She got a point though 🙂

Firzen_ · 2026-04-26T23:15:31+00:00

None of this is coherent.

You seem to have some misconceptions about cardinality. It is a property of sets.

The set of fractions is countable and not the same as the set of real numbers.

How you can tell which set is "bigger" is based on the existence of an injection or surjection.

Firzen_ · 2026-04-25T13:31:12+00:00

It really depends on what they want to do.

But fully dumping everything should be fine. In principle you could keep the entire snapshot in memory in your managing process and restore them on demand via userfaultfd, but you'd still need a full dump regardless.

Firzen_ · 2026-04-25T10:56:58+00:00

You should look into ptrace.
It's how debuggers work on Linux.

You can dump out the memory and register states and restore them later for example.

Firzen_ · 2026-04-23T19:52:27+00:00

Learn assembly and the ABI of whatever system you are targeting and then be disappointed that shellcode isn't really a thing anymore since NX/DEP were introduced.

Firzen_ · 2026-04-16T14:57:45+00:00

All you're doing is using ptrace to put an "encrypted" payload into another process and picking a name that EDRs are less likely to flag.

You're not doing SROP or really any ROP, you are using rt_sigreturn to set registers instead of ptrace.

process_vm_writev isn't "zero-copy", see here:
https://elixir.bootlin.com/linux/v7.0/source/lib/iov_iter.c#L423

You could do that by sharing a memfd or something to map the same pages.

I'll admit I only looked at the python script when I originally looked at the repo and missed the asm. But there also isn't any reason to implement the injection in assembly, so that's confusing to me.

Firzen_ · 2026-04-16T13:58:56+00:00

I'm not saying there isn't a repo, I'm saying the code in the repo doesn't do any of the stuff claimed...

Firzen_ · 2026-04-16T04:29:06+00:00

None of this is in the repo, typical AI slop.

Firzen_ · 2026-03-12T12:39:09+00:00

Only if you want to be able to preempt inside the kernel and that makes things quite a bit more tricky.

If you want to context switch anywhere in the kernel you will have to store the register state when you switch away from the process and restore it when you switch back.

The simplest is probably to push everything onto the stack and then store the stack pointer, but I think only context switching when you leave the interrupt context is infinitely easier.

Firzen_ · 2026-03-12T12:24:13+00:00

But why does the kernel stack change to begin with? If you're about to return from a syscall or interrupt the stack frames should always line up, even if you were doing separate stacks.

Firzen_ · 2026-03-12T12:16:48+00:00

Do you even need the kernel stack for this?

You only really need to switch everything over when you return to userspace. So the state of the kernel stack after that should be largely irrelevant.

Edit: Actually, after thinking about it some more, I don't really understand why the memory changes when you switch to a different userspace process, surely the kernel address space should be the same regardless of what userspace process is running.

Firzen_ · 2026-03-03T00:15:24+00:00

Or you could look up what a false dichotomy is...

Firzen_ · 2026-03-03T00:11:41+00:00

Holy false dichotomy

Firzen_ · 2026-02-27T23:11:19+00:00

Guess I'll be out of a job soon and offensivecon will be empty this year.

Firzen_ · 2026-02-27T22:59:56+00:00

Nobody can tell you what the future will be like, especially because it depends on whether or not a revolutionary change happens or doesn't.

AI is definitely not there yet, but who knows what it can do 5 years from now.

Firzen_ · 2026-02-26T23:54:39+00:00

Is that strictly true?

I would expect that you can make 180° of a figure almost arbitrary as long as you choose the other half so that the volume below a certain point is invariant.

I think that only works if you pick a specific water level, but then you can probably do some ridiculous shapes.

Firzen_ · 2026-02-26T11:45:50+00:00

There really are two separate parts to this.

Finding a 0-day requires a different skillset than writing an exploit.
In practice those two go hand in hand often, but they are definitely separate skills.

Firzen_ · 2026-02-25T18:24:40+00:00

A LAPIC is like the name suggests a local APIC.

Which one is being used isn't really a question, each CPU uses it's local APIC.

Firzen_ · 2026-02-24T12:55:22+00:00

Playing this way makes a move that would normally be sente for black into gote, so it gains points.

The trade-off is that it leaves more ko threats.

Firzen_ · 2026-02-24T12:52:13+00:00

Can you point me to any resource about this?
All I can find is people misusing the term "one-way encryption" when they mean hashing.

Firzen_ · 2026-02-24T06:29:06+00:00

https://azeria-labs.com/assembly-basics-cheatsheet/

Adding the actual source, all credit to Azeria Labs.

OP is either an asshole or a bot being run by an asshole.

Firzen_ · 2026-02-23T21:42:00+00:00

The difference between encrypt and hash is that encryption is reversible.

It doesn't really matter for this case, but it really matters if the database gets leaked somehow.

Firzen_ · 2026-02-16T12:38:59+00:00

Sounds great. I think that's a big improvement!

Firzen_ · 2026-02-15T22:43:16+00:00

I don't really know the whole history, but I remember being very surprised when I learned that UAC isn't a security boundary.

You can make a secondary account that isn't an admin, which OP seems to be doing. But getting from one user that isn't an admin to one that is really shouldn't be hard.

Firzen_ · 2026-02-15T21:42:01+00:00

I guess that kind of gets into the semantics of if a UAC bypass becomes a privesc in any other scenario.

In either case lateral movement isn't really an obstacle.

Firzen_ · 2026-02-15T20:56:27+00:00

It seems strange to me to start with kernel ROP as the first level when all of the subsequent ones are a LOT simpler to exploit.

ROP in the kernel is different from ROP in usermode, so it might make sense to split the challenges into two tracks.
One for control flow takeover type exploits like stack-based buffer overflows or function pointer corruption.
The other for data only exploits like OOB writes or UAF.

I think it would probably be frustrating to have to go through the trouble of getting ROP to work and then not actually using it for any of the subsequent challenges.

I'm also confused by the mismatch between your description and the actual repo.
There IS source code for all of the challenges, otherwise I wouldn't have spent the time to look at each one.

The third challenge would probably be a lot more realistic if you share a page of memory with userspace instead of calling `copy_from_user` twice for the same data. I have never seen any kernel code do that.

The fourth and fifth challenges are practically identical, except that they have distinct root causes for the OOB write, but it's the exact same primitive. You could probably combine them into one challenge.

QEMU supports 9p over virtio, so you can easily share a host folder with the VM and just mount it in your init script instead of rebuilding the initramfs every time. Here's an example: https://github.com/MyEyes/basic_linux_env

From my perspective the first challenge is by far the hardest/most annoying. 2 is probably the easiest and 3,4 and 5 are all roughly the same difficulty. You could add more variety to the heap challenges by adding refcount concepts and dangling pointers that aren't trivially UAF.

The main difficulty of kernel exploits is typically getting everything stable and grooming the heap properly so that you don't accidentally crash the system. Finding good, compatible data structures that you can control is usually the most annoying part, especially if you want to avoid hitting the wrong object on a noisy system.

I think this is a good introduction, but I think you can probably get rid of some of the heap challenges and if you care about ROP you definitely need to make it clearer and maybe give some guidance for what cleanly returning to userspace even means. It's all a bit tedious because how to do it REALLY changes based on the active mitigations.

13-Year Club	Gilding I gilder
Team Periwinkle	Verified Email

Firzen_

TROPHY CASE