Introduction
In 2025 I completed an internship at Out of bounds, which allowed me to research bugs in the VirtualBox USB stack (xHCI) for roughly 5 months. In this blog post I will explain my workflow and how I managed to fuzz this subsystem using kAFL/nyx.
xHCI
eXtensible Host Controller Interface (xHCI) is the latest standard for USB host controller devices. It is backward compatible with both the USB 1.0 and 2.0 protocols. The xHCI controller is implemented in VirtualBox as a cross-platfor...
window-of-opportunity
window-of-opportunity (490 pts) - 11 solves by Eth007
Description: Sometimes, there is a glimmer of hope, a spark of inspiration, a window of opportunity.
Attachments: https://imaginaryctf.org/r/izYM0#opportunity_dist.zip
nc window-of-opportunity.chal.imaginaryctf.org 1337
window-of-opportunity is a kernel exploitation challenge I did for the ImaginaryCTF 2023. We are given an arbitrary read primitive (and a stack buffer overflow but I didn’t use it), and the goal is basi...
mailman
mailman (423 pts) - 31 solves by Eth007
Description
I’m sure that my post office is 100% secure! It uses some of the latest software, unlike some of the other post offices out there… Flag is in ./flag.txt.
Attachments: https://imaginaryctf.org/r/PIxtO#vuln https://imaginaryctf.org/r/c9Mk8#libc.so.6
nc mailman.chal.imaginaryctf.org 1337
mailman is a heap challenge I did for the ImaginaryCTF 2023 event. It was a basic heap challenge involving tcache poisoning, safe-linking and secc...
Write me a book
Write me a Book 349
Give back to the library! Share your thoughts and experiences!
The flag can be found in /flag
Elma
nc 34.124.157.94 12346
Write me a book is a heap challenge I did during the Grey Cat The Flag 2023 Qualifiers. You can find the tasks and the exploit here.
TL;DR
To read the flag we have to:
create overlapping chunks due to an oob write vulnerability in rewrite_books
tcache poisoning thanks to the overlapping chunks
Overwrite the first entry...