Pwn onhttp://icctx.xyz/tags/pwn/Recent content in Pwn onHugoen-USCopyright © 2026, icctx.Thu, 30 Apr 2026 00:00:00 +0000b01lers ctf 2026: kernel pwn (part 1)http://icctx.xyz/blog/throughthewall/Thu, 30 Apr 2026 00:00:00 +0000http://icctx.xyz/blog/throughthewall/<h1 id="intro">Intro</h1> <p>Hello! Recently, I competed in b01lersc.tf with team 0bscuri7y, where we placed 12th. I managed to solve all the pwn challenges, and in this post, I’ll walk through my solutions for the kernel pwn tasks: throughthewall (part 1) and multifiles (part 2).</p> <p><img src="http://icctx.xyz/images/tw_1.png" alt="alt text"></p> <h1 id="throughthewall">throughthewall</h1> <p><a href="https://raw.githubusercontent.com/icctx/ctf/refs/heads/main/b01lers.2026/throughthewall/handout.zip">download</a></p> <h2 id="recon">Recon</h2> <p><img src="http://icctx.xyz/images/tw_2.png" alt="alt text"></p> <div class="highlight"><pre tabindex="0" style="background-color:#f0f0f0;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-sh" data-lang="sh"><span style="display:flex;"><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 1</span><span><span style="color:#007020">#!/bin/bash </span></span></span><span style="display:flex;"><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 2</span><span><span style="color:#60a0b0;font-style:italic"># start.sh</span> </span></span><span style="display:flex;"><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 3</span><span> </span></span><span style="display:flex;"><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 4</span><span>qemu-system-x86_64 <span style="color:#4070a0;font-weight:bold">\ </span></span></span><span style="display:flex;"><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 5</span><span> -m 256M <span style="color:#4070a0;font-weight:bold">\ </span></span></span><span style="display:flex;"><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 6</span><span> -nographic <span style="color:#4070a0;font-weight:bold">\ </span></span></span><span style="display:flex;"><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 7</span><span> -kernel ./bzImage <span style="color:#4070a0;font-weight:bold">\ </span></span></span><span style="display:flex;"><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 8</span><span> -append <span style="color:#4070a0">&#34;console=ttyS0 loglevel=3 oops=panic panic=-1 pti=on kaslr&#34;</span> <span style="color:#4070a0;font-weight:bold">\ </span></span></span><span style="display:flex;"><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f"> 9</span><span> -no-reboot <span style="color:#4070a0;font-weight:bold">\ </span></span></span><span style="display:flex;"><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">10</span><span> -cpu qemu64,+smep,+smap <span style="color:#4070a0;font-weight:bold">\ </span></span></span><span style="display:flex;"><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">11</span><span> -smp <span style="color:#40a070">2</span> <span style="color:#4070a0;font-weight:bold">\ </span></span></span><span style="display:flex;"><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">12</span><span> -initrd ./initramfs.cpio.gz <span style="color:#4070a0;font-weight:bold">\ </span></span></span><span style="display:flex;"><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">13</span><span> -monitor /dev/null <span style="color:#4070a0;font-weight:bold">\ </span></span></span><span style="display:flex;"><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">14</span><span> -s <span style="color:#4070a0;font-weight:bold">\ </span></span></span><span style="display:flex;"><span style="white-space:pre;-webkit-user-select:none;user-select:none;margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">15</span><span> 2&gt;&amp;<span style="color:#40a070">1</span> | tee vm.log </span></span></code></pre></div><p>First, create the root directory and unpack the initramfs.</p>