- See also Exploitation specific content
- "Writing a Debugger From Scratch"
- "A Deep Dive Into Brute Ratel C4 Payloads"
- "A Deep Dive into Penetration Testing of macOS Applications (Part 1)"
- "A look at CVE-2023-29360, a beautiful logical LPE vuln"
- "A Journey Into Hacking Google Search Appliance"
- "A new method for container escape using file-based DirtyCred"
- "A Pain in the NAS: Exploiting Cloud Connectivity to PWN your NAS: Synology DS920+ Edition"
- "A Potholing Tour in a SoC"
- "A Race to Report a TOCTOU: Analysis of a Bug Collision in Intel SMM"
- "A Red-Teamer diaries"
- "A story about tampering EDRs"
- "Abusing undocumented features to spoof PE section headers"
- "All about LeakSanitizer"
- "All cops are broadcasting: TETRA under scrutiny"
- "All my favorite tracing tools: eBPF, QEMU, Perfetto, new ones I built and more"
- "An analysis of an in-the-wild iOS Safari WebContent to GPU Process exploit"
- "Analysis on legit tools abused in human operated ransomware"
- "Analysis of CVE-2023-3519 in Citrix ADC and NetScaler Gateway":
- "Analysis of VirtualBox CVE-2023-21987 and CVE-2023-21991"
- "Analyzing a Modern In-the-wild Android Exploit"
- "Analyzing an Old Netatalk dsi_writeinit Buffer Overflow Vulnerability in NETGEAR Router"
- "ARM64 Reversing And Exploitation" (8ksec)
- "Attacking an EDR"
- "Audio with embedded Linux training"
- "Automating C2 Infrastructure with Terraform, Nebula, Caddy and Cobalt Strike"
- "Back to the Future with Platform Security"
- "Bash Privileged-Mode Vulnerabilities in Parallels Desktop and CDPATH Handling in MacOS"
- "Bee-yond Capacity: Unauthenticated RCE in Extreme Networks/Aerohive Wireless APs - CVE-2023-35803"
- "Behind the Shield: Unmasking Scudos's Defenses"
- "BlackLotus UEFI bootkit: Myth confirmed"
- "Breaking Fortinet Firmware Encryption"
- "Breaking the Code - Exploiting and Examining CVE-2023-1829 in cls_tcindex Classifier Vulnerability"
- "Breaking Secure Boot on the Silicon Labs Gecko platform"
- "Building a Custom Mach-O Memory Loader for macOS"
- "Building an Exploit for FortiGate Vulnerability CVE-2023-27997"
- "Bypassing PPL in Userland (again)"
- "Bypassing SELinux with init_module"
- "CAN Injection: keyless car theft"
- "chonked"
- "Coffee: A COFF loader made in Rust"
- "Competing in Pwn2Own ICS 2022 Miami: Exploiting a zero click remote memory corruption in ICONICS Genesis64"
- "CVE-2023-2008 - Analyzing and exploiting a bug in the udmabuf driver"
- "CVE-2023-26258 – Remote Code Execution in ArcServe UDP Backup"
- "CVE-2023-36844 And Friends: RCE In Juniper Devices"
- "CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent"
- "cURL audit: How a joke led to significant findings"
- "Debugger Ghidra Class"
- "Debugging D-Link: Emulating firmware and hacking hardware"
- "Decompilation Debugging"
- "Deep Lateral Movement in OT Networks: When is a Perimeter not a Perimeter?"
- "Defining the cobalt strike reflective loader"
- "Demystifying bitwise operations, a gentle C tutorial"
- "Detecting and decrypting Sliver C2 – a threat hunter’s guide"
- "Detecting BPFDoor Backdoor Variants Abusing BPF Filters"
- "Dirty Pagetable: A Novel Exploitation Technique To Rule Linux Kernel"
- "Dissecting and Exploiting TCP/IP RCE Vulnerability “EvilESP”"
- "Diving Into Smart Contract Decompilation"
- "Diving into Starlink's User Terminal Firmware"
- "DJI Mavic 3 Drone Research Part 1: Firmware Analysis"
- "Drone Security and Fault Injection Attacks"
- "DualShock4 Reverse Engineering":
- "Emulating IoT Firmware Made Easy: Start Hacking Without the Physical Device"
- "Encrypted Doesn't Mean Authenticated: ShareFile RCE (CVE-2023-24489)"
- "ENLBufferPwn (CVE-2022-47949)"
- "Escaping the Google kCTF Container with a Data-Only Exploit"
- "Exploitation of Openfire CVE-2023-32315"
- "Exploiting a Flaw in Bitmap Handling in Windows User-Mode Printer Drivers"
- "Exploiting null-dereferences in the Linux kernel"
- "Exploring UNIX pipes for iOS kernel exploit primitives"
- "EPF: Evil Packet Filter"
- "Escaping from Bhyve"
- "ESP32-C3 Wireless Adventure A Comprehensive Guide to IoT"
- "Espressif ESP32: Breaking HW AES with Electromagnetic Analysis"
- "Espressif ESP32: Breaking HW AES with Power Analysis"
- "Examining OpenSSH Sandboxing and Privilege Separation – Attack Surface Analysis"
- "Executing Arbitrary Code & Executables in Read-Only FileSystems"
- "Exploit Engineering – Attacking the Linux Kernel"
- "Exploiting a Remote Heap Overflow with a Custom TCP Stack"
- "Exploiting HTTP Parsers Inconsistencies"
- "Exploiting MikroTik RouterOS Hardware with CVE-2023-30799"
- "Exploring Android Heap Allocations in Jemalloc 'New'"
- "Exploring Linux's New Random Kmalloc Caches"
- "Fantastic Rootkits: And Where To Find Them":
- "Few lesser known tricks, quirks and features of C"
- "Finding and exploiting process killer drivers with LOL for 3000$"
- "Finding bugs in C code with Multi-Level IR and VAST"
- "Finding Gadgets for CPU Side-Channels with Static Analysis Tools"
- "For Science! - Using an Unimpressive Bug in EDK II to Do Some Fun Exploitation"
- "FortiNAC - Just a few more RCEs"
- "Fortinet Series 3 — CVE-2022–42475 SSLVPN exploit strategy"
- "Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues"
- "From C, with inline assembly, to shellcode"
- "Fuzzing Farm":
- "Getting RCE in Chrome with incomplete object initialization in the Maglev compiler"
- "Ghidra" (Craig Young):
- "Ghost In The Wire, Sonic In The Wall - Adventures With SonicWall"
- "Hacking a Tapo TC60 Camera"
- "Hacking Amazon's eero 6 (part 1)"
- "Hacking Brightway scooters: A case study"
- "Hacking ICS Historians: The Pivot Point from IT to OT"
- "Hacking the Nintendo DSi Browser"
- "Hardware Hacking to Bypass BIOS Passwords"
- "Heads up! Xdr33, A Variant Of CIA’s HIVE Attack Kit Emerges"
- "How a simple K-TypeConfusion took me 3 months long to create a exploit? [HEVD] - Windows 11 (build 22621)"
- "How does Linux start a process"
- "How NATs Work":
- "How I Hacked my Car":
- "How to Emulate Android Native Libraries Using Qiling"
- "How To Secure A Linux Server"
- "Icicle: A Re-designed Emulator for Grey-Box Firmware Fuzzing"
- "In-depth analysis on Valorant’s Guarded Regions"
- "In-Memory-Only ELF Execution (Without tmpfs)"
- "Intel BIOS Advisory – Memory Corruption in HID Drivers"
- "Intercepting Allocations with the Global Allocator"
- "Introduction to SELinux"
- "IoT Series":
- "JTAG 'Hacking' the Original Xbox in 2023"
- "Kernel Exploit Factory"
- "Learn Makefiles With the tastiest examples"
- "Let's build a Chrome extension that steals everything"
- "Let’s Go into the rabbit hole (part 1) — the challenges of dynamically hooking Golang programs"
- "Leveraging ssh-keygen for Arbitrary Execution (and Privilege Escalation)"
- linux-re-101
- "Linux debugging, profiling and tracing training"
- "Linux Kernel Teaching"
- "Linux Malware: Defense Evasion Techniques"
- "Linux Red Team":
- "Linux Remote Process Injection - (Injecting into a firefox process)"
- "Linux rootkits explained – Part 1: Dynamic linker hijacking"
- "Linux Shellcode 101: From Hell to Shell"
- "Local Privilege Escalation on the DJI RM500 Smart Controller"
- "Lord Of The Ring0":
- "Low-Level Software Security for Compiler Developers"
- "LPE and RCE in RenderDoc: CVE-2023-33865, CVE-2023-33864, CVE-2023-33863"
- "Making TOCTOU Great again – X(R)IP"
- "Malware Reverse Engineering for Beginners":
- "Man-in-the-Middle Attacks without Rogue AP: When WPAs Meet ICMP Redirects"
- "mast1c0re"
- "Mélofée: a new alien malware in the Panda's toolset targeting Linux hosts"
- "Meterpreter vs Modern EDR(s)"
- "MTE As Implemented":
- "mTLS: When certificate authentication is done wrong"
- "MSMQ QueueJumper (RCE Vulnerability): An in-depth technical analysis"
- "Multiple Vulnerabilities in Qualcomm and Lenovo ARM-based Devices"
- "NetGear Series: Emulating Netgear R6700V3 circled binary":
- "New HiatusRAT Router Malware Covertly Spies On Victims"
- "NVMe: New Vulnerabilities Made Easy"
- "nftables Adventures: Bug Hunting and N-day Exploitation (CVE-2023-31248)"
- "Obscure Windows File Types"
- "Old Bug, Shallow Bug: Exploiting Ubuntu at Pwn2own Vancouver 2023"
- "OPC UA Deep Dive Series":
- "OpenSSH Pre-Auth Double Free CVE-2023-25136 – Writeup and Proof-of-Concept"
- "OrBit: advanced analysis of a Linux dedicated malware"
- "OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow"
- "P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm"
- "P4wnP1-LTE"
- "Patches, Collisions, and Root Shells: A Pwn2Own Adventure"
- "Patch Tuesday -> exploit Wednesday: Pwning windows ancillary function driver for WinSock (afd.sys) in 24 hours"
- "Persistence Techniques That Persist"
- "Practical Introduction to BLE GATT Reverse Engineering: Hacking the Domyos EL500"
- "prctl anon_vma_name: An Amusing Linux Kernel Heap Spray"
- "Producing a POC for CVE-2022-42475 (Fortinet RCE)"
- "Protecting Android clipboard content from unintended exposure"
- "Protecting the Phoenix: Unveiling Critical Vulnerabilities in Phoenix Contact HMI"
- "PyLoose: Python-based fileless malware targets cloud workloads to deliver cryptominer"
- "PwnAgent: A One-Click WAN-side RCE in Netgear RAX Routers with CVE-2023-24749"
- "Pwning Pixel 6 with a leftover patch"
- "Pwning the tp-link ax1800 wifi 6 Router: Uncovered and Exploited a Memory Corruption Vulnerability"
- "Racing Against the Lock: Exploiting Spinlock UAF in the Android Kernel"
- "Readline crime: exploiting a SUID logic bug"
- "Red vs. Blue: Kerberos Ticket Times, Checksums, and You!"
- "Restoring Dyld Memory Loading"
- "Retreading The AMLogic A113X TrustZone Exploit Process"
- "RISC-V Bytes: Exploring a Custom ESP32 Bootloader"
- "REUnziP: Re-Exploiting Huawei Recovery With FaultyUSB"
- "Revisiting CVE-2017-11176"
- "Rooting the FiiO M6":
- "Rust Binary Analysis, Feature by Feature"
- "Rust to Assembly: Understanding the Inner Workings of Rust"
- "SHA-1 gets SHAttered"
- "Shambles: The Next-Generation IoT Reverse Engineering Tool to Discover 0-Day Vulnerabilities"
- "Shell in the Ghost: Ghostscript CVE-2023-28879 writeup"
- "Shifting boundaries: Exploiting an Integer Overflow in Apple Safari"
- "Smart Speaker Shenanigans: Making the Sonos ONE Sing its Secrets"
- "Smashing the state machine: the true potential of web race conditions"
- "SRE deep dive into Linux Page Cache"
- "Stepping Insyde System Management Mode"
- "THC's favourite Tips, Tricks & Hacks (Cheat Sheet)"
- "The ARM32 Scheduling and Kernelspace/Userspace Boundary"
- "The art of Fuzzing: Introduction"
- "The art of fuzzing: Windows Binaries"
- "The art of fuzzing-A Step-by-Step Guide to Coverage-Guided Fuzzing with LibFuzzer"
- "The Blitz Tutorial Lab on Fuzzing with AFL++"
- "The code that wasn’t there: Reading memory on an Android device by accident"
- "The Dragon Who Sold His camaro: Analyzing Custom Router Implant"
- "The Importance of Reverse Engineering in Network Analysis"
- "The Linux Kernel Module Programming Guide"
- "The Most Dangerous Codec in the World: Finding and Exploiting Vulnerabilities in H.264 Decoders"
- "The Role of the Control Flow Graph in Static Analysis"
- "The Silent Spy Among Us: Smart Intercom Attacks"
- "The Stack Series: The X64 Stack"
- "The Untold Story of the BlackLotus UEFI Bootkit"
- "Tickling ksmbd: fuzzing SMB in the Linux kernel"
- "Tool Release: Cartographer"
- "Total Identity Compromise: Microsoft Incident Response lessons on securing Active Directory"
- "Sshimpanzee"
- "Xortigate, or CVE-2023-27997 - The Rumoured RCE That Was"
- "Your not so 'Home Office' - SOHO Hacking at Pwn2Own"
- "Ubuntu Shiftfs: Unbalanced Unlock Exploitation Attempt"
- "Unauthenticated RCE on a RIGOL oscilloscope"
- "UNCONTAINED: Uncovering Container Confusion in the Linux Kernel"
- "Uncovering a crazy privilege escalation from Chrome extensions"
- "Uncovering HinataBot: A Deep Dive into a Go-Based Threat"
- "Under The Hood - Disassembling of IKEA-Sonos Symfonisk Speaker Lamp"
- "Understanding a Payload’s Life Featuring Meterpreter & Other Guests"
- "Understanding the Heap - a beautiful mess"
- "Windows Installer arbitrary content manipulation Elevation of Privilege (CVE-2020-0911)"
- "Windows Installer EOP (CVE-2023-21800)"
- "Writing your own RDI /sRDI loader using C and ASM"
- "Zenbleed"
- "Zero Effort Private Key Compromise: Abusing SSH-Agent For Lateral Movement"
- "A journey into IoT":
- "ARM 64 Assembly Series":
- "Attacking Titan M with Only One Byte"
- "Avoiding Detection with Shellcode Mutator"
- "Breaking Secure Boot on Google Nest Hub (2nd Gen) to run Ubuntu"
- "Bypassing software update package encryption":
- "Bypassing vtable Check in glibc File Structures"
- "Blind Exploits to Rule Watchguard Firewalls"
- "BPFDoor - An Evasive Linux Backdoor Technical Analysis"
- "CVE-2022-0435: A Remote Stack Overflow in The Linux Kernel"
- "[CVE-2022-1786] A Journey To The Dawn"
- "CVE-2022-2602: DirtyCred File Exploitation applied on an io_uring UAF"
- "CVE-2022-29582 An io_uring vulnerability"
- "DirtyCred Remastered: how to turn an UAF into Privilege Escalation"
- "Dumping the Amlogic A113X Bootrom"
- "Dynamic analysis of firmware components in IoT devices"
- "Embedded Systems Security and TrustZone"
- "EntryBleed: Breaking KASLR under KPTI with Prefetch (CVE-2022-4543)"
- "Exploiting CSN.1 Bugs in MediaTek Basebands"
- "exploiting CVE-2019-2215"
- "Firmware key extraction by gaining EL3"
- "Fortigate - Authentication Bypass Lead to Full Device Takeover"
- "How The Tables Have Turned: An analysis of two new Linux vulnerabilities in nf_tables"
- "Huawei Security Hypervisor Vulnerability"
- "Hunting for Persistence in Linux"
- "Hacking Some More Secure USB Flash Drives":
- "Intro to Embedded RE":
- "Linux Hardening Guide"
- "Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg"
- "Linux Kernel Exploit (CVE-2022–32250) with mqueue"
- "Linux SLUB Allocator Internals and Debugging":
- "Linternals: Introducing Memory Allocators & The Page Allocator"
- "Linternals: The Slab Allocator"
- "Looking for Remote Code Execution bugs in the Linux kernel"
- "Manipulating AES Traffic using a Chain of Proxies and Hardcoded Keys"
- "Missing Manuals - io_uring worker pool"
- "Netgear Orbi":
- "nday exploit: libinput format string bug, canary leak exploit (cve-2022-1215)"
- "Overview of GLIBC heap exploitation techniques"
- "Patching, Instrumenting & Debugging Linux Kernel Modules"
- "pipe_buffer arbitrary read write"
- "Pixel 6 Bootloader"
- "Port knocking from the scratch"
- "Pulling MikroTik into the Limelight"
- "Racing against the clock -- hitting a tiny kernel race window"
- "Racing Cats to the Exit: A Boring Linux Kernel Use-After-Free"
- "Researching Xiaomi’s Tee to Get to Chinese Money"
- "Reversing embedded device bootloader (U-Boot)":
- "Reverse Engineering a Cobalt Strike Dropper With Binary Ninja"
- "Reverse engineering integrity checks in Black Ops 3"
- "Reverse engineering thermal printers"
- "Reviving Exploits Against Cred Structs - Six Byte Cross Cache Overflow to Leakless Data-Oriented Kernel Pwnage"
- "SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)"
- "Shedding Light on Huawei's Security Hypervisor"
- "Shikitega - New stealthy malware targeting Linux"
- "side channels: power analysis"
- "side channels: using the chipwhisperer"
- "Spoofing Call Stacks To Confuse EDRs"
- "Stealing the Bitlocker key from a TPM"
- "Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat"
- "Tetsuji: Remote Code Execution on a GameBoy Colour 22 Years Later"
- "The Dirty Pipe Vulnerability"
- "The Old, The New and The Bypass - One-click/Open-redirect to own Samsung S22 at Pwn2Own 2022"
- "The toddler’s introduction to Heap exploitation":
- "Trying To Exploit A Windows Kernel Arbitrary Read Vulnerability"
- "Turning Google smart speakers into wiretaps for $100k"
- "Vulnerabilities and Hardware Teardown of GL.iNET GL-MT300N-V2 Router"
- "Vulnerabilities in BMC Firmware Affect OT/IoT Device Security":
- "Vulnerabilities in Tenda's W15Ev2 AC1200 Router"
- "Write a Linux firewall from scratch based on Netfilter"
- "Yet another bug into Netfilter"
- "A dive into the PE file format":
- "Breaking 64 bit aslr on Linux x86-64"
- "Bypassing GLIBC 2.32’s Safe-Linking Without Leaks into Code Execution: The House of Rust"
- "Complete Guide to Stack Buffer Overflow (OSCP Preparation)"
- "CVE-2021–20226 a reference counting bug which leads to local privilege escalation in io_uring."
- "Digging into Linux namespaces":
- "Fire of Salvation Writeup: Utilizing msg_msg Objects for Arbitrary Read and Arbitrary Write in the Linux Kernel"
- "Ghidra 101":
- "GRCON 2021 - Capture the Signal"
- "Learning Linux Kernel Exploitation":
- "Linux Kernel Exploitation":
- "Live Debugging Techniques for the Linux Kernel"
- "New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor"
- "New Old Bugs in the Linux Kernel"
- "Recovering a Full PEM Private key when Half of it is Redacted"
- "Reverse Engineering Bare-Metal Firmware":
- "Reverse Engineering Yaesu FT-70D Firmware Encryption"
- "Syzkaller diving":
- "The Oddest Place You Will Ever Find PAC"
- "Wall Of Perdition: Utilizing msg_msg Objects For Arbitrary Read And Arbitrary Write In The Linux Kernel"
- "A Deep Dive Into Samsung's TrustZone"
- "BGET Explained Binary Heap Exploitation on OP-TEE":
- "BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution"
- "Detecting Linux memfd_create() Fileless Malware with Command Line Forensics"
- "Exception(al) Failure - Breaking the STM32F1 Read-Out Protection"
- "Hardware Hacking 101: Identifying and Dumping eMMC Flash"
- "House of Muney - Leakless Heap Exploitation Technique"
- "Loading Dynamic Libraries on Mac"
- "Minesweeper - TP-Link Archer C7 LAN RCE"
- "My Methods To Achieve Persistence In Linux Systems"
- "nRF52 Debug Resurrection":
- "NTLM Relay"
- "Patch Diffing a Cisco RV110W Firmware Update"
- "ret2dl_resolve x64: Exploiting Dynamic Linking Procedure In x64 ELF Binaries"
- "SSHD Injection and Password Harvesting"
- "Weekend Destroyer - RCE in Western Digital PR4100 NAS"
- "What're you telling me, Ghidra?"
- "Breaking out of Docker via runC – Explaining CVE-2019-5736"
- "Executable and Linkable Format 101":
- "Hacking microcontroller firmware through a USB"
- "Hardening Secure Boot on Embedded Devices for Hostile Environments"
- "Pew Pew Pew: Designing Secure Boot Securely"
- "Pwn the ESP32 Secure Boot"
- "Reverse Engineering Architecture And Pinout of Custom Asics"
- "Reverse-engineering Broadcom wireless chipsets"
- "Virtualization Internals":
- "A Guide to ARM64 / AArch64 Assembly on Linux with Shellcodes and Cryptography"
- "CVE-2017-11176: A step-by-step Linux Kernel exploitation":
- "eMMC Data Recovery from Damaged Smartphone"
- "My journey towards Reverse Engineering a Smart Band — Bluetooth-LE RE"
- "Vectorized Emulation":
- "HiSilicon DVR hack"
- "How I Reverse Engineered and Exploited a Smart Massager"
- "Linux ptrace introduction AKA injecting into sshd for fun"
- "Bypassing Secure Boot using Fault Injection"
- "munmap madness"
- "Implementation of Signal Handling"
- "Practical Reverse Engineering"
- "Understanding and Hardening Linux Containers"
- "A Noobs Guide to ARM Exploitation"
- "Advanced binary fuzzing using AFL++-QEMU and libprotobuf: a practical case of grammar-aware in-memory persistent fuzzing"
- "Advanced Compilers: The Self-Guided Online Course"
- "ARM TrustZone: pivoting to the secure world"
- Awesome Industrial Protocols
- "Brute Ratel - Scandinavian Defence"
- "Introduction to encryption for embedded Linux"
- DhavalKapil/heap-exploitation
- Diffing Portal
- Ghidriff - Ghidra Binary Diffing Engine
- "Grand Theft Auto A peek of BLE relay attack"
- ice9-bluetooth-sniffer
- "Illustrated Connections":
- "Introduction to Malware Analysis and Reverse Engineering"
- "Laser-Based Audio Injection on Voice-Controllable Systems"
- Linux Kernel CVEs
- "Linux Kernel map"
- "Linux Insides"
- "Linux Syscalls Reference"
- "Lytro Unlock - Making a bad camera slightly better"
- "Minimizing Rust Binary Size"
- "mjsxj09cm Recovering Firmware And Backdooring"
- "Offensive security (0xtriboulet)"
- "Operating System development tutorials in Rust on the Raspberry Pi"
- Red-Team-Infrastructure-Wiki
- "Reverse Engineering For Everyone!"
- "Satellite Hacking Demystified(RTC0007)"
- TEE Reversing
- tmpout.sh: collection of writeups on low-level stuff
- USB-WiFi
- "VSS: Beginners Guide to Building a Hardware Hacking Lab"
- "WinDBG quick start tutorial"