2025

| CTF name | Challenge name | Bug | Technique | Note |
|---|---|---|---|---|
| KCSC Recruitment | AAA | Buffer Overflow | | |
| KCSC Recruitment | babyROP | Buffer Overflow | ROP | Use a quirk of printf that placed a pointer to funlockfile in rdi after returning |
| KCSC Recruitment | ccrash | Buffer Overflow | Return to Shellcode | |
| KCSC Recruitment | Chodan | Shellcode | Use padding + jump to bypass the fact that every next 8 bytes are zeroed out. Use the dup2 syscall to point stdin to stderr (dup2 will duplicate old_fd to new_fd), and this just works on remote. When you run locally, fds 0, 1, 2 are stdin, stdout and stderr, but when you run remotely, stdin, stdout and stderr share a random fd, so when you duplicate, it's just duplicating that fd, meaning each process will have 3 fds (0, 1, 2), and those 3 fds are symlinks pointing to bash or a socket. I noticed that fds 0, 1, 2 are all symlinks to sockets, and the sockets transmit data through a single pipe. This is different from running bash locally, where each fd is its own pipe. So when running locally, turning off stdin always turns it off; if I dup stdout through stdin, that pipe is still stdout. But on remote, stdin, stdout and stderr are all in the same pipe, so when I turn off stdin and dup stdout through stdin, it is also in the same pipe. | |
| KCSC Recruitment | darktunnel | Buffer Overflow | Using a trick to bypass the canary | |
| KCSC Recruitment | KCSC Shop | Buffer Overflow, Format String | GOT Overwrite | ARM64 is so complicated |
| KCSC Recruitment | Welcome | Format String | | |
| x3CTF | devnull-as-a-service | Buffer Overflow | SROP, Shellcode | |
| VSL | asm machine | Shellcode Injection | | |
| VSL | Beginner | Buffer Overflow | | |
| VSL | Interesting Functions | Format String, Buffer Overflow | The strcat() function appends the src string to the dest string, overwriting the terminating null byte ('\0') at the end of dest, and then adds a terminating null byte. | |
| VSL | Present | Buffer Overflow | Return to Libc | |
| UoftCTF | babypwn1 | Buffer Overflow | | |
| UoftCTF | babypwn2 | Buffer Overflow | Return to Shellcode | |

2024

| CTF name | Challenge name | Bug | Technique | Note |
|---|---|---|---|---|
| 0xL4ughCTF | Wanna play a game? | OOB | | |
| 1337UP Live CTF | retro2win | Buffer Overflow | ROP | |
| ångstromCTF | bap | Format String | | |
| ångstromCTF | og | Format String, Buffer Overflow | | |
| ångstromCTF | bap | Integer Overflow | | |
| World Wide Flag CTF | white rabbit | ROP, Shellcode | | |

| Difficulty | Challenge name | Bug | Technique | Note |
|---|---|---|---|---|
| Easy | Bad grades | Buffer Overflow | ROP, GOT Overwrite | |
| Easy | Execute | Shellcode | | |
| Easy | Restaurant | Buffer Overflow | ROP | |
| Easy | You know 0xDiablos | Buffer Overflow | | |

Level 1

| Challenge name | Bug | Technique | Note |
|---|---|---|---|
| oob | Out of Bounds | | |
| p_rho | Integer Overflow, Buffer Overflow | | |
| Return Address Overwrite | Buffer Overflow | Return to win | |
| shell basic | Shellcode | | |
| stack aligne test | Buffer Overflow | ROP | |

Level 2

| Challenge name | Bug | Technique | Note |
|---|---|---|---|
| basic_exploitation_0 | Shellcode | | |
| basic_exploitation_1 | Buffer Overflow | | |
| basic_rop_x64 | Buffer Overflow | ROP | |
| basic_rop_x86 | Buffer Overflow | ROP | |
| MSNW | Buffer Overflow | Stack Pivot | |
| rs2 | Return to Shellcode | | |
| ret2lib | Buffer Overflow | Ret2Lib | |
| rop | Buffer Overflow | ROP | |
| ssp_001 | Buffer Overflow | Use brute force to leak canary value | |