Posts by sleirsgoevy
BlackHat MEA CTF Qualification - Kinc write-up
Kinc was a kernel exploitation challenge with a vulnerable kernel module featuring a use-after-free bug. The module’s increment primitive had an 8-bit counter that could be overflowed to bypass usage restrictions.
We used the “dirty page” technique to replace freed kernel objects with page table entries. By mapping memory at specific addresses and using the vulnerable increment primitive to modify physical addresses within page tables, we gained read/write access to all physical memory. Finally, we patched the kexec_load syscall with privilege escalation shellcode to get root and retrieve the flag.

BlackHat MEA CTF Qualification - Calc write-up
Calc was a pwn challenge with a stack underflow bug in a reverse Polish notation calculator. The C++ std::vector used for the stack didn’t validate its size before operations, allowing us to pop from an empty vector and corrupt heap metadata.

We exploited this by carefully traversing heap structures to leak ASLR-defeating pointers through the corrupted vector’s back() method. After leaking the xor function handler address, we overwrote it with __errno_location@plt to leak libc base addresses. The final step required guessing one byte of the leaked pointer (1/256 success rate) to call system() and get the flag.