Blindspot – SAS CTF 2025

Mon, 14 Jul 2025 00:00:00 +0000

0x00 – Prologue
#

I saw “ECDSA nonce reuse” and knew we were about to crack something open real clean. When you’re dealing with ECDSA, one reused k is all it takes to rip the private key wide open. It’s not about breaking the algorithm—it’s about catching the dev slipping. And they slipped.

APISEC-CON CTF – Exception Excavation & Render Bender

Sun, 18 May 2025 00:00:00 +0000

0x00 – The Setup
#

API challenges always make me pause. They’re subtle, often logic-based, and prone to mishandling by developers chasing “RESTful perfection.” When I saw two challenges dropped back-to-back—Exception Excavation and Render Bender—I knew there was potential for mischief.

Haunting the Heap: Use-After-Free in AuthenKey Login Handler (x64)

Mon, 12 May 2025 00:00:00 +0000

Prologue — Heap Echoes in an AuthenKey Login Night
#

It was one of those times when I wasn’t actively hunting—just casually skimming through binaries like I was flipping through a security archive. The target: AuthenKey, a multi-factor login handler used by corporate VPN portals. As I browsed its binary, I found a small routine involved in processing post-login session keys.

Overflow in Silence: Stack Smash in MedBoard Log Viewer (x64)

Sun, 20 Apr 2025 00:00:00 +0000

Prologue — The Calm Before the Buffer Break
#

I wasn’t looking for trouble. Just bouncing between binaries on a slow weekend, half-interested in what outdated software still lingers in hospital networks. That’s when I stumbled on MedBoard Log Viewer — a quiet little utility meant to process and display logs in a fancy UI. But it was the backend log-loading routine that caught my eye. And once I spotted strcpy, I leaned forward.

Entropy Overload — Bcrypt Length Limits in 'Entropyyyy…' (1753 CTF 2025)

Sat, 19 Apr 2025 00:00:00 +0000

Prologue — The Noise is the Signal
#

Some challenges are loud — stack traces, debug logs, binary dumps. This one wasn’t.

Copy, Paste, Exploit: Buffer Overflow in EduGrade Import Engine

Wed, 18 Sep 2024 00:00:00 +0000

4. Buffer Overflow in EduGrade Import Engine (x64)
#

Platform: Windows 10 x64
Target: EduGrade Desktop (Import Engine Parser)
Discovered: August 2024
Status: Local Privilege Escalation (unpatched)
CVSS (Est.): 7.6 – Local overflow leads to code execution

The Phantom Subdomain: How I Found Slack’s Forgotten Backdoor

Sat, 14 Sep 2024 00:00:00 +0000

Prologue — The Digital Graveyard
#

Midnight. The glow of my monitor painted the walls a faint blue as I scrolled through Slack’s sprawling domain records.

Strings Unleashed: Unsafe Length Handling in BookPro Reader

Sat, 22 Jun 2024 00:00:00 +0000

3. Unsafe Length Handling in BookPro Reader (x64)
#

Platform: Windows 10 x64
Target: BookPro Reader (EPUB/ZIP Parser)
Discovered: May 2024
Status: Unreported – no known disclosure policy
CVSS (Est.): 8.1 (High) – Stack corruption via overlong metadata entry

3 AM & Phantom Requests: My Blind SSRF Journey Through Shopify's PDF Underworld

Thu, 23 May 2024 00:00:00 +0000

Prologue — The Accidental Discovery
#

2:03 AM — My third espresso was long cold. The glow of the Shopify admin panel lit up my desk like a scene out of a low-budget cyber thriller.

PointerOverflow CTF 2024 – DF

Fri, 03 May 2024 00:00:00 +0000

0x00 – Prologue
#

Forensics challenges usually start out tame—bit of file carving, maybe some strings, or sleuthing around disk images. But sometimes, one of those USB dumps hits differently.

JWT Hunt – Iron CTF 2024

Tue, 23 Apr 2024 00:00:00 +0000

0x00 – Prologue
#

I like JWT bugs. They’re like puzzles where you know someone somewhere made a careless design call, and you just have to figure out where the glue fell apart. In this one, the challenge was called “JWT Hunt” and it lived up to the name. Turns out the devs had split the signing key into four parts and sprinkled them around the site like cryptographic breadcrumbs.

Binary Badlands – HTB University CTF 2024

Sun, 21 Apr 2024 00:00:00 +0000

0x00 – Prologue
#

I knew from the moment I saw “MD5” in the challenge description, things were about to get weird. Anyone who’s spent enough time around outdated crypto knows MD5 is a landmine. It’s fast, broken, and predictable in just the right (or wrong) ways. This challenge leaned all the way into that mess.

ZKPoF – HITCON CTF 2024

Sat, 09 Mar 2024 00:00:00 +0000

0x00 – Prologue
#

There are some challenges that punch you in the face with math. And then there are ones like this—“ZKPoF”—that slowly pull you in, pretending to be a protocol puzzle, until you realize Python’s int() is about to be your best friend and worst enemy. This was a zero-knowledge proof challenge… but with a twist. Instead of proving knowledge of a secret, I was exploiting the protocol for leaking just enough of it to reconstruct the whole damn secret.

Phantom Libraries: DLL Hijacking in OfficePort Scheduler

Wed, 21 Feb 2024 00:00:00 +0000

Prologue — The Ghost in the Folder
#

DLL hijacking never really died. It’s just waiting for the right developer to forget a LoadLibrary call. That’s exactly what happened with OfficePort Scheduler, a scheduling utility built for enterprise task planning on Windows 11.

Coffee, Curiosity & an API – JWT 'alg:none' Exploit in HealthTrack

Mon, 19 Feb 2024 00:00:00 +0000

Prologue: Coffee, Curiosity & an API
#

It was one of those quiet February evenings. No caffeine left in the mug, but my curiosity was wide awake. The glow from the screen illuminated my desk, casting a soft digital haze. I was drifting through recon mode—scrolling API docs, poking endpoints, intercepting calls like I was casually flipping through a dusty book in a forgotten archive.

One by One – LA CTF 2024

Sun, 18 Feb 2024 00:00:00 +0000

0x00 – Prologue
#

Brute-forcing a Google Form? Yeah, it sounds dumb until you realize the form is leaking state via some sneaky HTML fields. That’s when it turns into an actual side-channel attack and not just clicking buttons like a bot. This was one of those problems where you stare at Chrome DevTools long enough, and suddenly you’re deep in Puppeteer automations and page parity logic.

LocalNews and the Whispering Header - SQLi in a Forgotten Log

Sat, 17 Feb 2024 00:00:00 +0000

Prologue — When Headers Speak
#

10:47 PM — Rain tapped against the window while Burp Suite ran idle. I was deep into recon on a small CMS platform called LocalNews. The payout was modest, the target obscure—but that’s the beauty of it. Quiet places often hide loud bugs.

Heap Drift: Misaligned Write in SafeMail’s Attachment Parser

Thu, 08 Feb 2024 00:00:00 +0000

Prologue
#

Started out just poking at SafeMail’s desktop client because I was curious how they handled attachments. It’s always those small parsing subsystems where things fall apart. I loaded up the binary in IDA and watched the way filenames were processed when attachments were being saved.

Racing the Kernel: Use-After-Free in SnapBackup.sys

Sat, 02 Dec 2023 00:00:00 +0000

Prologue — Ring-0 and the Need for Speed
#

Most people ignore backup software. I don’t. Especially when it’s running in the kernel and handling file operations with zero context verification.

The Anatomy of a Clickjacking Vulnerability: A Trello Deep Dive

Wed, 15 Nov 2023 00:00:00 +0000

An exploration of a clickjacking vulnerability found in Trello’s public boards, examining the technical details, potential impacts, and broader security lessons about proper header configurations.

Stacking Bytes: Heap Overflow in PrintSecure’s Spooler

Mon, 06 Nov 2023 00:00:00 +0000

Prologue — Midnight Layers & Metadata Games
#

I’d been reverse engineering some internal RPC routines on a lightly documented print management service—PrintSecure, used across several enterprise Windows Server 2019 deployments. The kind of service that hums quietly in the background, doing menial job routing, completely overlooked. That’s usually a good place to find something sharp.

Hard Forensics – BlackHat MEA Quals 2023

Sat, 04 Nov 2023 00:00:00 +0000

Sometimes, you get a JPEG, and you just know it’s lying to you. It smiles at you innocently like any regular image, but as a hacker, you know better. So, I stared at the given JPEG for a moment — instinctively opened it in a hex editor. Why? Because standard images don’t end with a bunch of gibberish appended to them.

Delegatecall Drains & Solidity Sleight — Paradigm CTF 2023

Sat, 21 Oct 2023 00:00:00 +0000

Prologue — Solidity’s Footgun
#

Some CTFs are logic puzzles. Others are byte-level traps. And then there are Paradigm CTFs — where Solidity becomes a minefield and every contract hides a design decision that’ll make you pause, rewind, and rethink everything you know about execution flow.

TaskMaster – How an Avatar Became a Cookie Monster

Thu, 05 Oct 2023 00:00:00 +0000

Prologue — Of Avatars and Curiosity
#

It started with a profile page.

Late one night in October, I was sipping on reheated coffee and casually poking around the “TaskMaster” app — a tidy little task management platform listed on YesWeHack. On the surface, it was clean, minimal, maybe even a bit charming.

Overflowing Authority: Stack Smash in LocalAdminTool.exe

Mon, 02 Oct 2023 00:00:00 +0000

Prologue — Pipes, Stacks, and Hidden Elevation
#

I was digging around Windows 10 utilities installed on a workstation used for internal admin scripting. One tool stood out — LocalAdminTool.exe. It used a named pipe to receive commands, and the binary hadn’t seen a patch in years.

Chaining Control: ROP Exploitation in HealthDesk Report Viewer

Thu, 14 Sep 2023 00:00:00 +0000

Prologue — CSVs, Gadgets & Shells
#

It started with a curiosity hit—an old install of HealthDesk Report Viewer, still alive on a legacy Windows 7 x86 box. Binary hadn’t been touched since 2010. And it was one of those static base address builds, no ASLR, no DEP, no nothing. Just waiting.

Encrypted Mail – DUCTF 2023

Sat, 02 Sep 2023 00:00:00 +0000

0x00 – Prologue

This one was different. Not just some base64 puzzle or random math CTF fluff. It had structure. It had depth. I knew from the first glance that “Encrypted Mail” was hiding something sophisticated. There was a Zero-Knowledge Proof involved — that alone made me crack my knuckles. That phrase isn’t tossed around unless it means business.

Echoes of Control: Format String Exploit in DevMon

Fri, 18 Aug 2023 00:00:00 +0000

Prologue — Strings, Stacks, and Legacy Tricks
#

Legacy systems are a goldmine. I was rummaging through an old factory control rig running Windows XP and found a small utility called DevMon Status Tool. No ASLR, no stack cookies, no DEP. Real 2003 energy.

From Blob to Boom: Insecure Deserialization in FinPro CRM

Fri, 04 Aug 2023 00:00:00 +0000

Insecure Deserialization in FinPro CRM Client (x86)
#

Prologue: Old Habits, Unsafe Casts
#

I was poking through a legacy CRM tool called FinPro — the kind your dad’s office might still be using. Clunky GUI, startup splash screen, and an installer that required admin rights. Perfect vintage.

Silent Payloads: DOM-Based XSS in PayPal’s Checkout

Mon, 24 Jul 2023 00:00:00 +0000

Silent Payloads: DOM-Based XSS in PayPal’s Checkout
#

How a routine evening review of postMessage logic in third-party iframes spiraled into a silent, weaponizable DOM XSS — tucked neatly within a trusted payment flow.

12:57 AM and a Concurrency Fault: How I Exploited Uber’s Coupon Redemption Logic

Tue, 13 Jun 2023 00:00:00 +0000

Prologue: 12:57 AM
#

The apartment was quiet. I was not hunting vulnerabilities or replaying traffic with aggressive fuzzing. It was more observational – that rare and quiet mindset that often reveals misbehavior where others only see clean execution.

Signed to Compromise: Kernel Overflow in XLogDriver.sys

Sat, 10 Jun 2023 00:00:00 +0000

Signed Driver Exploit in XLogDriver.sys (x64 Kernel)
#

Prologue: A Signed Invitation to Ring-0
#

This one hit different. I was sifting through a bunch of random vendor drivers, most of them dusty utilities for things like USB logs and peripheral diagnostics. Nothing fancy. But one caught my eye: XLogDriver.sys.

NahamCon CTF 2023 – Multiple Challenges

Sun, 07 May 2023 00:00:00 +0000

0x00 – Prologue
#

Sometimes a CTF throws everything at you: logic bugs, broken binaries, half-documented APIs, and the occasional ancient Star Wars meme. NahamCon 2023 was that kind of ride. Our team, SneakBytes, dove in headfirst and came out the other side with a trail of solved challenges, caffeinated brains, and some solid lessons.

Signed Once, Loaded Twice: Plugin Signature Bypass in CodeWorks IDE

Tue, 11 Apr 2023 00:00:00 +0000

Signature Bypass in CodeWorks IDE Plugin Loader
#

Prologue: Not All Checks Are Made Equal
#

It started with curiosity, like it usually does. I wasn’t even targeting CodeWorks specifically. I was just bouncing around dev tools I had lying around — checking how they loaded plugins, how they validated them, and if they did anything… out of order.

Broken Authentication: Uncovering Twitter's OAuth Vulnerability

Fri, 07 Apr 2023 00:00:00 +0000

A technical deep dive into an authentication vulnerability in Twitter’s legacy API that allowed bypassing signature validation, exposing user data through inconsistent OAuth enforcement.

Swipe to Shell: Exploiting a Buffer Overflow in PaySafeTech Daemon

Fri, 17 Mar 2023 00:00:00 +0000

Buffer Overflow in PaySafeTech Payment Daemon
#

Prologue: The Ghost in the Machine
#

The smell of late-night coffee and burnt solder still hung in the air. It was one of those nights — quiet, focused, and laced with the promise of uncovering something… forgotten.

Escape Protocols: Get Out Series Reversals – BSidesSF 2023

Sat, 04 Mar 2023 00:00:00 +0000

Prologue — Three Layers Deep
#

When I first saw the Get Out series in BSidesSF 2023, I thought it was going to be a quick play. A warmup, a logic check, and maybe some light patching. I didn’t realize I was about to sink hours into crafting an RPC client from scratch, abusing a fresh CVE, and building an exploit chain with an old-school stack overflow.

"PetCare" – CSRF in the Admin Panel: When One Click Made You an Admin

Wed, 15 Feb 2023 00:00:00 +0000

A simple POST request without CSRF protection allowed me to trick a PetCare admin into granting me admin privileges. This writeup dives into the exploitation steps, mental process, root cause, and patching of a high-risk vulnerability in their internal panel.

Curiosity & file_id=187: My First Bug Bounty Journey with FileSharePro

Thu, 09 Feb 2023 00:00:00 +0000

Prologue — A New Hunter’s First Spark
#

They always say your first bounty feels different.
For me, it started with a file URL. Not a secret admin panel or a vulnerable upload endpoint. Just a link:
https://filesharepro.com/download?file_id=123

Reverse Prophecy: Unraveling the Magic 8 Ball – Flare-On 2022

Fri, 11 Nov 2022 00:00:00 +0000

Prologue — Binary Fortune Telling
#

It was deep into the evening when I first ran the Magic 8 Ball binary. The kind of binary that greets you with a friendly UI — asking questions like it’s all innocent. But in the back of my head, I knew this wasn’t just a game of chance.

About

Mon, 13 Jun 2022 20:55:37 +0100

Hello! My name is Vaishnav and I specialize in proactively identifying, exploiting, and mitigating vulnerabilities within networks, applications, and systems before malicious actors can leverage them. My interest in cybersecurity started back in 2019 when I finished watching a brilliant TV show called Mr. Robot — turns out, diving into the world of digital anarchy ignited a passion that pushed me into ethical hacking.

Decrypting Shadows: Reversing Ransomware from CactusCon's FunWare

Mon, 07 Feb 2022 00:00:00 +0000

Prologue — Digging Through Bytes
#

I remember that lazy afternoon. Coffee was cold. The air around me was still, except for the quiet hum of my laptop. I booted up the CactusCon 2022 CTF and saw something that immediately got my attention: FunWare. A name oddly whimsical for what turned out to be a ransomware reversing challenge.

Blindspot – SAS CTF 2025

0x00 – Prologue #

APISEC-CON CTF – Exception Excavation & Render Bender

0x00 – The Setup #

Haunting the Heap: Use-After-Free in AuthenKey Login Handler (x64)

Prologue — Heap Echoes in an AuthenKey Login Night #

Overflow in Silence: Stack Smash in MedBoard Log Viewer (x64)

Prologue — The Calm Before the Buffer Break #

Entropy Overload — Bcrypt Length Limits in 'Entropyyyy…' (1753 CTF 2025)

Prologue — The Noise is the Signal #

Copy, Paste, Exploit: Buffer Overflow in EduGrade Import Engine

4. Buffer Overflow in EduGrade Import Engine (x64) #

The Phantom Subdomain: How I Found Slack’s Forgotten Backdoor

Prologue — The Digital Graveyard #

Strings Unleashed: Unsafe Length Handling in BookPro Reader

3. Unsafe Length Handling in BookPro Reader (x64) #

3 AM & Phantom Requests: My Blind SSRF Journey Through Shopify's PDF Underworld

Prologue — The Accidental Discovery #

PointerOverflow CTF 2024 – DF

0x00 – Prologue #

JWT Hunt – Iron CTF 2024

0x00 – Prologue #

Binary Badlands – HTB University CTF 2024

0x00 – Prologue #

ZKPoF – HITCON CTF 2024

0x00 – Prologue #

Phantom Libraries: DLL Hijacking in OfficePort Scheduler

Prologue — The Ghost in the Folder #

Coffee, Curiosity & an API – JWT 'alg:none' Exploit in HealthTrack

Prologue: Coffee, Curiosity & an API #

One by One – LA CTF 2024

0x00 – Prologue #

LocalNews and the Whispering Header - SQLi in a Forgotten Log

Prologue — When Headers Speak #

Heap Drift: Misaligned Write in SafeMail’s Attachment Parser

Prologue #

Racing the Kernel: Use-After-Free in SnapBackup.sys

Prologue — Ring-0 and the Need for Speed #

The Anatomy of a Clickjacking Vulnerability: A Trello Deep Dive

Stacking Bytes: Heap Overflow in PrintSecure’s Spooler

Prologue — Midnight Layers & Metadata Games #

Hard Forensics – BlackHat MEA Quals 2023

Delegatecall Drains & Solidity Sleight — Paradigm CTF 2023

Prologue — Solidity’s Footgun #

TaskMaster – How an Avatar Became a Cookie Monster

Prologue — Of Avatars and Curiosity #

Overflowing Authority: Stack Smash in LocalAdminTool.exe

Prologue — Pipes, Stacks, and Hidden Elevation #

Chaining Control: ROP Exploitation in HealthDesk Report Viewer

Prologue — CSVs, Gadgets & Shells #

Encrypted Mail – DUCTF 2023

Echoes of Control: Format String Exploit in DevMon

Prologue — Strings, Stacks, and Legacy Tricks #

From Blob to Boom: Insecure Deserialization in FinPro CRM

Insecure Deserialization in FinPro CRM Client (x86) #

Prologue: Old Habits, Unsafe Casts #

Silent Payloads: DOM-Based XSS in PayPal’s Checkout

Silent Payloads: DOM-Based XSS in PayPal’s Checkout #

12:57 AM and a Concurrency Fault: How I Exploited Uber’s Coupon Redemption Logic

Prologue: 12:57 AM #

Signed to Compromise: Kernel Overflow in XLogDriver.sys

Signed Driver Exploit in XLogDriver.sys (x64 Kernel) #

Prologue: A Signed Invitation to Ring-0 #

NahamCon CTF 2023 – Multiple Challenges

0x00 – Prologue #

Signed Once, Loaded Twice: Plugin Signature Bypass in CodeWorks IDE

Signature Bypass in CodeWorks IDE Plugin Loader #

Prologue: Not All Checks Are Made Equal #

Broken Authentication: Uncovering Twitter's OAuth Vulnerability

Swipe to Shell: Exploiting a Buffer Overflow in PaySafeTech Daemon

Buffer Overflow in PaySafeTech Payment Daemon #

Prologue: The Ghost in the Machine #

Escape Protocols: Get Out Series Reversals – BSidesSF 2023

Prologue — Three Layers Deep #

"PetCare" – CSRF in the Admin Panel: When One Click Made You an Admin

Curiosity & file_id=187: My First Bug Bounty Journey with FileSharePro

Prologue — A New Hunter’s First Spark #

Reverse Prophecy: Unraveling the Magic 8 Ball – Flare-On 2022

Prologue — Binary Fortune Telling #

About

0x00 – Prologue
#

0x00 – The Setup
#

Prologue — Heap Echoes in an AuthenKey Login Night
#

Prologue — The Calm Before the Buffer Break
#

Prologue — The Noise is the Signal
#

4. Buffer Overflow in EduGrade Import Engine (x64)
#

Prologue — The Digital Graveyard
#

3. Unsafe Length Handling in BookPro Reader (x64)
#

Prologue — The Accidental Discovery
#

0x00 – Prologue
#

0x00 – Prologue
#

0x00 – Prologue
#

0x00 – Prologue
#

Prologue — The Ghost in the Folder
#

Prologue: Coffee, Curiosity & an API
#

0x00 – Prologue
#

Prologue — When Headers Speak
#

Prologue
#

Prologue — Ring-0 and the Need for Speed
#

Prologue — Midnight Layers & Metadata Games
#

Prologue — Solidity’s Footgun
#

Prologue — Of Avatars and Curiosity
#

Prologue — Pipes, Stacks, and Hidden Elevation
#

Prologue — CSVs, Gadgets & Shells
#

Prologue — Strings, Stacks, and Legacy Tricks
#

Insecure Deserialization in FinPro CRM Client (x86)
#

Prologue: Old Habits, Unsafe Casts
#

Silent Payloads: DOM-Based XSS in PayPal’s Checkout
#

Prologue: 12:57 AM
#

Signed Driver Exploit in XLogDriver.sys (x64 Kernel)
#

Prologue: A Signed Invitation to Ring-0
#

0x00 – Prologue
#

Signature Bypass in CodeWorks IDE Plugin Loader
#

Prologue: Not All Checks Are Made Equal
#

Buffer Overflow in PaySafeTech Payment Daemon
#

Prologue: The Ghost in the Machine
#

Prologue — Three Layers Deep
#

Prologue — A New Hunter’s First Spark
#

Prologue — Binary Fortune Telling
#

Prologue — Digging Through Bytes
#