pwn writeups

find pwn ctf writeups.

pwn writeups reconstruct a binary exploit end to end — finding the bug, defeating the protections (NX, ASLR, PIE, canary), and chaining primitives into a shell. they usually include the full pwntools script.

search pwn writeups on ctftime

ctftime: pwnctftime: bofctftime: ropctftime: heap

what pwn writeups cover

  • stack overflowwriteups find the offset to the return address with a cyclic pattern and redirect execution.
  • ret2libcwriteups leak a libc address, compute the base, and call system("/bin/sh").
  • ROP chainwriteups build computation from ret-ending gadgets to bypass NX/DEP.
  • format stringwriteups use %p to leak the stack and %n to write a GOT entry or return address.
  • heap UAF / double freewriteups corrupt allocator metadata to gain an arbitrary write near a hook or target.
  • tcache / fastbin dupwriteups overlap chunks by corrupting a freed chunk's fd pointer.

read writeups after you've tried

writeups teach the most when you've already spent real time on a pwnchallenge. if you're stuck mid-solve, get a spoiler-free hint first — then read a writeup to see the gap between your approach and the intended one.

pwn guidepwn hints
all writeupsget hints →