KalioNix

❯

Linux Kernel Study

❯

Linux Kernel Curriculum with CTF

Linux Kernel Curriculum with CTF

Jun 24, 20264 min read

GPT가 작성해준 커리큘럼에 따라 CTF에 출제된 커널 문제들을 풀어보며 학습해보려고 한다.

0. 기본 10개

Phase 1: Primitive

3kCTF-2021 / echo
- direct AAR/AAW syscall
ASIS CTF Finals 2025 / KList
- simple OOB write
NexHunt CTF 2025 / below
- OOB read/write
TAMUctf 2022 / Shmeeky
- integer overflow + OOB R/W

Phase 2: Kernel heap object

UIUCTF 2025 / Baby Kernel
- tty_struct ops hijack
PatriotCTF 2025 / switchboard
- kmalloc-32 UAF

Phase 3: 종합

TSG CTF 2021 / lkgit
- userfaultfd race + seq_operations leak
ASIS CTF Quals 2021 / Mini memo
- msg_msg + pipe_buffer + freelist poisoning

Phase 4: ROP 보강

NahamCon CTF 2025 / The Jumps 또는 K3RN3LCTF / Easy kernel is still kernel right?
- kernel ROP / KPTI trampoline 입문
hxp CTF 2020 / kernel-rop
- kernel ROP + FG-KASLR + ksymtab

1. tty_struct hijacking 트랙

Easy — TSJ CTF 2022 / clipboard.ko
- 목표: tty_struct reclaim 복습
Medium — zer0pts CTF 2020 / meowmow
- 목표: leak + fake tty_operations
Hard — 3kCTF-2021 / klibrary
- 목표: UFFD race + tty_struct overlap

추천 순서: clipboard.ko → meowmow → klibrary

2. pipe_buffer / Dirty Pipe 트랙

Easy — b01lers CTF 2026 / throughthewall
- 목표: 쉬운 pipe_buffer reclaim
Medium — BackdoorCTF 2024 / Kuwu
- 목표: msg_msg + pipe_buffer overlap
Hard — bi0sCTF 2024 / palindromatic
- 목표: OOB/double free + msg_msg/pipe_buffer 종합

추천 순서: throughthewall → Kuwu → palindromatic

3. msg_msg 트랙

Easy — BackdoorCTF 2024 / Kuwu
- 목표: msg_msg overlap 입문
Medium — HITCON CTF 2020 / atoms
- 목표: msg_msg reclaim / UAF
Hard — pbctf 2021 / Nightclub
- 목표: m_ts corruption + heap leak + freelist corruption

추천 순서: Kuwu → atoms → Nightclub

Kuwu는 pipe_buffer 트랙과 겹치므로 한 번 풀고 두 트랙에 같이 체크해도 됨.

4. seq_operations overlap 트랙

Easy — bi0sCTF 2022 / k32
- 목표: heap leak + kernel text leak
Medium — SECCON 2020 Online CTF / kstack
- 목표: seq_operations + UFFD + ROP
Hard — SUSCTF 2022 / kqueue’s revenge
- 목표: seq_operations leak + UFFD reclaim + ROP 종합

추천 순서: k32 → kstack → kqueue’s revenge

5. userfaultfd / race 트랙

Easy — BackdoorCTF 2023 / EmpDB
- 목표: UFFD-assisted race 입문
Medium — DiceCTF 2021 / hashbrown
- 목표: resize race + UFFD + pipe_buffer
Hard — HITCON CTF 2022 / Fourchain - Kernel
- 목표: UFFD + heap objects + DirtyCred 종합

추천 순서: EmpDB → hashbrown → Fourchain - Kernel

6. kernel ROP / KPTI trampoline 트랙

Easy — m0leCon CTF 2020 Teaser / babyk
- 목표: kernel ROP 기본 복습
Medium — zer0pts CTF 2022 / kRCE
- 목표: AAR/AAW + task traversal + KPTI
Hard — SECCON CTF 2021 / kone_gadget
- 목표: SMEP/SMAP, seccomp JIT, ROP 심화

추천 순서: babyk → kRCE → kone_gadget

7. FG-KASLR / ksymtab 트랙

Easy — hxp CTF 2020 / kernel-rop 복습
- 목표: FG-KASLR + ksymtab 기본
Medium — corCTF 2021 / Wall of Perdition
- 목표: ksymtab symbol resolution 심화
Hard — skernel 또는 oboe
- 목표: ROP 고난도 문제와 결합

추천 순서: hxp kernel-rop 복습 → Wall of Perdition → skernel 또는 oboe

8. DirtyCred 트랙

Easy — N1CTF 2022 / File
- 목표: DirtyCred 사고방식 입문
Medium — HITCON CTF 2022 / Fourchain - Kernel
- 목표: DirtyCred + UFFD + heap 종합
Hard — N1CTF 2024 / heap_master
- 목표: cross-cache / page-level exploitation 확장

추천 순서: N1CTF 2022 File → Fourchain - Kernel → heap_master

9. eBPF 트랙

Easy — Google CTF 2021 / EBPF
- 목표: verifier type confusion 입문
Medium — SECCON CTF 2022 Quals / babypf
- 목표: verifier range bug
Hard — DownUnderCTF 2025 / Rolling Around
- 목표: custom eBPF verifier bug

추천 순서: Google CTF EBPF → babypf → Rolling Around

10. UEFI 트랙

Easy — N1CTF 2022 / Babyuefi
- 목표: UEFI 입문
Medium — Pwn2Win CTF 2021 / Accessing the Truth
- 목표: UEFI stack overflow + shellcode
Hard — 별도 UEFI/SMM 문제로 확장
- 목표: SMM, firmware exploitation

추천 순서: Babyuefi → Accessing the Truth

0. 기본 10개
Phase 1: Primitive
Phase 2: Kernel heap object
Phase 3: 종합
Phase 4: ROP 보강
1. tty_struct hijacking 트랙
2. pipe_buffer / Dirty Pipe 트랙
3. msg_msg 트랙
4. seq_operations overlap 트랙
5. userfaultfd / race 트랙
6. kernel ROP / KPTI trampoline 트랙
7. FG-KASLR / ksymtab 트랙
8. DirtyCred 트랙
9. eBPF 트랙
10. UEFI 트랙

Created with Quartz v4.5.2 © 2026

GitHub
Discord Community