Junior.Crypt 2026 pwn + reverse writeup — four challenges solved covering negative-index array OOB with cookie-encoded function pointers, session-to-sink UAF type confusion with pipelined race and fake vtable, reclassify-without-realloc heap overflow into adjacent exhibit's routine pointer, and a modified TCC compiler that smuggles a hidden C source with a 512-byte VM blob decrypted by an ELF-relocation-derived key

Junior.Crypt 2026 Pwn + Reverse Writeup: 4 Challenges Solved (Cookie-Encoded Function Pointers, UAF Type Confusion, Heap Overflow with Reclassify, TCC-Injected VM)

Junior.Crypt 2026 (grodno flag prefix) shipped a pwn track with three challenges that each turn a small logic mistake into a controlled indirect call: Clockwork Vault gates its “hidden” slots behind a bounds check that forgets to reject negative indexes, and encodes function pointers with a per-process cookie that leaks through the same primitive; House of Mirage recycles expired session chunks into a sink freelist but leaves the session-table pointer dangling, creating a type-confusion window where a mirror import session profile write rebuilds a live sink’s vtable pointer against a fake vtable planted inside the object; Museum of Echoes reclassifies a small 0x50-byte “whisper” as a large 0xb0-byte “chorus” without reallocating, so the “chorus”-shaped rewrite handler writes 0x5f bytes past the end and stomps the next exhibit’s routine pointer. The reverse challenge, Write The “Кодэ”, ships a statically-linked modified TCC compiler that silently injects a hidden 5884-byte C source containing a 512-byte encrypted vm_blob and a relocation_key() function that derives its decryption key from the compiled binary’s ELF .rela.* entries; recovering the VM and inverting its per-byte state machine yields the flag. ...

July 15, 2026 · 26 min · 5337 words · CyberSecurity Elite Team
Educational content for authorized testing only. · Disclaimer · Editorial Policy · Sitemap