Kernel-Exploit-Dojo is a curated archive of 100+ Linux kernel exploitation CTF challenges, organized by bug class, exploitation primitive, final technique, difficulty, and solve count. Each challenge directory contains the original distribution files when available, exploit code, and a technical writeup.
The goal is to organize practical kernel pwn techniques such as UAF, heap spraying, pipe_buffer abuse, msg_msg, modprobe_path overwrite, and cred overwrite.
Challenges are organized by year, and the top-level Challenge List works as an index to each challenge directory.
For technique-based navigation, see Techniques Index.
Note: Year folders are based on the actual event date, not necessarily the year shown in the CTF name.
Kernel-Exploit-Dojo (道場) は、100件以上の Linux Kernel Exploit CTF 問題を、Bug・Primitive・Final Technique・Difficulty・Solve数ごとに整理した技術索引です。
各問題ごとに配布ファイル、exploit、解説をまとめ、実戦的な kernel pwn 技術を復習できる形にしています。
各問題は年度別フォルダに整理しており、トップページの Challenge List から各問題へ移動できます。
技術別に探したい場合は Techniques Index を参照してください。
Note: 年度別フォルダは CTF 名の年ではなく、実際の開催年を基準にしています。
This repository is for CTF learning and local lab environments only. Do not run the exploits on production systems or systems you do not own. All examples are intended to be executed inside isolated QEMU/CTF environments.
本リポジトリは CTF 学習およびローカル検証環境向けです。 実環境・第三者環境では絶対に実行しないでください。
Difficulty is based on exploit complexity, required kernel knowledge, and solve count.
Difficulty は exploit の複雑さ、必要な kernel 知識、solve 数をもとに主観的に分類しています。
| CTF | Challenge | Status | Difficulty (Solves) | Bug | Primitive | Final Technique |
|---|---|---|---|---|---|---|
| CakeCTF 2022 | welkerme | solved / writeup | Very-Easy (75) | kernel calls user function pointer | run user code as kernel | CC(PKC(0)) |
| b01lers CTF 2026 | throughthewall | solved / writeup | Easy (69) | kmalloc-1024 UAF | pipe_buffer reclaim | Dirty Pipe, /etc/passwd overwrite |
| ASIS CTF Finals 2025 | KList | solved | Easy (37) | OOB write | kernel memory write | modprobe_path overwrite |
| NexHunt CTF 2025 | below | solved / writeup | Easy (12) | OOB read/write | kernel read/write | modprobe_path overwrite |
| N1CTF 2025 | ktou | solved / writeup | Easy (38) | logic flaws | kernel object pointer corruption | GOT overwrite |
| UIUCTF 2025 | Baby Kernel | solved / writeup | Easy (53) | customizable UAF | tty_struct ops hijack |
modprobe_path overwrite |
| NahamCon CTF 2025 | The Jumps | solved / writeup | Easy (59) | stack overflow | kernel stack ROP | kernel ROP, CC(PKC(0)) |
| TCP1P CTF 2024 | K-Revenge | solved / writeup | Easy (4) | customizable UAF + double free | pipe-based kernel leak + AAW | freelist poisoning => modprobe_path overwrite |
| SECCON Beginners CTF 2024 | kbuf | solved | Easy (8) | uninit heap + OOB R/W + arbitrary seek | OOB leak => AAR/AAW | modprobe_path overwrite |
| SECCON Beginners CTF 2023 | driver4b | solved / writeup | Easy (19) | missing copy_from_user / copy_to_user | AAR/AAW | modprobe_path overwrite / core_pattern overwrite |
| Midnight Sun CTF 2023 Quals | SPD D | solved / writeup | Easy (?) | unchecked ppos used as kernel stack buffer offset | kernel stack OOB read/write | saved RIP overwrite => ret2usr => CC(PKC(0)) |
| ADDA CTF 2022 | Kernauth | solved | Easy (11) | TOCTOU race | struct cred overwrite | cred overwrite / commit_creds() |
| TSJ CTF 2022 | clipboard.ko | solved | Easy (11) | kmalloc-1024 UAF | tty_struct overlap + function pointer hijack | modprobe_path overwrite |
| BackdoorCTF 2021 | babyKernel | solved | Easy (?) | improper strlen() boundary check | linked-list pointer overwrite | modprobe_path overwrite |
| K3RN3LCTF | Easy kernel is still kernel right? | solved / writeup | Easy (16) | stack leak + stack BOF | canary leak + KASLR leak + kernel ROP | CC(PKC(0)) + KPTI trampoline |
| 3kCTF-2021 | echo | solved / writeup | Easy (9) | unsafe syscall | 8-byte AAR/AAW + physmap leak | modprobe_path overwrite |
| m0leCon CTF 2020 Teaser | babyk | solved / writeup | Easy (20) | stack BOF | saved RIP control | CC(PKC(0)) + kernel ROP |
| 0xFUN CTF 2026 | Phantom | solved / writeup | Easy-Medium (45) | mmap UAF | dangling mmap, freed page reuse | cred overwrite, modprobe_path |
| THJCC CTF 2026 | Excalipipe | solved / writeup | Easy-Medium (17) | allowing reuse of merge flag | page cache overwrite | /bin/busybox overwrite |
| PatriotCTF 2025 | switchboard | solved / writeup | Easy-Medium (53) | kmalloc-32 UAF | small-cache reclaim, controlled object reuse | modprobe_path overwrite |
| TFC_CTF_2025 | SLOTS | solved / writeup | Easy-Medium (28) | customizable UAF | tty_struct ops hijack |
read global flag buffer |
| smileyCTF 2025 | blargh | solved / writeup | Easy-Medium (38) | 1-byte NULL write into kernel memory | read-only kernel text modification | patch kernel function |
| Codegate CTF 2025 Preliminary | pew | solved / writeup | Easy-Medium (13) | kmalloc-4096 UAF | pipe_buffer reclaim | Dirty Pipe, /etc/passwd overwrite |
| BackdoorCTF 2024 | Kuwu | solved / writeup | Easy-Medium (4) | double free, kmalloc-4096 UAF | msg_msg overlap + pipe_buffer leak | Dirty Pipe, /etc/passwd overwrite |
| HKCERT CTF 2024 (Qualifying Round) | Flipper Hero | solved / writeup | Easy-Medium (10) | arbitrary bit flip | arbitrary kernel bit flip | modprobe_path overwrite |
| IERAE CTF 2024 | free2free | solved / writeup | Easy-Medium (2) | double free | heap overlap | Dirty Pipe, /etc/passwd overwrite |
| DownUnderCTF 2024 | Faulty Kernel | solved / writeup | Easy-Medium (15) | page cache map/write | pipe_buffer page cache mapping | page cache overwrite (/etc/passwd) |
| HITCON CTF 2023 Quals | Full Chain - Wall Rose | solved / writeup | Easy-Medium (17) | global pointer double-free | pipe_buffer overlap | Dirty Pipe / init_cred overwrite |
| idekCTF 2022 | Sofire=good | solved / writeup | Easy-Medium (7) | global UAF | ptmx reclaim + stale list R/W | core_pattern overwrite |
| TAMUctf 2022 | Shmeeky | solved / writeup | Easy-Medium (7) | integer overflow in size calculation | OOB read/write via shmvec_get/shmvec_set | modprobe_path overwrite |
| GrabCON CTF 2021 | Paas | solved / writeup | Easy-Medium (1) | kernel format string | cpu_entry_area leak + pipe capture + AAW | modprobe_path overwrite |
| LINE CTF 2021 | pprofile | solved / writeup | Easy-Medium (7) | put_user misuse | constrained kernel write + oracle leak | modprobe_path overwrite |
| Union CTF 2021 | nutty | solved / writeup | Easy-Medium (10) | heap OOB read + signed arithmetic overflow | tty_struct leak + heap OOB write | modprobe_path overwrite |
| GACTF2020 | forest | solved | Easy-Medium (1) | customizable UAF + double free | seq_operations reclaim | CC(PKC(0)) + kernel ROP |
| ASIS CTF Quals 2020 | Shared House | solved / writeup | Easy-Medium (7) | off-by-one NULL | freelist poisoning | modprobe_path overwrite / kernel ROP |
| zer0pts CTF 2020 | meowmow | solved / writeup | Easy-Medium (9) | forward OOB R/W | tty_struct leak + fake tty_operations + AAW | modprobe_path overwrite |
| CTF@AC26 Quals | Event Horizon | solved | Medium (31) | custom microcode VM bug | custom VM analysis, kernel code execution path | TBD |
| HeroCTF_v7 | Safe Device | solved / writeup | Medium (7) | stack overflow | kernel stack ROP | aarch64 kernel ROP, modprobe_path overwrite |
| DownUnderCTF 2025 | backdoor | solved / writeup | Medium (18) | custom syscall | kbase leak and kernel memory write | modprobe_path overwrite |
| MaltaCTF 2025 Quals | Write Flag Where | solved / writeup | Medium (16) | custom syscall | physical memory write via direct map | call modify_ldt |
| LA CTF 2025 | messenger | solved / writeup | Medium (10) | 3-byte overflow of msgutil | pipe_buffer page corruption | cred search, cred overwrite |
| IrisCTF_2025 | Checksumz | solved / writeup | Medium (39) | OOB read/write | relative OOB R/W + kernel leak | core_pattern overwrite |
| HeroCTF v6 | Buafllet | solved / writeup | Medium (4) | kmalloc-8192 UAF | UAF R/W + AAW | tty struct => modprobe_path / Pipe => Dirty Pipe |
| cr3 CTF 2024 | mov-cr3 | solved / writeup | Medium (10) | arbitrary CR3 Write | kernel AAR + cross-AS AAR | task->mm->pgd => CR3 pivot |
| bi0sCTF 2024 | palindromatic | solved / writeup | Medium (5) | OOB + double free | buddy reclaim + pipe_buffer + msg_msg overlap | Dirty Pipe, /etc/passwd overwrite |
| BackdoorCTF 2023 | EmpDB | solved / writeup | Medium (15) | race UAF | userfaultfd race | modprobe_path overwrite |
| bi0sCTF 2022 | k32 | solved / writeup | Medium (1) | uninitialized heap read + heap object reuse | heap leak + kernel text leak + RIP control | seq_operations overlap + register spill + stack pivot + CC(PKC(0)) |
| CrewCTF 2022 | qKarachter | solved / writeup | Medium (6) | state inconsistency + u8 overflow + invalid kfree | double free + overlapping objects | modprobe_path overwrite |
| Securinets CTF Quals 2022 | xblob | solved / writeup | Medium (4) | TOCTOU open race + UAF | UAF + kernel heap leak + AAW | modprobe_path overwrite |
| zer0pts CTF 2022 | kRCE | solved / writeup | Medium (8) | signedness OOB | OOB => AAR/AAW => task traversal => stack leak | CC(PKC(0)) + KPTI trampoline + userland ROP |
| SUSCTF 2022 | kqueue's revenge | solved / writeup | Medium (19) | queue UAF | seq_operations leak + userfaultfd reclaim + RIP control | CC(PKC(0)) kernel ROP |
| hxp CTF 2021 | 日本旅行 | writeup | Medium (4) | double PTRACE_SYSCALL / ptrace state desync | syscall path-filter bypass | unchecked openat("/flag.txt") + sendfile |
| Hack.lu CTF 2021 | Stonks Socket | writeup | Medium (12) | UAF race on sk_user_data | kernel RIP control via freed 32-byte object / function pointer call | userland shellcode => CC(PKC(0)) |
| ASIS CTF Quals 2021 | Mini memo | solved / writeup | Medium (16) | partial heap OOB (3-byte) | msg_msg overlap => pipe_buffer leak => freelist poisoning | modprobe_path overwrite |
| TSG CTF 2021 | lkgit | solved / writeup | Medium (7) | duplicate-hash race UAF | userfaultfd race + kmalloc-32 UAF write / seq_operations leak | modprobe_path overwrite |
| Circle City Con CTF 2021 | sockcamp | solved / writeup | Medium (3) | single-bit flip in task_struct | thread flag corruption (TIF_SECCOMP) | inject shellcode => CC(PKC(0)) |
| 3kCTF-2021 | klibrary | solved / writeup | Medium (2) | race-based UAF | userfaultfd + tty_struct overlap | tty_ops hijack + modprobe_path overwrite |
| Midnight Sun CTF 2021 Quals | Brohammer | solved / writeup | Medium (18) | arbitrary 1-bit kernel write | physmap PTE permission flip | CC(PKC(0)) |
| DiceCTF 2021 | hashbrown | solved / writeup | Medium (7) | resize race + value UAF | userfaultfd race + pipe_buffer UAF read/write | /bin/busybox page cache overwrite |
| HITCON CTF 2020 | atoms | solved / writeup | Medium (17) | missing vm_open() refcount bug | fork()+munmap() UAF + msg_msg reclaim | lock corruption => watchdog-triggered flag output |
| GACTF2020 | easy_kernel | solved / writeup | Medium (2) | UAF + stack OOB R/W | tcache poisoning + stack leak + stack BOF | .fini hijack => kernel ROP |
| InCTF 2020 | lab9 | solved | Medium (5) | heap OOB XOR write | freelist poisoning + tty_struct overlap | modprobe_path overwrite |
| TRX CTF 2026 | krwd | writeup | Medium-High (15) | deferred user pointer in delayed_work | cross-mm usercopy via kworker active_mm | BusyBox modprobe FSOP |
| THJCC CTF 2026 | 僕と契約して、魔法少女になってよ! | solved / writeup | Medium-High (3) | single-byte OOB overwrite | struct file corruption |
struct file->f_mode overwrite |
| BackdoorCTF 2025 | skernel | writeup | Medium-High (5) | kmalloc-64 UAF | race-assisted OOB leak/write | kernel ROP, commit_creds(&init_cred) |
| CrewCTF 2025 | barelyontime | writeup | Medium-High (3) | logic bug, UAF | UFFD-assisted UAF race | kernel text overwrite |
| corCTF 2025 | zenerational-aura | solved / writeup | Medium-High (5) | crash syscall | KASLR bypass via prefetch | kernel panic log oracle |
| Full Weak Engineer CTF 2025 | cknote | solved / writeup | Medium-High (2) | kmalloc-32 UAF | UAF read/write, freelist manipulation | cred overwrite |
| DownUnderCTF 2025 | Rolling Around | solved / writeup | Medium-High (4) | custom eBPF ALU verifier bug | eBPF stack OOB + AAR/AAW | modprobe_path overwrite |
| MaltaCTF 2025 Quals | secure-dwarf | solved / writeup | Medium-High (8) | custom DWARF bytecode | AAR primitive | read flag in kernel memory |
| DiceCTF 2025 Quals | oboe | writeup | Medium-High (16) | single-byte OOB overwrite | refcount overwrite | kernel ROP, commit_creds(&init_cred) |
| KalmarCTF 2025 | decore | writeup | Medium-High (10) | executable path in core_pattern |
race condition | replace target file with symlink |
| TRX CTF 2025 | /dev/mem | solved / writeup | Medium-High (4) | /dev/mem access |
KASLR bypass, physical memory R/W | task list traversal, cred overwrite |
| HITCON CTF 2024 Quals | Seccomp Hell | writeup | Medium-High (15) | hidden backdoor / intended kernel interface | CPL3=>CPL0 via LDT call gate | manual cred + seccomp patch |
| KalmarCTF 2024 | msrable | solved / writeup | Medium-High (9) | MSR exposure | LSTAR leak + FMASK abuse + entry hijack | CR4 disable => CC(IC) => KPTI return |
| SECCON CTF 2023 Quals | umemo / kmemo | solved / writeup | Medium-High (20/5) | UAF + mmap ownership corruption | object reuse => AAR / AAW | modprobe_path overwrite |
| zer0pts CTF 2023 | flipper | solved / writeup | Medium-High (5) | OOB 1-bit flip | single-bit heap corruption | cred capability bit flip / file refcount corruption |
| HITCON CTF 2022 | ⛓️ Fourchain - Kernel | writeup | Medium-High (12) | race / UAF | userfaultfd + UAF => msg_msg / pipe_buffer / sk_buff | DirtyCred / kernel ROP |
| SECCON CTF 2022 Quals | babypf | solved / writeup | Medium-High (10) | eBPF shift range verifier bug | eBPF stack corruption + AAR/AAW | modprobe_path overwrite |
| DownUnderCTF 2022 | just-in-kernel | writeup | Medium-High (11) | custom VM/JIT instruction-boundary bypass | JIT immediate shellcode + stack pivot | kernel ROP + CC(PKC(0)) |
| LINE CTF 2022 | ecrypt (fixed) | solved / writeup | Medium-High (7) | broken mmap() + kernel pointer exposure | key_ptr overwrite + crypto oracle + AAW | direct cred overwrite |
| hxp CTF 2021 | trusty user diary | solved / writeup | Medium-High (8) | missing FOLL_WRITE in GUP | pinned page write / COW bypass | page cache corruption => busybox shellcode injection |
| SECCON CTF 2021 | kone_gadget | writeup | Medium-High (5) | backdoored syscall (RIP control + RSP=0) | seccomp JIT + CR4 SMEP/SMAP bypass | stack pivot + CC(PKC(0)) / panic dump via jmp flag.txt |
| pbctf 2021 | Nightclub | solved / writeup | Medium-High (8) | NULL-terminated heap OOB | msg_msg m_ts corruption + heap leak + SLUB freelist corruption | modprobe_path overwrite |
| InCTF 2021 | MultiStorage | solved / writeup | Medium-High (1) | TOCTOU race + heap OOB write | page-cross heap overflow + heap feng shui | cred overwrite |
| Google Capture The Flag 2021 | EBPF | writeup | Medium-High (20) | eBPF verifier type confusion | forged PTR_TO_MAP_VALUE => AAR/AAW | modprobe_path overwrite |
| Pwn2Win CTF 2021 | Accessing the Truth | writeup | Medium-High (8) | UEFI password stack overflow | RIP control in UEFI context | UEFI shellcode reads initramfs.cpio and scans flag |
| hxp CTF 2020 | kernel-rop | solved / writeup | Medium-High (4) | stack leak + stack BOF | stack leak => kernel ROP | FG-KASLR => ksymtab => CC(IC) |
| SECCON 2020 Online CTF | kstack | solved / writeup | Medium-High (4) | race double free | UFFD heap reuse + seq_operations leak + AAW | seq_operations pivot + CC(PKC(0)) ROP |
| HITCON CTF 2020 | spark | writeup | Medium-High (10) | UAF by missing node refcount on graph link | fake spark_node reclaim => OOB distance-array read/write | cred overwrite via spark_graph_query() |
| TastelessCTF 2020 | yaknote | solved | Medium-High (1) | OOB index (signed/unsigned) | type confusion => AAR/AAW | modprobe_path overwrite |
| Pwn2Win CTF 2020 | Trusted Node | writeup | Medium-High (12) | TA command interface / function-pointer disclosure / client-side misuse | TA code pointer leak + hidden function invocation | use leaked TA address to call get_secret through android_get_increment |
| KalmarCTF 2026 | faulty | under analysis / TBD | High (2) | race condition (TOCTOU) | TBD | TBD |
| tkbctf5 | Hungry Goats | writeup | High (1) | sk_buff data_len corruption | controlled put_page() => page UAF |
page UAF overlap => cred overwrite |
| DiceCTF 2026 Quals | cornelslop | writeup | High (6) | RCU UAF race | RCU callback hijack | cross-cache pipe reclaim + IOPL fw_cfg initrd dump |
| WannaGame Championship 2025 | Johnny Sins | writeup | High (2) | pipe_buffer page UAF via tee/link_pipe off-by-one | page UAF | ret2pt_regs via fake file_operations |
| N1CTF 2025 | N1khash | writeup | High (7) | delayed work UAF | control-flow hijack + stack pivot | UAF reclaim + ROP + modprobe_path overwrite |
| KalmarCTF 2025 | Maestro Revenge | writeup | High (4) | missing userspace stack validation in signal delivery | kernel memory overwrite | AccessProfile overwrite / privilege bypass |
| UIUCTF 2024 | Syscalls 2 | writeup | High (8) | kernel logic / policy bypass | I/O via io_uring without normal fd allocation | io_uring-based flag read / FD creation restriction bypass |
| hxp CTF 2022 | one_byte | author writeup | High (5) | 1-byte arbitrary kernel write | one-shot 1-byte write-what-where | LDT call gate => ring0 shellcode |
| N1CTF 2022 | Babyuefi | writeup | High (5) | UEFI UiApp stack OOB / uninitialized length | stack leak + stack overwrite | UEFI boot option hijack to root shell |
| N1CTF 2022 | File | under analysis / TBD | High (1) | struct file refcount bug | struct file UAF / dangling fd | DirtyCred-style struct file replacement |
| N1CTF 2022 | Praymoon | writeup | High (0) | kmalloc-512 double free | user_key_payload OOB read / setxattr + userfaultfd reclaim | AF_PACKET pg_vec USMA text patch |
| Azure Assassin Alliance CTF 2022 | kkk | under analysis / TBD | High (4) | parser logic bug | hidden IOCTL reach (TBD) | kernel heap corruption (TBD) |
| pbctf 2021 | Access Key | under analysis / TBD | High (1) | 8-bit refcount overflow | UAF-style kmalloc-64 heap overlap (TBD) | Secret bypass => controlled kernel function call (TBD) |
| corCTF 2021 | Fire of Salvation | author writeup | High (0) | duplicated rule shallow copy UAF | kmalloc-4k UAF + msg_msg AAR/AAW + UFFD-assisted AAW | task_struct walk + current->cred / real_cred overwrite with init_cred |
| corCTF 2021 | Wall of Perdition | author writeup | High (0) | duplicated firewall rule UAF | kmalloc-64 UAF + msg_msg AAR + pipe_buffer RIP + FG-KASLR bypass | RetSpill ROP + __ksymtab symbol resolution + CC(PKC(0)) |
| TRX CTF 2026 | 🍼🤏🤏 revenge | writeup | Very-High (1) | per-CPU stack pointer corruption | per-CPU stack pivot | FSGSBASE + SWAPGS stack pivot |
| WannaGame Championship 2025 | Matrix | author writeup | Very-High (0) | eBPF verifier range bug | BPF stack pointer corruption => AAR/AAW | current cred replacement via init_task |
| TRX CTF 2025 | 🍼🤏 | author writeup | Very-High (0) | unrestricted wrmsr ioctl |
arbitrary MSR write | fake syscall GS / fake kernel stack + kernel ROP |
| KalmarCTF 2023 | hyper-k | under analysis / TBD | Very-High (1) | EPT management bug / guest-accessible hypervisor memory via GPA namespace confusion | writable EPT paging structures / guest-controlled second-stage translation (TBD) | VMFUNC/EPTP switching abuse => host physical memory AAR/AAW (TBD) |
Note: CC(PKC(0)) means commit_creds(prepare_kernel_cred(0)).
CC(IC) means commit_creds(&init_cred).
- QEMU-based kernel exploit testing
- LKM reverse engineering
- Use-After-Free
- stack overflow
- kernel ROP
- KPTI trampoline
- ret2usr
- KASLR bypass
- FG-KASLR bypass
- __ksymtab symbol resolution
- SMEP / SMAP bypass
- modprobe_path overwrite
- core_pattern abuse
- freelist poisoning
- cred overwrite
- race condition exploitation
- userfaultfd-assisted exploitation
- custom syscall abuse
- custom VM / bytecode bugs
- kmalloc cache reclaim
- tty_struct hijacking
- pipe_buffer reclaim
- Dirty Pipe style exploitation
- msg_msg spraying
- seq_operations overlap
- sk_buff exploitation
- arbitrary read/write
- page cache overwrite
- kernel text overwrite
- mmap-based dangling mapping
- eBPF verifier / eBPF VM exploitation
- DWARF bytecode VM exploitation
- /dev/mem exploitation
- ret2pt_regs
- RCU UAF exploitation
- MSR abuse
- io_uring abuse
- CR3 / page table manipulation
- EPT / second-stage translation abuse
- DirtyCred
- LDT / call gate exploitation
- UEFI exploitation
- COW bypass
- seccomp JIT abuse
- hypervisor exploitation
Most exploits are intended to be compiled statically and executed inside the provided QEMU/initramfs environments.
Example:
gcc exp01.c -o exp01 -staticor
musl-gcc exp01.c -o exp01 -staticLarge distribution files such as rootfs images, disk images, VM images, or archives may be omitted from this repository when they exceed GitHub's normal file size limit. In such cases, only the minimum files required for analysis are included, and an external download link or a note about the original distribution is provided when available.
GitHub の通常のファイルサイズ上限を超える大きな配布ファイルについては、本リポジトリに直接含めない場合があります。 その場合は、解析に必要な最小限のファイルのみを配置し、可能であれば外部リンクまたは元配布ファイルに関するメモを記載します。
README.md— metadata and short summarydistribution/— original challenge filesexploit/— exploit source code and helper scripts, if availablewriteup/— original writeups, notes, and external references
- Learning Linux Kernel Exploitation - Part 1
- Learning Linux Kernel Exploitation - Part 2
- Learning Linux Kernel Exploitation - Part 3
- Pawnyable - Linux Kernel Exploitation
- Kernel Exploitで使える構造体集
I would like to express my sincere gratitude to all CTF challenge authors who created these excellent kernel exploitation challenges.
Many of the techniques, exploit strategies, and implementation details in this repository were learned from public writeups, author writeups, and shared research notes. I deeply appreciate the authors of those writeups for documenting their approaches and making their knowledge available to the community.
This repository is intended as a personal learning archive and technical index. All credit for the original challenges belongs to the respective CTF organizers and challenge authors. All credit for referenced writeups belongs to their original authors.
素晴らしい Kernel Exploit 問題を作成してくださった CTF 運営・問題作者の皆様に深く感謝します。
本リポジトリに含まれる多くの技術、exploit 方針、実装上の知見は、公開 writeup、author writeup、各種技術メモから多くを学んだものです。 解法や考察を公開し、知識を共有してくださった writeup 作者の皆様にも心より感謝します。
本リポジトリは、個人の学習記録および技術索引として整理しているものです。 各 CTF 問題の権利とクレジットは、それぞれの CTF 運営・問題作者に帰属します。 参照した writeup のクレジットは、それぞれの原著者に帰属します。