PWN methodology — LINUX

Karol Mazurek
Aug 11, 2021

This is my current methodology for approaching targets during binary exploitation on Linux.

  • It is maintained as a cheat sheet, so it stays concise and does not grow too long.
  • It covers manual exploitation only; fuzzers such as AFL are not described.
  • I will update this article from time to time with new notes.

0. Find SUID targets (binaries that run with their owner's privileges, not yours):
find / -perm -u=s -type f 2>/dev/null

1. Basic binary security checks and some bypasses:
a) ASLR — partial overwrite / info disclosure (address leak) / brute force
b) DEP (NX) — mprotect() / ret2libc / ROP / egghunter
c) RELRO — GOT overwrite (no or partial RELRO: .got.plt stays writable) / .fini_array overwrite / .dtors overwrite (both need no RELRO at all)
d) PIE — address leak / NOP slide
e) Stack canaries — brute force (only when the service forks, so the canary stays the same) / heap overflows / arbitrary write
f) Architecture — 32-bit or 64-bit?
g) Library linking — dynamically or statically linked?
h) Debugging info — stripped or not stripped?
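Every check in step 1 is answered by the ELF headers, which is all that checksec-style tools read. The following is an added example (my own code, not the author's tooling): a pure-Python checker that reports PIE, NX, RELRO level, canary, static linking, stripping and architecture, plus a constructed header-only ELF image so it can be exercised offline. `checksec`, `build_sample_elf` and the helper names are mine; the canary test is a heuristic (presence of the `__stack_chk_fail` symbol name), as in checksec.sh.

```python
import struct
import sys

# ELF constants (values as in elf.h)
PT_INTERP, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 3, 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
ET_EXEC, ET_DYN, SHT_SYMTAB, SHT_STRTAB = 2, 3, 2, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 8, 1
ARCH = {3: "x86", 62: "x86-64", 40: "ARM", 183: "AArch64"}

def _ehdr(data):
    """ELF header fields we need (little-endian files only)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[5] != 1:
        raise ValueError("big-endian ELF not handled here")
    cls = 64 if data[4] == 2 else 32
    f = struct.unpack_from("<HHIQQQIHHHHHH" if cls == 64 else "<HHIIIIIHHHHHH", data, 16)
    return dict(cls=cls, type=f[0], machine=f[1], phoff=f[4], shoff=f[5],
                phentsize=f[8], phnum=f[9], shentsize=f[10], shnum=f[11], shstrndx=f[12])

def _phdrs(data, h):
    """Program headers as (p_type, p_flags, p_offset, p_filesz); the 32-bit
    layout stores p_flags near the end, the 64-bit one right after p_type."""
    out = []
    for i in range(h["phnum"]):
        off = h["phoff"] + i * h["phentsize"]
        if h["cls"] == 64:
            t, fl, o, _, _, sz, _, _ = struct.unpack_from("<IIQQQQQQ", data, off)
        else:
            t, o, _, _, sz, _, fl, _ = struct.unpack_from("<IIIIIIII", data, off)
        out.append((t, fl, o, sz))
    return out

def _section_types(data, h):
    """sh_type of each section header; empty if the table was stripped away."""
    if h["shoff"] == 0 or h["shnum"] == 0:
        return []
    fmt = "<IIQQQQIIQQ" if h["cls"] == 64 else "<IIIIIIIIII"
    return [struct.unpack_from(fmt, data, h["shoff"] + i * h["shentsize"])[1] for i in range(h["shnum"])]

def _dynamic(data, cls, off, size):
    """(d_tag, d_val) entries of PT_DYNAMIC up to DT_NULL."""
    fmt, ent = ("<qQ", 16) if cls == 64 else ("<iI", 8)
    entries = []
    for pos in range(off, off + size, ent):
        tag, val = struct.unpack_from(fmt, data, pos)
        if tag == DT_NULL:
            break
        entries.append((tag, val))
    return entries

def checksec(data):
    """The step-1 checks, with the same decision rules checksec.sh uses."""
    h = _ehdr(data)
    segs = {t: (fl, o, sz) for t, fl, o, sz in _phdrs(data, h)}
    dyn = _dynamic(data, h["cls"], *segs[PT_DYNAMIC][1:]) if PT_DYNAMIC in segs else []
    bind_now = any(t == DT_BIND_NOW or (t == DT_FLAGS and v & DF_BIND_NOW)
                   or (t == DT_FLAGS_1 and v & DF_1_NOW) for t, v in dyn)
    return {
        "arch": ARCH.get(h["machine"], hex(h["machine"])),
        "bits": h["cls"],
        "pie": h["type"] == ET_DYN,                       # ET_DYN executable = PIE
        # stack is executable when PT_GNU_STACK is absent or carries PF_X
        "nx": PT_GNU_STACK in segs and not (segs[PT_GNU_STACK][0] & PF_X),
        # GNU_RELRO segment = partial; plus BIND_NOW (GOT resolved at load) = full
        "relro": "none" if PT_GNU_RELRO not in segs else ("full" if bind_now else "partial"),
        "canary": b"__stack_chk_fail" in data,            # heuristic: handler referenced by name
        "static": PT_INTERP not in segs,                  # no interpreter = no dynamic loader
        "stripped": SHT_SYMTAB not in _section_types(data, h),
    }

def build_sample_elf(pie=True, nx=True, relro="full", canary=True, stripped=False, static=False):
    """CONSTRUCTED 64-bit x86-64 ELF image for offline testing: headers only, no code."""
    segs = []  # (p_type, p_flags, payload)
    if not static:
        segs.append((PT_INTERP, PF_R, b"/lib64/ld-linux-x86-64.so.2\0"))
    dyn = ([(DT_FLAGS, DF_BIND_NOW)] if relro == "full" else []) + [(DT_NULL, 0)]
    segs.append((PT_DYNAMIC, PF_R | PF_W, b"".join(struct.pack("<qQ", t, v) for t, v in dyn)))
    segs.append((PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), b""))
    if relro != "none":
        segs.append((PT_GNU_RELRO, PF_R, b""))
    body, ph, base = b"", b"", 64 + 56 * len(segs)
    for t, fl, payload in segs:
        ph += struct.pack("<IIQQQQQQ", t, fl, base + len(body), 0, 0, len(payload), len(payload), 1)
        body += payload
    body += b"__stack_chk_fail\0" if canary else b"\0"
    shoff = base + len(body)
    sh = struct.pack("<IIQQQQIIQQ", *([0] * 10))                               # mandatory null section
    sh += struct.pack("<IIQQQQIIQQ", 1, SHT_STRTAB, 0, 0, base, 0, 0, 0, 1, 0)  # .shstrtab placeholder
    if not stripped:
        sh += struct.pack("<IIQQQQIIQQ", 11, SHT_SYMTAB, 0, 0, base, 0, 0, 0, 8, 24)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", ET_DYN if pie else ET_EXEC,
                       62, 1, 0, 64, shoff, 0, 64, 56, len(segs), 64, 2 if stripped else 3, 1)
    return ehdr + ph + body + sh

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for k, v in checksec(blob).items():
        print(f"{k:9}{v}")
```

Run it as `python3 elfcheck.py ./target` (file name assumed); with no argument it reports on the constructed sample. Two caveats a practitioner should keep in mind: a shared library is also ET_DYN, so "pie" is only meaningful for executables, and a static-pie binary has no PT_INTERP yet still carries PT_DYNAMIC, so "static" here means "no dynamic loader", not "no relocations".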


2. Run the binary with:
a) no arguments
b) one argument
c) two or more arguments
d) data on stdin
e) a buffer overflow string (a long cyclic pattern, so the crash value maps back to an offset)
f) a format string (%p / %x / %s)
g) a format string in a loop (%1$p, %2$p, ... to find where the input buffer sits on the stack)
h) a remote format string or buffer overflow (when the target is a network service)


3. Trace and debug the binary with:
a) ltrace — library call tracer
b) strace — system call and signal tracer
c) gdb — the GNU Project Debugger

4. Decompile & disassemble the binary:
a) using IDA / Ghidra / Hopper / Binary Ninja
b) disassemble the .text section
c) check the sections
d) check

Karol Mazurek

Offensive Security Engineer