Full chain challenge which has two parts: get userland code execution and then exploit a vulnerability within the custom piccall syscall handler!
A look back at my first year in pwn ... story of how I started, lessons learned and where I want to go from here.
Forcing recv() to return early by sending a TCP URG packet!
Leaking the stack via partial format strings (%*N$)
Abused the server misconfiguration in the user-namespace mapping, which gave us effective root inside the container, to escape the chroot by using an exploit that chroots inside the chroot to escape the jail.