pwnhard

lasOS

volgactf2026

Task: bootable custom x86_64 OS image running under QEMU+KVM with a tiny syscall ABI for untrusted ring-3 code. Solution: abuse setregs to control SYSRETQ state, trigger a ring-0 #GP with non-canonical RCX, and redirect the #GP exception-name pointer to the kernel flag string so puts() prints it.

$ ls tags/ techniques/

x86_64 qemu kernel custom_os kvm syscall_interface sysret non_canonical_address exception_handler ring3

sysret_noncanonical_rcxkernel_rsp_controlexception_name_table_pointer_overwritering0_exception_abuse

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

Create a free account with GitHub to get started.

$ssh [email protected]