Pwntools

Reverse a three-step transformation (reverse + rotate + XOR) applied to a 36-byte target symbol to recover the flag.

Leak the stack canary via a controlled print function, then overflow to overwrite the return address without triggering the canary check.

Classic x86-64 ret2win: overflow the return address, use a pop rdi gadget to pass the /bin/cat flag.txt string as argument, jump to system.

Connect to a server that fires 2049 arithmetic challenges in Italian — SOMMA, DIFFERENZA, PRODOTTO, POTENZA, DIVISIONE_INTERA — and solve each one in under the timeout to receive the flag.

A JSON-framed server demands conversions between base64, hex, and binary in both encode and decode directions. Write a bot that parses the Italian operation description and returns the correct transformed value.

The IBAN input field copies 28 bytes into a buffer with room for 49. Appending the control byte 0x03 after the valid IBAN data overflows into an adjacent flag variable and unlocks the ransomware payment path.

Overflow the IBAN field to leak the binary’s own password via puts, then re-login as ADMIN using the leaked credential and repeat the overflow to reach the flag path.

Write /bin/sh into a known writable address, then build a ROP chain that sets rax=59, rdi=/bin/sh, rsi=0, rdx=0 using dedicated pop gadgets and a syscall instruction to get a shell.

Use a format string %n write to overwrite a target variable at a known address and unlock the flag path.

The binary leaks a runtime stack address disguised as a ‘random number’. Add 6 to land inside the shellcode region, then spray that address 800 times to cover the return target and get a shell.