Microarchitecture Exploitation


System Security.

Modern CPUs are impressive feats of engineering effort, consistently offering performance improvements every generation. But how? This module explores security vulnerabilities that can lurk hidden, below the assembly, in the CPU architecture itself!

Note: Meltdown challenges must be performed inside the VM!



Challenges

Get started with a binary that side-channels itself!

Connect with SSH

Link your SSH key, then connect with: ssh hacker@pwn.college

A binary that side-channels itself, now using multiple pages.

Measure memory access timings to leak the flag via a side-channel.

Perform a full flush and reload side-channel attack!

This binary never reads the flag bytes... or does it?

Locate the flag in memory using shellcode after all references to it have been DESTROYED. You will only have access to the "exit" system call, so you will need a creative way of locating the flag's address in your process!

Use a speculative bounds check bypass which accesses a page mapped in userspace to leak the flag.

Use a speculative indirect call which accesses a page mapped in userspace to leak the flag.

Use a cache side channel triggered through y85 shellcode which accesses a page mapped in userspace to leak the flag.

Use a Spectre v1 channel triggered through y85 shellcode which accesses a page mapped in userspace to leak the flag.

Use a Spectre v2 side channel triggered through y85 shellcode which accesses a page mapped in userspace to leak the flag.

Use Meltdown to read the flag from the kernel module's memory. Note: this challenge must be executed inside the VM!

Leak the flag via Meltdown from another process: get the address of its task_struct from the kernel module, then use it to find and walk that process's page tables. Note: this challenge must be executed inside the VM!
