by saelo

saelo / 35c3ctf

Source code and exploits for some 35c3ctf challenges.

128 Stars 21 Forks Last release: Not found 1 Commits 0 Releases

Available items

No Items, yet!

The developer of this repository has not created any items for sale yet. Need a bug fixed? Help with integration? A different license? Create a request here:


Source code, binaries, and example exploits for the 35c3ctf challenges "WebKid", "pillow", and "chaingineering".


A modified WebKit with a new optimization which breaks some invariants of the JavaScript engine. Exploiting these will result in shellcode execution inside the WebContent sandbox. The sandbox was modified to allow read access to /flag1 and IPC lookup of the "pillow" services.


Two custom macOS system services. The challenge was inspired by https://github.com/bazad/blanket and allows one to hijack the IPC connection between the two services to finally run arbitrary code outside of the sandbox. The challenge was hosted on a seperate VM and one could read /flag3 once outside of the sandbox.


The combination of the previous two challenges. One has to combine the WebKit and sandbox escape exploit into a single chain, then read /flag2 from outside the sandbox on the WebKid VM.

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.