ctf and security terms defined.

binary exploitation

buffer overflow

writing more data into a fixed-size buffer than it can hold, overflowing into adjacent memory. on the stack, this can overwrite the saved return address and redirect code execution.

heap overflow

a buffer overflow occurring in heap-allocated memory (malloc/new). overwrites adjacent heap metadata or object fields rather than stack return addresses.

stack canary

a random value placed on the stack between local variables and the return address. checked before the function returns — if modified by an overflow, the program aborts.

format string bug

passing user-controlled input directly to printf as the format string (printf(user_input)). allows reading stack values with %p and writing to arbitrary memory addresses with %n.

use-after-free (UAF)

accessing a heap-allocated object after it has been freed. if the allocator reuses that memory, the attacker can control what the freed pointer now points to.

double free

calling free() on the same heap chunk twice. corrupts the allocator's internal free-list, enabling heap manipulation attacks.

ret2libc

a return-oriented attack that calls libc functions (usually system()) instead of injecting shellcode. used when the stack is non-executable (NX/DEP enabled).

ROP (Return-Oriented Programming)

chaining small instruction sequences ending in ret (gadgets) to build arbitrary computation without injecting new code. bypasses NX/DEP.

shellcode

position-independent machine code injected into a process and executed to gain a shell or perform other actions. requires executable memory (NX must be off or bypassed).

ASLR (Address Space Layout Randomization)

OS feature that randomizes the base addresses of the stack, heap, and libraries at each process start. requires an address leak to bypass.

PIE (Position-Independent Executable)

binary compiled to load at a random base address each run. combined with ASLR, all addresses in the binary are randomized.

NX / DEP

Non-Executable stack / Data Execution Prevention. marks memory regions (stack, heap) as non-executable so injected shellcode cannot be run.

GOT (Global Offset Table)

a writable table in ELF binaries holding resolved addresses of external library functions. overwriting a GOT entry redirects calls to that function.

PLT (Procedure Linkage Table)

a table of stubs that performs lazy binding for external function calls. first call resolves the address via the dynamic linker; subsequent calls go directly through the GOT.

one_gadget

a single gadget in libc that calls execve("/bin/sh", NULL, NULL) when reached with the right register state. faster than a full ROP chain when constraints match.

tcache

thread-local cache in glibc malloc (added in glibc 2.26). stores recently freed small chunks for fast reuse. vulnerable to double-free attacks due to limited integrity checks.

cryptography

RSA

asymmetric encryption using the difficulty of factoring large integers. public key (n, e), private key (n, d). CTF attacks: small e, common factors between moduli, Wiener's attack, padding oracle.

ECDSA (Elliptic Curve Digital Signature Algorithm)

digital signature scheme using elliptic curves. vulnerable to nonce reuse: if the same k is used in two signatures, the private key can be recovered algebraically.

AES (Advanced Encryption Standard)

symmetric block cipher operating on 128-bit blocks with 128/192/256-bit keys. CTF attacks target the mode: ECB mode (identical blocks = identical ciphertext), CBC bit-flipping, padding oracle.

ECB mode

AES block mode that encrypts each block independently. identical plaintext blocks produce identical ciphertext blocks — reveals patterns and enables chosen-plaintext attacks.

padding oracle

side-channel attack on CBC mode encryption. by observing whether decryption fails with a padding error, an attacker can decrypt ciphertext byte-by-byte without the key.

XOR cipher

encryption via bitwise XOR with a key. single-byte key is trivially brute-forced. repeated-key XOR is vulnerable to frequency analysis once key length is known (Kasiski / index of coincidence).

hash function

one-way function mapping arbitrary data to a fixed-size digest. CTF attacks: length extension (MD5/SHA1/SHA2), hash collision (MD5), rainbow tables for weak passwords.

length extension attack

attack on Merkle-Damgård hash functions (MD5, SHA1, SHA2). an attacker who knows H(secret || data) can compute H(secret || data || padding || extra) without knowing the secret.

Diffie-Hellman

key exchange protocol. CTF attacks target weak parameters: small prime p (discrete log solvable), g=1, or small subgroup attacks.

classical cipher

historical ciphers: Caesar (shift), Vigenère (repeating key XOR on letters), Rail Fence (transposition), Playfair (digraph substitution). identified by letter-only ciphertext; solved by frequency analysis.

web exploitation

SQL injection (SQLi)

inserting SQL syntax into application input to manipulate database queries. payloads like ' OR 1=1-- modify query logic. use sqlmap after manual confirmation.

XSS (Cross-Site Scripting)

injecting JavaScript into a page that executes in other users' browsers. stored XSS persists in the database; reflected XSS appears in the response immediately.

SSRF (Server-Side Request Forgery)

inducing the server to make HTTP requests to internal or external URLs. used to access internal services (metadata endpoints, Redis, SMTP) not reachable from outside.

SSTI (Server-Side Template Injection)

injecting template syntax ({{7*7}}, ${7*7}) that the server evaluates. full RCE is possible in Jinja2, Freemarker, and others via template object traversal.

LFI (Local File Inclusion)

including local server files via a path parameter. payloads like ../../../etc/passwd traverse directories. PHP LFI can achieve RCE via log poisoning or php:// wrappers.

IDOR (Insecure Direct Object Reference)

accessing another user's resource by manipulating a predictable identifier (user ID, order number) in a request. server fails to verify authorization.

command injection

input passed unsanitized to a shell command. separators like ; && | ` $() inject additional commands. look for upload handlers, ping forms, and DNS lookup features.

JWT (JSON Web Token)

signed token used for authentication. CTF attacks: alg:none (remove signature verification), HS256 with weak secret (brute-force), RS256-to-HS256 confusion (sign with public key).

deserialization

converting serialized objects back to language objects. if user-controlled, can execute arbitrary code via gadget chains. common in Java, PHP, Python pickle, Ruby Marshal.

forensics

steganography

hiding data within a carrier file (image, audio, video) in a way that is not visually apparent. common methods: LSB encoding, appended data, color plane manipulation.

LSB steganography

replacing the least significant bit of each pixel's color value with a bit of the hidden message. changes are imperceptible but extractable with tools like zsteg or stegsolve.

file carving

recovering files from a disk image or stream by identifying file signatures (magic bytes) without relying on filesystem metadata. binwalk and foremost are standard tools.

magic bytes

the first few bytes of a file that identify its format. PNG files begin with \x89PNG, ZIP files begin with PK, JPEG files begin with \xff\xd8. used to identify misnamed files.

entropy

a measure of randomness in data. compressed or encrypted data has high entropy (near 8 bits/byte). low-entropy regions in a file may contain readable text or structured data.

PCAP

packet capture file format. stores raw network traffic. analyzed with Wireshark or tshark. protocols including HTTP, FTP, DNS, and SMTP often transmit credentials and files in cleartext.

memory forensics

analysis of a memory dump to recover process information, network connections, encryption keys, and file contents. Volatility is the standard framework.