From AAR to /flag (Part 1)

For kernel challenges, an AAR primitive is very powerful. Sometimes it’s even enough to extract the flag without RIP control. I decided to investigate it. In this post, I am going to extract a file with AAR only.

Intro

My very first solved kernel challenge is “SCTF 2021 flying_kernel”. In that challenge, there’s a format string vulnerability, where you can achieve AAR. I did not have experience with kernel exploitation, so I just brute-forced the address space with “%s” and found the flag. Two weeks ago, there was a challenge called krce from zer0pts CTF 2022. The challenge is a simple heap buffer overflow and we achieved AAR and AAW initially.

A tour to virtual memory

Winter 2022 has finished and I have finished my Operating System course. Apparently, I did not take proper notes as I promised. However, I am now a beginner in kernel exploitation after taking this course. To compensate, I decided to write a beginner-friendly post on basic virtual memory.

RAM from the physical world

Let’s start with this actual RAM in the real world. You can see there are pins on this electronic component. RAM, as the name suggests, is a piece of (physical) memory that stores data. It is volatile, meaning the data will be lost if power is off. How do we use this if we’re building a PC from scratch?

Notes on CS170

So finally, I started a proper date with Miss OS. I have read some code from Serenity OS and done some intro-level kernel challenges, but I feel I should definitely ace the OS course in school. To show my respect, I am going to take notes of this course on my website.

Intro to OS notes

I believe a pwn player would definitely have an overview of what a kernel is, more or less. After all, syscall is a familiar concept when writing shellcode or doing a ret2sys trick. To my understanding, the kernel is the layer between userland and hardware.