{"id":17293038,"url":"https://github.com/macmod/pwnable-writeups","last_synced_at":"2026-03-27T02:37:18.449Z","repository":{"id":88881592,"uuid":"75558597","full_name":"Macmod/pwnable-writeups","owner":"Macmod","description":"Pwnable tips \u0026 writeups.","archived":false,"fork":false,"pushed_at":"2016-12-11T00:01:06.000Z","size":49,"stargazers_count":22,"open_issues_count":1,"forks_count":4,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-13T01:45:19.914Z","etag":null,"topics":["ctf","pwnable","writeup"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Macmod.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-12-04T19:19:52.000Z","updated_at":"2024-11-12T17:07:15.000Z","dependencies_parsed_at":"2023-06-12T23:15:14.988Z","dependency_job_id":null,"html_url":"https://github.com/Macmod/pwnable-writeups","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Macmod/pwnable-writeups","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Macmod%2Fpwnable-writeups","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Macmod%2Fpwnable-writeups/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Macmod%2Fpwnable-writeups/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Macmod%2Fpwnable-writeups/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Macmod","download_url":"https:
//codeload.github.com/Macmod/pwnable-writeups/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Macmod%2Fpwnable-writeups/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31010879,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-27T02:33:22.146Z","status":"ssl_error","status_checked_at":"2026-03-27T02:33:21.763Z","response_time":164,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ctf","pwnable","writeup"],"created_at":"2024-10-15T10:45:03.871Z","updated_at":"2026-03-27T02:37:18.431Z","avatar_url":"https://github.com/Macmod.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Pwnable Writeups\nMy personal writeups for [pwnable.kr](http://pwnable.kr/play.php).\n\nOnly Toddler's Bottle challenges are included ~~because I didn't solve the others yet~~ out of respect for Rule 3:\n\n\u003e 3\\. Challenges in Toddler's Bottle are allowed to freely post the solutions online. However, please refrain from posting solution for challenges in other categories. But if you insist, post easy ones (solved by many people) and do not spoil too much details for the sake of fun.\n\n## Disclaimer\n\nAll examples using `python` refer to versions *2.** of the language. 
Python *3.** won't work out-of-the-box because of the way it handles encoding with UTF-8.\n\n## Todo\n\n1. Do `unlink` and its writeup.\n2. Translate to Portuguese.\n\n----\n## Tips\n\nSuppose you are stuck but don't want to spoil all the fun.\n\nHere are some quick tips that may help you along the way:\n\n### fd\nRead Wikipedia's article on [file descriptors](https://en.wikipedia.org/wiki/File_descriptor).\n\n### collision\nFind values that result in the hash after being summed up. Remember to input the result as [little endian](https://en.wikipedia.org/wiki/Endianness).\n\n### bof\nRead about buffer overflows in the classic [Smashing the Stack for Fun and Profit](http://insecure.org/stf/smashstack.html). Also, LiveOverflow's [playlists](https://www.youtube.com/watch?v=T03idxny9jE\u0026index=13\u0026list=PLhixgUqwRTjxglIswKp9mpkfPNfHkzyeN) are awesome.\n\n### flag\nYou can't reverse a packed binary.\n\n### passcode\nRead about the Procedure Linkage Table (PLT) and the Global Offset Table (GOT).\n\n[This article](http://blog.isis.poly.edu/exploitation%20mitigation%20techniques/exploitation%20techniques/2011/06/02/relro-relocation-read-only/) and [this entry on exploit-db](https://www.exploit-db.com/papers/13203/) are also very enlightening.\n\n### random\nRandom values need proper seeding, otherwise they become [predictable](http://stackoverflow.com/questions/1108780/why-do-i-always-get-the-same-sequence-of-random-numbers-with-rand).\n\n### input\nRead about [command substitution](http://www.tldp.org/LDP/abs/html/commandsub.html), [I/O redirection](http://www.tldp.org/LDP/abs/html/io-redirection.html) and [netcat](https://www.g-loaded.eu/2006/11/06/netcat-a-couple-of-useful-examples/).\n\n### leg\nLearn a bit about [ARM](http://simplemachines.it/doc/arm_inst.pdf) to figure out the return values. 
Here's a [great manual](http://www.keil.com/support/man/docs/armasm/armasm_dom1361289850039.htm).\n\n### mistake\nAs the site says, read about [C operator precedence](http://www.difranco.net/compsci/C_Operator_Precedence_Table.htm) to find out the mistake.\n\n### shellshock\nRead Wikipedia's article on [shellshock](https://en.wikipedia.org/wiki/Shellshock_(software_bug)).\n\n### coin1\nRead about [binary search](https://en.wikipedia.org/wiki/Binary_search_algorithm) (for the problem) and [sockets](https://docs.python.org/2/library/socket.html) (to programmatically interact with the game).\n\n### blackjack\nIt's nothing fancy, just a common logic mistake. Try to trick the game.\n\n### lotto\nIt's nothing fancy, just a common logic mistake. Some very simple bruteforcing is needed (less than 50 tries).\n\n### cmd1\nRead Wikipedia's article on [$PATH](https://en.wikipedia.org/wiki/PATH_(variable)).\n\n### cmd2\nBe creative with [bash](http://ss64.com/bash/). There's more than one solution.\n\n### uaf\nRead [this beginner's guide on Use-After-Free](http://garage4hackers.com/content.php?r=143-Beginners-Guide-to-Use-after-free-Exploits-IE-6-0-day-Exploit-Development) and [this whitepaper on Dangling Pointers](https://www.blackhat.com/presentations/bh-usa-07/Afek/Whitepaper/bh-usa-07-afek-WP.pdf).\n\n### codemap\nRead about daehee's [codemap](http://codemap.kr/) plugin for IDA.\n\n### memcpy\nRead about the [MOVNTPS](http://www.felixcloutier.com/x86/MOVNTPS.html) instruction and [Alignment in C](https://wr.informatik.uni-hamburg.de/_media/teaching/wintersemester_2013_2014/epc-14-haase-svenhendrik-alignmentinc-paper.pdf).\n\n### asm\nRead about shellcode creation. 
If you feel you don't quite get the SmashTheStack article yet, read this newbie-friendly guide:\n\n[Writing 64-Bit Shellcode (Part 1)](http://null-byte.wonderhowto.com/how-to/writing-64-bit-shellcode-part-1-beginner-assembly-0161593/) \u0026 [Writing 64-Bit Shellcode (Part 2)](http://null-byte.wonderhowto.com/how-to/writing-64-bit-shellcode-part-2-removing-null-bytes-0161591/)\n\n### unlink\nWatch LiveOverflow's videos on [malloc()/free()](https://www.youtube.com/watch?v=gL45bjQvZSU) \u0026 [unlink() exploitation](https://www.youtube.com/watch?v=HWhzH--89UQ) and read [Exploiting the Heap](http://www.win.tue.nl/~aeb/linux/hh/hh-11.html).\n\n[Once upon a free()](http://phrack.org/issues/57/9.html) is also very informative.\n\n----\n## Thanks\n![pusheen](https://media.tenor.co/images/550650fe51ac8b77091ce7292b7641ee/raw)\n\nSpecial thanks to Ingrid Spangler for introducing me to this great hobby.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmacmod%2Fpwnable-writeups","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmacmod%2Fpwnable-writeups","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmacmod%2Fpwnable-writeups/lists"}