Featured
Phantom
Physical page UAF in a kernel module: reclaim the freed page as a PMD, forge 2MB huge page entries for arbitrary physical memory R/W, and overwrite modprobe_path to read the flag.
Tcademy
Heap exploitation on glibc 2.35: an integer underflow becomes a massive heap overflow, with two paths to a shell (libc GOT overwrite or House of Apple 2 FSOP).
AHC - Average Heap Challenge
Tcache bin confusion via chunk size corruption.
Recent
Velvet Table
Glibc 2.32+ heap note manager wrapped in heavy XOR obfuscation. An inverted size check in the cashout handler turns the dev’s careful tcache bookkeeping into a free UAF, with a slightly longer smallbin attack waiting behind it as the intended path.
Blogler
YAML anchor aliasing creates a shared reference that bypasses path validation via display_name mutation.
Narnes and Bobles & Bobles and Narnes
Two type confusion bugs in a Bun bookstore: string price NaN trick, then batch INSERT column inference.
Wordy
Recovering MT19937 state from partial outputs using Z3 SAT solving.
Curly Crab
Reversing Rust serde deserialization to recover a JSON schema.
Grande Inutile Tool
Buffer overflow corrupts path validation flag, enabling path traversal.
Pdfile
XXE injection with blacklist bypass via URL encoding.
StrangeVM
Reverse a simple VM to understand its character transformation.
Travel Playlist
Path traversal via unsanitized file path parameter.
Zazastore
NaN comparison bypass in a Node.js shopping cart.
Ruid_login
Exploiting predictable RUIDs, a buffer overflow, and an executable stack for shellcode execution.
speedjournal
Exploiting a TOCTOU race condition to bypass authentication checks.
Encryptor
Leaking a stack canary using RC4 keystream bias, then ret2win.