#rop
7 writeups
Midnight Relay - BITSCTF Pwn Writeup
BITS CTF · 2025
---
#pwn #rop #heap #crypto
Echo
Srdnlenctf · 2025
`Echo` is a small remote pwn challenge:
#pwn #format-string #rop #pwntools
stack-bof writeup
TKB CTF · 2025
The bug is not the final `gets()` by itself. The real primitive is:
#pwn #rop #fsop #docker
username-checker
Osu CTF · 2025 · Sep 1, 2025
ret2win with a stack-alignment twist — hop through a single ret gadget before calling win() so system() sees a 16-byte-aligned stack.
#ret2win #stack-alignment #rop
easy Feather Maker
V1T CTF · 2025 · Aug 10, 2025
32-bit ret2dlresolve — Partial RELRO, NX on, no libc leak, only read@plt. Force the linker to resolve system("/bin/sh").
#32-bit #ret2dlresolve #rop #pwntools
medium wakecall
V1T CTF · 2025 · Aug 10, 2025
Two-stage SROP without libc. pop rax; ret + syscall are enough. First frame does read + stack pivot, second frame executes execve("/bin/sh").
#srop #sigreturn #rop #pwntools
medium cascade
ImaginaryCTF 2025 · 2025 · Jul 5, 2025
Stack overflow into ret2dlresolve — force the dynamic linker to resolve system at runtime and run system("sh").
#stack-overflow #ret2dlresolve #rop #pwntools
medium