Tags: linux nginx pwn heap 

## TL;DR
This challenge requires exploiting a modified nginx (/ɛn dʒɪŋks/, "en jinks") binary with a handful of added functions, which can be found by their `ngx_http_pp_` prefix.

We can exploit a heap BOF (buffer overflow) caused by missing size checks in the nginx function `ngx_decode_base64` to overwrite a destructor inside the nginx pool struct, which gives us control of RIP and RDI. We use that control to extract the flag.
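
On the defensive side, `ngx_decode_base64` takes no destination capacity, so the bound has to be enforced by the caller before decoding. The following is an added example, not code from the challenge binary or from nginx: `b64_decode_unchecked` is a stand-in decoder with the same "no size parameter" contract, and `struct slot`, `b64_decode_checked` and `decode_into_slot` are hypothetical names showing the caller-side check.

```c
#include <stddef.h>
#include <string.h>

/* Same formula as nginx's ngx_base64_decoded_length(): worst-case output. */
#define B64_DECODED_LEN(len) ((((len) + 3) / 4) * 3)

/* Constructed layout: fixed buffer with other heap data right behind it. */
struct slot { unsigned char buf[12]; unsigned char next[8]; };

static int b64_val(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Stand-in decoder (assumption, not nginx source): no dst size parameter,
 * so it writes as many bytes as src decodes to. */
static long b64_decode_unchecked(unsigned char *dst, const char *src, size_t len)
{
    size_t i, n = 0;
    unsigned acc = 0;
    int bits = 0;

    for (i = 0; i < len && src[i] != '='; i++) {
        int v = b64_val((unsigned char) src[i]);
        if (v < 0) return -1;                 /* invalid character */
        acc = (acc << 6) | (unsigned) v;
        bits += 6;
        if (bits >= 8) { bits -= 8; dst[n++] = (unsigned char) (acc >> bits); }
    }
    return (long) n;
}

/* Caller-side size check: reject before a single byte is written. */
long b64_decode_checked(unsigned char *dst, size_t cap, const char *src, size_t len)
{
    if (len > (size_t) -1 - 3 || B64_DECODED_LEN(len) > cap) return -2;
    return b64_decode_unchecked(dst, src, len);
}

/* Decode into the fixed buffer of a slot; -2 means "would overflow". */
long decode_into_slot(struct slot *s, const char *b64)
{
    return b64_decode_checked(s->buf, sizeof s->buf, b64, strlen(b64));
}
```

The check uses the worst-case decoded length rather than the exact one, so input is rejected even when padding would have made the real output slightly smaller than the bound.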

## [more ...](https://w0y.at/writeup/2025/11/21/platypwn-2025-pool-party.html)

Original writeup (https://w0y.at/writeup/2025/11/21/platypwn-2025-pool-party.html).