Minimize
Maximize
Close
Timeline

Timeline

Security research, CTF writeups, blog posts, CVEs, bug bounties, authored challenges, certificates, talks, and achievements ordered by date.

Year
Filters
Recognition
Difficulty
Severity
Content type
CTF competitions
Repositories
CVEs
CWEs
Categories
Topics, projects, and sources
44 / 44 items

  • 2026

    17 items
    • Scanwich Station A table-side QR reader for hungry guests and suspicious menus. One special order can make the scanner serve more than dinner. 14 min read GPNCTF
    • Scanwich Station Hybrid web and pwn challenge about mass assignment, QR-code decoding, signed integer overflow, and GLIBC dynamic symbol poisoning. Published for GPNCTF 2026. GPNCTF 2026
    • Funny Java Strings? Java Strings are immutable, interned, optimized, and surprisingly easy to misunderstand when secrets are involved. This post digs into String pooling, reflection, Base64 copies, library APIs, and why heap dumps are bad news for secrets. 8 min read Security Research
    • Authenticated blind SQL injection in com_finder Authenticated blind SQL injection in Joomla com_finder. Joomla CMS
    • Authenticated blind SQL injection in com_tags Authenticated blind SQL injection in Joomla com_tags. Joomla CMS
    • Privilege escalation through com_users batch task Privilege escalation through the Joomla com_users batch task. Joomla CMS
    • xmalloc All of our slot machines switched from using the very insecure libc heap implementation to something much more secure internally. Surely this new heap implementation is unbreakable :D 11 min read KITCTF
    • KITCTF Web Intro Introductory web security talk for KITCTF. Slides
    • Authenticated blind SQL injection in PropertyAssign.php Authenticated blind SQL injection in PropertyAssign.php. ChurchCRM
    • Authenticated blind SQL injection in SettingsIndividual.php Authenticated blind SQL injection in SettingsIndividual.php. ChurchCRM
    • Authenticated blind SQL injection in EventNames.php Authenticated blind SQL injection in EventNames.php. ChurchCRM
    • Authenticated SQL injection in MemberRoleChange.php Authenticated SQL injection in MemberRoleChange.php. ChurchCRM
    • Authenticated blind SQL injection in PropertyTypeEditor.php Authenticated blind SQL injection in PropertyTypeEditor.php. ChurchCRM
    • Authenticated blind SQL injection in SettingsUser.php Authenticated blind SQL injection in SettingsUser.php. ChurchCRM
    • Second-order SQL injection via FundRaiserEditor.php Second-order SQL injection via FundRaiserEditor.php. ChurchCRM
    • Hack The Box Certified Penetration Testing Specialist Completed the HTB CPTS path and passed the practical exam on the first attempt, including a full penetration-test report for the exam environment. The work focused on disciplined enumeration, Active Directory attack paths, web findings, and reproducible reporting. Certification
    • HTB CPTS My experience completing the Hack The Box Certified Penetration Testing Specialist (HTB CPTS) certification. I share the journey, rough timeline, exam tips, and tools that helped me succeed. 8 min read Certificate

  • 2025

    19 items
    • KITCTF #3 at GlacierCTF 2025 #3 at GlacierCTF. KITCTF
    • My Flask App I created a Web application in Flask, what could be wrong? 7 min read SEKAICTF
    • Fancy Web The Ministry of Information and Communications Technology of Konoha has recently launched their new official website. While it appears to be a standard government portal showcasing public services and announcements, our intelligence sources have indicated that this WordPress-based website contains hidden information that could expose corruption and human rights violations. The website features a unique table processing system that displays various government data, but our analysts suspect that the developers have hidden sensitive information within the table structures themselves. The site's administrators are known for their sophisticated obfuscation techniques, making it difficult to distinguish between legitimate public data and concealed evidence. Your mission is to investigate this website and uncover the hidden information by looking beyond the surface-level content and examining how the tables are processed and displayed - the truth might be hidden, waiting for someone with the right skills to reveal it. 16 min read SEKAICTF
    • Smile at me Web challenge about URL parser differentials, strict CSP, and an XS-Leak using Scroll-to-Text Fragment behavior with lazy-loaded images. Published for GPNCTF 2025. GPNCTF 2025
    • Smile at me Be careful, others might be able to find out your most sacred secrets! (Flag only consists of emojis surrounded by 'GPNCTF{...}') The remote instance is not deployed via Docker-compose but plain Docker, resulting in the bot URL to be 'localhost:3000' instead of 'bot_service:3000' and the challenge server being 'localhost:9222' instead of 'challenge_service:9222'. 11 min read GPNCTF
    • FluxKITtens #6 at Google CTF 2025 #6 at Google CTF as the FluxKITtens merger team (FluxFingers and KITCTF), qualifying for the Hackceler8 finals in Mexico. KITCTF
    • DHM 2025 participation Participated in the DHM finals after qualifying through CSCG. DHM
    • Leaf I always think leaf ~= tea. Please allow remote to have some time to boot the browser. 6 min read SMILEYCTF
    • Everyone loves canteen food Welcome to the canteen's online menu, where you can check out the daily specials and their prices. But is everything as appetizing as it seems? 5 min read CSCG
    • vidplow We recently stumbled upon an exposed SVN server of a large multimedia corporation, containing some of their backend application and internal tooling code. However, the access keys seem to not be the ones used in production - the real ones should fetch us quite a high price though, if we manage to get our hands on them that is. Just one problem - the tech stack seems to be really obscure, and no one on our team seems to have any clue what the heck is going on. Can you take a look, and maybe find some vulnerabilities in this thing? 4 min read CSCG
    • KDF dream We've managed to insert ourselves into a secure channel between two covert agents, however we overplayed our hand and they have become suspicious that their channel is compromised. Realising that there is no way to restablish trust over the compromised network, Alice called for them to carry out a NIST Certified KDF protocol to generate a symmetric OTP, and then for them to use this to encrypt a physical message at a dead drop location. We want to control the message she leaves, can you influence their conversation to control what Bob reads at the dead drop? 8 min read CSCG
    • CSCG 2025 top 10 global Qualified for DHM again and finished top 10 globally. CSCG
    • Air smeller I found this website where you can rate the smell of the air, after purification. Do you know a good purifier, maybe you can recommend some purifier to the people. 7 min read CSCG
    • Fantastic Doom Doctor Doom, the monarch of Latveria has made many doombots. You working with the Fantastic 4 have to access doombot machine and foil his plans of releasing doombots. 5 min read EHAX
    • Cash Memo I have a really hard time managing my cash, am afraid someone might steal my memos... 10 min read EHAX
    • KITCTF #3 at SwampCTF 2025 #3 at SwampCTF. KITCTF
    • Tar boom Within the Louvre Museum's intranet, there is a service that allows trusted users to upload .tar files and view their content. However, this service has been exploited by a hacker. He was able to retrieve crucial information about the Louvre's security, hidden within the flag.txt. 4 min read DVCTF
    • Gamedev You've heard of rogue-likes, but have you heard of heap-likes? 5 min read LACTF
    • A Minecraft Movie I...AM STEVE! 9 min read UMDCTF

  • 2024

    8 items
    • KITCTF at SnakeCTF 2024 finals Qualified for and participated in the SnakeCTF finals in Italy. KITCTF
    • KITCTF #3 at GlacierCTF 2024 #3 at GlacierCTF, qualifying for DHM 2025 as KITCTF team. KITCTF
    • CORS Playground Perplexed by CORS? Our CORS Playground is your ideal solution. This intuitive and sleek platform lets you effortlessly learn and experiment with CORS policies. Perfect for unraveling the complexities of secure cross-origin requests. Dive in and clarify your CORS concepts! 5 min read FCSC
    • DHM 2024 #1 Placed #1 at the Deutsche Hacking Meisterschaft. DHM
    • Hoster You gained access to a Linux server. Can you also gain privileges? 5 min read CSCG
    • Photoeditor Recently I learned ASP .NET Core and boy, it's so magic! Dependency injection, dynamic routing, interfaces everywhere. But for me, it wasn't dynamic enough. So I extended the framework and now I got all the dynamic in the world I could wish for. That surely didn't introduce any vulnerabilities, right?", 5 min read CSCG
    • CSCG 2024 DHM qualification Qualified for DHM through CSCG. CSCG
    • KITCTF #1 at SwampCTF 2024 #1 at SwampCTF. KITCTF