Getting Started: calculate the overflow offset, redirect control flow, and land a reliable flag read.
pwnlocked
Bof
8 postspwn
Getting Started
pwn
Questionnaire
Questionnaire: use the format-string bug for a leak or write, then redirect execution to the flag path.
pwn
Wizard's Diary
Wizard's Diary: calculate the overflow offset, redirect control flow, and land a reliable flag read.
pwn
El Mundo
El Mundo: calculate the overflow offset, redirect control flow, and land a reliable flag read.
pwn
El Pipo
El Pipo: calculate the overflow offset, redirect control flow, and land a reliable flag read.
pwnlocked
Execute
pwn
DearQA
DearQA: shape the heap state, gain the needed write or leak, and pivot to flag access.