Writeups, Hacking Guides & Cybersecurity Insights

  • Pentesting Odoo Applications with OdooMap

    Odoo is a widely used ERP platform with a complex backend. It’s a juicy target but also tricky due to its layered system, detailed user access controls, and extensive API usage. To pentest Odoo effectively, you need to combine automation with manual verification.

  • Ubuntu’s Unattended-Upgrades in Action

    Securing Ubuntu 24.04.2 Against CVE-2025-32463

    I just performed a fresh offline install of Ubuntu Desktop 24.04.2, deliberately preventing any automatic updates during setup. Shortly after logging in, I discovered that my VM was vulnerable to CVE-2025-32463, a local privilege escalation flaw in sudo.

  • Defensy SCC CTF Web Writeups

    I recently got 2nd place in Defensy’s Scooby Cyber Chase CTF with my team CrémeTartinéFabuleuse, and we managed to solve all the CTF’s challenges. There was plenty of web though, so I picked two challenges for this writeup: the first one is inspired by CVE-2024-56145 affecting Craft CMS, and the other one is essentially an IDOR.

  • CyberTEK 2025 Web Writeups

    These are the writeups for 3 of the web challenges presented in CyberTEK 2025. The first one is a chain of vulnerabilities: SSRF, a library “flaw”, and a race condition. The second challenge requires a considerably tweaked SQLi payload, and the 3rd one is a bit of a classic. Let’s get started!

  • SparkCTF 2025 Web Writeups

    These are the writeups for 3 of the web challenges presented in SparkCTF 2025. The first one is an SSTI vulnerability in ASP.NET with Razor, and the second one is about using Blind SQL Injection to bruteforce some kind of token, and requires more logical thinking. The third one is a surprise! Let’s get into it.

  • How ChatGPT Helped Me First Blood a Hard Web Challenge! (Securinets Quals CTF 2024)

    I took part in Securinets Quals CTF this weekend and my team Alashwas settled 12th out of 336 teams. I got first blood on the one and only web challenge in this CTF.