Let's dig into kernel space and learn how to talk to kernel extensions and drivers using IOKit!

Critical Note: The machines that you are working on are purely ephemeral and none of your data there is saved!

This means that you must, must, must, save your files / solution locally if you want them to persist.

You've been warned.

Also, you can only use ssh hacker@pwn.college to access the server; the Workspace and Desktop don't work.

Shoutout to the great and mysterious hacker crowell for the original version of these challenges.


Lectures and Reading


Challenges

Connect to io.oooverflow.IPwnKit, and the flag is given in the logs.

Kext is in /Library/Extensions/IPwnKit.kext

Use log show to read the logs.

Correctly open a connection to the user client to get the flag.

Kext is in /Library/Extensions/IPwnKit.kext

Use the user client to say hi, and the driver will give you the flag.

Kext is in /Library/Extensions/IPwnKit.kext

Now we're getting to the good stuff. You can now call ReadNum. How can you use this to get the flag?

Kext is in /Library/Extensions/IPwnKit.kext

Well, the flag isn't in the driver anymore, but you can call WriteNum. How can you use this to get the flag?

Kext is in /Library/Extensions/IPwnKit.kext

