Posts

A while ago, I stumbled across this intriguing tweet from security researcher Vsevolod Kokorin (@slonser_): slonser_’s tweet The three-line snippet was almost boring - create an <img> element, point the src at a user-controlled URL, drop it into the DOM. The thread that followed caught the attention of Google security engineer @terjanq, who replied: terjanq’s reply I checked the NIST page and found this in the linked Chrome release notes: ...

Google releases some really cool CTF challenges every year. This year was no exception. onlyecho was one of the relatively easier ones, but it ended up being a lot of fun to solve. I was intrigued by the challenge and decided to dive right in. This was the challenge description: I like echo because my friends told me it’s safe. I made a shell that only allows you to run echo, how cool is that? ...

IRCPuzzles is an IRC-based puzzle game hosted every year on April 1st. The event lasts for several days. The answers are keys to channels, and contestants progress from the first level to the final level. Since I enjoy solving puzzles and challenges, I participate in this event every year. Cluelessly staring at a vague hint for hours, relentlessly going down multiple rabbit holes, the joy of finally finding a solution—what’s not to love? It’s a delightful blend of frustration and fascination, much like a typical day in information security. If you’re curious, check out my writeup from the 2022 event. ...

IRCPuzzles is an annual IRC-based puzzle game that I eagerly anticipate every year. The challenges span a wide array of domains, including logical puzzles, cryptography, steganography, and much more. This year’s event, which took place in April, provided its usual assortment of engaging challenges. Although it’s been a couple months, the experiences remain vivid in my memory. I’ll be sharing write-ups for other levels too, but I wanted to start with a particularly elegant challenge that warranted a blog post of its own. ...

A new RCE in Git caught my attention on a recent security feed, labeled CVE-2024-32002. The idea of an RCE being triggered through a simple git clone command fascinated me. Given Git’s ubiquity and the widespread use of the clone command, I was instantly intrigued. Could something as routine as cloning a repository really open the door to remote code execution? My curiosity was piqued, and I had to investigate. Plus, who doesn’t want an excuse to break stuff in the name of research? ...