what i'm i looking for ?

Hi I'm bit from meepwn team. Recently I and my teammates have participated in PwC hackaday contest as team L0s3r and we won first place. Our team is the only team solved this 500 point pwn challenge. Here is my writeup for this challenge. I suggest you should try solving it yourself before reading my writeup. You can download the binary here Tips:  one_gadget  is a greate tool using symbolic execution to find magic gadget in libc. More about heap exploitation techniques below here  and here . Mitigation: Canary: enable Fortify: disable Nx: enable Pie: enable Relo: full Program logic: The program allows us to select, add, delete  , edit and view map. The two most interesting functionality are select and delete.  Using s elect we can choose a specific map to  view . Delete function removes a specific map from memory. Vulnerabilites: - The first vulnerability is a heap overflow in add function where it reads the map's name. - The second ...

Recently I have found my very first bug bounty. An XSS  on  zomato.com . I earn not much money from it  but it means a lot to me. The bug itself is really interesting. Who on earth would think a  lenth extension attack  can lead to an XSS ? You can read more about it  here

This is the second time I participate in HITB and my first time solving pwn challenge on windows. I got first solve for this challenge. It's a really good challenge I suggest you try the challenge yourself first before reading my writeup. You can download the binary  here The challenge consist of two 32bit PE files: - babyshellcode.exe (which have /dynamicbase enable) is the main program logic - scmgr.dll which export 3 functions init_scmgr allocsc getshell_test Tips: I have to use netcat for windows to debug this challenge https://eternallybored.org/misc/netcat/. Really cool piece of software Program logic: We need to find a way to call  getshell_test. The program allow us to create 20 node, each node represents a shellcode in memory. Pointer to these node is store in an Array at offset 0x02B53F8.  We can list, delete and try to execute these shellcode. We can't directly execute our shellcode unless the guard  variable at offset  0x02B5448 is...