Ancient_Interface#

• make read return -1 because of the signal in alarm, which will cause a underflow
• use it to rop and get a shell

Complaint_Conglomerate#

• cause a malloc_consolidate of fastbin chunks to get a unsortedbin chunk (libc leak) then rop

acaan#

• arb write to any file in the system
• two ways, plt overwrite or got overwrite

junior-pwner#

• take controle of rbp using a bof
• overwrite bss section messeges var to address of puts
• leak libc -> one_gadget/system

fact#

• asks you to insert a name, send a small one, then chose the option b to do math, it will leak a pie address
• then chose a for renaming and jump to the win func

riscy#

• riscv64 chall, gives you a stack address and the goal is run shellcode, just find some shellcode online to open a shell and find the offset
• gdb-multiarch

calls#

• small binary, there is no pop gadgets, the trick is to find the hidden /bin/sh string using strings cmd
• use read syscall as a pop rax gadget then do srop

cramped#

• a buffer overflow challenge, we can controle the rbp and the return address
• there is a win function with check for params, we can just jump passed that and if we set rbp to point to a r/w section aka bss we get the flag

doubles#

• standard fastbin dup chall from pwn.college
• use after free in the free function, and a global array with no pie
• just get a write in the global array, make a entry point to __free_hook overwrite it with system, and call free with /bin/sh

filter#

• standard filter challenge with seccomp, just open read write

monGOal#

• first time seeing a binary packed with upx, and also first time doing a go challenge
• other then this, its a simple rop to systell challenge, and uses xchg which is neet