Adrian "vurlo" Junge

Welcome to my bug collection 🐛

CTF player, vulnerability researcher, and computer science student creating writeups, collecting CVEs, bounties, and notes from real targets and challenges. I poke things politely and occasionally convince software to confess.

Timeline About me

19 Posts 139 min read 10 CVEs 0 Bug bounties 1 Created Challenges 1 Certificates 10 Achievements

Featured work

CVE

Joomla CMS

Summary

Joomla CMS 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 were affected by an improper access check in the com_users batch task. Authenticated attackers could abuse the batch flow to escalate privileges.

Disclosure timeline

2026-04-03 Reported to the Joomla Security Strike Team.
2026-04-18 Confirmation of the issue and initial patch development.
2026-05-26 Fixed in Joomla CMS 5.4.6 and 6.1.1 and CVE assigned.

Open Hack The Box Certified Penetration Testing Specialist

Certificate

Hack The Box Certified Penetration Testing Specialist

2026-03-23 Certification Completed the HTB CPTS path and passed the practical exam on the first attempt, including a full penetration-test report for the exam environment. The work focused on disciplined enumeration, Active Directory attack paths, web findings, and reproducible reporting. 8 min read

Open Smile at me

Created challenge

Smile at me

2025-06-21 GPNCTF 2025 Web challenge about URL parser differentials, strict CSP, and an XS-Leak using Scroll-to-Text Fragment behavior with lazy-loaded images. Published for GPNCTF 2025. 11 min read

Latest notes

Funny Java Strings?

JavaJVM InternalsSecurity ResearchMemory

Java Strings are immutable, interned, optimized, and surprisingly easy to misunderstand when secrets are involved. This post digs into String pooling, reflection, Base64 copies, library APIs, and why ...

2026-05-27 8 min read

xmalloc

pwn Challenge by ju256

All of our slot machines switched from using the very insecure libc heap implementation to something much more secure internally. Surely this new heap implementation is unbreakable :D

2026-05-25 11 min read

HTB CPTS

Penetration TestingActive DirectoryPrivilege EscalationWeb Exploitation

My experience completing the Hack The Box Certified Penetration Testing Specialist (HTB CPTS) certification. I share the journey, rough timeline, exam tips, and tools that helped me succeed.

2026-03-23 8 min read