Memory Lane
Five 32-bit SUID binaries with no hand-holding. Buffer overflows from ret2win all the way to heap UAF — each machine teaches one binary exploitation primitive, progressively removing protections.
The Machines
Five binaries. Five techniques. The classic progression.
32-bit SUID binary, no stack canary, no PIE, no NX. Find the overflow offset, then overwrite the return address with the fixed address of win(). checksec is your starting point.
32-bit SUID binary with execstack set and ASLR disabled. Print the buffer address at runtime, craft your shellcode, land it. /bin/sh spawned as root.
NX enabled — no shellcode. ret2libc instead. hints.txt gives you system() and /bin/sh addresses. Chain them with the right padding and a dummy return.
printf(user_input) in a SUID 32-bit binary. Use %x/%p to leak stack values, locate the return address, then overwrite it via %n. GOT overwrite also works.
32-bit SUID binary with a struct containing a function pointer allocated on the heap. Free the chunk, reallocate over it with controlled data, overwrite the pointer to redirect execution.
Attack Chain
Recommended order of attack.
Ready to smash the stack?
Five binaries. Five exploitation primitives. The classic pwn curriculum in one series.
Launching 1 August 2026 — binary exploitation series from ret2win to heap UAF, all 32-bit SUID targets.