pwn Challenge Rankings

opinion · posted 2026-02-13 (updated 2026-02-22) · who knew

I love ranking things. Let's rank some pwn challs!

I won't rank every single pwn chall I do, there's really no rhyme or reason to if I rank it, it's just if I feel like it. Similarly, the rankings themselves are very experience-based, not an attempt at an objective value rating.

I like pwn challenges that require creative thinking rather than tedious incremental grind coding. Minus points for a required brute force. I'll rate problems along:

Most file assets can be found in this repo: https://git.sr.ht/~sourque/ctf/tree

  1. FGASLR by LMS @ US Cyber Open (2025)

    FGASLR is so unique. It's so close to peak puzzle solving through the medium of computers. It's based on Andrew Kramer's PhD, and you have to reconstruct a tree of pointers based on a mem corruption bug.

    • Overall: 9.1/10
    • Difficulty: 8/10
    • Creativity: 8.6/10
  2. A Child's Dream by davezero and church @ srdnlen CTF (2025)

    NES pwn?! The payload was deployed by my fingers! A fun and interesting chall; I really liked seeing the tools available for NES emulation. This problem rewarded noticing and exploring strange things rather than trudging through 50k lines of asm. Talking to the authors, though, and having to perform the exploit was probably the best part.
    Writeup

    • Overall: 8.5/10
    • Difficulty: 7/10
    • Creativity: 9/10
  3. Verified C by moratorium08 @ ICC Tokyo (2025)

    I love SMT solvers so this was a great crossover. It's a C-like domain specific language that can do if/elses and array indexes, but only if they are "verified". I spent a lot of time looking for bugs in the SMT handling, but there were none that I found.

    The only bug I found was in the if/else branches: variables declared in the if were not removed from the context in the else, even though they should have been. You can abuse this with a name collision with a global var. I got memory corruption but didn't solve it during the event due to a personal skill issue (thank you to nico/flocto for helping; if I had reached out while we still had more than 30 mins left we surely would have gotten it). Super fun chall!

    • Overall: 8.5/10
    • Difficulty: 8/10
    • Creativity: 9/10
  4. Arcane Link by CINI @ ICC (2023)

    Awesome challenge. CINI quality doesn't disappoint. It was a QEMU patch that added a hardware device that had some race conds and an info leak. Loading QEMU in Ghidra was quite the time intensive process...

    Writeup, official writeup

    • Overall: 8.6/10
    • Difficulty: 8.5/10
    • Creativity: 8/10
  5. tiny-rop by redford @ ECSC Poland (2025)

    tiny-rop was fun, and tiny. I worked on this with eth007. The key insight was to wrap the read size in rdx backwards, but only through edx, since read errors out on a 64-bit value but not on a 32-bit max value. This challenge is sloppable, as of 2026-02-22 :(

    Exploit

    • Overall: 7.3/10
    • Difficulty: 7/10
    • Creativity: 8.8/10
  6. exfil by LMS @ US Cyber Open (2024)

    exfil was fun. Silly glibc!

    Writeup

    • Overall: 7.8/10
    • Difficulty: 7/10
    • Creativity: 8.5/10
  7. quicker by LMS @ US Cyber Open (2025)

    quicker was an injected bug in Bellard's QuickJS. It was fun! LMS's intended solution was way more insane than what I found though.

    • Overall: 7.5/10
    • Difficulty: 8/10
    • Creativity: 7/10
  8. BabyQEMU by ShiftCrops @ SECCON CTF 13 (2024)

    BabyQEMU was a QEMU escape with a PCI device that basically gave you arbitrary read/write. It was fun though, since I hadn't done a hypervisor escape before, and I learned a lot :)

    • Overall: 7.4/10
    • Difficulty: 7.5/10
    • Creativity: 6/10
  9. leapfrog by LMS @ US Cyber Open (2024)

    leapfrog was an application of LMS's PhD thesis. It was good but kind of a slog LOL, since it was all implementation, and I skipped right to the intended solution when there were some unintended ones.

    Writeup

    • Overall: 7.3/10
    • Difficulty: 7/10
    • Creativity: 8.8/10
If you have any questions or feedback, please email my public inbox at ~sourque/public-inbox@lists.sr.ht.