[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-77341":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":14,"stars7d":17,"stars30d":18,"stars90d":16,"forks30d":16,"starsTrendScore":19,"compositeScore":20,"rankGlobal":10,"rankLanguage":10,"license":10,"archived":21,"fork":21,"defaultBranch":22,"hasWiki":23,"hasPages":21,"topics":24,"createdAt":10,"pushedAt":10,"updatedAt":44,"readmeContent":45,"aiSummary":46,"trendingCount":16,"starSnapshotCount":16,"syncStatus":14,"lastSyncTime":47,"discoverSource":48},77341,"Kernel-Exploit-Dojo","mito753\u002FKernel-Exploit-Dojo","mito753","CTF kernel exploitation notes, PoCs, exploits, and writeups.","",null,"C",178,28,2,1,0,3,152,6,4.39,false,"main",true,[25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43],"ctf","ctf-writeups","dirty-pipe","ebpf","kernel-exploitation","kernel-pwn","kernel-rop","kpti","linux-kernel","linux-kernel-exploitation","modprobe-path","msg-msg","pipe-buffer","pwn","qemu","smap","smep-bypass","uaf","userfaultfd","2026-06-12 02:03:42","![Kernel Exploit Dojo banner](.\u002Fassets\u002Fbanner02.jpg)\n\n# Kernel-Exploit-Dojo （道場）\n\n## Overview\n\nKernel-Exploit-Dojo is a curated archive of 100+ Linux kernel exploitation CTF challenges, organized by bug class, exploitation primitive, final technique, difficulty, and solve count.\nEach challenge directory contains the original distribution files when available, exploit code, and a technical writeup.\n\nThe goal is to organize practical kernel pwn techniques such as UAF, heap spraying, pipe_buffer abuse, msg_msg, modprobe_path overwrite, and cred overwrite.\n\nChallenges are organized by year, and the top-level Challenge List works as an index to each challenge directory.\n\nFor technique-based navigation, see [Techniques Index](.\u002FTECHNIQUES.md).\n\nNote: Year folders are based on the actual event date, not necessarily the year shown in the CTF name.\n\nKernel-Exploit-Dojo (道場) は、100件以上の Linux Kernel Exploit CTF 問題を、Bug・Primitive・Final Technique・Difficulty・Solve数ごとに整理した技術索引です。\n\n各問題ごとに配布ファイル、exploit、解説をまとめ、実戦的な kernel pwn 技術を復習できる形にしています。\n\n各問題は年度別フォルダに整理しており、トップページの Challenge List から各問題へ移動できます。\n\n技術別に探したい場合は [Techniques Index](.\u002FTECHNIQUES.md) を参照してください。\n\nNote: 年度別フォルダは CTF 名の年ではなく、実際の開催年を基準にしています。\n\n## Disclaimer\n\nThis repository is for CTF learning and local lab environments only.\nDo not run the exploits on production systems or systems you do not own.\nAll examples are intended to be executed inside isolated QEMU\u002FCTF environments.\n\n本リポジトリは CTF 学習およびローカル検証環境向けです。\n実環境・第三者環境では絶対に実行しないでください。\n\n## Challenge List\n\nDifficulty is based on exploit complexity, required kernel knowledge, and solve count.\n\nDifficulty は exploit の複雑さ、必要な kernel 知識、solve 数をもとに主観的に分類しています。\n\n| CTF | Challenge | Status | Difficulty (Solves) | Bug | Primitive | Final Technique |\n|---|---|:---:|:---:|---|---|---|\n| CakeCTF 2022 | [welkerme](.\u002F2022\u002FCakeCTF_2022\u002FPwn_welkerme) | solved \u002F writeup | Very-Easy (75) | kernel calls user function pointer | run user code as kernel | `CC(PKC(0))` |\n| b01lers CTF 2026 | [throughthewall](.\u002F2026\u002Fb01lers_CTF_2026\u002FPwn_throughthewall) | solved \u002F writeup | Easy (69) | kmalloc-1024 UAF | pipe_buffer reclaim | Dirty Pipe, `\u002Fetc\u002Fpasswd` overwrite |\n| ASIS CTF Finals 2025 | [KList](.\u002F2025\u002FASIS_CTF_Finals_2025\u002FPwn_KList) | solved | Easy (37) | OOB write | kernel memory write | modprobe_path overwrite |\n| NexHunt CTF 2025 | [below](.\u002F2025\u002FNexHunt_CTF_2025\u002FPwn_below) | solved \u002F writeup | Easy (12) | OOB read\u002Fwrite | kernel read\u002Fwrite | modprobe_path overwrite |\n| N1CTF 2025 | [ktou](.\u002F2025\u002FN1CTF_2025\u002FPwn_ktou) | solved \u002F writeup | Easy (38) | logic flaws | kernel object pointer corruption | GOT overwrite |\n| UIUCTF 2025 | [Baby Kernel](.\u002F2025\u002FUIUCTF_2025\u002FPwn_Baby_Kernel) | solved \u002F writeup | Easy (53) | customizable UAF | `tty_struct` ops hijack | modprobe_path overwrite |\n| NahamCon CTF 2025 | [The Jumps](.\u002F2025\u002FNahamCon_CTF_2025\u002FPwn_The_Jumps) | solved \u002F writeup | Easy (59) | stack overflow | kernel stack ROP | kernel ROP, `CC(PKC(0))` |\n| TCP1P CTF 2024 | [K-Revenge](.\u002F2024\u002FTCP1P_CTF_2024\u002FPwn_K-Revenge) | solved \u002F writeup | Easy (4) | customizable UAF + double free | pipe-based kernel leak + AAW | freelist poisoning => modprobe_path overwrite |\n| SECCON Beginners CTF 2024 | [kbuf](.\u002F2024\u002FSECCON_Beginners_CTF_2024\u002FPwn_kbuf) | solved | Easy (8) | uninit heap + OOB R\u002FW + arbitrary seek | OOB leak => AAR\u002FAAW | modprobe_path overwrite |\n| SECCON Beginners CTF 2023 | [driver4b](.\u002F2023\u002FSECCON_Beginners_CTF_2023\u002FPwn_driver4b) | solved \u002F writeup | Easy (19) | missing copy_from_user \u002F copy_to_user | AAR\u002FAAW | modprobe_path overwrite \u002F `core_pattern` overwrite |\n| Midnight Sun CTF 2023 Quals | [SPD D](.\u002F2023\u002FMidnight_Sun_CTF_2023_Quals\u002FSpeed_SPD_D) | solved \u002F writeup | Easy (?) | unchecked ppos used as kernel stack buffer offset | kernel stack OOB read\u002Fwrite | saved RIP overwrite => ret2usr => `CC(PKC(0))` |\n| ADDA CTF 2022 | [Kernauth](.\u002F2022\u002FADDA_CTF_2022\u002FPwn_Kernauth) | solved | Easy (11) | TOCTOU race | struct cred overwrite | cred overwrite \u002F `commit_creds()` |\n| TSJ CTF 2022 | [clipboard.ko](.\u002F2022\u002FTSJ_CTF_2022\u002FPwn_clipboard.ko) | solved | Easy (11) | kmalloc-1024 UAF | tty_struct overlap + function pointer hijack | modprobe_path overwrite |\n| BackdoorCTF 2021 | [babyKernel](.\u002F2021\u002FBackdoorCTF_2021\u002FPwn_babyKernel) | solved | Easy (?) | improper strlen() boundary check | linked-list pointer overwrite | modprobe_path overwrite |\n| K3RN3LCTF | [Easy kernel is still kernel right?](.\u002F2021\u002FK3RN3LCTF\u002FPwn_Easy_kernel_is_still_kernel_right) | solved \u002F writeup | Easy (16) | stack leak + stack BOF | canary leak + KASLR leak + kernel ROP | `CC(PKC(0))` + KPTI trampoline |\n| 3kCTF-2021 | [echo](.\u002F2021\u002F3kCTF-2021\u002FPwn_echo) | solved \u002F writeup | Easy (9) | unsafe syscall | 8-byte AAR\u002FAAW + physmap leak | modprobe_path overwrite |\n| m0leCon CTF 2020 Teaser | [babyk](.\u002F2020\u002Fm0leCon_CTF_2020_Teaser\u002FPwn_babyk) | solved \u002F writeup | Easy (20) | stack BOF | saved RIP control | `CC(PKC(0))` + kernel ROP |\n| 0xFUN CTF 2026 | [Phantom](.\u002F2026\u002F0xFUN_CTF_2026\u002FPwn_Phantom) | solved \u002F writeup | Easy-Medium (45) | mmap UAF | dangling mmap, freed page reuse | cred overwrite, modprobe_path |\n| THJCC CTF 2026 | [Excalipipe](.\u002F2026\u002FTHJCC_CTF_2026\u002FPwn_Excalipipe) | solved \u002F writeup | Easy-Medium (17) | allowing reuse of merge flag | page cache overwrite | `\u002Fbin\u002Fbusybox` overwrite |\n| PatriotCTF 2025 | [switchboard](.\u002F2025\u002FPatriotCTF_2025\u002FPwn_switchboard) | solved \u002F writeup | Easy-Medium (53) | kmalloc-32 UAF | small-cache reclaim, controlled object reuse | modprobe_path overwrite |\n| TFC_CTF_2025 | [SLOTS](.\u002F2025\u002FTFC_CTF_2025\u002FPwn_SLOTS) | solved \u002F writeup | Easy-Medium (28) | customizable UAF | `tty_struct` ops hijack | read global flag buffer |\n| smileyCTF 2025 | [blargh](.\u002F2025\u002FsmileyCTF_2025\u002FPwn_blargh) | solved \u002F writeup | Easy-Medium (38) | 1-byte NULL write into kernel memory | read-only kernel text modification | patch kernel function |\n| Codegate CTF 2025 Preliminary | [pew](.\u002F2025\u002FCodegate_CTF_2025_Preliminary\u002FPwn_pew) | solved \u002F writeup | Easy-Medium (13) | kmalloc-4096 UAF | pipe_buffer reclaim | Dirty Pipe, `\u002Fetc\u002Fpasswd` overwrite |\n| BackdoorCTF 2024 | [Kuwu](.\u002F2024\u002FBackdoorCTF_2024\u002FPwn_Kuwu) | solved \u002F writeup | Easy-Medium (4) | double free, kmalloc-4096 UAF | msg_msg overlap + pipe_buffer leak | Dirty Pipe, `\u002Fetc\u002Fpasswd` overwrite |\n| HKCERT CTF 2024 (Qualifying Round) | [Flipper Hero](.\u002F2024\u002FHKCERT_CTF_2024\u002FPwn_Flipper_Hero) | solved \u002F writeup | Easy-Medium (10) | arbitrary bit flip | arbitrary kernel bit flip | modprobe_path overwrite |\n| IERAE CTF 2024 | [free2free](.\u002F2024\u002FIERAE_CTF_2024\u002FPwn_free2free) | solved \u002F writeup | Easy-Medium (2) | double free | heap overlap | Dirty Pipe, `\u002Fetc\u002Fpasswd` overwrite |\n| DownUnderCTF 2024 | [Faulty Kernel](.\u002F2024\u002FDownUnderCTF_2024\u002FPwn_Faulty_Kernel) | solved \u002F writeup | Easy-Medium (15) | page cache map\u002Fwrite | pipe_buffer page cache mapping | page cache overwrite (`\u002Fetc\u002Fpasswd`) |\n| HITCON CTF 2023 Quals | [Full Chain - Wall Rose](.\u002F2023\u002FHITCON_CTF_2023_Quals\u002FPwn_Full_Chain-Wall_Rose) | solved \u002F writeup | Easy-Medium (17) | global pointer double-free | pipe_buffer overlap | Dirty Pipe \u002F init_cred overwrite |\n| idekCTF 2022 | [Sofire=good](.\u002F2023\u002FidekCTF_2022\u002FPwn_Sofire=good) | solved \u002F writeup | Easy-Medium (7) | global UAF | ptmx reclaim + stale list R\u002FW | `core_pattern` overwrite |\n| TAMUctf 2022 | [Shmeeky](.\u002F2022\u002FTAMUctf_2022\u002FPwn_Shmeeky) | solved \u002F writeup | Easy-Medium (7) | integer overflow in size calculation | OOB read\u002Fwrite via shmvec_get\u002Fshmvec_set | modprobe_path overwrite |\n| GrabCON CTF 2021 | [Paas](.\u002F2021\u002FGrabCON_CTF_2021\u002FPwn_Paas) | solved \u002F writeup | Easy-Medium (1) | kernel format string | cpu_entry_area leak + pipe capture + AAW | modprobe_path overwrite |\n| LINE CTF 2021 | [pprofile](.\u002F2021\u002FLINE_CTF_2021\u002FPwn_pprofile) | solved \u002F writeup | Easy-Medium (7) | put_user misuse | constrained kernel write + oracle leak | modprobe_path overwrite |\n| Union CTF 2021 | [nutty](.\u002F2021\u002FUnion_CTF_2021\u002FPwn_nutty) | solved \u002F writeup | Easy-Medium (10) | heap OOB read + signed arithmetic overflow | tty_struct leak + heap OOB write | modprobe_path overwrite |\n| GACTF2020 | [forest](.\u002F2020\u002FGACTF2020\u002FPwn_forest) | solved | Easy-Medium (1) | customizable UAF + double free | seq_operations reclaim | `CC(PKC(0))` + kernel ROP |\n| ASIS CTF Quals 2020 | [Shared House](.\u002F2020\u002FASIS_CTF_Quals_2020\u002FPwn_Shared_House) | solved \u002F writeup | Easy-Medium (7) | off-by-one NULL | freelist poisoning | modprobe_path overwrite \u002F kernel ROP |\n| zer0pts CTF 2020 | [meowmow](.\u002F2020\u002Fzer0pts_CTF_2020\u002FPwn_meowmow) | solved \u002F writeup | Easy-Medium (9) | forward OOB R\u002FW | tty_struct leak + fake tty_operations + AAW | modprobe_path overwrite |\n| CTF@AC26 Quals | [Event Horizon](.\u002F2026\u002FCTF%40AC26-Quals\u002FPwn_Event_Horizon) | solved | Medium (31) | custom microcode VM bug | custom VM analysis, kernel code execution path | TBD |\n| HeroCTF_v7 | [Safe Device](.\u002F2025\u002FHeroCTF_v7\u002FPwn_Safe_Device) | solved \u002F writeup | Medium (7) | stack overflow | kernel stack ROP | aarch64 kernel ROP, modprobe_path overwrite |\n| DownUnderCTF 2025 | [backdoor](.\u002F2025\u002FDownUnderCTF_2025\u002FPwn_backdoor) | solved \u002F writeup | Medium (18) | custom syscall | kbase leak and kernel memory write | modprobe_path overwrite |\n| MaltaCTF 2025 Quals | [Write Flag Where](.\u002F2025\u002FMaltaCTF_2025_Quals\u002FPwn_Write_Flag_Where) | solved \u002F writeup | Medium (16) | custom syscall | physical memory write via direct map | call `modify_ldt` |\n| LA CTF 2025 | [messenger](.\u002F2025\u002FLA_CTF_2025\u002FPwn_messenger) | solved \u002F writeup | Medium (10) | 3-byte overflow of msgutil | pipe_buffer page corruption | cred search, cred overwrite |\n| IrisCTF_2025 | [Checksumz](.\u002F2025\u002FIrisCTF_2025\u002FPwn_Checksumz) | solved \u002F writeup | Medium (39) | OOB read\u002Fwrite | relative OOB R\u002FW + kernel leak | `core_pattern` overwrite |\n| HeroCTF v6 | [Buafllet](.\u002F2024\u002FHeroCTF_v6\u002FPwn_Buafllet) | solved \u002F writeup | Medium (4) | kmalloc-8192 UAF | UAF R\u002FW + AAW | tty struct => modprobe_path \u002F Pipe => Dirty Pipe |\n| cr3 CTF 2024 | [mov-cr3](.\u002F2024\u002Fcr3_CTF_2024\u002FPwn_mov-cr3) | solved \u002F writeup | Medium (10) | arbitrary CR3 Write | kernel AAR + cross-AS AAR | task->mm->pgd => CR3 pivot |\n| bi0sCTF 2024 | [palindromatic](.\u002F2024\u002Fbi0sCTF_2024\u002FPwn_palindromatic) | solved \u002F writeup | Medium (5) | OOB + double free | buddy reclaim + pipe_buffer + msg_msg overlap | Dirty Pipe, `\u002Fetc\u002Fpasswd` overwrite |\n| BackdoorCTF 2023 | [EmpDB](.\u002F2023\u002FBackdoorCTF_2023\u002FPwn_EmpDB) | solved \u002F writeup | Medium (15) | race UAF | userfaultfd race | modprobe_path overwrite |\n| bi0sCTF 2022 | [k32](.\u002F2023\u002Fbi0sCTF_2022\u002FPwn_k32) | solved \u002F writeup | Medium (1) | uninitialized heap read + heap object reuse | heap leak + kernel text leak + RIP control | seq_operations overlap + register spill + stack pivot + `CC(PKC(0))` |\n| CrewCTF 2022 | [qKarachter](.\u002F2022\u002FCrewCTF_2022\u002FPwn_qKarachter) | solved \u002F writeup | Medium (6) | state inconsistency + u8 overflow + invalid kfree | double free + overlapping objects | modprobe_path overwrite |\n| Securinets CTF Quals 2022 | [xblob](.\u002F2022\u002FSecurinets_CTF_Quals_2022\u002FPwn_xblob) | solved \u002F writeup | Medium (4) | TOCTOU open race + UAF | UAF + kernel heap leak + AAW | modprobe_path overwrite |\n| zer0pts CTF 2022 | [kRCE](.\u002F2022\u002Fzer0pts_CTF_2022\u002FPwn_kRCE) | solved \u002F writeup | Medium (8) | signedness OOB | OOB => AAR\u002FAAW => task traversal => stack leak | `CC(PKC(0))` + KPTI trampoline + userland ROP |\n| SUSCTF 2022 | [kqueue's revenge](.\u002F2022\u002FSUSCTF_2022\u002FPwn_kqueue's_revenge) | solved \u002F writeup | Medium (19) | queue UAF | seq_operations leak + userfaultfd reclaim + RIP control | `CC(PKC(0))` kernel ROP |\n| hxp CTF 2021 | [日本旅行](.\u002F2021\u002Fhxp_CTF_2021\u002FPwn_日本旅行) | writeup | Medium (4) | double PTRACE_SYSCALL \u002F ptrace state desync | syscall path-filter bypass | unchecked openat(\"\u002Fflag.txt\") + sendfile |\n| Hack.lu CTF 2021 | [Stonks Socket](.\u002F2021\u002FHack.lu_CTF_2021\u002FPwn_Stonks_Socket) | writeup | Medium (12) | UAF race on sk_user_data | kernel RIP control via freed 32-byte object \u002F function pointer call | userland shellcode => `CC(PKC(0))` |\n| ASIS CTF Quals 2021 | [Mini memo](.\u002F2021\u002FASIS_CTF_Quals_2021\u002FPwn_Mini_memo) | solved \u002F writeup | Medium (16) | partial heap OOB (3-byte) | msg_msg overlap => pipe_buffer leak => freelist poisoning | modprobe_path overwrite |\n| TSG CTF 2021 | [lkgit](.\u002F2021\u002FTSG_CTF_2021\u002FPwn_lkgit) | solved \u002F writeup | Medium (7) | duplicate-hash race UAF | userfaultfd race + kmalloc-32 UAF write \u002F seq_operations leak | modprobe_path overwrite |\n| Circle City Con CTF 2021 | [sockcamp](.\u002F2021\u002FCircle_City_Con_CTF_2021\u002FPwn_sockcamp) | solved \u002F writeup | Medium (3) | single-bit flip in task_struct | thread flag corruption (TIF_SECCOMP) | inject shellcode => `CC(PKC(0))` |\n| 3kCTF-2021 | [klibrary](.\u002F2021\u002F3kCTF-2021\u002FPwn_klibrary) | solved \u002F writeup | Medium (2) | race-based UAF | userfaultfd + tty_struct overlap | tty_ops hijack + modprobe_path overwrite |\n| Midnight Sun CTF 2021 Quals | [Brohammer](.\u002F2021\u002FMidnight_Sun_CTF_2021_Quals\u002FPwn_Brohammer) | solved \u002F writeup | Medium (18) | arbitrary 1-bit kernel write | physmap PTE permission flip | `CC(PKC(0))` |\n| DiceCTF 2021 | [hashbrown](.\u002F2021\u002FDiceCTF_2021\u002FPwn_hashbrown) | solved \u002F writeup | Medium (7) | resize race + value UAF | userfaultfd race + pipe_buffer UAF read\u002Fwrite | `\u002Fbin\u002Fbusybox` page cache overwrite |\n| HITCON CTF 2020 | [atoms](.\u002F2020\u002FHITCON_CTF_2020\u002FPwn_atoms) | solved \u002F writeup | Medium (17) | missing vm_open() refcount bug | fork()+munmap() UAF + msg_msg reclaim | lock corruption => watchdog-triggered flag output |\n| GACTF2020 | [easy_kernel](.\u002F2020\u002FGACTF2020\u002FPwn_easy_kernel) | solved \u002F writeup | Medium (2) | UAF + stack OOB R\u002FW | tcache poisoning + stack leak + stack BOF | .fini hijack => kernel ROP |\n| InCTF 2020 | [lab9](.\u002F2020\u002FInCTF_2020\u002FPwn_lab9) | solved | Medium (5) | heap OOB XOR write | freelist poisoning + tty_struct overlap | modprobe_path overwrite |\n| TRX CTF 2026 | [krwd](.\u002F2026\u002FTRX_CTF_2026\u002FPwn_krwd) | writeup | Medium-High (15) | deferred user pointer in delayed_work | cross-mm usercopy via kworker active_mm | BusyBox modprobe FSOP |\n| THJCC CTF 2026 | [僕と契約して、魔法少女になってよ！](.\u002F2026\u002FTHJCC_CTF_2026\u002FPwn_僕と契約して、魔法少女になってよ！) | solved \u002F writeup | Medium-High (3) | single-byte OOB overwrite | `struct file` corruption | `struct file->f_mode` overwrite |\n| BackdoorCTF 2025 | [skernel](.\u002F2025\u002FBackdoorCTF_2025\u002FPwn_skernel) | writeup | Medium-High (5) | kmalloc-64 UAF | race-assisted OOB leak\u002Fwrite | kernel ROP, `commit_creds(&init_cred)` |\n| CrewCTF 2025 | [barelyontime](.\u002F2025\u002FCrewCTF_2025\u002FPwn_barelyontime) | writeup | Medium-High (3) | logic bug, UAF | UFFD-assisted UAF race | kernel text overwrite |\n| corCTF 2025 | [zenerational-aura](.\u002F2025\u002FcorCTF_2025\u002FPwn_zenerational-aura) | solved \u002F writeup | Medium-High (5) | crash syscall | KASLR bypass via prefetch | kernel panic log oracle |\n| Full Weak Engineer CTF 2025 | [cknote](.\u002F2025\u002FFull_Weak_Engineer_CTF_2025\u002FPwn_cknote) | solved \u002F writeup | Medium-High (2) | kmalloc-32 UAF | UAF read\u002Fwrite, freelist manipulation | cred overwrite |\n| DownUnderCTF 2025 | [Rolling Around](.\u002F2025\u002FDownUnderCTF_2025\u002FPwn_Rolling_Around) | solved \u002F writeup | Medium-High (4) | custom eBPF ALU verifier bug | eBPF stack OOB + AAR\u002FAAW | modprobe_path overwrite |\n| MaltaCTF 2025 Quals | [secure-dwarf](.\u002F2025\u002FMaltaCTF_2025_Quals\u002FPwn_secure-dwarf) | solved \u002F writeup | Medium-High (8) | custom DWARF bytecode | AAR primitive | read flag in kernel memory |\n| DiceCTF 2025 Quals | [oboe](.\u002F2025\u002FDiceCTF_2025_Quals\u002FPwn_oboe) | writeup | Medium-High (16) | single-byte OOB overwrite | refcount overwrite | kernel ROP, `commit_creds(&init_cred)` |\n| KalmarCTF 2025 | [decore](.\u002F2025\u002FKalmarCTF_2025\u002FPwn_decore) | writeup | Medium-High (10) | executable path in `core_pattern` | race condition | replace target file with symlink |\n| TRX CTF 2025 | [\u002Fdev\u002Fmem](.\u002F2025\u002FTRX_CTF_2025\u002FPwn_dev_mem) | solved \u002F writeup | Medium-High (4) | `\u002Fdev\u002Fmem` access | KASLR bypass, physical memory R\u002FW | task list traversal, cred overwrite |\n| HITCON CTF 2024 Quals | [Seccomp Hell](.\u002F2024\u002FHITCON_CTF_2024_Quals\u002FPwn_Seccomp_Hell) | writeup | Medium-High (15) | hidden backdoor \u002F intended kernel interface | CPL3=>CPL0 via LDT call gate | manual cred + seccomp patch |\n| KalmarCTF 2024 | [msrable](.\u002F2024\u002FKalmarCTF_2024\u002FPwn_msrable) | solved \u002F writeup | Medium-High (9) | MSR exposure | LSTAR leak + FMASK abuse + entry hijack | CR4 disable => `CC(IC)` => KPTI return |\n| SECCON CTF 2023 Quals | [umemo](.\u002F2023\u002FSECCON_CTF_2023_Quals\u002FPwn_umemo) \u002F [kmemo](.\u002F2023\u002FSECCON_CTF_2023_Quals\u002FPwn_kmemo) | solved \u002F writeup | Medium-High (20\u002F5) | UAF + mmap ownership corruption | object reuse => AAR \u002F AAW | modprobe_path overwrite |\n| zer0pts CTF 2023 | [flipper](.\u002F2023\u002Fzer0pts_CTF_2023\u002FPwn_flipper) | solved \u002F writeup | Medium-High (5) | OOB 1-bit flip | single-bit heap corruption | cred capability bit flip \u002F file refcount corruption |\n| HITCON CTF 2022 | [⛓️ Fourchain - Kernel](.\u002F2022\u002FHITCON_CTF_2022\u002FPwn_Fourchain-Kernel) | writeup | Medium-High (12) | race \u002F UAF | userfaultfd + UAF => msg_msg \u002F pipe_buffer \u002F sk_buff | DirtyCred \u002F kernel ROP |\n| SECCON CTF 2022 Quals | [babypf](.\u002F2022\u002FSECCON_CTF_2022_Quals\u002FPwn_babypf) | solved \u002F writeup | Medium-High (10) | eBPF shift range verifier bug | eBPF stack corruption + AAR\u002FAAW | modprobe_path overwrite |\n| DownUnderCTF 2022 | [just-in-kernel](.\u002F2022\u002FDownUnderCTF_2022\u002FPwn_just-in-kernel) | writeup | Medium-High (11) | custom VM\u002FJIT instruction-boundary bypass | JIT immediate shellcode + stack pivot | kernel ROP + `CC(PKC(0))` |\n| LINE CTF 2022 | [ecrypt (fixed)](.\u002F2022\u002FLINE_CTF_2022\u002FPwn_ecrypt%20%28fixed%29) | solved \u002F writeup | Medium-High (7) | broken mmap() + kernel pointer exposure | key_ptr overwrite + crypto oracle + AAW | direct cred overwrite |\n| hxp CTF 2021 | [trusty user diary](.\u002F2021\u002Fhxp_CTF_2021\u002FPwn_trusty_user_diary) | solved \u002F writeup | Medium-High (8) | missing FOLL_WRITE in GUP | pinned page write \u002F COW bypass | page cache corruption => busybox shellcode injection |\n| SECCON CTF 2021 | [kone_gadget](.\u002F2021\u002FSECCON_CTF_2021\u002FPwn_kone_gadget) | writeup | Medium-High (5) | backdoored syscall (RIP control + RSP=0) | seccomp JIT + CR4 SMEP\u002FSMAP bypass | stack pivot + `CC(PKC(0))` \u002F panic dump via `jmp flag.txt` |\n| pbctf 2021 | [Nightclub](.\u002F2021\u002Fpbctf_2021\u002FPwn_Nightclub) | solved \u002F writeup | Medium-High (8) | NULL-terminated heap OOB | msg_msg m_ts corruption + heap leak + SLUB freelist corruption | modprobe_path overwrite |\n| InCTF 2021 | [MultiStorage](.\u002F2021\u002FInCTF_2021\u002FPwn_MultiStorage) | solved \u002F writeup | Medium-High (1) | TOCTOU race + heap OOB write | page-cross heap overflow + heap feng shui | cred overwrite |\n| Google Capture The Flag 2021 | [EBPF](.\u002F2021\u002FGoogle_Capture_The_Flag_2021\u002FPwn_EBPF) | writeup | Medium-High (20) | eBPF verifier type confusion | forged PTR_TO_MAP_VALUE => AAR\u002FAAW | modprobe_path overwrite |\n| Pwn2Win CTF 2021 | [Accessing the Truth](.\u002F2021\u002FPwn2Win_CTF_2021\u002FPwn_Accessing_the_Truth) | writeup | Medium-High (8) | UEFI password stack overflow | RIP control in UEFI context | UEFI shellcode reads initramfs.cpio and scans flag |\n| hxp CTF 2020 | [kernel-rop](.\u002F2020\u002Fhxp_CTF_2020\u002FPwn_kernel-rop) | solved \u002F writeup | Medium-High (4) | stack leak + stack BOF | stack leak => kernel ROP | FG-KASLR => ksymtab => `CC(IC)` |\n| SECCON 2020 Online CTF | [kstack](.\u002F2020\u002FSECCON_2020_Online_CTF\u002FPwn_kstack) | solved \u002F writeup | Medium-High (4) | race double free | UFFD heap reuse + seq_operations leak + AAW | seq_operations pivot + `CC(PKC(0))` ROP |\n| HITCON CTF 2020 | [spark](.\u002F2020\u002FHITCON_CTF_2020\u002FPwn_spark) | writeup | Medium-High (10) | UAF by missing node refcount on graph link | fake spark_node reclaim => OOB distance-array read\u002Fwrite | cred overwrite via spark_graph_query() |\n| TastelessCTF 2020 | [yaknote](.\u002F2020\u002FTastelessCTF_2020\u002FPwn_yaknote) | solved | Medium-High (1) | OOB index (signed\u002Funsigned) | type confusion => AAR\u002FAAW | modprobe_path overwrite |\n| Pwn2Win CTF 2020 | [Trusted Node](.\u002F2020\u002FPwn2Win_CTF_2020\u002FPwn_Trusted_Node) | writeup | Medium-High (12) | TA command interface \u002F function-pointer disclosure \u002F client-side misuse | TA code pointer leak + hidden function invocation | use leaked TA address to call get_secret through android_get_increment |\n| KalmarCTF 2026 | [faulty](.\u002F2026\u002FKalmarCTF_2026\u002FPwn_faulty) | under analysis \u002F TBD | High (2) | race condition (TOCTOU) | TBD | TBD |\n| tkbctf5 | [Hungry Goats](.\u002F2026\u002Ftkbctf5\u002FPwn_Hungry_Goats) | writeup | High (1) | sk_buff data_len corruption | controlled `put_page()` => page UAF | page UAF overlap => cred overwrite |\n| DiceCTF 2026 Quals | [cornelslop](.\u002F2026\u002FDiceCTF_2026_Quals\u002FPwn_cornelslop) | writeup | High (6) | RCU UAF race | RCU callback hijack | cross-cache pipe reclaim + IOPL fw_cfg initrd dump |\n| WannaGame Championship 2025 | [Johnny Sins](.\u002F2025\u002FWannaGame_Championship_2025\u002FPwn_Johnny_Sins) | writeup | High (2) | pipe_buffer page UAF via tee\u002Flink_pipe off-by-one | page UAF | ret2pt_regs via fake file_operations |\n| N1CTF 2025 | [N1khash](.\u002F2025\u002FN1CTF_2025\u002FPwn_N1khash) | writeup | High (7) | delayed work UAF | control-flow hijack + stack pivot | UAF reclaim + ROP + modprobe_path overwrite |\n| KalmarCTF 2025 | [Maestro Revenge](.\u002F2025\u002FKalmarCTF_2025\u002FPwn_Maestro_Revenge) | writeup | High (4) | missing userspace stack validation in signal delivery | kernel memory overwrite | AccessProfile overwrite \u002F privilege bypass |\n| UIUCTF 2024 | [Syscalls 2](.\u002F2024\u002FUIUCTF_2024\u002FPwn_Syscalls_2) | writeup | High (8) | kernel logic \u002F policy bypass | I\u002FO via io_uring without normal fd allocation | io_uring-based flag read \u002F FD creation restriction bypass |\n| hxp CTF 2022 | [one_byte](.\u002F2023\u002Fhxp_CTF_2022\u002FPwn_one_byte) | author writeup | High (5) | 1-byte arbitrary kernel write | one-shot 1-byte write-what-where | LDT call gate => ring0 shellcode |\n| N1CTF 2022 | [Babyuefi](.\u002F2022\u002FN1CTF_2022\u002FPwn_Babyuefi) | writeup | High (5) | UEFI UiApp stack OOB \u002F uninitialized length | stack leak + stack overwrite | UEFI boot option hijack to root shell |\n| N1CTF 2022 | [File](.\u002F2022\u002FN1CTF_2022\u002FPwn_File) | under analysis \u002F TBD | High (1) | struct file refcount bug | struct file UAF \u002F dangling fd | DirtyCred-style struct file replacement |\n| N1CTF 2022 | [Praymoon](.\u002F2022\u002FN1CTF_2022\u002FPwn_Praymoon) | writeup | High (0) | kmalloc-512 double free | user_key_payload OOB read \u002F setxattr + userfaultfd reclaim | AF_PACKET pg_vec USMA text patch |\n| Azure Assassin Alliance CTF 2022 | [kkk](.\u002F2022\u002FAzure_Assassin_Alliance_CTF_2022\u002FPwn_kkk) | under analysis \u002F TBD | High (4) | parser logic bug | hidden IOCTL reach (TBD) | kernel heap corruption (TBD) |\n| pbctf 2021 | [Access Key](.\u002F2021\u002Fpbctf_2021\u002FPwn_Access_Key) | under analysis \u002F TBD | High (1) | 8-bit refcount overflow | UAF-style kmalloc-64 heap overlap (TBD) | Secret bypass => controlled kernel function call (TBD) |\n| corCTF 2021 | [Fire of Salvation](.\u002F2021\u002FcorCTF_2021\u002FPwn_Fire_of_Salvation) | author writeup | High (0) | duplicated rule shallow copy UAF | kmalloc-4k UAF + msg_msg AAR\u002FAAW + UFFD-assisted AAW | task_struct walk + current->cred \u002F real_cred overwrite with init_cred |\n| corCTF 2021 | [Wall of Perdition](.\u002F2021\u002FcorCTF_2021\u002FPwn_Wall_of_Perdition) | author writeup | High (0) | duplicated firewall rule UAF | kmalloc-64 UAF + msg_msg AAR + pipe_buffer RIP + FG-KASLR bypass | RetSpill ROP + __ksymtab symbol resolution + `CC(PKC(0))` |\n| TRX CTF 2026 | [🍼🤏🤏 revenge](.\u002F2026\u002FTRX_CTF_2026\u002FPwn_🍼🤏🤏_revenge) | writeup | Very-High (1) | per-CPU stack pointer corruption | per-CPU stack pivot | FSGSBASE + SWAPGS stack pivot |\n| WannaGame Championship 2025 | [Matrix](.\u002F2025\u002FWannaGame_Championship_2025\u002FPwn_Matrix) | author writeup | Very-High (0) | eBPF verifier range bug | BPF stack pointer corruption => AAR\u002FAAW | current cred replacement via init_task |\n| TRX CTF 2025 | [🍼🤏](.\u002F2025\u002FTRX_CTF_2025\u002FPwn_🍼🤏) | author writeup | Very-High (0) | unrestricted `wrmsr` ioctl | arbitrary MSR write | fake syscall GS \u002F fake kernel stack + kernel ROP |\n| KalmarCTF 2023 | [hyper-k](.\u002F2023\u002FKalmarCTF_2023\u002FPwn_hyper-k) | under analysis \u002F TBD | Very-High (1) | EPT management bug \u002F guest-accessible hypervisor memory via GPA namespace confusion | writable EPT paging structures \u002F guest-controlled second-stage translation (TBD) | VMFUNC\u002FEPTP switching abuse => host physical memory AAR\u002FAAW (TBD) |\n\nNote: `CC(PKC(0))` means `commit_creds(prepare_kernel_cred(0))`.\n\n`CC(IC)` means `commit_creds(&init_cred)`.\n\n## Techniques Covered\n\n- QEMU-based kernel exploit testing\n- LKM reverse engineering\n- Use-After-Free\n- stack overflow\n- kernel ROP\n- KPTI trampoline\n- ret2usr\n- KASLR bypass\n- FG-KASLR bypass\n- __ksymtab symbol resolution\n- SMEP \u002F SMAP bypass\n- modprobe_path overwrite\n- core_pattern abuse\n- freelist poisoning\n- cred overwrite\n- race condition exploitation\n- userfaultfd-assisted exploitation\n- custom syscall abuse\n- custom VM \u002F bytecode bugs\n- kmalloc cache reclaim\n- tty_struct hijacking\n- pipe_buffer reclaim\n- Dirty Pipe style exploitation\n- msg_msg spraying\n- seq_operations overlap\n- sk_buff exploitation\n- arbitrary read\u002Fwrite\n- page cache overwrite\n- kernel text overwrite\n- mmap-based dangling mapping\n- eBPF verifier \u002F eBPF VM exploitation\n- DWARF bytecode VM exploitation\n- \u002Fdev\u002Fmem exploitation\n- ret2pt_regs\n- RCU UAF exploitation\n- MSR abuse\n- io_uring abuse\n- CR3 \u002F page table manipulation\n- EPT \u002F second-stage translation abuse\n- DirtyCred\n- LDT \u002F call gate exploitation\n- UEFI exploitation\n- COW bypass\n- seccomp JIT abuse\n- hypervisor exploitation\n\n## Build and Run\n\nMost exploits are intended to be compiled statically and executed inside the provided QEMU\u002Finitramfs environments.\n\nExample:\n\n```bash\ngcc exp01.c -o exp01 -static\n```\n\nor\n\n```bash\nmusl-gcc exp01.c -o exp01 -static\n```\n\n## Large Files Policy\n\nLarge distribution files such as rootfs images, disk images, VM images, or archives may be omitted from this repository when they exceed GitHub's normal file size limit.\nIn such cases, only the minimum files required for analysis are included, and an external download link or a note about the original distribution is provided when available.\n\nGitHub の通常のファイルサイズ上限を超える大きな配布ファイルについては、本リポジトリに直接含めない場合があります。\nその場合は、解析に必要な最小限のファイルのみを配置し、可能であれば外部リンクまたは元配布ファイルに関するメモを記載します。\n\n## Challenge Template\n\n- `README.md` — metadata and short summary\n- `distribution\u002F` — original challenge files\n- `exploit\u002F` — exploit source code and helper scripts, if available\n- `writeup\u002F` — original writeups, notes, and external references\n\n## References\n\n- [Learning Linux Kernel Exploitation - Part 1](https:\u002F\u002Flkmidas.github.io\u002Fposts\u002F20210123-linux-kernel-pwn-part-1\u002F)\n- [Learning Linux Kernel Exploitation - Part 2](https:\u002F\u002Flkmidas.github.io\u002Fposts\u002F20210128-linux-kernel-pwn-part-2\u002F)\n- [Learning Linux Kernel Exploitation - Part 3](https:\u002F\u002Flkmidas.github.io\u002Fposts\u002F20210205-linux-kernel-pwn-part-3\u002F)\n- [Pawnyable - Linux Kernel Exploitation](https:\u002F\u002Fpawnyable.cafe\u002Flinux-kernel\u002F)\n- [Kernel Exploitで使える構造体集](https:\u002F\u002Fptr-yudai.hatenablog.com\u002Fentry\u002F2020\u002F03\u002F16\u002F165628)\n\n## Acknowledgements\n\nI would like to express my sincere gratitude to all CTF challenge authors who created these excellent kernel exploitation challenges.\n\nMany of the techniques, exploit strategies, and implementation details in this repository were learned from public writeups, author writeups, and shared research notes.\nI deeply appreciate the authors of those writeups for documenting their approaches and making their knowledge available to the community.\n\nThis repository is intended as a personal learning archive and technical index.\nAll credit for the original challenges belongs to the respective CTF organizers and challenge authors.\nAll credit for referenced writeups belongs to their original authors.\n\n## 謝辞\n\n素晴らしい Kernel Exploit 問題を作成してくださった CTF 運営・問題作者の皆様に深く感謝します。\n\n本リポジトリに含まれる多くの技術、exploit 方針、実装上の知見は、公開 writeup、author writeup、各種技術メモから多くを学んだものです。\n解法や考察を公開し、知識を共有してくださった writeup 作者の皆様にも心より感謝します。\n\n本リポジトリは、個人の学習記録および技術索引として整理しているものです。\n各 CTF 問題の権利とクレジットは、それぞれの CTF 運営・問題作者に帰属します。\n参照した writeup のクレジットは、それぞれの原著者に帰属します。  \n","Kernel-Exploit-Dojo 是一个专注于 Linux 内核漏洞利用的 CTF 挑战题库，包含 100 多个按漏洞类型、利用技术、最终攻击手段、难度和解决次数分类整理的挑战。每个挑战都提供了原始分发文件、exploit 代码以及详细的技术解析文档，涵盖了 UAF、堆喷射、pipe_buffer 滥用等常见内核攻击手法。该项目适合安全研究人员、CTF 竞赛选手以及对 Linux 内核安全感兴趣的开发者在本地实验环境中学习和实践内核级别的漏洞利用技术。注意所有示例应在隔离的 QEMU 或 CTF 环境中运行，严禁用于生产环境或非授权系统上。","2026-06-11 03:55:18","CREATED_QUERY"]