posts

Few months ago I was assigned to do a pentest on a target running CyberPanel. It seemed to be installed by default by some VPS providers & it was also sponsored by Freshworks.

This weekend I participated in BRICS+ CTF Qualifications, organized by C4T BuT S4D alongside other members of Friendly Maltese Citizens team where we managed to qualify for the finals 🎉.

This year, I was asked to write some Web challenges for the Serbian Cybersecurity Challenge Qualifications - it was a really fun experience hosting a CTF after a long time :)

Last week, I participated in the Nullcon HackIM CTF 2023 with 1/0 (formerly team zh3r0).

• This was a collaboration blog post, feel free to give it a read at Hacktus’s blog :)

The goal of this writeup is to give a quick walkthrough of practical scenarios of Deserialization vulnerabilities that arise in many programming languages, specifically Java in our case, and how we can go from using a simple pre-built gadget chain to writing our own custom gadget chains and eventually gaining code execution on a target server.

The Intigriti July XSS challenge was a great challenge created by antonvroemans which included a quite funny bug de-escalation from an SQL injection to an XSS with a CSP bypass. Leaving that aside, it was a great chance to practice skills in multiple attack vectors and improve.

This issue was found back in around november 2020 by me and my friend who would rather not come out publicly with his name, so let’s call him purpl3 (his wish :D).