My name is Amal Murali. I currently work as a Team Lead - Security Operations at Bugcrowd. I’m interested in web application security and occasionally write about security and CTFs. You can learn more about me here.
Fooling Parsers: Achieving Code Execution Using echo Command — Google CTF 2024 Writeup
Google releases some really cool CTF challenges every year. This year was no exception. onlyecho was one of the relatively easier ones, but it ended up being a lot of fun to solve. I was intrigued by the challenge and decided to dive right in. This was the challenge description: I like echo because my friends told me it’s safe. I made a shell that only allows you to run echo, how cool is that?...
This CTF is Still on IRC — IRCPuzzles 2024 Writeup
IRCPuzzles is an IRC-based puzzle game hosted every year on April 1st. The event lasts for several days. The answers are keys to channels, and contestants progress from the first level to the final level. Since I enjoy solving puzzles and challenges, I participate in this event every year. Cluelessly staring at a vague hint for hours, relentlessly going down multiple rabbit holes, the joy of finally finding a solution—what’s not to love?...
Pwning Tetris: Exploiting a Weak RNG
IRCPuzzles is an annual IRC-based puzzle game that I eagerly anticipate every year. The challenges span a wide array of domains, including logical puzzles, cryptography, steganography, and much more. This year’s event, which took place in April, provided its usual assortment of engaging challenges. Although it’s been a couple months, the experiences remain vivid in my memory. I’ll be sharing write-ups for other levels too, but I wanted to start with a particularly elegant challenge that warranted a blog post of its own....
Exploiting CVE-2024-32002: RCE via git clone
A new RCE in Git caught my attention on a recent security feed, labeled CVE-2024-32002. The idea of an RCE being triggered through a simple git clone command fascinated me. Given Git’s ubiquity and the widespread use of the clone command, I was instantly intrigued. Could something as routine as cloning a repository really open the door to remote code execution? My curiosity was piqued, and I had to investigate....
What a CTF on IRC looks like — IRCPuzzles AFPC 2022
IRCPuzzles is an IRC-based puzzle game hosted every year on April 1st. The event lasts for several days. The answers are keys to channels and contestants progress from the first level to the final level. The levels usually get progressively harder. Each level is solvable with the original clue alone, but additional hints are added later if the contestants are stuck on a level for long. Since I enjoy solving puzzles and challenges, I usually participate in this event every year....