Adrian "vurlo" Junge

Welcome to my bug collection 🐛

CTF player, vulnerability researcher, and computer science student creating writeups, collecting CVEs, bounties, and notes from real targets and challenges. I poke things politely and occasionally convince software to confess.

Timeline About me

20 Posts 140 min read 12 CVEs 1 Bug bounties 1 Created Challenges 1 Certificates 11 Achievements

Featured work

CVE

Joomla CMS

Summary

Joomla CMS 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 were affected by an improper access check in the com_users batch task. Authenticated attackers could abuse the batch flow to escalate privileges.

Disclosure timeline

2026-04-03 Reported to the Joomla Security Strike Team.
2026-04-18 Confirmation of the issue and initial patch development.
2026-05-26 Fixed in Joomla CMS 5.4.6 and 6.1.1 and CVE assigned.

Open Hack The Box Certified Penetration Testing Specialist

Certificate

Hack The Box Certified Penetration Testing Specialist

Certification 2026-03-23 Completed the HTB CPTS path and passed the practical exam on the first attempt, including a full penetration-test report for the exam environment. The work focused on disciplined enumeration, Active Directory attack paths, web findings, and reproducible reporting. 8 min read

Open Smile at me

Created challenge

Smile at me

GPNCTF 2025 2025-06-21 Web challenge about URL parser differentials, strict CSP, and an XS-Leak using Scroll-to-Text Fragment behavior with lazy-loaded images. Published for GPNCTF 2025. 11 min read

Latest notes

Frankendancer

WIP

2026-12-31 1 min read

Funny Java Strings?

JavaJVM InternalsSecurity ResearchMemory

Java Strings are immutable, interned, optimized, and surprisingly easy to misunderstand when secrets are involved. This post digs into String pooling, reflection, Base64 copies, library APIs, and why ...

2026-05-27 8 min read

xmalloc

pwn Challenge by ju256

All of our slot machines switched from using the very insecure libc heap implementation to something much more secure internally. Surely this new heap implementation is unbreakable :D

2026-05-25 11 min read