miscProhard

nix-revenge

kalmarctf

Task: source and VM exposed a web panel that accepted arbitrary Nix expressions and a root rebuild helper using VERSION_SUFFIX. Solution: poison the pinned Nix source fixed-output derivation with Linux fd smuggling, then let root rebuild Nix from the corrupted store path and leak the copied flag.

$ ls tags/ techniques/

nix nixos fixed_output_derivation fd_smuggling source_poisoning setuid_helper scm_rights web_panel

fod_corruptionscm_rights_fd_smugglingsource_tree_poisoningprivileged_rebuild_poisoning

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][free]Trust Issues— tjctf
[pwn][Pro]iz_heap_lv1 — BSS-pointer overlap + tcache poisoning— spbctf
[web][Pro]awesome pipeline— kalmarctf
[pwn][free]Void— hackthebox
[pwn][Pro]Taste— grodno_new_year_2026