when we try to execute the first userland instruction after returning.

Another less elegant option is to simply chmod the flag then hang in the kernel, then view the flag on a different core. See voidexp.c for this.
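The two mitigations the write-up has to work around, SMEP and KPTI, are both visible from userspace on a stock Linux kernel: SMEP (and SMAP) show up as CPU flags in /proc/cpuinfo, and KPTI reports itself both as the `pti` flag and as "Mitigation: PTI" in /sys/devices/system/cpu/vulnerabilities/meltdown. The script below is an added example for checking that a host actually has these defences turned on; it is not part of this repository or the challenge files. The `SAMPLE_FLAGS` and `SAMPLE_MELTDOWN` values are constructed so the check runs offline; pass `--live` to read the real files instead.

```shell
#!/bin/sh
# Added example (not from the write-up): report whether SMEP, SMAP and KPTI
# are active, either on constructed sample input or on the running host.

# has_flag FLAGS FLAG: succeed if FLAG appears as a whole word in FLAGS.
has_flag() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx "$2"
}

# mitigation_status FLAGS MELTDOWN_LINE: print one line per mitigation and
# return 0 only if both SMEP and KPTI are enabled (SMAP is reported but not
# required, since the write-up only relies on SMEP and KPTI being present).
mitigation_status() {
    flags="$1"
    meltdown="$2"
    rc=0
    if has_flag "$flags" smep; then
        echo "SMEP: enabled"
    else
        echo "SMEP: missing (kernel code could jump straight to user pages)"
        rc=1
    fi
    if has_flag "$flags" smap; then
        echo "SMAP: enabled"
    else
        echo "SMAP: missing"
    fi
    case "$meltdown" in
        *"Mitigation: PTI"*)
            echo "KPTI: enabled (user pages are NX in the kernel page table)" ;;
        *)
            echo "KPTI: not active ($meltdown)"
            rc=1 ;;
    esac
    return $rc
}

# live_check: read the real values from /proc and /sys (Linux only).
live_check() {
    flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2 || true)
    meltdown=$(cat /sys/devices/system/cpu/vulnerabilities/meltdown 2>/dev/null || echo unknown)
    mitigation_status "$flags" "$meltdown"
}

# Constructed sample input resembling a hardened CPU/kernel (has smep and pti,
# but no smap), not captured from the challenge VM.
SAMPLE_FLAGS="fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx lm smep pti"
SAMPLE_MELTDOWN="Mitigation: PTI"

if [ "${1:-}" = "--live" ]; then
    live_check
else
    mitigation_status "$SAMPLE_FLAGS" "$SAMPLE_MELTDOWN"
fi
```

On a kernel booted with `nopti`, the meltdown file reads "Vulnerable" instead and the script returns non-zero, which is the state in which the simpler "return straight to userland" exploit from the Blazeme challenge would work again.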

Solved as a group effort by VoidMercy, Jazzy, cts, theKidOfArcania, and jonathanj
