堇姬 Naup's Blog

2025-07-05 3k words 16 mins

2025 Google CTF - writeup

GoogleCTF 2025 - writeup Author: 堇姬 Naup Pwnmulti-arch 2一題 VM pwn第一題是 Reverse 第二題是 pwn這份 writeup 只有寫 pwn analyze IDA沒有 debug symbol，所以要修這台 VM 自定義了一個 masm 的檔案格式整個 masm 檔案格式就是 4 bytes MASM 作為 magic number 被 load 進去後共有 3 個 segments，code、data、stack 檔案 header 有三段，分別是 code、data、arch_table 每段的 heade

2025-06-30 2k words 10 mins

Linux Kernel Patched - exec remove legacy custom binfmt modules autoloading

Linux Kernel Patched - exec: remove legacy custom binfmt modules autoloading Author : 堇姬 Naup Patchedhttps://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fa1bdca98d74472dcdb79cb948b54f63b5886c04 搜尋執行檔處理器（binary handler）的邏輯中，包含了遺留下來的舊程式碼，用來在系統遇到不支援的執行檔格式時，自動載入對應的核心模組。這段邏

2025-05-31 5.6k words 28 mins

2025 AIS3 pre-exam & My First CTF - official writeup

2025 AIS3 pre-exam & My First CTF official writeup Author: 堇姬Naup 前言這次在 AIS3 出了 4 題，分別是 1 web、1 misc、2 pwn分別是 Tomorin db 🐧 (web, 282/473 solve) ♖ PyWars ♖ (Misc, 1/473 solve) MyGO schedule manager α (Pwn, 12/473 solve) MyGO schedule manager β (Pwn, 0/473 solve) source cod

2025-05-30 1.6k words 8 mins

alpacahack round 11 web - Jackpot & Tiny Note

alpacahack round 11 web - Jackpot & Tiny Note Author : 堇姬 Naup 前言那天在忙，只打了第一題，這篇順便補另外一題 (窩不會 XSS) Jackpot12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758from flask import Flask, request, render_template, jsonifyfrom werkzeug.exceptions i

2025-05-22 1.6k words 8 mins

Page Fault handle on userspace - Userfaultfd

Page Fault handle on userspace - Userfaultfd Author : 堇姬 Naup What is userfaultfduserfaultfd 是一種 syscall (syscall table rax = 388)user 可以去自訂 user pagefault handler 來去處理 userspace 的缺頁異常 (https://zh.wikipedia.org/wiki/%E9%A1%B5%E7%BC%BA%E5%A4%B1) https://chromium.googlesource.com/chromiumos/docs

2025-05-19 1.5k words 7 mins

2025 TRX CTF - /dev/mem - part 2

2025 TRX CTF - /dev/mem - part 2 Author : 堇姬 Naup 前言繼承上一篇https://naupjjin.github.io/2025/04/11/Linux-Kernel-2025-TRX-CTF-devmem/ 這邊來講講另一個思想 analyze這次主要針對 /usr/sbin/chall，先放一下他的保護機制，沒有開 PIE並且他是 static linking 再來去檢查這個 binary 發現他有 SUID 12~ # ls -l /usr/sbin/chall-rwsr-x--x

2025-05-14 3.2k words 16 mins

XHLJ 2021-easykernel - writeup

XHLJ 2021-easykernel - writeup Author : 堇姬 Naup analyze一樣的題目給了三個文件 12345naup96321@naup96321-virtual-machine:~/Desktop/ekernel$ tree.├── bzImage├── rootfs.img.gz└── start.sh 先解包 file system 123mkdir -p sysfilegunzip rootfs.img.gzcpio -idmv -D sysfile < rootfs.img 順便寫 pack.sh 打包 1find . | cpio -

2025-05-12 1.2k words 7 mins

San Diego CTF 2025 - all pwn challenge

San Diego CTF 2025 - all pwn challenge Author: 堇姬 Naup PrefaceThis CTF play with Bing Chilling AcademiesThis CTF’s pwn is so easy, I just spend an hour and a half to solve all pwn challenge. But I still recorded it We got rank 9. Shellphone It let you input shellcode (shellcode need to < 0x19

2025-04-18 6 words 1 min

Linux Kernel - Traversal of CPU and physical memory management

Here's something encrypted, password is required to continue reading.

2025-04-11 6.5k words 33 mins

2025 TRX CTF - /dev/mem

2025 TRX CTF - /dev/mem Author : 堇姬 Naup 前置123mkdir -p sysfilegunzip initramfs.cpio.gzcpio -idmv -D sysfile < initramfs.cpio 把 cpio 解壓後，先把 pack.sh 寫好之後來修 run.sh 123456789101112131415161718192021222324252627282930313233naup@naup-virtual-machine:~/Desktop/pwn/devmem$ cat run.sh #!/bin/