Links To My Recent Articles and Talk

Talk DEFCON 28 BlockChain Village: Exploit Insecure Crypto Wallet ================================================================ Articles After I join CertiK as a Security Engineer, my articles(write-ups, vulnerability analysis, etc) post under CertiK’s website and medium. Here is a list of them: Blockchain explorer Denial-of-Service (DoS) attacks ================================================================ CVE-2020–5902 Analysis, F5 BIG-IP RCE vulnerability ================================================================ Bug bounty write up: […]


Note:  This write up doesn’t explain all steps, for free to email me at: [email protected] if you not sure how I get X. ‌‌ ‌‌ ‌‌ ‌‌ ‌‌ ‌‌ ‌‌ ‌‌ ‌‌ ‌‌ ‌‌ ‌‌ #BabyCSP: 1. Bad CSP rule: ‌‌ ‌‌ ‌‌ ‌‌ ‌‌ ‌‌ 2. Submit a post with the payload and report […]

Exploit CVE-2017-16088

CVE Detail(Link): The safe-eval module describes itself as a safer version of eval. By accessing the object constructors, un-sanitized user input can access the entire standard library and effectively break out of the sandbox. Background: On Mar 3, 2017, Github user “odino” opened a security issue in the safeEval GitHub repository and provide a one-line […]

Apache Struts s2-057 POC and dynamic analysis

The detail about Apache Struts S2-057 Vulnerability: ‌‌ ‌‌ ‌‌ ‌‌ ‌‌ Ubuntu: 1. Setup the environment 1.1 System version: ubuntu 14.04. 1.2 Install apache tomcat: sudo apt-get install tomcat7 sudo apt-get install tomcat7-docs tomcat7-admin tomcat7-examples sudo apt-get install default-jdk 1.3 Download the vulnerable Apache struts from: 1.4 Extra files from the Zip […]

Raymond James CTF

I went to Tampa, Florida last weekend to participate Raymond James CTF. My team got 3rd place with $2500 award. The weather in Florida is so0O gO0od: 24 degree C, meanwhile it’s like 3 degree C in Baltimore. The team photo: My eyes were closed lol. The trophy: The coin from gam3z:   The onsite-CTF was 70% forensics, […]

picoctf CTF 2018 Flaskcards serial

picoCTF is a CTF hosted by CMU targeted at high school students, which is a great opportunity for beginner to improve their skill. I enjoy this CTF a lot. Not really a Team, just me.       This is the Writeup for Flaskcards serial: “Flaskcards”, “Flaskcards Skeleton Key” and “Flaskcards and Freedom”. All three problems have […]