Secure Admin Panel — Stack Canary Leak + ret2win
Leak the stack canary via a controlled print function, then overflow to overwrite the return address without triggering the canary check.
Binary exploitation challenge from Territoriale 2025. Static analysis and attack strategy only; no full exploit was completed during the competition.
Write open-read-write shellcode to exfiltrate /flag.txt when execve is blocked by a seccomp filter.
Write minimal x86 shellcode that sets EAX to 0x13371338 to satisfy the binary’s check and unlock execution flow.
Classic x86-64 ret2win: overflow the return address, use a pop rdi gadget to pass the /bin/cat flag.txt string as argument, jump to system.
The IBAN input field copies 28 bytes into a buffer with room for 49. Appending the control byte 0x03 after the valid IBAN data overflows into an adjacent flag variable and unlocks the ransomware payment path.
Overflow the IBAN field to leak the binary’s own password via puts, then re-login as ADMIN using the leaked credential and repeat the overflow to reach the flag path.
Write /bin/sh into a known writable address, then build a ROP chain that sets rax=59, rdi=/bin/sh, rsi=0, rdx=0 using dedicated pop gadgets and a syscall instruction to get a shell.
Use a format string %n write to overwrite a target variable at a known address and unlock the flag path.
The binary leaks a runtime stack address disguised as a ‘random number’. Add 6 to land inside the shellcode region, then spray that address 800 times to cover the return target and get a shell.