Textmate grammar to allow Shiki (and other applications using TM format) to highlight Binary Ninja HLIL

boogie-woogie was a pwn challenge in DiceCTF 2024 Quals with a .data relative byte swap primitive. Exploitation takes advantage of weak heap ASLR and a heap corruption technique which can put a chunk into unsorted bins (and thus storing a libc pointer in the heap) during normal malloc/free of the scanf scratch buffer

Time Jump Planner was a pwn challenge from the Battelle booth at Shmoocon 2024. It was a stack buffer overflow challenge with a shadow stack to prevent ROP. Exploitation uses "GOT Oriented Programming", a code-reuse technique which works by chaining together gadgets terminating in a call to a GOT entry.

Cake of Paranoia was a multi-stage docker-inside-nspawn sandbox escape challenge at Potluck CTF 2023 The first stage (docker->nspawn) involves a leaked ssh key from a home directory mapped in both. The second stage (nspawn->vm) is escaped with an unintended solution -- systemd mounts procfs as read-only but with mount capabilities it can be remounted writably.

Blind format string oneshot

I cleared pwn in UTCTF 2022 with the Texas A&M Cybersecurity club placing in 23rd :) There were three challenges -- an automatic exploit challenge, a stack bof+fmt string vuln, and unchecked write kernel driver.

Holy Grail of ROP was an automatic exploitation challenge in the 2022 Battelle Winter CTF. It provided five randomly generated vulnerable binaries and players needed to solve each within a timeout to get the flag. I use the library angr to automatically detect how to trigger buffer overflows and a partial GOT overwrite to access a syscall gadget for leaking.