
Kryptor2 — HTB Challenge

retleave·Apr 21, 2026·9 min read


Info

  • Category: Pwn
  • Difficulty: Hard

Introduction

Kryptor2 is a Linux kernel exploitation challenge featuring a custom kernel module (/dev/k2) that implements user credential management with SHA-256 and SHA-384 hashing. The module exposes ioctl commands for registering users, updating credentials, and restoring old credentials. A hash length mismatch vulnerability in the credential update path produces a 16-byte heap overflow in kmalloc-64, which is escalated through IPC message queue spraying into arbitrary kernel read, task list traversal, and finally a SLUB freelist corruption + stack pivot ROP chain for root.
The exploit is written entirely in C (not Python) due to the need for kernel-level IPC primitives, SHA-384 constraint solving, and precise timing. It runs inside a QEMU VM with a custom kernel and initramfs.

Vulnerability Analysis

The Kernel Module

The module exposes five ioctl commands through /dev/k2:
```c
#define REGISTER_USER     0x11111111
#define UNREGISTER_USER   0x22222222
#define UPDATE_CREDS      0x55555555
#define RESTORE_OLD_CREDS 0x66666666
#define IMPERSONATE_USER  0x44444444
```
Each user's credentials are stored in a kmalloc-64 slab object holding the hash type and the digest. UPDATE_CREDS lets a user switch from one hash type to the other and recomputes the digest in place, into the buffer that was sized for the original type. The two digest lengths differ: SHA-256 produces 32 bytes, SHA-384 produces 48, and that 16-byte difference is exactly the overflow the rest of the exploit builds on.
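To make the length mismatch concrete, here is an added user-space model of the update path; it is example code written for this writeup, not the challenge module's source. The record layout (a 32-byte header followed by a digest buffer that fills the rest of a 64-byte object), the field names, the `k2_creds`/`run_scenario` helpers and the two-object "slab" buffer are all assumptions, and the digest routine is a deterministic stand-in for the real SHA-256/SHA-384 since only the output lengths matter for the bug. The vulnerable update recomputes with the new digest length regardless of the buffer it was given; the hardened variant refuses a type whose digest does not fit.

```c
/* Hypothetical user-space model of the UPDATE_CREDS length mismatch.
 * Added example, not the challenge module's code: the record layout,
 * field names and the two-object "slab" buffer are assumptions chosen so
 * that a SHA-256 record fills one 64-byte object exactly; fake_digest()
 * stands in for the real hash, since only output lengths matter here. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum hash_type { HASH_SHA256 = 1, HASH_SHA384 = 2 };

/* Real digest sizes: SHA-256 is 32 bytes, SHA-384 is 48 bytes (difference 16). */
static size_t digest_len(enum hash_type t)
{
    switch (t) {
    case HASH_SHA256: return 32;
    case HASH_SHA384: return 48;
    default:          return 0;
    }
}

#define OBJ_SIZE 64   /* one kmalloc-64 object */

/* Assumed record layout: 32-byte header plus a digest buffer sized for the
 * hash type the user registered with (SHA-256 here, so 32 bytes). */
struct k2_creds {
    uint32_t type;
    uint32_t uid;
    uint8_t  reserved[24];
    uint8_t  digest[OBJ_SIZE - 32];
};

/* Stand-in for the hash: deterministic bytes derived from type and input. */
static void fake_digest(enum hash_type t, const char *in, uint8_t *out, size_t outlen)
{
    uint8_t acc = 0;
    for (size_t i = 0; in[i]; i++)
        acc += (uint8_t)in[i];
    for (size_t i = 0; i < outlen; i++)
        out[i] = (uint8_t)((t << 6) + i + acc);
}

/* Vulnerable path: switch the type and recompute in place with the NEW
 * digest length, although the buffer was sized for the OLD one.
 * Returns how many bytes were written past the digest buffer. */
static int update_creds_vuln(struct k2_creds *c, enum hash_type t, const char *pw)
{
    size_t n = digest_len(t);
    c->type = t;
    fake_digest(t, pw, c->digest, n);   /* 48 bytes into a 32-byte field */
    return n > sizeof c->digest ? (int)(n - sizeof c->digest) : 0;
}

/* Hardened path: reject any type whose digest does not fit the allocation. */
static int update_creds_fixed(struct k2_creds *c, enum hash_type t, const char *pw)
{
    size_t n = digest_len(t);
    if (n == 0 || n > sizeof c->digest)
        return -EINVAL;
    c->type = t;
    fake_digest(t, pw, c->digest, n);
    return 0;
}

/* Return code of the hardened update on a freshly registered SHA-256 record. */
static int fixed_update_rc(enum hash_type t)
{
    struct k2_creds c;
    memset(&c, 0, sizeof c);
    c.type = HASH_SHA256;
    fake_digest(HASH_SHA256, "hunter2", c.digest, digest_len(HASH_SHA256));
    return update_creds_fixed(&c, t, "hunter2");
}

/* Two adjacent 64-byte objects in one buffer stand in for neighbouring slab
 * objects: register a SHA-256 user in the first, fill the second with a
 * canary, switch the first to SHA-384 via `update`, and return how many
 * leading canary bytes the neighbour lost. */
static int run_scenario(int (*update)(struct k2_creds *, enum hash_type, const char *))
{
    _Alignas(8) uint8_t slab[2 * OBJ_SIZE];
    struct k2_creds *victim = (struct k2_creds *)slab;
    uint8_t *neighbour = slab + OBJ_SIZE;
    const uint8_t canary = 0xCC;

    memset(slab, 0, sizeof slab);
    memset(neighbour, canary, OBJ_SIZE);
    victim->type = HASH_SHA256;
    victim->uid = 1000;
    fake_digest(HASH_SHA256, "hunter2", victim->digest, digest_len(HASH_SHA256));

    update(victim, HASH_SHA384, "hunter2");

    int clobbered = 0;
    while (clobbered < OBJ_SIZE && neighbour[clobbered] != canary)
        clobbered++;
    return clobbered;
}

int main(void)
{
    printf("vulnerable update: %d neighbour bytes overwritten\n", run_scenario(update_creds_vuln));
    printf("hardened update:   %d neighbour bytes overwritten\n", run_scenario(update_creds_fixed));
    return 0;
}
```

The vulnerable run reports 16 clobbered neighbour bytes, the same 16-byte spill into the adjacent kmalloc-64 object that the writeup's exploit chain turns into a primitive; the hardened run touches nothing. The fix shown is the simplest one (refuse the larger type); a module that needs to support the switch would instead have to allocate the record for the largest digest it can ever hold, or reallocate on type change.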

The SHA-384 Overflow

Content Locked

This challenge is still active on HackTheBox. The full writeup will be available after retirement.