Offical wp

Writeup.pdf

https://github.com/la0t0ng/d3ctf2022-shorter

Pwn:

d3fuse:

easy filesystem in userspace

<http://d3ctf-attachments.n3ko.co/Pwn/d3fuse_attachment_f9dc7b23bd7492cb7f6ca8d6d2f3578f2ad4d69c5f7005e3b7cc6b96feb8920d.zip>

nc 1-lb-pwn-challenge-cluster.d3ctf.io 30671

d3fuse.zip

d3bpf:

easy usercode in kernelspace

attachment: <http://d3ctf-attachments.n3ko.co/Pwn/d3bpf-fe89139cf452491fc88158f672848c50a372e2ce6811644b28035361ea4fbd01.zip>

nc 1-lb-pwn-challenge-cluster.d3ctf.io 31227

d3bpf.zip

d3guard:

A harmless challenge for your D^3 tour.

Exp: `cat /flag` (*^_^*).

Hint: There is a little vulnerability that can complete information leak. This is very helpful for the progress of some teams.Hint: The builtin `Print()` function accept multi args, what could this mean? or you can just read [<https://github.com/tianocore/edk2>](<https://github.com/tianocore/edk2>) to find some directions

****<http://d3ctf-attachments.n3ko.co/Pwn/d3guard_release_e32d19c82115c9018a12c7415c29cdf3.zip>

nc 1-lb-pwn-challenge-cluster.d3ctf.io 32659

d3guard.zip

d3kheap:

baby heap in kernel space, just sign me in plz :)

attachment: <http://d3ctf-2022.oss-cn-shanghai.aliyuncs.com/Pwn/d3kheap_release_013ae9c3ade2eb0a338be954db4a6d43692c5f1c.7z>

nc 1-lb-pwn-challenge-cluster.d3ctf.io 30597

d3kheap.7z