Blog | Fep Blog

blog / tags / modules / projects /

2026

Module

Procfs Dmesg Challenge

A variation of the procfs challenge where the flag is leaked to the kernel log.
Module

Procfs Indirect Call Challenge

Documentation of a kernel challenge involving an arbitrary indirect call to user-space.
Module

Procfs Ioctl Challenge

Documentation of a kernel challenge that uses ioctl for authentication and privilege escalation.
Module

Procfs Ioctl Struct Challenge

Documentation of a kernel challenge that executes shellcode passed via a structure in an ioctl call.
Module

Procfs Overflow Challenge

Documentation of a kernel-space stack overflow via procfs.
Module

Procfs Shellcode Challenge

Documentation of a kernel challenge that allows executing arbitrary shellcode in kernel-space.
Module

Procfs Rooting Challenge

Documentation of a kernel challenge that provides a rooting primitive via procfs.
Module

Secret Procfs Challenge

A deep dive into kernel procfs interaction and simple authentication mechanisms.
Module

Mount Namespace Escape via Procfs

Escaping a hardened mount namespace by mounting procfs and accessing the host's root directory through process 1's root link.
Module

Mount Namespace Escape via Pre-mounted Procfs

Escaping a mount namespace sandbox where procfs is already provided, by traversing process 1's root link to reach the host filesystem.
Module

Mount Namespace Escape via Manual Procfs Mount

Escaping a hardened mount namespace sandbox by manually mounting procfs from within the jail to access the host's root filesystem.
Module

Chroot without chdir

A common mistake when implementing jails is forgetting to change the working directory after calling chroot(). Exploit this oversight to escape the jail and read the flag.
Module

Mount Namespace and pivot_root Escape

Escaping a mount namespace sandbox by accessing the old root filesystem which was not unmounted after pivot_root.
Module

Mount Namespace Escape via FD Leak

Escaping a mount namespace sandbox by leveraging a file descriptor to the host root directory leaked before the sandbox was initialized.
Module

Sandboxing Overview

Introduction to Linux sandboxing techniques including chroot, seccomp, and namespaces, and how to test them locally.
Module

Arbitrary Read

Corrupting the _IO_FILE structure to leak data from arbitrary memory addresses.
Module

Arbitrary Write

Corrupting the _IO_FILE structure to write data to arbitrary memory addresses.
Module

Hijacking Control Flow

Abusing the FILE structure vtable pointer to hijack execution and jump to arbitrary functions.
Module

Hijacking with Argument

Advanced FSOP hijacking: passing arguments to functions by leveraging register states during the vtable dispatch.
Module

Overlapping Structures

Exploiting FSOP with limited space by overlapping the FILE structure with the wide data structure using stable offset alignment.
Module

FSOP

Resources and write-ups on File Stream Oriented Programming.
Module

Overview

Resources and write-ups on File Stream Oriented Programming.
Module

Device Driver Lifecycle

Understanding the lifecycle of a Linux character device driver and how to interact with it.
Module

Kernel

Resources and write-ups on kernel exploitation.
Module

Proc Filesystem Interaction

Creating and interacting with kernel modules via the /proc filesystem.
Module

IOCTL Interaction

Understanding and exploiting IOCTL interfaces in Linux kernel drivers.
Module

Environment Setup

Setting up a minimal kernel pwn environment.
Module

Escaping via Pre-opened File Descriptor

Writeup for Sandboxing Level 2
Module

Cross-Arch Syscall Confusion

Writeup for Sandboxing Level 9
Module

Sandboxing

Escape the jail! A series of challenges focusing on chroot, seccomp, and other sandboxing mechanisms.
Module

Chdir('/') after chroot

Writeup for Sandboxing Level 3

2025

Module

Side-Channel Leak via Exit Code

Leaking data from a restricted sandbox by using the process exit code as a communication channel.
Module

Sandbox Bypass via Parent-Child IPC

Bypassing a restricted sandbox by leveraging privileged commands provided by the parent process through a socketpair connection.
Module

Bypassing flag-string check with openat

Using a pre-opened directory handle to the root directory to open the flag, bypassing a simple string check on the input path.
Module

Bypassing chroot with linkat

Using the linkat syscall to create a hard link to the real flag inside the jail, bypassing chroot restrictions.
Module

Chroot Escape via fchdir

Using the fchdir syscall on a pre-opened directory descriptor to move the process's current working directory outside of the chroot jail.
Module

Chroot Escape via openat and ..

Escaping a chroot jail by using openat with '..' relative to a pre-opened directory handle, or leveraging similar path traversal.
Module

Classic Chroot Escape

Using the classic double-chroot technique to escape a jail when the chroot syscall is allowed within the sandbox.
Module

Stack Pivoting to ROP

Exploiting a stack buffer overflow to pivot the stack pointer to a controlled area and execute a ROP chain.
Module

Heap (from how2heap)

A collection of resources and write-ups on heap exploitation.
Module

Decrypting Safe-Linking

A technique to recover the original pointer from a Safe-Linking-protected value in glibc 2.32+.
Module

Foundations

Core concepts, algorithms, and primitive techniques of the glibc heap allocator.
Module

Safe-Linking Double Protection Bypass

A technique to bypass Safe-Linking by protecting a pointer twice, effectively canceling the obfuscation.
Module

House of Io

A technique for glibc 2.29-2.33 that exploits the tcache 'key' field to leak and corrupt the tcache_perthread_struct via Use-After-Free.
Module

Tcache Attacks

Exploiting the Thread Local Cache (tcache) for fast and effective heap corruption.
Module

Tcache House of Spirit

A variation of House of Spirit that targets the tcache, which has fewer integrity checks than fastbins.
Module

Tcache Metadata Poisoning

Gaining full control over tcache by corrupting the tcache_perthread_struct metadata, allowing for immediate arbitrary allocations.
Module

Tcache Poisoning

Tricking malloc into returning an arbitrary pointer by overwriting the next pointer of a freed tcache chunk.
Module

Fastbin Attacks

Classical heap exploits targeting the fastbins, the original LIFO caching mechanism.
Module

Unsorted Bin Attacks

Exploiting the unsorted bin's removal logic to achieve powerful write primitives.
Module

Small & Large Bin Attacks

Techniques targeting the sorted small and large bins for complex heap manipulation.
Module

Fastbin Reverse into Tcache

Abusing the fastbin-to-tcache refill mechanism to achieve an arbitrary allocation or write a heap pointer to a target location.
Module

Stashing & Hybrid Attacks

Exploiting the interaction between different bin types, such as fastbin-to-tcache refill.
Module

Tcache Stashing Unlink Attack

Exploiting the tcache stashing mechanism in the small bin to gain an arbitrary allocation and create a fake chunk.
Module

House of Storm

A powerful attack combining unsorted bin and large bin vulnerabilities to gain an arbitrary allocation, even without a size field at the target.
Module

Consolidation & Overlap

Abusing the allocator's merging logic to create overlapping chunks and cross-allocation control.
Module

Top Chunk Attacks

Techniques targeting the wilderness (top chunk) and the sysmalloc extension mechanism.
Module

House of Gods

An arena hijacking technique that replaces the thread_arena with a fake arena by exploiting binmap and unsorted bin attacks.
Module

House of Mind

An attack that abuses the non-main arena flag and heap alignment to trick free() into using a fake arena, creating a write-what-where primitive.
Module

Arena & Metadata Hijacking

High-level attacks that target the allocator's internal state structures and multi-arena management.
Module

House of Roman

A leakless heap exploitation technique that uses relative overwrites to hijack __malloc_hook, requiring 12 bits of brute force.
Module

Advanced & Leakless

Specialized exploitation techniques that bypass modern hardening or work without memory leaks.
Module

House of Orange

Exploiting the glibc allocator by corrupting the top chunk to trigger a sysmalloc that frees the old top chunk into an unsorted bin, followed by FSOP (File Stream Oriented Programming).
Module

House of Tangerine

A modernized version of House of Orange that corrupts the heap without calling free() directly, utilizing _int_free on the top chunk in sysmalloc and tcache poisoning.
Module

Pwn Cheatsheet

A quick reference for binary exploitation commands, tools, and techniques.
Module

AI BadBots: Authentication Bypass via NaN

An explanation of the floating-point logic error in AI BadBots allowing authentication bypass.
Module

Bazaar: Authentication Bypass via HMAC Signature Verification Flaw

Exploiting improper input handling and weak secret initialization to bypass HMAC signature verification in the Bazaar plugin.
Module

Super Malware Scanner: RCE via Insecure Deobfuscation Logic

Exploiting a regex-based deobfuscation routine to execute arbitrary functions in the Super Malware Scanner plugin.
Module

Heap Vulnerability Cheatsheet

Summary of common heap exploitation techniques, conditions, and targets.
Module

House of Water

A complex technique to achieve tcache metadata control by leveraging overlapping tcache counts and small bin reverse refilling.
Module

Unsafe Unlink

Exploiting the unlink macro to achieve arbitrary write by corrupting pointers.
Module

Unsorted Bin Attack

Exploiting the Unsorted Bin removal logic to write a large libc address to an arbitrary location.
Module

House of Lore

An advanced heap exploitation technique targeting the SmallBin to achieve arbitrary allocation by corrupting the BK pointer.
Module

Large Bin Attack

Exploiting the Large Bin sorting logic to achieve an arbitrary write of a heap address.
Module

Unsorted Bin into Stack

Tricking the Unsorted Bin into returning a stack address by corrupting the BK pointer and size of a freed chunk.
Module

House of Einherjar

Abusing an off-by-one null byte to clear the PREV_INUSE bit and trigger backward consolidation with a forged fake chunk.
Module

mmap Overlapping Chunks

Exploiting large mmap-allocated chunks by corrupting their size to trigger overlapping munmap/mmap sequences.
Module

Overlapping Chunks (Consolidation)

A variation of the overlapping chunks attack that leverages forward consolidation to swallow a non-adjacent chunk.
Module

Overlapping Chunks

Abusing a size field overwrite to trick the allocator into returning a chunk that overlaps with another active allocation.
Module

Poison Null Byte

Exploiting an off-by-one null byte to trigger backward consolidation and chunk overlapping.
Module

House of Force

Abusing the top chunk (wilderness) size to achieve arbitrary allocation by forcing malloc to wrap around the address space.
Module

sysmalloc: _int_free on Top Chunk

Exploiting sysmalloc to trigger an implicit _int_free on the top chunk by corrupting its size metadata.
Module

T-Cache Index Calculation

An explanation of how the t-cache index is calculated in glibc's memory allocator.
Module

Overview: Chunk Anatomy

A visual overview of what allocated and freed chunks look like in different glibc bins.
Module

Fastbin Double-Free

Tricking malloc into returning an already-allocated heap pointer by abusing the fastbin freelist.
Module

Fastbin Dup with malloc_consolidate

Leveraging malloc_consolidate and a double free to duplicate a pointer to a tcache-sized chunk.
Module

House of Spirit

An attack that tricks free() into adding a non-heap pointer (e.g., a stack address) to a fastbin, leading to an arbitrary allocation.
Module

Fastbin Dup into Stack

Extending the fastbin double-free to trick malloc into returning a pointer to a controlled location on the stack.
Module

Pwn

A collection of resources and write-ups on binary exploitation (pwn).
Module

Stack

A collection of resources and write-ups on stack exploitation.
Module

Codename Neigh

Exploit writeup for 'Codename Neigh', a web challenge from nullCTF
Module

Codename Neigh 2

Exploit writeup for 'Codename Neigh 2', a web challenge from nullCTF
Module

First-Fit Algorithm

An explanation of the first-fit algorithm used by glibc's memory allocator.
Module

Next Jason

Exploit writeup for 'Next Jason', a web challenge from nullCTF
Module

sketchy

Exploit writeup for 'sketchy', a pwn challenge from nullCTF
Blog

Low Level C

Cheatsheet
Blog

Binex Stack

Cheatsheet
Blog

Test page

lmaoo
Blog

Axum Cheatsheet

From its examples
Blog

Frustated with Windows? Here's a Linux Setup with All the Apps You Need!

with essential alternative applications for productivity, development, and entertainment.
Blog

Vimium Black Hint

Better than the default Vimium hint
Blog

Thesis Template conf.typ

Adjust it with your own uni, dont forget to change the image
Blog

Rust Cheatsheet

From LetsGetRusty
Blog

Recovery Tools Cheatsheet

At least, it works. With .dd image demo
Blog

SSL Setup Cheatsheet

At least, it works. With Apache as a demo

2023

Module

Fun

A collection of CTF write-ups and other fun challenges.
Blog

A Cool 'cat' Alternative as a Text Printer in Terminal

With syntax highlighting and git integration

© 2026 • Fep Blog 🔬

Press Esc or click anywhere to close