I'm a freelance developer / hacker who plays CTF in his spare time.

hxp logo | k | GitHub logo | LinkedIn logo | Twitter logo | Mastodon logo


Redacted Pentest Report of a PHP Web App


In February 2023, I got hired to do a whitebox pentest of a PHP web app. The redacted report can be found here [PDF].

Technical Writeup for CVE-2023-28158


In March 2023, I got the opportunity to identify and report a stored XSS vulnerability in Apache Archiva 2.2.9. The vulnerability got awarded CVE-2023-28158.

Personal Projects

recipes.jpg series.jpg find-the-chicken.png gameboy-is-you.png doktor-eisenbarth.jpg michael-konstantin.jpg almenrausch-pirkhof.jpg

CTF Writeups

Stuff I created for hxp CTF logo

hxp CTF icon for zaj challenges archived

A zero-day web challenge for hxp CTF 2022 targeting Apache Archiva 2.2.9. The challenge is based on a vulnerability I discovered which was assigned CVE-2023-28158. [challenge, writeup]

hxp CTF icon for rev challenges required

A challenge for hxp CTF 2022 using the prototype pollution discussed in the challenge 2linenodejs as a way to obfuscate NodeJS code. [challenge, writeup]

hxp CTF icon for web challenges sqlite_web

A web challenge for hxp CTF 2022 focusing on a insecure design choice in sqlite-web leading to remote code execution. Remains unfixed. [challenge, writeup]

hxp CTF icon for web challenges valentine

A web challenge for hxp CTF 2022 exploring ejs 3.1.8 after CVE-2022-29078 was fixed. [challenge, short writeup, extended writeup]

hxp CTF icon for msc challenges baba is you

A misc challenge for hxp CTF 2021 inspired by baba is you written in C for Gameboy. [challenge, scoreboard, source, writeup]

hxp CTF icon for msc challenges find the chicken

A gameboy challenge for hxp CTF 2020 written in C. Reverse the game and find the chicken. [challenge, scoreboard, source, solution run]

Stuff I broke with hxp logo (excerpt)


My writeup to a challenge from Insomni'hack 2022 about breaking PDF signatures using JavaScript.


My writeup to a python sandbox escape from 0CTF 2021 Quals.

Cloud Computing

My writeup for a PHP sandbox escape from 0CTF 2020 Quals.

Bonzi Scheme

My totally serious guide of how to "hack hex with hyx" solving a challenge of PlaidCTF 2020.


My writeup for a challenge at Teaser Dragon CTF 2019 about reversing a PCAP to find pressed buttons of an XBOX controller.


Don't like the style of my website? Redesign it yourself!