DUCTF [PWN] fakeobj.py
15 items with this tag.
Exploiting Python object internals to hijack the __repr__ function pointer, redirecting execution to system("/bin/sh") for a shell, with adjustments for version-specific memory layouts.
A seccomp-restricted binary allows only a handful of syscalls (openat, preadv2, dup2, and writev); shellcode built from just those calls opens flag.txt, reads it, and prints its contents despite the strict filter.
Used a side-channel attack to recover the flag byte by byte.
Reverse a 64-bit ELF that reads a 10-char password from a tar.gz, then exploit a 0.5s-per-correct-char delay (timing side-channel) with a pwntools solver to recover the flag.
Exploitation of a Rust-based Wi-Fi management service: crack a hardcoded MD5 password hash, then abuse an unrestricted command injection to get a remote shell and retrieve the flag over a TCP redirect.
Exploited a 64-bit ELF with full RELRO, stack canary, and PIE protections.
Exploited a timing side-channel to leak libc base address and executed ROP to retrieve the flag.
Reverse-engineered a custom ELF binary and exploited a subtle memory-leak mechanism to retrieve the flag.
Reverse-engineered a 64-bit ELF with no stack or libc leaks, bypassed seccomp, and exfiltrated the flag.
A 64-bit Linux ELF with no canary or PIE—use heap allocations, overflow the code buffer pointer, and trigger a ret2win to call win() and retrieve the flag.
Exploiting a 64-bit Linux binary under seccomp with the ORW (open, read, write) technique. Leaked addresses come back encoded as double-precision floats and must be decoded bit-for-bit before building the ROP chains that bypass the filter and read the flag.
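The float-encoded leak in the ORW challenge above is a common trap: a user-space pointer such as 0x00007ffff7dd1000 has its top 12 bits clear, so as a double it is a subnormal, and a program that prints it with "%f" shows 0.000000 and destroys the leak. The example below is added here and is not code from the writeup; it shows the bit-level reinterpretation in both directions, demonstrates which text formats survive the round trip, and derives the libc base from a hypothetical, made-up offset that would in practice be taken from the target's libc.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reinterpret the 8 raw bytes of a leaked double as a 64-bit address.
 * memcpy copies bits; a cast would perform a numeric conversion instead. */
uint64_t double_to_addr(double d) {
    uint64_t a;
    memcpy(&a, &d, sizeof a);
    return a;
}

/* Inverse: pack an address into the bit pattern of a double (for sending
 * a pointer through a channel that only accepts floats). */
double addr_to_double(uint64_t a) {
    double d;
    memcpy(&d, &a, sizeof d);
    return d;
}

/* Parse a leak as printed by the target. "%lf" accepts both decimal and
 * C99 hex-float ("0x1.abp-1000") text, so either output style decodes. */
int parse_leak(const char *text, uint64_t *out) {
    double d;
    if (sscanf(text, "%lf", &d) != 1)
        return 0;
    *out = double_to_addr(d);
    return 1;
}

/* Simulate the target printing the leak, then decoding it on our side.
 * use_hexfloat=1 prints with "%a" (exact); 0 prints with "%f", which
 * rounds a subnormal to 0.000000 and loses the pointer entirely. */
uint64_t roundtrip_via_text(uint64_t addr, int use_hexfloat) {
    char buf[64];
    uint64_t back = 0;
    if (use_hexfloat)
        snprintf(buf, sizeof buf, "%a", addr_to_double(addr));
    else
        snprintf(buf, sizeof buf, "%f", addr_to_double(addr));
    parse_leak(buf, &back);
    return back;
}

/* libc base = leaked pointer - its offset inside libc. The offset is an
 * assumption here; take the real one from the target's libc. */
uint64_t libc_base_from_leak(uint64_t leaked, uint64_t known_offset) {
    return leaked - known_offset;
}

int main(void) {
    /* Constructed sample leak (assumed, not from the challenge). */
    uint64_t leaked = 0x00007ffff7dd1000ULL;
    printf("as %%a : %a\n", addr_to_double(leaked));
    printf("as %%f : %f  (subnormal, leak destroyed)\n", addr_to_double(leaked));
    printf("hexfloat roundtrip: 0x%" PRIx64 "\n", roundtrip_via_text(leaked, 1));
    printf("fixed roundtrip   : 0x%" PRIx64 "\n", roundtrip_via_text(leaked, 0));
    printf("libc base (assumed offset 0x1000): 0x%" PRIx64 "\n",
           libc_base_from_leak(leaked, 0x1000));
    return 0;
}
```

When a remote only prints with "%f" or a short "%g", the low bits are gone and no solver can recover them; "%a" or "%.17g" round-trip every double, so check how the target formats the value before reading the leak.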
Exploit a hidden menu unlocked by tweaking stamina and weight, then use a format-string bug and ROP to leak the canary and ELF base, write '/bin/sh' into memory, and execve a shell to grab the flag.
A heap overflow in a 64-bit ELF (partial RELRO, canary, NX, no PIE) corrupts chunk metadata so that malloc returns a chunk containing "Ez W", which triggers the flag leak.
Leveraged heap vulnerabilities like Use-After-Free and tcache poisoning to leak libc and stack addresses, then exploited arbitrary write to execute system('/bin/sh').
Leverage a format string vulnerability and buffer overflow to leak libc addresses, then use ROP and a second payload to read the flag from a file.