Information category: pwn Description Harness the power of FILE structs to arbitrarily read data. Write-up Goal: using an arbitrary write / memory-write primitive to corrupt a FILE (_IO_F...

Information category: pwn Description Abuse built-in FILE structs to bypass a security check. Exploit from pwn import * elf = context.binary = ELF("/challenge/babyfile_level6") global p ...

Information category: pwn Description Abuse built-in FILE structs to leak sensitive information. Exploit from pwn import * elf = context.binary = ELF("/challenge/babyfile_level5") global...

Information category: pwn Description Harness the power of FILE structs to arbitrarily read/write data to hijack control flow. Exploit from pwn import * elf = context.binary = ELF("/chal...

Information category: pwn Description Leverage consolidation to obtain the flag. Write-up Tcache holds up to 7 freed chunks of a given size. Do: allocate N chunks of size S, then free()...

Information category: pwn Description Revisit a prior challenge, now with TCACHE safe-linking. Write-up House of Force to pivot malloc into the stack. Exploit from pwn import * elf = co...

Information category: pwn Description Revisit a prior challenge, now with TCACHE safe-linking. Write-up House of Force to pivot malloc into the stack, and a compact XOR-index → stack pivo...

Information category: pwn Description Leverage TCACHE exploits to obtain the flag. Write-up Goal: leak a return address from the stack, compute PIE base, pivot malloc so a chunk points a...

Information category: pwn Description Leverage calling free() on a stack pointer to read secret data. Write-up Goal: manipulate heap metadata to perform an overwrite of a secret value st...

Information category: pwn Description Leverage TCACHE exploits to cause malloc() to return a stack pointer. Write-up Goal: leak a stack address, pivot malloc to return a pointer into sta...