Hey there, I'm Sean and I enjoy doing CTF problems in my spare time. My current position has me doing a lot of binary exploitation and software reverse engineering so I tend to focus on those categories. Most writeups that I see online suck and I hope these do a better job explaining some of the fundamental concepts.

In all of my solutions I try my best to include a reproducible solution written with pwntools. It's not about the flags, but about the journey that got us the flag.

Hopefully this doesn't age like milk, but I've also tried to do some video walkthroughs of some of these CTF problems. You can view them on YouTube.

The following is a list of common Unix Access topics and the CTF challenges that relate to them.

• Write working shellcode from scratch and show all steps to write the shellcode:
  • level-0, level-1
• Stack buffer overflow with and without the following mitigations: address space layout randomization (ASLR), Non-eXecutable memory (NX), and stack canaries:
  • clutter-overflow
  • heres-a-libc
  • stack-cache
  • hidden-flag-function
  • hidden-flag-function-parameters
• Heap buffer overflow using heap grooming and objects with function pointers:
  • are-you-root
• Heap buffer overflow by corrupting heap data structures:
  • unsubscriptions-are-free
• UAF with objects containing function pointers:
  • are-you-root
• UAF with objects that allow an arbitrary read/write primitive:
  • cache-me-outside
• Data type confusion vulnerabilities
• Format string vulnerabilities for arbitrary read/write primitive:
  • stonks
  • got_hax
  • flag-leak
• How uninitialized variables can be used for exploitation:
  • are-you-root
  • stack-cache

• Arbitrary write primitive:
  • got_hax
• Relative write primitive:
  • cache-me-outside
• Arbitrary read primitive:
  • got_hax
• How primitives can be chained to build an exploit
• How a write primitive can be used to escalate privileges/execute arbitrary code:
  • got_hax

• Procedural Linkage Table:
  • got_hax
• Global Offset Table:
  • got_hax

• Partial RELRO:
  • got_hax
• Full RELRO:
  • got_hax

• Find ROP/JOP gadgets:
  • guessing-game-1
• Call libc functions and system calls:
  • heres-a-libc
  • guessing-game-1
• Chain gadgets to execute code:
  • guessing-game-1
• Execute arbitrary shellcode

• ASLR
• Data Execution Prevention (DEP)/NX:
  • heres-a-libc
  • guessing-game-1
• Position Independent Executables (PIEs)
• How PIEs affect exploitation
• Stack canaries:
  • guessing-game-1
• Safe list unlinking

• Static reverse engineering:
  • baby-c
  • wizardlike
• Dynamic reverse engineering:
  • heres-a-libc
  • wizardlike

• Static disassemblers
  • baby-c
  • wizardlike
• Debuggers
  • wizardlike
• Automation techniques using above tools

• Dumb fuzzing techniques
• Code-coverage based fuzzing
• Symbolic execution
  • sum-o-primes

• Executable Stacks