Blog

Building a full interpreter-level exploit chain from a CPython use-after-free to remote code execution, with pwndbg output at each step.

Hands-on lab covering all three classic stack canary bypass techniques: format string leak, fork-based brute force, and GOT overwrite via arbitrary write.

Deep reference on glibc ptmalloc2: chunk layout, free bins, tcache, safe-linking, UAF, double-free, heap overflow, and modern exploitation techniques.

Buffer overflow in a sandboxed child process — overwriting TLS to leak the stack canary, then mmap + shellcode ROP under a strict seccomp filter.

Static binary ret2syscall — working around a pop rdi gadget with a 0x0a byte via a magic gadget, pivoting to BSS first to lay out a clean ROP chain.

Stack shellcode execution without NX — using a re-read trick to stage a larger payload, then write-orw shellcraft to read the flag file.

A working reference built while preparing for OSCP — copy-paste-ready commands and mental models covering recon, web attacks, PE, tunneling, and Active Directory.

Second blood on a USB forensics challenge — extracting numpad HID keycodes from pcapng with tshark, then mapping them to a flag via a decode script.

First blood — bypassing a time-seeded srand passcode with a local ctypes call, then classic ret2libc ROP via puts leak.

First blood heap exploitation — UAF to leak heap base, heap overflow to corrupt unsorted bin for libc leak, then free_hook overwrite for shell.

First blood on a PHP image upload challenge — weaponizing EXIF data with exiftool to inject a webshell via a preg_replace /e backdoor.

Client-side validation bypass on a Go CD-key verification service — flipping a boolean field to trick the server into issuing a flag.

First blood on a Go/Gin web challenge — reverse engineering basic auth credentials and a hidden admin command execution endpoint.

Bypassing a Python AST sandbox with Unicode fullwidth lookalikes applied as decorators — exec and input slip through the keyword filter undetected.

Escaping a restricted mongosh sandbox using constructor.constructor to reach the Function constructor, then loading Node built-ins for arbitrary RCE.

Three-shot format string exploit — leaking libc and stack in the first payload, then writing a one_gadget address in two 2-byte chunks to hit execve.