Pwn on Frederik353

Pwn on Frederik353 https://frederik353.github.io/writeups/topics/pwn/ Recent content in Pwn on Frederik353 Hugo -- gohugo.io en © 2026 Frederik Tokle Negård Sat, 25 Apr 2026 00:00:00 +0000 Velvet Table https://frederik353.github.io/writeups/ctfs/umd-26/velvet-table/ Sat, 25 Apr 2026 00:00:00 +0000 https://frederik353.github.io/writeups/ctfs/umd-26/velvet-table/ Glibc 2.32+ heap note manager wrapped in heavy XOR obfuscation. An inverted size check in the cashout handler turns the dev’s careful tcache bookkeeping into a free UAF, with a slightly longer smallbin attack waiting behind it as the intended path. Phantom https://frederik353.github.io/writeups/ctfs/0xfunctf-26/phantom/ Sat, 14 Feb 2026 00:00:00 +0000 https://frederik353.github.io/writeups/ctfs/0xfunctf-26/phantom/ Physical page UAF in a kernel module: reclaim the freed page as a PMD, forge 2MB huge page entries for arbitrary physical memory R/W, and overwrite modprobe_path to read the flag. Tcademy https://frederik353.github.io/writeups/ctfs/lactf-26/tcademy/ Sun, 08 Feb 2026 00:00:00 +0000 https://frederik353.github.io/writeups/ctfs/lactf-26/tcademy/ Heap exploitation on glibc 2.35: integer underflow to massive heap overflow, and two paths to shell: libc GOT overwrite or House of Apple 2 FSOP. AHC - Average Heap Challenge https://frederik353.github.io/writeups/ctfs/pascal-26/ahc/ Sun, 01 Feb 2026 00:00:00 +0000 https://frederik353.github.io/writeups/ctfs/pascal-26/ahc/ Tcache bin confusion via chunk size corruption. Grande Inutile Tool https://frederik353.github.io/writeups/ctfs/pascal-26/grande-inutile-tool/ Sat, 31 Jan 2026 00:00:00 +0000 https://frederik353.github.io/writeups/ctfs/pascal-26/grande-inutile-tool/ Buffer overflow corrupts path validation flag, enabling path traversal. Ruid_login https://frederik353.github.io/writeups/ctfs/scarlet-26/ruid_login/ Sat, 10 Jan 2026 00:00:00 +0000 https://frederik353.github.io/writeups/ctfs/scarlet-26/ruid_login/ Exploiting predictable RUIDs, buffer overflow, and executable stack for shellcode execution. speedjournal https://frederik353.github.io/writeups/ctfs/scarlet-26/speedjournal/ Sat, 10 Jan 2026 00:00:00 +0000 https://frederik353.github.io/writeups/ctfs/scarlet-26/speedjournal/ Exploiting a TOCTOU race condition to bypass authentication checks. Encryptor https://frederik353.github.io/writeups/ctfs/ept-25/encryptor/ Sat, 08 Nov 2025 00:00:00 +0000 https://frederik353.github.io/writeups/ctfs/ept-25/encryptor/ Leaking a stack canary using RC4 keystream bias, then ret2win.