corCTF 2024: Its Just a Dos Bug Bro - Leaking Flags from Filesystem with Spectre v1
ID: 31d01c57-3224-5378-b6e3-65b1586584c0
STIX ID: report--31d01c57-3224-5378-b6e3-65b1586584c0
Feed Name: Will's Root
This write-up describes a corCTF 2024 kernel challenge built around a deliberately vulnerable Linux syscall, corctf_read_note, whose note index is not bounds-checked. Architecturally this is an out-of-bounds read, the "DoS bug" of the title; the author's point is that the same access also works as a Spectre v1 gadget, so speculative execution combined with a cache side channel turns it into a kernel memory disclosure. The PoC chain is presented in full: user-space timing and cache-flush primitives, branch training to induce transient out-of-bounds accesses, recovery of the kernel (KASLR) and physmap base addresses, and finally exfiltration of file contents from the initramfs. The exploit is a platform- and configuration-dependent proof of concept: it relies on the behaviour of Intel 8th to 10th generation cores, the performance CPU frequency governor and specific kernel boot options, and it was written for the CTF rather than observed in malicious use.
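The following is an added example, not code from the write-up or from the challenge. It models the Spectre v1 pattern the summary refers to (a bounds check followed by a dependent load that a trained predictor lets the CPU execute transiently with a hostile index, the loaded byte then leaking through a Flush+Reload probe array) and shows the mitigation the Linux kernel applies through array_index_nospec(): a branchless index mask that clamps any out-of-range index to zero even on the mispredicted path. The struct, the note contents, the "secret" placed after the array and the function names (note_read_v1, note_read_v2, transient_byte_v1, transient_byte_v2, index_mask_nospec) are all constructed here; the challenge's real syscall may not match this shape exactly, and the x86 timing primitives are only compiled on x86-64 and are not exercised by the checks.

```c
/* Added example (not the write-up's or the challenge's code): Spectre v1
 * gadget pattern in a syscall-like read, and the branchless index masking
 * used by the Linux kernel's array_index_nospec(). All names and data below
 * are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NOTE_COUNT   8
#define NOTE_SIZE    32
#define PROBE_STRIDE 4096   /* one page per byte value, so the prefetcher cannot help */

/* Stand-in for kernel memory: the notes array and whatever lies past its end. */
struct kernel_mem {
    char notes[NOTE_COUNT][NOTE_SIZE];
    char secret[NOTE_SIZE];          /* constructed: the "flag" in the write-up's terms */
};
static struct kernel_mem km = { .notes = { "note0", "note1" },
                                .secret = "CONSTRUCTED-SECRET" };

/* Flush+Reload oracle: the dependent load touches probe[b * PROBE_STRIDE], and
 * the line that becomes cached tells the attacker the value of b. */
static uint8_t probe[256 * PROBE_STRIDE];
static volatile uint8_t sink;

/* Vulnerable pattern: the architectural check is correct, but after branch
 * training the CPU runs both loads transiently with an attacker-chosen idx. */
static int note_read_v1(size_t idx, size_t off, char *out)
{
    if (idx >= NOTE_COUNT || off >= NOTE_SIZE)
        return -1;                                   /* -EINVAL in a real syscall */
    char b = km.notes[idx][off];                     /* OOB read under misprediction */
    sink = probe[(uint8_t)b * PROBE_STRIDE];         /* encodes b into the cache */
    *out = b;
    return 0;
}

/* Generic form of array_index_mask_nospec(): all ones when idx < size, zero
 * otherwise, computed without a branch that the predictor could mispredict. */
static inline size_t index_mask_nospec(size_t idx, size_t size)
{
    return (size_t)(~(intptr_t)(idx | (size - 1UL - idx)) >> (sizeof(size_t) * 8 - 1));
}

/* Hardened: on the mispredicted path the mask forces idx and off to 0, so even
 * the transient execution of the loads stays inside km.notes. */
static int note_read_v2(size_t idx, size_t off, char *out)
{
    if (idx >= NOTE_COUNT || off >= NOTE_SIZE)
        return -1;
    idx &= index_mask_nospec(idx, NOTE_COUNT);
    off &= index_mask_nospec(off, NOTE_SIZE);
    char b = km.notes[idx][off];
    sink = probe[(uint8_t)b * PROBE_STRIDE];
    *out = b;
    return 0;
}

/* What the dependent load fetches if the bounds check is transiently skipped.
 * Both functions deliberately omit the check to model that path. */
static char transient_byte_v1(size_t idx, size_t off)
{
    size_t pos = idx * NOTE_SIZE + off;              /* unmasked: walks past notes[] */
    return pos < sizeof km ? ((const char *)&km)[pos] : 0;
}
static char transient_byte_v2(size_t idx, size_t off)
{
    idx &= index_mask_nospec(idx, NOTE_COUNT);       /* masked: cannot leave notes[] */
    off &= index_mask_nospec(off, NOTE_SIZE);
    return ((const char *)&km)[idx * NOTE_SIZE + off];
}

#if defined(__x86_64__) && defined(__GNUC__)
#include <x86intrin.h>
/* User-space flush and timing primitives of the kind the PoC's Flush+Reload
 * side uses; the cycle threshold separating a hit from a miss is machine specific. */
static inline void flush_line(const void *p) { _mm_clflush(p); _mm_mfence(); }
static inline uint64_t reload_cycles(const void *p)
{
    unsigned int aux;
    uint64_t t0 = __rdtscp(&aux);
    sink = *(const volatile uint8_t *)p;
    uint64_t t1 = __rdtscp(&aux);
    return t1 - t0;
}
#endif

int main(void)
{
    char b = 0;
    printf("in-bounds read: rc=%d byte='%c'\n", note_read_v1(1, 0, &b), b);
    printf("oob idx rejected: v1=%d v2=%d\n",
           note_read_v1(NOTE_COUNT, 0, &b), note_read_v2(NOTE_COUNT, 0, &b));
    printf("transient path fetches '%c' unmasked, '%c' masked\n",
           transient_byte_v1(NOTE_COUNT, 0), transient_byte_v2(NOTE_COUNT, 0));
    return 0;
}
```

Architecturally both versions reject an out-of-range index identically; the difference only matters on the transient path, which is why the bug reads as "just a DoS" until someone brings a cache side channel to it. The probe array, flush and timing primitives are the user-space half of such an attack; the hardened version leaves them nothing to observe because the transient load can no longer reach past the array.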
