Blog

Two Go binaries: a process that turns 15 OS signals into VM opcodes via signal.Notify, and a driver that sends it 1817 signals. Recover the ISA from the dispatch, scrape the unrolled signal list, and since the VM is straight-line, let z3 hand you the flag.

The name baits you toward symbolic execution. But a 'maze of gotos' built from literal cmp-imm → jmp edges is a static CFG. Parse the disassembly, BFS room 0 to the win room, replay 72 moves. No SMT, instant.

A PIE binary disguised as a rev chal. Both branches call printf(buf) with no format string. Leak the PIE base via %39$p, then a manual %hn GOT overwrite points puts@got at win(), and the very next puts() fires the shell.

Looks like a format-string bug, but printf uses a fixed %s. The real flaw: read() never null-terminates, so 32 bytes of padding bridge the gap to the flag buffer and %s over-reads straight into the secret.

A 'hex converter' with a signed table index and idx*4 addressing turns 'expand the table' into an arbitrary 4-byte write. Partial RELRO means a writable GOT, so point exit@got at win() and trigger it from the menu. Classic ret2win, no leak.

A C++ button app with a 16-byte %s overflow and a never-reachable WinnerButton::push that calls system("/bin/sh"). tcache reuse drops a Custom button right before a live Hype button, turning a forward-only overflow into a vtable-pointer overwrite. No leak, all constants.

A GraphQL login mutation that signs whatever username you hand it. The DB layer concatenates strings into SQL. The flag gate just compares your JWT to your own input.

The engineer left a TODO in the HTML. He never came back to finish it.

The browser followed the redirect. Burp didn't.

The staff portal trusts the browser to tell the truth about who's logged in. It shouldn't.

Subdomain enumeration challenge on TryHackMe. Finding a hidden subdomain via SSL certificate inspection to grab the flag.

Breaking AES-128 without touching the algorithm — Correlation Power Analysis on a black-box hardware target using power traces and Hamming weight correlation.

Exploiting a TOCTOU race condition in a SQLite-backed Express session store to bypass balance checks and chain key purchases to get the flag.

Privilege escalation from guest to admin by decoding and modifying an unsigned Base64 session cookie. A classic case of client-side trust gone wrong.

Solving a black-box neural network challenge at TAMU CTF (gigem) by treating the ONNX model as an oracle and applying simulated annealing to find the winning input.