Adrian "vurlo" Junge

Welcome to my bug collection 🐛

CTF player, vulnerability researcher, and computer science student creating writeups, collecting CVEs, bounties, and notes from real targets and challenges. I poke things politely and occasionally convince software to confess.

Timeline About me

18 Posts 12 CVEs 1 Bug bounties 1 Created Challenges 1 Certificates 11 Achievements

Featured work

CVE

Joomla CMS

Summary

Joomla CMS 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 were affected by an improper access check in the com_users batch task. Authenticated attackers could abuse the batch flow to escalate privileges.

Disclosure timeline

2026-04-03 Reported to the Joomla Security Strike Team.
2026-04-18 Confirmation of the issue and initial patch development.
2026-05-26 Fixed in Joomla CMS 5.4.6 and 6.1.1 and CVE assigned.

Open Hack The Box Certified Penetration Testing Specialist

Certificate

Hack The Box Certified Penetration Testing Specialist

Certification 2026-03-23 Completed the HTB CPTS path and passed the practical exam on the first attempt, including a full penetration-test report for the exam environment. The work focused on disciplined enumeration, Active Directory attack paths, web findings, and reproducible reporting.

Open Smile at me

Created challenge

Smile at me

GPNCTF 2025 2025-06-21 Web challenge about URL parser differentials, strict CSP, and an XS-Leak using Scroll-to-Text Fragment behavior with lazy-loaded images. Published for GPNCTF 2025.

Latest notes

xmalloc

pwn Challenge by ju256

All of our slot machines switched from using the very insecure libc heap implementation to something much more secure internally. Surely this new heap implementation is unbreakable :D

2026-05-25

HTB CPTS

Penetration TestingActive DirectoryPrivilege EscalationWeb Exploitation

My experience completing the Hack The Box Certified Penetration Testing Specialist (HTB CPTS) certification. I share the journey, rough timeline, exam tips, and tools that helped me succeed.

2026-03-23

My Flask App

web Challenge by belugagemink

I created a Web application in Flask, what could be wrong?

2025-09-11