ponbaby

volgactf2026

Task: Heap exploitation on glibc 2.42 with 2-byte overflow, limited allocations (16), limited overflows (4), no UAF read, no output primitive. Solution: Corrupt tcache_perthread_struct via overlapping chunks to bypass safe-linking, partial overwrite stdout for leak (12-bit brute force), then House of Apple 2 for RCE.

brute_force heap tcache safe_linking house_of_apple_2 glibc_2_42 stdout_leak ubuntu_26_04

safe_linking_bypasstcache_metadata_corruptionstdout_file_structure_corruptionoverlapping_chunkshouse_of_apple_2partial_overwrite_brute_force

$ ls tags/ techniques/

brute_force heap tcache safe_linking house_of_apple_2 glibc_2_42 stdout_leak ubuntu_26_04

safe_linking_bypasstcache_metadata_corruptionstdout_file_structure_corruptionoverlapping_chunkshouse_of_apple_2partial_overwrite_brute_force

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]pwn9_mc5 — Mic Check: leak and pwn 2!— spbctf
[pwn][Pro]pwn9_mc4 — Mic Check: leak and pwn!— spbctf
[pwn][Pro]pwn10_nosoeasy — No-So-Easy: tcache poison → GOT overwrite— spbctf
[pwn][Pro]Threadweaver Challenge Scenario— hackthebox
[pwn][free]Funkynator— hackthebox