Challenges

Linux Easy

Cron Wildcard Injection

A root cron job runs 'tar czf backup.tar.gz *' in a user-writable directory. Creating filenames that look like tar flags causes arbitrary command execution as root.

150 pts
Linux Easy

SUID Binary PATH Hijack

The viewlog utility runs as SUID root and calls 'cat' without an absolute path. Whoever controls $PATH controls which binary executes — as root.

100 pts
Linux Medium

Stack Buffer Overflow

feedparser reads a URL into a 64-byte stack buffer using gets() with no bounds check. Stack canaries and PIE are disabled. Redirect execution to success_handler() to print the flag.

250 pts
Linux Medium

Sudo vim Escape

A misconfigured sudoers rule allows ctfplayer to run vim on a log file as root with no password. vim can be used to escape to a shell.

200 pts
Linux Hard

Format String Exploit

logd passes user input directly to printf() as the format string. Overwrite the access_level global variable using %n writes to unlock flag output.

350 pts
Linux Hard

Kernel Module /proc Interface

A kernel module creates /proc/sysaudit. The read handler only reveals its data when a magic string has been written to the file first. Read the source to find it.

400 pts
Linux Hard

Ret2Libc + ASLR Bypass

authd leaks a libc puts() address in its banner. Use the leak to compute libc base, then build a ret2libc ROP chain to execute system('/bin/sh') and read the flag.

400 pts
Linux Insane

Heap UAF (tcache)

ticketd stores a function pointer in each heap-allocated ticket struct. Freeing a ticket without clearing the pointer creates a use-after-free. Overwrite the callback pointer to redirect execution to flag_print().

500 pts
1 solve 🩸
Linux Insane

ROP Chain + PIE Bypass

apid is PIE-enabled and leaks a code pointer in its banner. Use the leak to calculate PIE base, then build a ROP chain to jump to flag_handler().

450 pts