Kernel::Time_To_Start

Welcome to pwnyOS!!

pwnyOS is a custom x86 operating system that supports link-time kASLR, multitasking and kernel threads, execution of genuine ELF files, a realtime high resolution graphics engine, and a custom hierarchical file system. This OS was written from the ground up with its use as a challenge for UIUCTF 2020 in mind. All source code in the OS is 100% custom handwritten C and assembly- there are no libraries used, and none of its code can be found anywhere online. This competition simulates an unprivileged user with physical access to a keyboard and terminal attempting to gain local privilege escalation on an unfamiliar system.

Documentation: https://github.com/sigpwny/pwnyOS-2020-docs/blob/master/Getting_Started.pdf

System Calls: https://github.com/sigpwny/pwnyOS-2020-docs/blob/master/Syscalls.pdf

For your first challenge: Login to the OS with username sandb0x

Password is 4 characters, all lowercase letters. First character is 'p'. I wonder if there's a way to leak the next char, knowing that the first part of the password is right...?

UPDATE ON DEPLOYMENT If your team was registered before midnight CDT on the first day of the competition, you may have received an email with your credentials. If those credentials do not work, or if you did not receive an email, please send us a modmail ASAP and we will get you set up as soon as possible.

If you attempt to connect to another user's VM, or attempt to compromise challenge infrastructure in any way, you will be banned without warning.

This challenge is the result of months of hard work- Please respect the challenge and don't attempt to ruin the experience for others.

Author: ravi

After loading the VM, we are greeted with a login page.

The goal is to login to the account "Sandb0x".

The challenge description states that the password consists of 4 lowercase characters, where the first character is 'p'. As the VM is called pwnyOS, I immediately guessed the password to be "pwny" which surprisingly worked.

This was probably not the intended solution as the flag hints that it is supposed to be a Timing Side Channel attack. But oh well, whatever works I guess.

Flag: uiuctf{t1ming_s1d3_chann3l_g4ng}