ARM Exploitation Challenges

lab Challenge series

Dive deep into low-level Reversing & Exploitation techniques on ARM architectures.

Write your awesome label here.

Explore the Challenges

Welcome to the wonderful (and dangerous) world of heap exploitation where one forgotten pointer can lead to a full system compromise. In this challenge, you’re dealing with a vulnerable program that manages a simple user structure with a name field and a function pointer (callback).

Your goal is to overwrite the freed callback pointer with the address of a hidden win() function. If you succeed, calling the callback will hand you a shell on a silver platter — and a flag to go with it 🎯

Can you control the heap layout, overwrite the function pointer, and execute your payload before the system catches on?

You’ve seen printf(name) in wild CTFs and war stories, and now it’s your turn to exploit it.

This binary greets you by asking for your name… then recklessly echoes it back.

This opens the door to a powerful format string vulnerability, giving you the ability to leak memory, dump stack contents, and possibly even control execution, depending on your skills.

Your mission: abuse this format string bug to leak critical addresses from the stack. The win() function is already sitting there, and your job is to find a way to get to it.

Most format string challenges are loud. This one? Completely silent.

In this challenge, the program takes your input and passes it directly to fprintf(stderr, input), creating a classic format string vulnerability, except there’s a twist.

This is a blind format string bug, meaning you’ll have to get clever. No printed stack dumps, no visual feedback. You’ll need to leak memory, discover offsets, and potentially redirect execution, all without seeing a single %p.

But if you figure it out, there’s a hidden win() function waiting to reward your effort with a shell and a flag.

After You Upload Your Solution:

Review

We’ll review your submission to confirm correct exploitation. This may take up to 5 business days

Certification

Successfully completing the challenges earns you a verified digital certificate to showcase your skills

03

Recognition

Add your certificate to your LinkedIn profile and portfolio, validating your hands-on skills in ARM64 exploitation

Hands-On Exploitation Skills
Practice reverse engineering, static and dynamic analysis, and bypassing security controls that apply to real ARM based binaries.

Real-World Scenarios
Work with multiple binaries that have vulnerabilities ranging from classic heap overflows to subtle use-after-free bugs that simulate the challenges you'd face in real world cases for ARM64 exploitation.

Tool Proficiency
Get comfortable using tools like pwndbg, radare2, Ghidra, and more in practical settings.

Security Mindset
Train yourself to think like an attacker: identify weaknesses, understand threat models, and build intuition around ARM binary attack strategies and defense evasion.

Portfolio-Ready Experience
Build a strong foundation that you can showcase, whether you are applying for security roles or contributing to embedded environments.

Are you ready to test your ARM Security skills?

At 8kSec, we Empower businesses with Cutting-Edge Mobile Security Training, Pioneering Vulnerability research, and Innovative product offerings

Senior Lead Security Engineer - Mobile*

A Global Banking Corporation

$147,700 - $190,000 a year

- Formal training or certification on Mobile Development concepts and 5+ years applied experience
- Strong understanding of mobile application security risks and mitigation strategies for both Android and iOS platforms
- Experience in implementing or managing mobile security operations
- Familiarity with CI/CD pipelines, DevSecOps methodologies, and secure software development practices
- Ability to collaborate with development teams on security functions & resolutions
- Hands-on practical experience delivering enterprise level cybersecurity solutions and controls
- Strong collaboration and communication skills are essential for working effectively with teams on security implementations
- Ability to evaluate current and emerging technologies to select or recommend the best solutions for future state architecture & enterprise integrations
- Proven experience leading projects from scoping to delivery

- Working closely with in-house mobile development teams, providing guidance on secure coding practices, threat mitigation strategies, and optimal use of mobile security solutions.
- Utilize our mobile security vendors and tools to drive proactive security measures, ensuring optimal configuration, monitoring, and maintenance to safeguard our mobile applications.
- Oversee the deployment, integration, and ongoing support of mobile security tools, ensuring they are effectively utilized and updated.
- Provide technical leadership in securing mobile applications and infrastructure, ensuring compliance with industry standards and best practices.
- Manage the lifecycle of mobile security tools, including planning and executing upgrades to maintain optimal performance and security.
- Work closely with cross-functional teams to enhance security awareness, provide training, and ensure adherence to security protocols. Additionally, serve as a key feedback conduit to the mobile binary scanning team, risk management, and source scanning teams, ensuring continuous improvements in security posture and alignment with organizational security strategies.

Mobile Implant Software Engineer*

A Cyber-Risk Consulting Firm

$114,000 - $180,000 a year

- Proven experience in CNO and software development, particularly in support of DoD and Intelligence community customers
- Demonstrated ability to perform advanced research and development on embedded systems, Linux, and iOS platforms
- Strong understanding of network protocols and experience in implementing support for TCP, UDP, and TLS
- Experience in designing, developing, and integrating modular cyber capabilities
- Proficiency in using and integrating CI/CD tools and practices
- Excellent problem-solving skills and the ability to design novel solutions to complex security challenges
- Strong leadership skills with the ability to guide and mentor development teams
- Programming Languages: C, C++, Python, Java, x86 Assembly, MIPS Assembly, Microblaze Assembly, ARM Assembly, ARM64 Assembly, VHDL, Verilog, XML, JSON, HTML
- Tools and Technologies: LLDB/LLVM, IDA Pro, Immunity Debugger, Immunity Canvas, Eclipse, Git, Subversion, Embedded Systems, FPGAs, Docker, Intel Performance Primitives (IPP), High Performance Computing (HPC), REDHAWK, OmniORB CORBA, Software Defined Radios (SDR), Signal Processing, MySQL, PostgreSQL, JDBC, Django, ActiveMQ, Jpype, Pyxb, STOMP

- Lead research and development projects focused on mobile vulnerabilities and cyber operations
- Design and implement innovative solutions to address operational security challenges
- Architect and develop flexible, modular cyber capabilities in C, C++, and Python
- Triage and analyze public software vulnerabilities (CVEs) for security concerns
- Provide technical support and custom solutions to high-priority customer needs
- Design and develop new client/server data distribution tools
- Implement support for multiple network protocols, including TCP, UDP, and TLS
- Create custom build systems and ensure portability using Docker
- Integrate new projects with CI/CD services to streamline development processes
- Generate and maintain unit tests to enhance the reliability of client/server applications
- Guide the development team in adhering to industry software engineering standards and best practices

Sr. Android Penetration Tester*

A Gobal Device Company

$130,000 - $166,000 a year

- 5+ years of penetration testing experience, including 2+ years of Android penetration testing and 1+ year of web application penetration testing
- Strong understanding of malware, phishing attacks, attack vectors, and security best practices
- Knowledge of penetration testing tools, threat modeling, and security frameworks
- Ability to conduct security research, CVE analysis, and adversary simulation
- Strong communication skills to work cross-functionally with engineering and security teams
- Experience working in corporate environments with internal penetration testing teams (preferred over agency-based consulting experience)
- Bachelor’s degree in either Cybersecurity, Computer Science, Information Security, or related field
Preferred Qualifications:
- Certifications in offensive security
- Published CVEs, blog posts, or walkthroughs on security research
- Malware development and reverse engineering experience
- Experience working in top security consulting firms or in-house red teams at major tech companies
- Hands-on experience with firmware penetration testing and IoT security.

- Develop expertise in our product solutions, deep diving into design/architecture, & execute white box and black box penetration scenarios
- Plan, scope and conduct vulnerability assessment/ Penetration test on internal / external facing public assets such as Web application, Android platform, Android Apps, Backend APIs, and Cloud services
- Research & and conduct adversary simulation for known security threats and identify novel attack vectors to test a system’s relative security readiness
- Conduct Threat modelling, Threat Intelligence and scoping with stakeholders
- Assist in creating and maintaining internal penetration testing and practice within QA team, managing vulnerabilities and tracking until closure
- Build Test harness & required Automation suites and validate attack vectors in Threat Lab
- Co-ordinate with program management, security architects at Internal & offshore sites
- Stays up to date on current tools, technologies, and vulnerabilities to incorporate into testing practices
- Research and developing exploits for zero-day vulnerabilities
- Conduct penetration test on IOT and Firmware Devices