Advanced Binary Exploitation

Once a simple ret2win stops working because of stack canaries, PIE, and ASLR, exploitation becomes a craft of leaks and chains. You will brute-force and leak canaries, build return-oriented programs, poison the heap allocator, turn format strings into arbitrary writes, and escape seccomp sandboxes. This path assumes you understand stack layout, basic overflows, and format strings.

New to this category? Start with Binary Exploitation first.
6 steps · 20 challenges
  1. Step 01

    Defeating Canaries and PIE

    Modern binaries ship with a stack canary and randomized base addresses. To overwrite a return address you first have to defeat both, either by brute-forcing the canary one byte at a time or by leaking it (and the PIE and libc bases) through a format string before you ever send your overflow.

  2. Step 02

    Return-Oriented Programming

    When there is no convenient win function and the stack is non-executable, you build your payload out of gadgets already in the binary. ropfu makes you chain gadgets to call execve, Here's a LIBC adds a libc leak under ASLR for a ret2libc, and function overwrite redirects a call through an out-of-bounds pointer table.

  3. Step 03

    Heap Exploitation

    The heap is where allocator metadata becomes your weapon. These challenges teach tcache poisoning to redirect a malloc, use-after-free to reclaim a freed struct and overwrite a function pointer, and heap overflows that corrupt chunk metadata into an arbitrary write.

  4. Step 04

    Format String to Arbitrary Write

    A single uncontrolled format string is a read and write primitive over the whole address space. Using %p chains to leak and %n to write, these challenges escalate from leaking stack values to overwriting saved pointers and GOT entries to hijack control flow.

  5. Step 05

    Shellcode and Sandbox Escapes

    When the binary executes bytes you supply, the challenge shifts to writing shellcode that survives the constraints: a tiny input window, a byte filter, or a seccomp policy that forbids the syscalls you need. These force you to craft minimal, alphanumeric, or syscall-restricted payloads.

  6. Step 06

    JIT and Modern Targets

    The frontier of binary exploitation is browser and engine internals. Turboflan and Kit Engine hand you a patched JavaScript engine where a JIT type confusion or bounds-check removal gives you out-of-bounds memory access, the same primitive real browser exploits are built on.