https://frederik353.github.io/writeups/ Recent content on Frederik353 Hugo -- gohugo.io en © 2026 Frederik Tokle Negård Sat, 25 Apr 2026 00:00:00 +0000 https://frederik353.github.io/writeups/ctfs/umd-26/velvet-table/ Sat, 25 Apr 2026 00:00:00 +0000 https://frederik353.github.io/writeups/ctfs/umd-26/velvet-table/ Glibc 2.32+ heap note manager wrapped in heavy XOR obfuscation. An inverted size check in the cashout handler turns the dev’s careful tcache bookkeeping into a free UAF, with a slightly longer smallbin attack waiting behind it as the intended path. https://frederik353.github.io/writeups/ctfs/0xfunctf-26/phantom/ Sat, 14 Feb 2026 00:00:00 +0000 https://frederik353.github.io/writeups/ctfs/0xfunctf-26/phantom/ Physical page UAF in a kernel module: reclaim the freed page as a PMD, forge 2MB huge page entries for arbitrary physical memory R/W, and overwrite modprobe_path to read the flag. https://frederik353.github.io/writeups/ctfs/lactf-26/blogler/ Sun, 08 Feb 2026 00:00:00 +0000 https://frederik353.github.io/writeups/ctfs/lactf-26/blogler/ YAML anchor aliasing creates a shared reference that bypasses path validation via display_name mutation. https://frederik353.github.io/writeups/ctfs/lactf-26/narnes-bobles-and-bobles-narnes/ Sun, 08 Feb 2026 00:00:00 +0000 https://frederik353.github.io/writeups/ctfs/lactf-26/narnes-bobles-and-bobles-narnes/ Two type confusion bugs in a Bun bookstore: string price NaN trick, then batch INSERT column inference. https://frederik353.github.io/writeups/ctfs/lactf-26/tcademy/ Sun, 08 Feb 2026 00:00:00 +0000 https://frederik353.github.io/writeups/ctfs/lactf-26/tcademy/ Heap exploitation on glibc 2.35: integer underflow to massive heap overflow, and two paths to shell: libc GOT overwrite or House of Apple 2 FSOP. https://frederik353.github.io/writeups/ctfs/pascal-26/ahc/ Sun, 01 Feb 2026 00:00:00 +0000 https://frederik353.github.io/writeups/ctfs/pascal-26/ahc/ Tcache bin confusion via chunk size corruption. https://frederik353.github.io/writeups/ctfs/pascal-26/wordy/ Sun, 01 Feb 2026 00:00:00 +0000 https://frederik353.github.io/writeups/ctfs/pascal-26/wordy/ Recovering MT19937 state from partial outputs using Z3 SAT solving. https://frederik353.github.io/writeups/ctfs/pascal-26/curly-crab/ Sat, 31 Jan 2026 00:00:00 +0000 https://frederik353.github.io/writeups/ctfs/pascal-26/curly-crab/ Reversing Rust serde deserialization to recover a JSON schema. https://frederik353.github.io/writeups/ctfs/pascal-26/grande-inutile-tool/ Sat, 31 Jan 2026 00:00:00 +0000 https://frederik353.github.io/writeups/ctfs/pascal-26/grande-inutile-tool/ Buffer overflow corrupts path validation flag, enabling path traversal. https://frederik353.github.io/writeups/ctfs/pascal-26/pdfile/ Sat, 31 Jan 2026 00:00:00 +0000 https://frederik353.github.io/writeups/ctfs/pascal-26/pdfile/ XXE injection with blacklist bypass via URL encoding. https://frederik353.github.io/writeups/ctfs/pascal-26/strangevm/ Sat, 31 Jan 2026 00:00:00 +0000 https://frederik353.github.io/writeups/ctfs/pascal-26/strangevm/ Reverse a simple VM to understand its character transformation. https://frederik353.github.io/writeups/ctfs/pascal-26/travel-playlist/ Sat, 31 Jan 2026 00:00:00 +0000 https://frederik353.github.io/writeups/ctfs/pascal-26/travel-playlist/ Path traversal via unsanitized file path parameter. https://frederik353.github.io/writeups/ctfs/pascal-26/zazastore/ Sat, 31 Jan 2026 00:00:00 +0000 https://frederik353.github.io/writeups/ctfs/pascal-26/zazastore/ NaN comparison bypass in a Node.js shopping cart. https://frederik353.github.io/writeups/ctfs/scarlet-26/ruid_login/ Sat, 10 Jan 2026 00:00:00 +0000 https://frederik353.github.io/writeups/ctfs/scarlet-26/ruid_login/ Exploiting predictable RUIDs, buffer overflow, and executable stack for shellcode execution. https://frederik353.github.io/writeups/ctfs/scarlet-26/speedjournal/ Sat, 10 Jan 2026 00:00:00 +0000 https://frederik353.github.io/writeups/ctfs/scarlet-26/speedjournal/ Exploiting a TOCTOU race condition to bypass authentication checks. https://frederik353.github.io/writeups/ctfs/ept-25/encryptor/ Sat, 08 Nov 2025 00:00:00 +0000 https://frederik353.github.io/writeups/ctfs/ept-25/encryptor/ Leaking a stack canary using RC4 keystream bias, then ret2win.