A collection of my CTF notes and walkthroughs.
Exploit an AArch64 stack overflow with ret2csu to leak libc and execute system().
Exploit a stack overflow with canary bypass to ret2win and read the flag.
Exploit Python Insecure Deserialization in a YAML parser to bypass a blind RCE environment and exfiltrate data via static files.
Solve a Diophantine system of equations involving primes and perfect squares to bypass 19 levels of a weird machine.
Exploit a case-sensitive filter bypass leading to SSRF and LFI to read the flag from /tmp/flag.txt.
CREATE2 + constructor-call bypass to precompute wins and drain the NullCTF casino.
Deterministic Fisher–Yates permutation and XOR window reversed to rebuild the file.
Use-after-free leak to bypass Safe Linking and poison tcache into a win path.
Crack MD5 preimage then XOR the blob to recover the M*CTF flag.
SQLi in GraphQL login to mint a flagOwner JWT and unlock /admin.
Format-string size mismatch flips is_admin via scanf overrun for instant shell.
Seccomp-only shellcode read/write exploit with bad-byte evasion for V2.
Exploit signed-char array index OOB read to leak the global flag bytes.
Single-byte srand/rand brute-force to reconstruct the 29-byte FlagCasino string.
Reverse the four-input transistor logic gate, brute-force its truth table, and decode the flag.
Classic gets() overflow to pivot into the hidden joshua function and print the flag.
Automation script plus SQL queries to pull every EpicSales flag in order.
