CVE-2025-4664: Exploiting a Chrome 0day to Leak Session Tokens

A while ago, I stumbled across this intriguing tweet from security researcher Vsevolod Kokorin (@slonser_): [image: slonser_’s tweet] The three-line snippet was almost boring - create an <img> element, point the src at a user-controlled URL, drop it into the DOM. The thread that followed caught the attention of Google security engineer @terjanq, who replied: [image: terjanq’s reply] I checked the NIST page and found this in the linked Chrome release notes: ...

June 22, 2025 · 4 min · Amal Murali

Fooling Parsers: Achieving Code Execution Using echo Command — Google CTF 2024 Writeup

Google releases some really cool CTF challenges every year. This year was no exception. onlyecho was one of the relatively easier ones, but it ended up being a lot of fun to solve. I was intrigued by the challenge and decided to dive right in. This was the challenge description: I like echo because my friends told me it’s safe. I made a shell that only allows you to run echo, how cool is that? ...

July 1, 2024 · 9 min · Amal Murali

This CTF is Still on IRC — IRCPuzzles 2024 Writeup

IRCPuzzles is an IRC-based puzzle game hosted every year on April 1st. The event lasts for several days. The answers are keys to channels, and contestants progress from the first level to the final level. Since I enjoy solving puzzles and challenges, I participate in this event every year. Cluelessly staring at a vague hint for hours, relentlessly going down multiple rabbit holes, the joy of finally finding a solution—what’s not to love? It’s a delightful blend of frustration and fascination, much like a typical day in information security. If you’re curious, check out my writeup from the 2022 event. ...

June 25, 2024 · 63 min · Amal Murali

Pwning Tetris: Exploiting a Weak RNG

IRCPuzzles is an annual IRC-based puzzle game that I eagerly anticipate every year. The challenges span a wide array of domains, including logical puzzles, cryptography, steganography, and much more. This year’s event, which took place in April, provided its usual assortment of engaging challenges. Although it’s been a couple months, the experiences remain vivid in my memory. I’ll be sharing write-ups for other levels too, but I wanted to start with a particularly elegant challenge that warranted a blog post of its own. ...

June 19, 2024 · 5 min · Amal Murali

Exploiting CVE-2024-32002: RCE via git clone

A new RCE in Git caught my attention on a recent security feed, labeled CVE-2024-32002. The idea of an RCE being triggered through a simple git clone command fascinated me. Given Git’s ubiquity and the widespread use of the clone command, I was instantly intrigued. Could something as routine as cloning a repository really open the door to remote code execution? My curiosity was piqued, and I had to investigate. Plus, who doesn’t want an excuse to break stuff in the name of research? ...

May 19, 2024 · 9 min · Amal Murali