Blog


Search

Featured posts

Web XSS RCE Linux Unintended

Intigriti June RCE Challenge (0625)

A surprising RCE challenge instead of XSS, created by @ToG. I took an unintended approach involving the Preferences file and a chromedriver CSRF RCE issue, a must-know for CTF authors.

Web Scripting Encoding RCE Windows

OBS WebSocket to RCE

Disabling password authentication of your OBS WebSocket server can have devastating consequences. We'll attack from the browser to construct an RCE payload on Windows formed from the pixels of an image, a polyglot.

Web

The Ultimate Double-Clickjacking PoC

Combing a lot of browser tricks to create a realistic Proof of Concept for the Double-Clickjacking attack. Moving a real popunder with your mouse cursor and triggering it right as you're trying to beat your Flappy Bird high score.

External

MCP: May Cause Pwnage - Backdoors in Disguise

Together with @AtomicByte, we found some vulnerabilities in the MCP protocol, debugging tools, and scanned for internet-exposed servers. This resulted in a ton of results ranging from headless browsers, databases or code evaluators.