RaceCar: use the format-string bug for a leak or write, then redirect execution to the flag path.
pwn
Linux
134 postspwn
El Mundo
El Mundo: calculate the overflow offset, redirect control flow, and land a reliable flag read.
pwn
El Pipo
El Pipo: calculate the overflow offset, redirect control flow, and land a reliable flag read.
machinemachine
LinkVortex
LinkVortex: use CVE-2023-40028 where it fits the service, gain a shell, and escalate to root.
machinemachine
Bizness
Bizness: use CVE-2023-49070 and CVE-2023-51467 where it fits the service, gain a shell, and escalate to root.
machinemachine
Inject
Inject: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.
machinemachine
Unrested
Unrested: use CVE-2024-36467 and CVE-2024-42327 where it fits the service, gain a shell, and escalate to root.
machinemachine
Vintage
Vintage: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.
pwn
Kernel Adventures 2
Kernel Adventures 2: build the shellcode path, control execution, and read the flag.
pwnlocked
Execute
machinemachinelocked
Alert
rev
Dont't Panic
Dont't Panic: trace the binary, isolate the validation routine, and invert it to recover the flag.
pwn
El Teteo
El Teteo: build the shellcode path, control execution, and read the flag.
pwn
Mathematricks
Mathematricks: build the exploit primitive, stabilize the payload, and use it to read the flag.
pwn
Que Onda
Que Onda: build the exploit primitive, stabilize the payload, and use it to read the flag.
pwn
Regularity
Regularity: build the exploit primitive, stabilize the payload, and use it to read the flag.
pwn
SpellBrewery
SpellBrewery: build the exploit primitive, stabilize the payload, and use it to read the flag.
machinemachinelocked
BlockBlock
machinemachinelocked
Ghost
revlocked
WayBack
machinemachine
Administrator
Administrator: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.
machinemachine
Certified
Certified: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.
machinemachine
Blazorized
Blazorized: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.
machinemachine
Epsilon
Epsilon: enumerate the services, turn the exposed weakness into a shell, and escalate to root.
rev
Shattered Tablet
Shattered Tablet: trace the binary, isolate the validation routine, and invert it to recover the flag.
machinemachine
Mist
Mist: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.
machinemachine
Axlle
Axlle: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.
machinemachine
Beep
Beep: use CVE-2012-4869 where it fits the service, gain a shell, and escalate to root.