Skip to main content

CTF Challenges

This page catalogs real CTF challenges that demonstrate practical applications of heap exploitation techniques. Each challenge is linked to the specific technique(s) used and includes references to writeups where available.
Studying CTF challenge writeups is one of the best ways to understand how heap exploitation techniques are applied in practice. These challenges often combine multiple techniques and require creative problem-solving.

Challenges by Technique

Challenges are organized by the primary heap exploitation technique they demonstrate.

Fastbin Attacks

9447 CTF 2015

search-engine - Fastbin dup into stack

0ctf 2017

babyheap - Fastbin dup techniques

9447 CTF 2015: search-engine

Challenge Name: search-engine
CTF: 9447 CTF 2015
Category: Exploitation
Technique: fastbin_dup_into_stack Writeup: https://github.com/ctfs/write-ups-2015/tree/master/9447-ctf-2015/exploitation/search-engine
Overview
This challenge requires exploiting a search engine application with a heap vulnerability. The solution uses fastbin duplication to get malloc to return a stack address.
Vulnerability
  • Use-after-free in search result handling
  • Allows double free of fastbin chunks
  • Stack address leak available
Exploitation Steps
  1. Trigger double free - Free the same fastbin chunk twice
  2. Corrupt fastbin freelist - Overwrite fd pointer to point to stack
  3. Allocate from stack - Make malloc return stack address
  4. Overwrite return address - Gain code execution
Key Techniques
  • Fastbin duplication
  • Freelist manipulation
  • Stack address targeting
  • Return-oriented exploitation

0ctf 2017: babyheap

Challenge Name: babyheap
CTF: 0ctf 2017 Quals
Category: Pwnable
Technique: fastbin_dup_into_stack, fastbin_dup Writeup: https://web.archive.org/web/20181104155842/http://uaf.io/exploitation/2017/03/19/0ctf-Quals-2017-BabyHeap2017.html
Overview
A heap management application with allocation, deallocation, and viewing functionality. Classic heap note-style challenge.
Vulnerability
  • Off-by-one overflow
  • Leads to chunk consolidation
  • Enables fastbin attacks
Exploitation Strategy
  1. Trigger off-by-one - Overflow into next chunk’s size field
  2. Consolidate chunks - Create overlapping chunks
  3. Fastbin dup - Duplicate fastbin entries
  4. Target critical structure - Overwrite function pointers
Learning Points
  • Combining multiple primitive vulnerabilities
  • Chunk consolidation techniques
  • Fastbin freelist manipulation
  • Heap grooming for reliable exploitation
This challenge demonstrates how simple vulnerabilities (off-by-one) can lead to complex heap exploitation chains.

Fastbin Dup with Consolidation

Hitcon 2016: SleepyHolder

Challenge Name: SleepyHolder
CTF: Hitcon CTF 2016
Category: Pwnable
Technique: fastbin_dup_consolidate Writeup: https://github.com/mehQQ/public_writeup/tree/master/hitcon2016/SleepyHolder
Overview
A secret management application that allocates and frees chunks of different sizes.
Vulnerability
  • Use-after-free on fastbin chunks
  • Chunk consolidation trigger
  • Allows fastbin chunk to be in both fastbin and top chunk
Exploitation Technique
  1. Allocate fastbin chunk - Create chunk in fastbin range
  2. Free to fastbin - Place chunk in fastbin freelist
  3. Trigger consolidation - Consolidate chunk into top
  4. Allocate overlapping chunks - Get same memory twice
  5. Exploit overlap - Overwrite critical data
Why It’s Notable
Demonstrates a subtle heap state confusion where a chunk exists in multiple malloc structures simultaneously.

HITCON 2014

stkof - Classic unsafe unlink

Insomni'hack 2017

Wheel of Robots - Modern unlink

HITCON 2014: stkof

Challenge Name: stkof
CTF: HITCON CTF 2014
Category: Pwnable
Technique: unsafe_unlink Writeup: http://acez.re/ctf-writeup-hitcon-ctf-2014-stkof-or-modern-heap-overflow/
Overview
Stack and heap exploitation challenge combining multiple techniques.
Vulnerability
  • Heap overflow
  • Allows chunk metadata corruption
  • Enables unsafe unlink exploitation
Exploitation Steps
  1. Overflow chunk - Corrupt next chunk’s metadata
  2. Set up fake chunk - Create controlled chunk structure
  3. Trigger unlink - Free the corrupted chunk
  4. Arbitrary write - Unlink gives write-what-where
  5. Overwrite GOT - Hijack control flow
Key Concepts
  • Chunk metadata manipulation
  • Unlink macro exploitation
  • GOT overwrite technique
  • Heap overflow to code execution
This challenge is a classic example of unsafe unlink exploitation, a foundational heap technique.

Insomni’hack 2017: Wheel of Robots

Challenge Name: Wheel of Robots
CTF: Insomni’hack 2017
Category: Exploitation
Technique: unsafe_unlink Writeup: https://gist.github.com/niklasb/074428333b817d2ecb63f7926074427a
Overview
Modern take on unsafe unlink with additional mitigations to bypass.
Challenges
  • Modern glibc with consistency checks
  • RELRO (partial/full) protection
  • PIE enabled
  • Requires information leak
Exploitation Strategy
  1. Information leak - Leak heap and libc addresses
  2. Construct fake chunk - Satisfy consistency checks
  3. Trigger unlink - Carefully crafted unlink operation
  4. Arbitrary write primitive - Use unlink result
  5. Control execution - Overwrite function pointer
Modern Considerations
  • Safe unlink checks must be bypassed
  • Heap grooming more critical
  • Multiple information leaks often required

House of Spirit

hack.lu CTF 2014: OREO

Challenge Name: OREO
CTF: hack.lu CTF 2014
Category: Exploitation
Technique: house_of_spirit Writeup: https://github.com/ctfs/write-ups-2014/tree/master/hack-lu-ctf-2014/oreo
Overview
Cookie management application with heap exploitation vulnerability.
Vulnerability
  • Buffer overflow on stack
  • Allows creation of fake chunk on stack
  • Free of user-controlled pointer
Exploitation Technique
  1. Create fake chunk on stack - Craft chunk metadata
  2. Free fake chunk - Add to fastbin freelist
  3. Allocate from fastbin - Get stack address from malloc
  4. Overwrite return address - Control execution flow
Why House of Spirit?
Demonstrates “tricking” malloc into managing fake chunks, allowing malloc to return attacker-controlled addresses.
House of Spirit is particularly useful when you can control a pointer that gets freed but can’t directly corrupt heap structures.

Poison Null Byte

PlaidCTF 2015

plaiddb - Null byte overflow

BalsnCTF 2019

PlainNote - Modern null byte

PlaidCTF 2015: plaiddb

Challenge Name: plaiddb
CTF: PlaidCTF 2015
Category: Pwnable
Technique: poison_null_byte Writeup: https://github.com/ctfs/write-ups-2015/tree/master/plaidctf-2015/pwnable/plaiddb
Overview
Database application with single null byte overflow vulnerability.
Vulnerability
  • Off-by-one null byte write
  • Corrupts chunk size field
  • Leads to chunk consolidation issues
Exploitation Steps
  1. Overflow null byte - Corrupt chunk size
  2. Free chunk - Trigger incorrect consolidation
  3. Create overlap - Allocate overlapping chunks
  4. Leak information - Extract libc addresses
  5. Arbitrary write - Overwrite critical structures
Technique Significance
Poison null byte is a subtle technique that demonstrates how even a single byte overflow can lead to complete compromise.

BalsnCTF 2019: PlainNote

Challenge Name: PlainNote
CTF: BalsnCTF 2019
Category: Pwnable
Technique: poison_null_byte Writeup: https://gist.github.com/st424204/6b5c007cfa2b62ed3fd2ef30f6533e94
Overview
Note-taking application with modern protections.
Modern Challenges
  • Newer glibc with additional checks
  • Requires more careful heap grooming
  • Multiple stages of exploitation
Exploitation Strategy
  1. Leak addresses - Bypass ASLR
  2. Poison null byte - Corrupt chunk metadata
  3. Overlap chunks - Create controlled overlap
  4. Tcache poisoning - Leverage overlap for tcache attack
  5. Arbitrary allocation - Get malloc to return arbitrary address

Overlapping Chunks

hack.lu 2015

bookstore - Chunk overlap

Nuit du Hack 2016

night-deamonic-heap - Advanced overlap

hack.lu CTF 2015: bookstore

Challenge Name: bookstore
CTF: hack.lu CTF 2015
Category: Exploitation
Technique: overlapping_chunks Writeup: https://github.com/ctfs/write-ups-2015/tree/master/hack-lu-ctf-2015/exploiting/bookstore
Overview
Bookstore management application with heap manipulation vulnerability.
Vulnerability
  • Heap overflow into freed chunk
  • Allows corruption of chunk size in unsorted bin
  • Leads to overlapping allocations
Exploitation Process
  1. Free chunk to unsorted bin - Get chunk in unsorted bin
  2. Overflow size field - Increase chunk size
  3. Allocate large chunk - Malloc uses corrupted size
  4. Create overlap - New allocation overlaps with existing chunks
  5. Exploit overlap - Modify in-use chunk data

Nuit du Hack 2016: night-deamonic-heap

Challenge Name: night-deamonic-heap
CTF: Nuit du Hack CTF Quals 2016
Category: Exploitation
Technique: overlapping_chunks Writeup: https://github.com/ctfs/write-ups-2016/tree/master/nuitduhack-quals-2016/exploit-me/night-deamonic-heap-400
Overview
Advanced heap challenge with multiple exploitation stages.
Complexity Factors
  • Multiple heap operations
  • Requires precise heap grooming
  • Timing-sensitive exploitation

House of Force

Boston Key Party 2016

cookbook - Top chunk exploitation

BCTF 2016

bcloud - House of Force

Boston Key Party 2016: cookbook

Challenge Name: cookbook
CTF: Boston Key Party 2016
Category: Pwnable
Technique: house_of_force Writeup: https://github.com/ctfs/write-ups-2016/tree/master/boston-key-party-2016/pwn/cookbook-6
Overview
Recipe management application with top chunk corruption vulnerability.
Vulnerability
  • Heap overflow into top chunk
  • Allows corruption of top chunk size
  • Enables arbitrary malloc return addresses
Exploitation Strategy
  1. Corrupt top chunk size - Set to very large value (0xffffffffffffffff)
  2. Calculate distance - Compute distance to target address
  3. Request specific size - Make malloc allocate at target
  4. Arbitrary allocation - Next malloc returns target address
  5. Overwrite data - Control critical structure
Why It Works (Pre-2.29)
Older glibc didn’t validate top chunk size, allowing attackers to make malloc return almost any address.
House of Force is patched in glibc 2.29+, but understanding it helps comprehend top chunk management.

BCTF 2016: bcloud

Challenge Name: bcloud
CTF: BCTF 2016
Category: Pwnable
Technique: house_of_force Writeup: https://github.com/ctfs/write-ups-2016/tree/master/bctf-2016/exploit/bcloud-200
Overview
Cloud storage application with heap exploitation.
Additional Challenges
  • Limited primitives
  • Information leak required
  • Heap grooming essential

Unsorted Bin Attack

0ctf 2016: zerostorage

Challenge Name: zerostorage
CTF: 0ctf 2016
Category: Pwnable
Technique: unsorted_bin_attack Writeup: https://github.com/ctfs/write-ups-2016/tree/master/0ctf-2016/exploit/zerostorage-6
Overview
Storage management application with unsorted bin exploitation.
Vulnerability
  • Use-after-free on unsorted bin chunk
  • Allows corruption of bk pointer
  • Enables large value write to arbitrary address
Exploitation Technique
  1. Free chunk to unsorted bin - Get chunk in unsorted bin
  2. Corrupt bk pointer - Overwrite bk to target address
  3. Trigger allocation - Malloc processes unsorted bin
  4. Arbitrary write - Target address gets large value (libc address)
  5. Leverage write - Use to bypass checks or gain control
Use Cases
  • Overwriting global_max_fast
  • Corrupting authentication variables
  • Bypassing security checks

Large Bin Attack

0ctf 2018: heapstorm2

Challenge Name: heapstorm2
CTF: 0ctf 2018
Category: Pwnable
Technique: large_bin_attack Writeup: https://dangokyo.me/2018/04/07/0ctf-2018-pwn-heapstorm2-write-up/
Overview
Complex heap challenge requiring large bin exploitation.
Vulnerability
  • Use-after-free on large bin chunks
  • Allows corruption of large bin metadata
  • Enables arbitrary write primitive
Exploitation Strategy
  1. Create large bin chunks - Allocate chunks > 1024 bytes
  2. Free to large bin - Get chunks in large bin
  3. Corrupt metadata - Overwrite bk_nextsize pointer
  4. Trigger sorting - Make malloc sort large bin
  5. Arbitrary write - Get write-what-where primitive
Why Large Bin?
Large bins use additional pointers (fd_nextsize, bk_nextsize) for size-ordered lists, providing more exploitation opportunities.
Large bin attacks are more complex but still work on modern glibc, making them valuable for current exploitation.

House of Einherjar

Seccon 2016: tinypad

Challenge Name: tinypad
CTF: Seccon CTF 2016
Category: Pwnable
Technique: house_of_einherjar Writeup: https://gist.github.com/hhc0null/4424a2a19a60c7f44e543e32190aaabf
Overview
Note-taking application with off-by-one vulnerability.
Vulnerability
  • Off-by-one null byte write
  • Allows PREV_IN_USE flag corruption
  • Triggers backward consolidation
Exploitation Technique
  1. Craft fake prev_size - Set up fake chunk metadata
  2. Off-by-one overflow - Clear PREV_IN_USE flag
  3. Free chunk - Trigger backward consolidation
  4. Overlapping allocation - Get overlapping chunks
  5. Arbitrary write - Use overlap to corrupt data
Technique Significance
House of Einherjar demonstrates how metadata bit manipulation can lead to chunk consolidation attacks.

House of Orange

Hitcon 2016: houseoforange

Challenge Name: houseoforange
CTF: Hitcon CTF 2016
Category: Pwnable
Technique: house_of_orange Writeup: https://github.com/ctfs/write-ups-2016/tree/master/hitcon-ctf-2016/pwn/house-of-orange-500
Overview
The challenge that gave House of Orange its name! No explicit free() in the binary.
Unique Constraints
  • No free() function available
  • Must trigger free through other means
  • Requires _IO_FILE structure exploitation
Exploitation Strategy
  1. Corrupt top chunk - Trigger sysmalloc
  2. Old top to unsorted bin - Get free without free()
  3. Unsorted bin attack - Write to _IO_list_all
  4. Craft fake FILE stream - Create fake _IO_FILE
  5. Trigger FILE operation - Get code execution via vtable
Why It’s Significant
Demonstrates advanced heap exploitation combined with FILE stream exploitation - a multi-stage attack requiring deep understanding.
House of Orange is patched in glibc 2.26+ (vtable validation), but the top chunk manipulation technique remains relevant.

Tcache Poisoning

Hitcon 2019: one punch man

Challenge Name: one punch man
CTF: Hitcon CTF 2019
Category: Pwnable
Technique: tcache_stashing_unlink_attack Writeup: https://github.com/xmzyshypnc/xz_files/tree/master/hitcon2019_one_punch_man
Overview
Modern heap challenge using tcache-specific techniques.
Technique
  • Tcache stashing unlink attack
  • Exploits interaction between tcache and small bins
  • Enables arbitrary allocation with calloc
Exploitation Flow
  1. Fill tcache - Fill specific size tcache
  2. Chunks to small bin - Get chunks in small bin
  3. Corrupt small bin - Overwrite bk pointer
  4. Trigger calloc - Calloc uses small bin (not tcache)
  5. Stash to tcache - Small bin chunks moved to tcache
  6. Arbitrary allocation - Corrupted chunk now in tcache
Modern Context
Demonstrates post-tcache exploitation techniques that leverage interactions between old and new allocator features.

Modern Challenges (2023-2024)

37c3 Potluck 2023

Tamagoyaki - Safe-linking bypass

PicoCTF 2024

high frequency troubles - House of Tangerine

37c3 Potluck: Tamagoyaki

Challenge Name: Tamagoyaki
CTF: 37c3 Potluck CTF 2023
Category: Pwnable
Techniques: house_of_water, safe_link_double_protect Repository: https://github.com/UDPctf/CTF-challenges/tree/main/Potluck-CTF-2023/Tamagoyaki
Overview
Cutting-edge challenge demonstrating latest techniques on modern glibc.
Techniques Used
House of Water:
  • Exploit UAF to control tcache metadata
  • Leakless tcache exploitation
  • Link libc pointers in tcache without leaks
Safe-link Double Protection:
  • Bypass PROTECT_PTR (safe-linking)
  • Protect pointer twice to cancel out protection
  • Link arbitrary pointers in tcache
Modern Challenges
  • glibc 2.36+ with full protections
  • Safe-linking enabled
  • Tcache hardening active
  • Requires novel bypass techniques
Why It Matters
Demonstrates that heap exploitation continues to evolve. Even with modern mitigations, creative attackers find new techniques.
This challenge represents the cutting edge of heap exploitation research as of 2024.

PicoCTF 2024: high frequency troubles

Challenge Name: high frequency troubles
CTF: PicoCTF 2024
Category: Binary Exploitation
Technique: house_of_tangerine Challenge Link: https://play.picoctf.org/practice/challenge/441
Overview
Modern reinterpretation of House of Orange for glibc 2.26+.
Technique: House of Tangerine
  • Top chunk manipulation (like House of Orange)
  • Exploits tcache instead of _IO_FILE
  • Works on modern glibc (2.26+)
  • Completely arbitrary pointer via tcache
Exploitation Flow
  1. Corrupt top chunk - Trigger sysmalloc
  2. Old top chunk freed - Top chunk freed to bins
  3. Allocate overlapping - Create overlapping chunks
  4. Tcache poisoning - Use overlap to poison tcache
  5. Arbitrary allocation - Get malloc to return arbitrary address
Educational Value
Shows how classic techniques are adapted for modern systems. Understanding the evolution from House of Orange to House of Tangerine teaches adaptation skills.

Challenges by CTF

By Year

  • PicoCTF 2024: high frequency troubles (house_of_tangerine)
  • 37c3 Potluck: Tamagoyaki (house_of_water, safe_link_double_protect)
  • Hitcon 2019: one punch man (tcache_stashing_unlink_attack)
  • BalsnCTF 2019: PlainNote (poison_null_byte)
  • 0ctf 2018: heapstorm2 (large_bin_attack)
  • 0ctf 2017: babyheap (fastbin_dup_into_stack)
  • Insomni’hack 2017: Wheel of Robots (unsafe_unlink)
  • Hitcon 2016: houseoforange (house_of_orange)
  • Hitcon 2016: SleepyHolder (fastbin_dup_consolidate)
  • Seccon 2016: tinypad (house_of_einherjar)
  • 0ctf 2016: zerostorage (unsorted_bin_attack)
  • Boston Key Party 2016: cookbook (house_of_force)
  • BCTF 2016: bcloud (house_of_force)
  • Nuit du Hack 2016: night-deamonic-heap (overlapping_chunks)
  • 9447 CTF 2015: search-engine (fastbin_dup_into_stack)
  • PlaidCTF 2015: plaiddb (poison_null_byte)
  • hack.lu 2015: bookstore (overlapping_chunks)
  • HITCON 2014: stkof (unsafe_unlink)
  • hack.lu 2014: OREO (house_of_spirit)

Practice Recommendations

For Beginners

  1. Start with solved challenges - Read writeups first
  2. Reproduce exploits - Run provided exploits to understand
  3. Modify exploits - Change targets to test understanding
  4. Study technique - Match challenge to how2heap example

For Intermediate

  1. Attempt before reading - Try solving without writeup
  2. Compare solutions - See how your approach differs
  3. Optimize exploits - Make exploits more reliable
  4. Combine techniques - Practice using multiple techniques

For Advanced

  1. Zero-day challenges - Solve new challenges without writeups
  2. Create variations - Modify challenges to add constraints
  3. Develop novel techniques - Find new exploitation methods
  4. Contribute writeups - Help the community
Many of these challenges are available on archived CTF platforms or can be found in GitHub repositories. Search for “[CTF name] [challenge name] archive” to find them.

Study Strategy

Technique-Based Approach

  1. Learn technique - Study how2heap example
  2. Find CTF challenge - Use table above to find real challenge
  3. Read writeup - Understand practical application
  4. Reproduce exploit - Run the exploit yourself
  5. Understand differences - See how real challenge differs from example

Challenge-Based Approach

  1. Choose challenge - Pick from list above
  2. Analyze binary - Understand functionality
  3. Identify vulnerability - Find the bug
  4. Match to technique - Link to how2heap example
  5. Develop exploit - Create working exploit
  6. Compare writeup - See intended solution

Next Steps

Tutorials

Study comprehensive heap exploitation tutorials

Techniques

Explore how2heap technique examples

Build docs developers (and LLMs) love

Get started for freeTalk to us