Writeups

29 curated writeups across 2 years. Pulled from my CTF_writeup repo.

All writeups

heapn⊕te-ic
Midnight Flag CTF 2026 · 2026 · Mar 15, 2026
Binary Exploitation

Signed-length bug on glibc 2.39 turns into a heap primitive. Safe-linking leak, unsorted-bin libc leak, tcache poisoning through an XOR cipher, and a forged exit handler chain.

#heap #glibc-2.39 #tcache #safe-linking
hard
Canvas of Fear
Midnight Flag CTF 2026 · 2026 · Mar 15, 2026
Web

Stored XSS → localhost admin → heap underflow in a native canvas manager → libc leak → arbitrary R/W → libc ROP → flag. A full web-to-pwn chain.

#xss #heap #glibc-2.34 #ROP
hard
1 Minecraft image osint
BITS CTF · 2025
OSINT

Go back in time maybe a decade or so, and play Geoguessr from a world you may or may not know.

#osint
Overview
K17 CTF · 2025
Binary Exploitation

category: reversing (with a light pwn twist)

#pwn #ghidra #pwntools
stacked
ImaginaryCTF · 2025
Reverse Engineering

Return oriented programming is one of the paradigms of all time. The garbled output is `94 7 d4 64 7 54 63 24 ad 98 45 72 35`

#rev #crypto
CTF Write-up — abnormaleak (Format String + Stack Leak)
Hackthebooctf · 2025
Binary Exploitation

Binary: abnormaleak (ELF 64-bit, x86-64, dynamically linked, not stripped)

#pwn #format-string
CTF Write-up — abnormaleak (Format String + Stack Leak)
Hackthebooctf · 2025
Reverse Engineering

Binary: abnormaleak (ELF 64-bit, x86-64, dynamically linked, not stripped)

#rev #format-string
Midnight Relay - BITSCTF Pwn Writeup
BITS CTF · 2025
Binary Exploitation

#pwn #rop #heap #crypto
CTF Write-up — Mauryan Royal Archive (Format String → Flip Globals → Print Flag)
H7 CTF · 2025
Binary Exploitation

- **Category:** Pwn / Binary Exploitation
- **Difficulty:** Medium
- **Binary:** `imperial_archive` (ELF 32-bit, i386, dynamically linked, not stripped)
- **Protections:** NX, Part

#pwn #format-string
SilentOracle (rev/pwn) — Timing Side-Channel (fail-slow) Attack
Neurogrid CTF · 2025
Reverse Engineering

**Flag:** `HTB{Tim1ng_z@_h0ll0w_t3ll5}`

#rev #heap #pwntools
Writeup — PointerOverflow CTF: A Micromachine (exploit / writeup)
Pointeroverflowctf · 2025
Binary Exploitation

**Challenge:** A Micromachine — read-only device/OTP/flag combined challenge (web / queuer helper). **Target:** get `/app/public/playlist.txt` to contain `/flag/flag.txt` content.

#pwn #crypto
POCTF — Through a Glass Darkly (rev300-1) — Write-up
Pointeroverflowctf · 2025
Reverse Engineering

Goal: recover the correct flag string.

#rev
Challenge Overview
Pointeroverflowctf · 2025
Reverse Engineering

**Name:** rev200-1.apk
**Category:** Reverse Engineering
**Platform:** Android (Kotlin / Java)

#rev #android #crypto
Echo
Srdnlenctf · 2025
Binary Exploitation

`Echo` is a small remote pwn challenge:

#pwn #format-string #rop #pwntools
bss-bof writeup
TKB CTF · 2025
Binary Exploitation

The exploit is the same core idea as `stack-bof`: the useful bug is not the final `gets()` alone, but the pair:

#pwn #fsop #docker
Very Simple FSB Writeup
TKB CTF · 2025
Binary Exploitation

- Name: `Very Simple FSB`
- Category: `pwn`
- Remote: `35.194.108.145:13840`

#pwn #format-string
stack-bof writeup
TKB CTF · 2025
Binary Exploitation

The bug is not the final `gets()` by itself. The real primitive is:

#pwn #rop #fsop #docker
Secure Gate Writeup
TKB CTF · 2025
Web

I made a simple note app protected by a secure gateway.

#web
Root-Me – Root-Me's Xmas List (Rev/Crypto) – Write-up
XMAS CTF · 2025
Cryptography

* **Category:** Reverse Engineering / Cryptography
* **Target Binary:** `listviewer` (Linux ELF, GTK GUI)
* **Extra File:** `dump.pcapng` (captured network traffic)
* **Goal:** Rec

#crypto #ghidra
Favorite Potato — REV CTF Writeup
B01lersctf · 2025
Binary Exploitation

**Flag:** `bctf{Nev3r_underst00d_why_we_n33d_TSX_and_TXS_unt1l_n0w..:D}`

#pwn #crypto
priority-queue writeup
B01lersctf · 2025
Binary Exploitation

Source first:

#pwn #heap
spelling-bee writeup
B01lersctf · 2025
Binary Exploitation

The bug is a use-after-free in the Forth dictionary.

#pwn #heap
encrypter
QnQSec · 2025 · Sep 20, 2025
Reverse Engineering

AES-256-CBC with the key produced by embedded shellcode. Break on EVP_EncryptInit_ex at runtime, read the key/IV out of registers, decrypt offline.

#aes #openssl #gdb #shellcode
medium
username-checker
Osu CTF · 2025 · Sep 1, 2025
Binary Exploitation

ret2win with a stack-alignment twist — hop through a single ret gadget before calling win() so system() sees a 16-byte-aligned stack.

#ret2win #stack-alignment #rop
easy
Feather Maker
V1T CTF · 2025 · Aug 10, 2025
Binary Exploitation

32-bit ret2dlresolve — Partial RELRO, NX on, no libc leak, only read@plt. Force the linker to resolve system("/bin/sh").

#32-bit #ret2dlresolve #rop #pwntools
medium
wakecall
V1T CTF · 2025 · Aug 10, 2025
Binary Exploitation

Two-stage SROP without libc. pop rax; ret + syscall are enough. First frame does read + stack pivot, second frame executes execve("/bin/sh").

#srop #sigreturn #rop #pwntools
medium
cascade
ImaginaryCTF 2025 · 2025 · Jul 5, 2025
Binary Exploitation

Stack overflow into ret2dlresolve — force the dynamic linker to resolve system at runtime and run system("sh").

#stack-overflow #ret2dlresolve #rop #pwntools
medium
weird-app
ImaginaryCTF 2025 · 2025 · Jul 5, 2025
Reverse Engineering

Android APK that applies a position-dependent substitution over letters/digits/specials. Invert it in Python.

#android #apk #jadx #substitution
easy
nimrod
ImaginaryCTF 2025 · 2025 · Jul 5, 2025
Reverse Engineering

Stripped Nim binary that XORs input with a keystream derived from a hard seed. Extract the keystream at runtime with gdb and XOR out the flag.

#nim #xor #gdb #keystream
easy