Since joining CertiK as a Security Engineer, my articles(write-ups, vulnerability analysis, etc) are now posted on CertiK’s website and medium. I also regularly attend conferences and meetups, where I present talks and share insights from my research and expertise. Talks DEFCON 32 AppSec Village: Web2 Meets Web3 – Hacking Decentralized Applications https://www.certik.com/resources/blog/web2-meets-web3-hacking-decentralized-applications https://x.com/wisp_fly/status/1822126402994671809 ================================================================ DEFCON […]

Note: This write-up doesn’t explain all the steps. Feel free to email me at peipei123gt@gmail.com if you’re not sure how I got X.‌‌ ‌‌ ‌‌ ‌‌ ‌‌ ‌ ‌‌ ‌‌ ‌‌ ‌‌ ‌‌ #BabyCSP: 1. Bad CSP rule: ‌‌ ‌‌ ‌‌ ‌‌ ‌‌ ‌‌ 2. Submit a post with the payload and report to admin: […]

The detail about Apache Struts S2-057 Vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2018-11776 ‌‌ ‌‌ ‌‌ ‌‌ ‌‌ Ubuntu: 1. Setup the environment 1.1 System version: ubuntu 14.04. 1.2 Install apache tomcat: sudo apt-get install tomcat7 sudo apt-get install tomcat7-docs tomcat7-admin tomcat7-examples sudo apt-get install default-jdk 1.3 Download the vulnerable Apache struts from: https://archive.apache.org/dist/struts/2.3.34/ 1.4 Extra files from the Zip […]

I went to Tampa, Florida last weekend to participate Raymond James CTF. My team got 3rd place with $2500 award. The weather in Florida is so0O gO0od: 24 degrees C, meanwhile it’s like 3 degrees C in Baltimore. The team photo: My eyes were closed lol. The trophy: The coin from gam3z: The onsite-CTF was 70% […]

picoCTF is a CTF hosted by CMU targeted at high school students, which is a great opportunity for beginner to improve their skill. I enjoy this CTF a lot.Not really a Team, just me.  This is the Writeup for Flaskcards serial: “Flaskcards”, “Flaskcards Skeleton Key” and “Flaskcards and Freedom”. All three problems have the same interface: first […]