Challenges

Clear
All 138 Web 14 Pwn 11 Crypto 11 Forensics 11 Rev 10 Misc 11 OSINT 10 network 11 Mobile 14 Cloud 14 web3 12 Linux 9
Linux Easy

Cron Wildcard Injection

A root cron job runs 'tar czf backup.tar.gz *' in a user-writable directory. Creating filenames that look like tar flags causes arbitrary command execution as root.

150 pts
Linux Easy

SUID Binary PATH Hijack

The viewlog utility runs as SUID root and calls 'cat' without an absolute path. Whoever controls $PATH controls which binary executes — as root.

100 pts
Linux Medium

Stack Buffer Overflow

feedparser reads a URL into a 64-byte stack buffer using gets() with no bounds check. Stack canaries and PIE are disabled. Redirect execution to success_handler() to print the flag.

250 pts
Linux Medium

Sudo vim Escape

A misconfigured sudoers rule allows ctfplayer to run vim on a log file as root with no password. vim can be used to escape to a shell.

200 pts
Linux Hard

Format String Exploit

logd passes user input directly to printf() as the format string. Overwrite the access_level global variable using %n writes to unlock flag output.

350 pts
Linux Hard

Kernel Module /proc Interface

A kernel module creates /proc/sysaudit. The read handler only reveals its data when a magic string has been written to the file first. Read the source to find it.

400 pts
Linux Hard

Ret2Libc + ASLR Bypass

authd leaks a libc puts() address in its banner. Use the leak to compute libc base, then build a ret2libc ROP chain to execute system('/bin/sh') and read the flag.

400 pts
Linux Insane

Heap UAF (tcache)

ticketd stores a function pointer in each heap-allocated ticket struct. Freeing a ticket without clearing the pointer creates a use-after-free. Overwrite the callback pointer to redirect execution to flag_print().

500 pts
1 solve 🩸
Linux Insane

ROP Chain + PIE Bypass

apid is PIE-enabled and leaks a code pointer in its banner. Use the leak to calculate PIE base, then build a ROP chain to jump to flag_handler().

450 pts