https://blog.k1nt4r0u.site/tags/pwn/Recent content in PWN on k1nt4r0u's siteHugo -- gohugo.ioenCopyright (c) k1nt4r0uMon, 27 Apr 2026 14:17:36 +0700https://blog.k1nt4r0u.site/writeups/b01lersctf/throughthewall/writeup/Mon, 27 Apr 2026 14:17:36 +0700https://blog.k1nt4r0u.site/writeups/b01lersctf/throughthewall/writeup/<ul> <li>Event: b01lers CTF 2026</li> <li>Category: <code>pwn</code></li> <li>Challenge: <code>pwn/throughthewall</code></li> <li>Files: <code>bzImage</code>, <code>initramfs.cpio.gz</code>, <code>start.sh</code></li> <li>Remote: <code>ncat --ssl throughthewall.opus4-7.b01le.rs 8443</code></li> <li>Flag: <code>bctf{spray_those_dirty_pipes}</code></li> </ul> <p>This challenge was a kernel pwn packaged as a bootable QEMU image. The archive gave a kernel, an initramfs, and a launcher script. The remote service wrapped the same VM behind TLS and a proof-of-work gate, then dropped us into a BusyBox shell as the unprivileged <code>ctf</code> user. The only real goal was to turn that shell into root and read <code>/flag.txt</code>.</p>