Cosmic Components Co. - UniVsThreats26 Quals Web
Stacking alternating coupons, abusing negative quantities and session-persistent discounts lets us buy every product for pennies, farm loyalty rewards, hit Elite tier, and grab the flag.
Chaining a 7-byte format string leak with a strcpy heap overflow to redirect atoi@GOT to system and pop /bin/sh on a non-PIE, partial RELRO Starlink node manager.
Abusing a JWT kid path lookup to /dev/null lets us sign our own admin token with an empty key, unlock the USS Threads Command Center, and capture the flag.
Full writeup for the Cheezify machine on VulnByDefault — mobile app reverse engineering leaks hidden subdomains and API keys, leading to SSTI → RCE in a Flask management portal, container pivoting via IMAP email exfiltration, and SSH privilege escalation to root.
Achieved #1 ranking on HackTheBox in Jordan through consistent machine pwning, ProLab completions, and challenge solving.
Achieved #1 ranking on FlagYard in Jordan through CTF challenge solving and consistent performance in competitive cybersecurity.