[CVE-2025-46661] IPW Systems Metazo - Remote Code Execution via unauthenticated SSTI

IPW Systems Metazo had an unauthenticated SSTI that led to RCE. An unprotected route would happily evaluate Smarty template language, leading directly to unauthenticated RCE.

How I suddenly attended the AWE training in London

This blog post tells the weird story of how I unexpectedly attended the training for Advanced Windows Exploitation (OSEE) in London.

My journey to OSED and concluding OSCE³

This blog post will give an insight into the world of becoming an Offensive Security Exploit Developer and concluding the journey to OSCE³.

[CVE-2023-22855] Kardex MLOG - Insecure path join to RCE via SSTI

Kardex MLOG has an insecure path join, which allows files to be included locally or from a remote SMB server. In combination with the template rendering of .t4 files, an SSTI is possible and allows for RCE. This blog post will describe how I found this vulnerability and how to leverage it to gain a reverse shell.

Can an AI design a CTF Challenge in Golang?

In this blog post I want to test the new ChatGPT AI and see if I can design a CTF challenge written in Golang, aided by the AI.

My journey to OSWE

This blog post will give an insight into the world of becoming an Offensive Security Web Expert and how it compared to OSEP.

Bug Bounty - Cross-site request forgery is a thing

In this post I will explain when CSRF can be a serious issue. I will use an example for which I got promoted $2.400 as bounty.

I hacked the German armed forces, and all I got …

This blog post will describe my adventure with the German armed forces and how I earned more than just a lousy T-Shirt. Topic: Vulnerability Disclosure Policy - Deutsche Bundeswehr

My journey to OSEP

This blog post will give an insight into the world of becoming an Offensive Security Experienced Penetration Tester as I have experienced it.

[Gophish] Sophisticated Setup

In this article I will show how to use Gophish, Caddy and Maddy with webhook to set up a complex phishing framework situation.

[goshs] Part #4 - Eyecandy, anyone?

In this blog post I will use a third-party library called parcello to embed static files into my project. I will use different JavaScript libraries and a lot of CSS to design goshs.

[goshs] Part #3 - I can haz featurez?

In this blog post I will add a few new features to our beloved goshs. I will give the user the opportunity to upload files to the current directory. I will also implement a self-signed certificate and TLS for the webserver. Finally, there will be basic authentication.

[goshs] Part #2 - Trying to achieve code quality

In this blog post I will pick up the progress of the previous post and try to achieve some kind of code quality by splitting up the code and outsourcing the handler into its own “class”.

[goshs] Part #1 - My take on SimpleHTTPServer in go

In this blog post I will describe how I replicated Python’s SimpleHTTPServer functionality in Go using only the standard libraries. This is a very technical post and will guide you through the complete implementation of it. It is aimed at Go beginners and intermediates.

[CVE-2020-14293] and [CVE-2020-14294] 2 vulnerabilities in Secure File Transfer Solution Qiata by Secudos

The Secure File Transfer Solution Qiata by Secudos suffers from two vulnerabilities. One persistent Cross-Site Scripting and one Authenticated OS Command Injection with Privilege Escalation. This post will describe the vulnerabilities in detail.

[CVE-2020-15492] INNEO Startup Tools 2017/2018 - From Path Traversal to RCE

INNEO Startup Tools has a path traversal vulnerability in versions up to 2018 M040 (13.0.70.3804). This post will show the details of the vulnerability and how to leverage it to gain RCE.