About

I'm a freelance developer / hacker who plays CTF in his spare time.

Mail: mail @ this domain
PGP: F92B EDE7 9FEB 3815 CDE4 6BFA 3281 79BC 7013 805C


Blog

From Bug Bounty to CTF Challenge

2026-01-01

In December 2025, we hosted our latest hxp CTF at 39C3. This is a writeup, including the backstory, of how my best web challenge (so far) came to be.

tirreno - how to respectfully treat researchers

2025-03-15

In January 2025, I found an XSS in tirreno. The response was objectively the best I ever got to a security report: quick, high quality and respectful.

Technical Writeup for CVE-2023-28158

2024-04-07

In March 2023, I got the opportunity to identify and report a stored XSS vulnerability in Apache Archiva 2.2.9. The vulnerability got awarded CVE-2023-28158.

Redacted Pentest Report of a PHP Web App

2023-08-01

In February 2023, I got hired to do a whitebox pentest of a PHP web app. The redacted report can be found here [PDF].

Personal Projects

[Image gallery: recipes, series, find-the-chicken, gameboy-is-you, doktor-eisenbarth, michael-konstantin, almenrausch-pirkhof]

CTF Writeups

Stuff I created for hxp CTF

CatGPT (web)

A web challenge for hxp 39C3 CTF focusing on a bug in device-detector where it allowed a 1-byte arbitrary match. [challenge, writeup]

sponsored (misc)

A pyjail challenge for hxp 39C3 CTF focusing on hardening the challenge excepython from SECCON 14 Qualifiers by removing exceptions and loops. [challenge]

shell(de)coding (misc)

A simple shellcoding challenge for hxp 39C3 CTF: implement "base64 decode" in the fewest bytes possible in order to decode 32 random bytes. The current shortest known (feasible, only supports A-Za-z) solution for this challenge is b104ac2c413c1976022c06c1e30608c7e2f089d80fc8abffcfebe5 (by "Tethys"). [challenge]

algorave (rev)

A reversing challenge for hxp 39C3 CTF displaying the flag via the pianoroll feature of strudel.cc. The flag consists of notes which are picked based on a modified recursive (and therefore inefficient) Fibonacci-like algorithm. [challenge]

NeedForSpeed (misc)

A miscellaneous challenge for hxp 38C3 CTF focusing on insecure default behaviour of the Network File System server. The challenge was created as a collaboration with philipp-tg and edermi. [challenge, writeup, further research]

HaRlEm ShAkE (rev)

A Rust reversing challenge for hxp 38C3 CTF focusing on funny and weird X11 features. [challenge, writeup]

archived (zaj)

A zero-day web challenge for hxp CTF 2022 targeting Apache Archiva 2.2.9. The challenge is based on a vulnerability I discovered which was assigned CVE-2023-28158. [challenge, writeup]

required (rev)

A challenge for hxp CTF 2022 using the prototype pollution discussed in the challenge 2linenodejs as a way to obfuscate NodeJS code. [challenge, writeup]

sqlite_web (web)

A web challenge for hxp CTF 2022 focusing on an insecure design choice in sqlite-web leading to remote code execution. Remains unfixed. [challenge, writeup]

valentine (web)

A web challenge for hxp CTF 2022 exploring ejs 3.1.8 after CVE-2022-29078 was fixed. [challenge, short writeup, extended writeup]

baba is you (misc)

A misc challenge for hxp CTF 2021 inspired by Baba Is You, written in C for the Game Boy. [challenge, scoreboard, source, writeup]

find the chicken (misc)

A Game Boy challenge for hxp CTF 2020 written in C. Reverse the game and find the chicken. [challenge, scoreboard, source, solution run]

Stuff I broke with hxp (excerpt)

PDF-Xfiltration

My writeup to a challenge from Insomni'hack 2022 about breaking PDF signatures using JavaScript.

pypypypy

My writeup to a python sandbox escape from 0CTF 2021 Quals.

Cloud Computing

My writeup for a PHP sandbox escape from 0CTF 2020 Quals.

Bonzi Scheme

My totally serious guide on how to "hack hex with hyx", solving a challenge of PlaidCTF 2020.

PlayCAP

My writeup for a challenge at Teaser Dragon CTF 2019 about reversing a PCAP to find pressed buttons of an XBOX controller.

Fun

Don't like the style of my website? Redesign it yourself!