Challenges

Pwn Easy

Buffer Overflow Basic

A classic stack buffer overflow. Overflow the 64-byte buffer to redirect execution to the win() function.

150 pts
4 solves 🩸
Pwn Easy

Stack Overflow - ret2win

A simple buffer overflow challenge. The binary has a win() function that prints the flag, but it's never called. Can you overflow the buffer and redirect execution? Compile: gcc -o stack_overflow stack_overflow.c -fno-stack-protector -no-pie -m32

100 pts
7 solves 🩸
Pwn Medium

Format String

A format string vulnerability. The global 'flag' array is stored in the binary. Leak it from the stack.

300 pts
4 solves 🩸
Pwn Medium

Format String Exploit

This program has a format string vulnerability. Use it to leak the flag from memory. The flag is stored in a global variable. Compile: gcc -o format_string format_string.c -fno-stack-protector -no-pie -m32

250 pts
7 solves 🩸
Pwn Hard

GOT Overwrite via UAF

A task manager binary has a use-after-free: deleting a task frees the chunk but keeps the pointer, allowing a subsequent 'edit' to write into freed memory. Tcache poisoning lets you allocate at an arbitrary address — overwrite the GOT entry for puts() to point to win().

400 pts
Pwn Hard

Heap Overflow

Heap overflow into a function pointer. Overflow heap chunk 1 (freed then reallocated) into chunk 2's function pointer to call print_admin().

450 pts
4 solves 🩸
Pwn Hard

Off-by-One Heap

A menu-driven heap allocator has an off-by-one error: strcpy writes exactly one null byte past the end of a malloc'd chunk. Use this to corrupt the next chunk's size field, triggering a House of Einherjar merge that overwrites a function pointer stored in a neighboring struct.

450 pts
Pwn Hard

ret2libc

Buffer overflow with ASLR disabled. Use the ret2libc technique to call system('/bin/sh') and cat the flag.

400 pts
4 solves 🩸
Pwn Insane

FSOP — File Stream Exploit

A binary using glibc 2.35 has a heap overflow that lets you corrupt a FILE* struct on the heap (_IO_FILE). Abuse the _IO_str_overflow vtable path to redirect execution. FSOP (File Stream Oriented Programming) is the path forward — no ret2libc, no ROP chain needed.

500 pts
Pwn Insane

ROP Chain

NX enabled, no shellcode. Build a ROP chain using gadgets to call execve('/bin/sh') and read the flag file.

500 pts
4 solves 🩸
Pwn Insane

Shellcode Sandbox Escape

A 'safe' sandbox executes your shellcode but first applies a seccomp-BPF filter blocking execve, execveat, and fork. You can use read/write/open. Write shellcode that opens /flag, reads it into a buffer, and writes it to stdout — all using allowed syscalls only.

500 pts