LYKNCTF 2026 pwn writeup — three binary exploitation challenges solved covering non-PIE ret2win, signed-integer length bypass with byte truncation, and off-by-one UAF chained into tcache poisoning, arbitrary read/write, and stack RIP overwrite

LYKNCTF 2026 Pwn Writeup: 3 Binary Exploitation Challenges (ret2win, Signed Length Bypass, Off-by-One UAF Heap)

LYKNCTF 2026’s pwn track is short but well-graduated: three challenges that climb from a textbook non-PIE ret2win with no canary, through a signed-integer length check that survives negation and byte truncation before it reaches read(), and up to an off-by-one UAF in a note manager that composes into heap-safe-linking leak, unsorted-bin libc leak, glibc 2.39 tcache poisoning, PIE recovery through a stack scan for a .rodata string pointer, notes-table hijack for arbitrary read/write, upper-stack dump, saved-RIP identification, and a system("/bin/sh") ROP chain, all one binary, one exploit run. ...

July 11, 2026 · 22 min · 4493 words · CyberSecurity Elite Team
Educational content for authorized testing only. · Disclaimer · Editorial Policy · Sitemap