In February 2023, I got hired to do a whitebox pentest of a PHP web app. The redacted report can be found here [PDF].
In March 2023, I got the opportunity to identify and report a stored XSS vulnerability in Apache Archiva 2.2.9. The vulnerability got awarded CVE-2023-28158.
In January 2025, I found an XSS in tirreno. The response was objectively the best I ever got to a security report: quick, high-quality and respectful.
A miscellaneous challenge for hxp CTF 2024 focusing on insecure default behaviour of the Network File System server. The challenge was created as a collaboration with philipp-tg and edermi. [challenge, writeup, further research]
A Rust reversing challenge for hxp CTF 2024 focusing on funny and weird X11 features. [challenge, writeup]
A zero-day web challenge for hxp CTF 2022 targeting Apache Archiva 2.2.9. The challenge is based on a vulnerability I discovered which was assigned CVE-2023-28158. [challenge, writeup]
A challenge for hxp CTF 2022 using the prototype pollution discussed in the challenge 2linenodejs as a way to obfuscate NodeJS code. [challenge, writeup]
A web challenge for hxp CTF 2022 focusing on an insecure design choice in sqlite-web leading to remote code execution. Remains unfixed. [challenge, writeup]
A web challenge for hxp CTF 2022 exploring ejs 3.1.8 after CVE-2022-29078 was fixed. [challenge, short writeup, extended writeup]
A misc challenge for hxp CTF 2021 inspired by Baba Is You, written in C for the Game Boy. [challenge, scoreboard, source, writeup]
A Game Boy challenge for hxp CTF 2020 written in C. Reverse the game and find the chicken. [challenge, scoreboard, source, solution run]
My writeup to a challenge from Insomni'hack 2022 about breaking PDF signatures using JavaScript.
My writeup to a Python sandbox escape from 0CTF 2021 Quals.
My writeup for a PHP sandbox escape from 0CTF 2020 Quals.
My totally serious guide on how to "hack hex with hyx", solving a challenge of PlaidCTF 2020.
My writeup for a challenge at Teaser Dragon CTF 2019 about reversing a PCAP to find pressed buttons of an Xbox controller.
Don't like the style of my website? Redesign it yourself!