CryptoCat

Look What You Made Us Patch: 2025 Zero-Days in Review | Google Cloud Blog Our analysis of 90 zero-day vulnerabilities tracked in 2025, focusing on techniques and how AI will accelerate the vulnerability landscape.

"For the first time since we began tracking zero-day exploitation, we attributed more zero-days to commercial surveillance vendors than to traditional state-sponsored cyber espionage groups."

Love to see the stats backing up my hunch.

cloud.google.com/blog/topics/...

CVE-2026-1731 | AttackerKB On February 6, 2026, BeyondTrust published an advisory for a new critical command injection vulnerability, CVE-2026-1731, affecting their products Remote Suppo…

Check out the full @rapid7.com technical analysis! attackerkb.com/topics/jNMBc...

CVE-2026-1731 Metasploit module demo

My first @metasploit-r7.bsky.social module is live! You can now exploit CVE-2026-1731 (BeyondTrust command injection) with the latest version 😎

Stored XSS + JSONP Callback Injection to Cookie Exfiltration | Intigriti 02-26: InkDrop | CryptoCat's Blog Intigriti 02-26 writeup: unsafe markdown rendering leads to stored XSS, which is executed via a client-side script reinjection gadget loading /api JSONP, allowing CSP bypass and bot flag cookie exfilt...

My writeup for @intigriti.com's "InkDrop" challenge 🖋

cryptocat.me/blog/ctf/mon...

🚨 In conducting 0 day research against #Grandstream GXP1600 VoIP phones, Rapid7 Labs discovered CVE-2026-2329.

The unauthenticated stack-based buffer overflow vulnerability ultimately allows an attacker to intercept phone calls and eavesdrop on audio. Read on: r-7.co/4tIzope

Ruby Object Injection to RCE via Oj Deserialization | YesWeHack Dojo: RubitMQ | CryptoCat's Blog YesWeHack Dojo #48 writeup: exploiting unsafe Oj.load deserialization to inject a Node gadget and achieve command execution via find -exec.

My writeup for the "RubitMQ" challenge by @yeswehack.bsky.social 🐇

cryptocat.me/blog/ctf/mon...

#ctf #capturetheflag #bugbounty #ethicalhacking #cybersecurity #infosec #yeswehack

Top 10 web hacking techniques of 2025 Welcome to the Top 10 Web Hacking Techniques of 2025, the 19th edition of our annual community-powered effort to identify the most innovative must-read web security research published in the last year

The voting has concluded, and we're thrilled to announce the top ten web hacking techniques of 2025! Massive thanks to everyone in the community for sharing their hard-earned discoveries, plus the panel and everyone who nominated or voted! portswigger.net/research/top...

CryptoCat x Rapid7 🧡

Couldn't be more excited to announce I'm joining the vulnerability research team at @rapid7.com next week! 🥳

Really looking forward to teaming up with some seriously talented researchers and digging into real-world threats and vulnerabilities. Stay tuned 😎

Race Condition via GraphQL Aliases | YesWeHack 11-25: APICrash | CryptoCat's Blog YesWeHack Dojo 11-25 writeup: exploiting unsynchronised threaded TinyDB writes via GraphQL aliases to corrupt storage and trigger error-based flag disclosure.

My writeup for the "APICrash" challenge from @yeswehack.bsky.social 💥

cryptocat.me/blog/ctf/mon...

At least four videos show what really happened when ICE shot a woman in Minneapolis on Wednesday. DHS has established itself as an agency that cannot be trusted to live in or present reality. @evystadium.bsky.social has more.

Full story by @josephcox.bsky.social: www.404media.co/dhs-is-lying...

Happy new year!! 🥳🎉

I'm already glad I did this, but honestly I would have been happy to leave my content on Gitbook.

The problem was that Google refused to index a single page in the 1+ year since I connected my own [sub]domain to Gitbook.

Up until then, indexing worked without any issues 😫

New blog live @ https://cryptocat.me/blog/ 💜

I've been working hard to move my written content from gitbook over to my own website 👷‍♂️

It's still a work in progress, but I'm pretty happy with the results so far 🙂

🔗 cryptocat.me/blog/

Hacky Christmas 🎄

Wishing a very hacky christmas to all the hacker fam! 🎅

Manipulating Memory with Cheat Engine - Hacky Christmas [NahamCon 2025 CTF] YouTube video by CryptoCat

Video walkthrough for the Hacky Christmas challenge I made for #NahamCon2025 😇

youtu.be/fs9WeNkUB4M

Hacky Christmas Challenge [gamepwn]

The #NahamCon2025 CTF is over ✅ Writeups for my challs 👇

🎮 Hacky Christmas ➡ book.cryptocat.me/blog/ctf/202...

💥 VulnBank ➡ book.cryptocat.me/blog/ctf/202...

💥 Snorex 2K CCTV ➡ book.cryptocat.me/blog/ctf/202...

Stay tuned for a video walkthrough of Hacky Christmas 🎅🎄

I made a couple of [easy-med] challenges for #NahamCon2025 - you've got 24 hours! 💜

🎮 ctf.nahamcon.com/hubs/hacky-c...
💥 ctf.nahamcon.com/hubs/vuln-bank
💥 ctf.nahamcon.com/hubs/snorex-...

Here's a sneak peek at Hacky Christmas 🎅 Can you escape the ice box and take out 1 MILLION gingerbread men? 🎄

I also made some challenges for #NahamCon2025, hope you will check them out! 🎅

Awww thank you! For now you'll have to find me at a hacking con 😉 Next time I run a CTF challenge, I'll send some out as prizes too 👀

🌈✨️

New stickers 😼

Mother Printers (Print2Own) - Full Exploit Chain Walkthrough [HackingHub] YouTube video by CryptoCat

New video covering the solution to the Mother Printers challenge I created for @hackinghub.bsky.social 💜

Tried to make it as beginner friendly as possible as I know many players aren't familiar with rev/pwn 😇

youtu.be/ebNYtX_8lOY

You can still play the challenge for free! app.hackinghub.io/hubs/mother-...

GitHub - sfewer-r7/BrotherVulnerabilities: Multiple Brother Devices: Multiple Vulnerabilities (CVE-2024-51977, CVE-2024-51978, CVE-2024-51979, CVE-2024-51980, CVE-2024-51981, CVE-2024-51982, CVE-2024-... Multiple Brother Devices: Multiple Vulnerabilities (CVE-2024-51977, CVE-2024-51978, CVE-2024-51979, CVE-2024-51980, CVE-2024-51981, CVE-2024-51982, CVE-2024-51983, CVE-2024-51984) - sfewer-r7/Broth...

Shout-out to @stephenfewer.bsky.social and STAR Labs - their awesome research was the inspiration behind the theme of this challenge 💜

github.com/sfewer-r7/Br...
starlabs.sg/blog/2025/11...

Mother Printers challenge PoC 💜

Didn't get chance to solve my "Mothers Printers" challenge on @hackinghub.bsky.social? 🖨

Here's the official writeup ➡ book.cryptocat.me/blog/ctf/mon...

Prefer video? Stay tuned for a beginner-friendly walkthrough on YT next week ▶

Time to drop a couple of hints for my @hackinghub.bsky.social challenge!

1️⃣ First flag is on the website (you need to find it before flag 3/4/5)
2️⃣ The chall is inspired by some cool research I read (go find it)

Writeups will be published once we hit 10 solves ➡ app.hackinghub.io/hubs/mother-...

First blood on https://app.hackinghub.io/hubs/mother-printers

Congratulations to Bhavya for being the first to capture all 5 flags on my @hackinghub.bsky.social challenge! 🥳🎉

We've released a small patch. If you were stuck on flag 3, please re-download files! Good time to practice your patch-diffing 👀

app.hackinghub.io/hubs/mother-...

Honestly I never bothered working out how to use ghidra with debugger 😅 I just use it for reversing then run gdb (pwndbg) for the breakpoints and debugging

Yayyy 🥰

So, who's gonna blood my new @hackinghub.bsky.social challenge? 😼

Challenge 🔗 app.hackinghub.io/hubs/mother-...

First 3 solves will earn the "Hacker Cat" role in my discord server ➡️ discord.cryptocat.me

#ctf #capturetheflag #ethicalhacking #cybersecurity #infosec #offsec