LYKNCTF 2026 pwn writeup — three binary exploitation challenges solved covering non-PIE ret2win, signed-integer length bypass with byte truncation, and off-by-one UAF chained into tcache poisoning, arbitrary read/write, and stack RIP overwrite

LYKNCTF 2026 Pwn Writeup: 3 Challenges Solved

LYKNCTF 2026’s pwn track is short but well-graduated: three challenges that climb from a textbook non-PIE ret2win with no canary, through a signed-integer length check that survives negation and byte truncation before it reaches read(), and up to an off-by-one UAF in a note manager that composes into heap-safe-linking leak, unsorted-bin libc leak, glibc 2.39 tcache poisoning, PIE recovery through a stack scan for a .rodata string pointer, notes-table hijack for arbitrary read/write, upper-stack dump, saved-RIP identification, and a system("/bin/sh") ROP chain, all one binary, one exploit run. ...

July 11, 2026 · 22 min · 4493 words · CyberSecurity Elite Team
TraceBash CTF 2026 pwn writeup — Banned Bytes badchars ROP and Legacy Ledger format-string %hn writes to stack shellcode

TraceBash CTF 2026 Pwn Writeup: 2 Challenges Solved

Third post in the TraceBash CTF 2026 series on this site. The earlier ones cover crypto (small-subgroup DH, shared RSA prime, harmonic XOR, 16-bit seed brute) and OSINT (geocaching pivot, Plus Codes, NYC DOB open data, cross-platform handle pivoting). This one walks the two pwn challenges in the same step-by-step format. ...

June 27, 2026 · 19 min · 3922 words · CyberSecurity Elite Team
Anti-Slop CTF 2026 pwn writeup — Paper Lantern Bellcore CRT, Graceful Exit leak-and-overwrite, Anchorpoint VM-to-GCM forge chain

Anti-Slop CTF 2026 Pwn Writeup: Paper Lantern, Graceful Exit, Anchorpoint

Third post in the Anti-Slop CTF 2026 series. The web writeup covered HTTP parsers. The reverse writeup covered an ECDSA nonce attack and a SHA-256 length extension. This one walks the three pwn challenges in the same step-by-step format. The order below is roughly easiest to hardest. Paper Lantern is a clean single-chain CRT-fault attack against an RSA-FDH signer. Graceful Exit composes a negative-offset leak with a heap-object overwrite to convert an address disclosure into a controlled read through the legitimate output path. Anchorpoint is the marathon: a tiny stack-VM overflow unlocks ECDSA nonce recovery, a BIP340-style shadow proof, and an AES-GCM nonce-reuse GHASH forge, all chained into one connection. All three rewarded reading the binary and modelling the state machine before writing any exploit code. ...

June 22, 2026 · 24 min · 4913 words · CyberSecurity Elite Team
GPN CTF 2026 writeup — 19 challenges solved across reverse, crypto, web, pwn, and misc

GPN CTF 2026 Writeup: All 19 Challenges Solved

Platform GPN CTF 2026 (kitctf) Difficulty Mixed (Easy → Hard) OS Jeopardy — Reverse, Crypto, Web, Pwn, Misc Tags AVX2 lane-swap miscompilation discovery + Kannan-embedding SIS lattice attack, NTRU mod-q reduction bug (c mod p == m), ECDSA nonce reuse from MD5(uuid3) collisions via fastcoll, eBPF signed-comparison verifier bypass with patched bzImage, JVM AOT cache override of bytecode, PHP 7.4 PHAR deserialization across two TCP races, Pydantic ForwardRef eval in create_model, CSS attribute-selector cookie exfiltration through Link: rel=stylesheet, holpy proof-checker thm re-axiomatization, knitout front/back-bed bitmap, ternary amplitude-modulated UART, Hamiltonian path on 250-node FSM extracted from jump tables, RFC 5424 syslog stream demux, Rust setuid TOCTOU symlink swap GPN CTF 2026 is the Gulaschprogrammiernacht CTF hosted annually by KITCTF at the GPN hacker camp in Karlsruhe, Germany. The 2026 edition runs a Jeopardy board across reverse engineering, crypto, web, pwn, and misc, with a sharp lean toward low-level systems bugs — a missing mod q in an NTRU implementation, a 4-way AVX2 lane-swap in a gcc -O3 -mavx2 build, a deleted BPF_ADJ_END_FROM_* check in a custom kernel, a JVM AOT cache that silently overrides a JAR method. The flavour throughout is kitchen — recipes, ovens, pots — and the flags universally read like Bavarian beer-tent slogans. ...

June 7, 2026 · 32 min · 6647 words · CyberSecurity Elite Team
HASBLCTF 2026 pwn writeup — all 5 binary exploitation challenges (baby-bufferoverflow, candy-store, baby-shellcoder, jumper, padawan-pwn)

HASBLCTF 2026 Pwn Writeup: All 5 Challenges Solved

Platform HASBL CTF 2026 Difficulty Mixed (Easy → Medium) OS Jeopardy — Pwn (Linux x86-64) Tags ret2win with movaps stack alignment, int16 signed overflow, mmap RWX shellcode injection, register-controlled jmp into pre-built gadget chain, classic ROP with SysV-ABI argument-register setup, pwntools payload construction, checksec mitigation analysis HASBL CTF 2026 is a multi-category jeopardy event with Reverse Engineering, Pwn, Web, and Forensics tracks. This writeup is dedicated to the Pwn track — the five pwn challenges (baby-bufferoverflow, candy-store, baby-shellcoder, jumper, padawan-pwn) were all solved, and each one teaches a different beginner-to-intermediate binary-exploitation primitive: ret2win with the movaps 16-byte stack-alignment trap, a signed-vs-unsigned integer-width bug exploitable via menu interaction, direct shellcode execution on an mmap’d RWX page, a 7-byte shellcode budget that has to set rdx for a hard-coded jmp rdx into the binary’s own gadget chain, and a full ROP chain that loads three argument registers before calling a flag-printing function. ...

June 1, 2026 · 21 min · 4423 words · CyberSecurity Elite Team
Educational content for authorized testing only. · Disclaimer · Editorial Policy · Sitemap