Security researcher and CTF player focusing on boot2root, web, and pwn. Sharing the solution, fixes, and lessons from each run.
CREATE2 + constructor-call bypass to precompute wins and drain the NullCTF casino.
Deterministic Fisher–Yates permutation and XOR window reversed to rebuild the file.
Use-after-free leak to bypass Safe Linking and poison tcache into a win path.
Crack the MD5 preimage, then XOR the blob to recover the M*CTF flag.
SQLi in GraphQL login to mint a flagOwner JWT and unlock /admin.
Format-string size mismatch flips is_admin via scanf overrun for instant shell.
Seccomp-only shellcode read/write exploit with bad-byte evasion for V2.
Exploit signed-char array index OOB read to leak the global flag bytes.
Single-byte srand/rand brute-force to reconstruct the 29-byte FlagCasino string.
Reverse the four-input transistor logic gate, brute-force its truth table, and decode the flag.
Classic gets() overflow to pivot into the hidden joshua function and print the flag.
Automation script plus SQL queries to pull every EpicSales flag in order.