Pwn
Table of Contents
- Pwn
- PWN Overview (Direction Outline)
- The Goals and Essence of PWN
- The Overall Knowledge Structure of PWN
- The Learning Path for PWN (Recommended Starting Route)
- The Relationship Between PWN and Other Fields
- Secondary Structure Navigation Under PWN (Entering Subsystems)
Pwn
PWN Overview (Direction Outline)
┌─────────────────────┐
│  CTF Overview (Hub) │
└──────────┬──────────┘
           │
           ▼
    ┌─────────────┐
    │     PWN     │  ← you are here
    └──────┬──────┘
           │
     ┌─────┼─────┐
     ▼     ▼     ▼
 Knowledge System   Challenge Reviews   Tool Index

PWN (Binary Exploitation) is the CTF field that best trains low-level skills. This note is the main hub node for the PWN track; it connects all subfields, knowledge categories, and toolchains.
The Goals and Essence of PWN
The core goals of PWN are:
- Understand how a program can be controlled
- Understand memory layout and Linux runtime mechanisms
- Build attack chains through vulnerabilities to hijack control flow or program behavior
- Bypass various modern security mechanisms
The essence of PWN is a complete reasoning process of “from source code → assembly → memory → control flow”.
The Overall Knowledge Structure of PWN
The PWN knowledge system can generally be divided into the following main lines:
Program fundamentals
- Program compilation and linking process
- ELF file structure
- Calling conventions
- Stack frame structure
Common vulnerability types
- Stack overflow
- Format string vulnerability
- Integer overflow
- UAF (Use-After-Free)
- Double Free
- Heap overflow
- Off-by-one
Exploitation techniques
- ret2text
- ret2libc
- ROP chain construction
- Syscall exploitation
- Heap exploitation basics
- GOT/PLT mechanism
- libc leak logic
glibc / ld.so low-level mechanisms
- glibc runtime mechanisms
- Dynamic linking and symbol resolution
- Heap management mechanism (ptmalloc)
Security mechanisms and bypasses
- NX
- PIE
- ASLR
- RELRO
- Stack Canary
- seccomp
Toolchain and workflow
- pwntools
- gdb (including pwndbg / peda)
- IDA
- readelf / objdump
- glibc-all-in-one
- patchelf
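The following is an added example, not code from this note or from any of the tools listed above. It turns the chain "source code → memory → control flow" into a small C model: one stack frame is laid out as a plain struct so the overflow stays inside a single object and the result is deterministic, instead of smashing the real stack. The constants CANARY, GOOD_RET and EVIL_RET and all function names are this example's own assumptions. It shows the stack overflow from the vulnerability list overwriting the saved return address, the Stack Canary from the mechanisms list catching the blind version, the leak-then-hijack path (canary read first, for instance through a format string bug) passing the check, and the bounded copy that closes the bug.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16
#define CANARY   0x0A1B2C3D4E5F6071ULL  /* fixed stand-in for the per-process random canary (assumption) */
#define GOOD_RET 0x401136ULL            /* hypothetical legitimate return address */
#define EVIL_RET 0xDEADBEEFULL          /* hypothetical attacker-chosen target, e.g. a ROP gadget */

/* One stack frame modelled as a struct so every write stays inside one object. */
typedef struct {
    char     buf[BUF_SIZE];   /* local array the program fills from input */
    uint64_t canary;          /* guard word between locals and saved state */
    uint64_t saved_ret;       /* what the epilogue's ret would pop */
} model_frame;
_Static_assert(sizeof(model_frame) == 32, "layout assumed: 16 + 8 + 8 bytes, no padding");

static void frame_init(model_frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY;
    f->saved_ret = GOOD_RET;
}

/* Vulnerable pattern: the copy length comes from the input, not from the buffer. */
static void vuln_copy(model_frame *f, const unsigned char *in, size_t n) {
    if (n > sizeof *f) n = sizeof *f;      /* cap only to keep the model well-defined */
    memcpy((unsigned char *)f, in, n);     /* runs past buf into canary and saved_ret */
}

/* Hardened pattern: the copy length is bounded by the destination buffer. */
static void safe_copy(model_frame *f, const unsigned char *in, size_t n) {
    if (n > BUF_SIZE - 1) n = BUF_SIZE - 1;
    memcpy(f->buf, in, n);
    f->buf[n] = '\0';
}

/* The check a stack-protector epilogue performs: 1 = intact, 0 = smashed (real code aborts). */
static int canary_intact(const model_frame *f) {
    return f->canary == CANARY;
}

/* Payload: 16 filler bytes, 8 bytes landing on the canary, 8 bytes landing on saved_ret. */
static size_t build_payload(unsigned char out[32], uint64_t canary_bytes, uint64_t new_ret) {
    memset(out, 'A', BUF_SIZE);
    memcpy(out + BUF_SIZE, &canary_bytes, sizeof canary_bytes);
    memcpy(out + BUF_SIZE + 8, &new_ret, sizeof new_ret);
    return BUF_SIZE + 16;
}

/* Blind overflow: saved_ret is overwritten, but the canary no longer matches. */
static int blind_overflow_detected(void) {
    model_frame f; unsigned char p[32];
    frame_init(&f);
    size_t n = build_payload(p, 0x4141414141414141ULL, EVIL_RET);
    vuln_copy(&f, p, n);
    return !canary_intact(&f) && f.saved_ret == EVIL_RET;
}

/* Leak then hijack: canary known (e.g. read via a format string), check passes, ret hijacked. */
static int leaked_canary_bypass(void) {
    model_frame f; unsigned char p[32];
    frame_init(&f);
    size_t n = build_payload(p, CANARY, EVIL_RET);
    vuln_copy(&f, p, n);
    return canary_intact(&f) && f.saved_ret == EVIL_RET;
}

/* Bounded copy: same payload, but canary and saved_ret are untouched. */
static int bounded_copy_safe(void) {
    model_frame f; unsigned char p[32];
    frame_init(&f);
    size_t n = build_payload(p, CANARY, EVIL_RET);
    safe_copy(&f, p, n);
    return canary_intact(&f) && f.saved_ret == GOOD_RET;
}

int main(void) {
    printf("blind overflow detected by canary: %d\n", blind_overflow_detected());
    printf("leaked canary bypasses the check:  %d\n", leaked_canary_bypass());
    printf("bounded copy leaves frame intact:  %d\n", bounded_copy_safe());
    return 0;
}
```

The three scenarios map onto the learning path: a raw stack overflow reaches the saved return address; a canary turns the blind version into a crash; and the "leak + hijack" step exists precisely because the canary (and, under PIE/ASLR, the addresses) must be read out before the overwrite. The bounded copy is what the fix looks like at source level.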
The Learning Path for PWN (Recommended Starting Route)
- Build a low-level foundation:
  - Learn to use gdb
  - Understand stack frames and calling conventions
  - Be able to read disassembly (basic instructions + control flow)
- Master basic vulnerabilities:
  - Stack overflow → ret2libc
  - Format string vulnerabilities → leak + hijack
- Go deeper into exploitation chains:
  - ROP
  - Syscall
  - Introductory heap exploitation
- Strengthen heap-related skills:
  - chunk structure
  - fastbin and unsortedbin mechanisms
  - Common heap challenge topics (double free, unlink, etc.)
- Understand the essence of glibc / ld.so:
  - Dynamic linking
  - Symbol resolution
  - libc leak logic
This is a learning path that will run through all your future writeups and reviews.
The Relationship Between PWN and Other Fields
- Overlaps heavily with Reverse: you need to read function logic and assembly
- Different from Crypto and Web: it tests program logic + low-level security
- Less coupled with Forensics and Misc, though it may require system-level understanding
You can think of PWN as the CTF field that “most tests your control over systems”.
Secondary Structure Navigation Under PWN (Entering Subsystems)
Under PWN, you will further divide into:
PWN Knowledge System (PWN知识体系): systematic index of all third-level knowledge points
PWN Challenge Index (PWN题目索引): summary of all challenge writeups
PWN Tool Index (PWN工具索引): summary of tool-specific topics
These three together form the main backbone of all PWN content.