Need help with 35c3ctf?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

134 Stars 20 Forks 1 Commits 0 Opened issues


Source code and exploits for some 35c3ctf challenges.

Services available


Need anything else?

Contributors list


Source code, binaries, and example exploits for the 35c3ctf challenges "WebKid", "pillow", and "chaingineering".


A modified WebKit with a new optimization which breaks some invariants of the JavaScript engine. Exploiting these will result in shellcode execution inside the WebContent sandbox. The sandbox was modified to allow read access to /flag1 and IPC lookup of the "pillow" services.


Two custom macOS system services. The challenge was inspired by and allows one to hijack the IPC connection between the two services to finally run arbitrary code outside of the sandbox. The challenge was hosted on a seperate VM and one could read /flag3 once outside of the sandbox.


The combination of the previous two challenges. One has to combine the WebKit and sandbox escape exploit into a single chain, then read /flag2 from outside the sandbox on the WebKid VM.

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.