Hank Chen

@_twinklestar03 @scwuaptx Congrats!

It's been a pleasure working with the legendary Angelboy @scwuaptx Getting the chance to work alongside someone I've admired ever since I first stepped into the pwnable feels surreal!

The glibc cycle continues lol.. Unsafe -> implement safety features -> safety features slow -> circumvent safety features in order to get speed -> unsafe github.com/shellphish/how…

played DiceCTF quals and managed to blood the kernel pwn challenge and won the $150 bounty! check out the writeup: kqx.io/writeups/corne…

We partnered with Mozilla to test Claude's ability to find security vulnerabilities in Firefox. Opus 4.6 found 22 vulnerabilities in just two weeks. Of these, 14 were high-severity, representing a fifth of all high-severity bugs Mozilla remediated in 2025.

I found a vulnerability in Oracle VirtualBox (CVE-2026-21957) back in September 2025. It can be turned into AAR/AAW, and then escaping the VM is pretty easy. I originally planned to find a vulnerability for Pwn2Own, but since I found the vuln in September, sitting on a practical vuln for that long didn’t feel very ethical, so I eventually reported it to ZDI. But I still finished the exploitation + demo video as practice.

Verified! @hank0438 of InnoEdge Labs exploited an exposed dangerous method against the Alpitronic HYC50 – Lab Mode, earning $40,000 USD and 4 Master of Pwn points. #Pwn2Own #P2OAuto

Just published an IDA plugin: HappyIDA Built with @h3xr4bb1t and @scwuaptx , and I’ve been using it in my daily reversing work for 1~2 years. There’s still a lot to do, but it felt like the right time to make it public, so we’re more likely to fix things (and hopefully some kind stranger will help us) It’s fancy, but not that fancy. Honestly, IDA Pro would be better if they adopted some of these ideas. There is no complex algorithms, no timeless debugger, no symbolic execution, but just a bunch of tiny features that have already helped me speed up reversing a lot. (The screenshot shows the origin of the project and the first feature I implemented: parameter labeling. @h3xr4bb1t later made it much more powerful. The SEH highlighter was made by @scwuaptx, and the SEH rebuilder was made by @h3xr4bb1t) github: github.com/HappyIDA/Happy…

Found a great blog about my vulnerability! Besides tech things, there are also some interesting stories that I might share at the conf in the future 😆

"Windows has a design flaw in driver validation. If certificate revocation checks fail or time out (which happens often), Windows assumes the certificate is fine and loads the driver anyway."🥴 source: linkedin.com/pulse/heartcry… news.sophos.com/en-us/2025/08/… IOCs: github.com/sophoslabs/IoC…

Holiday CTFs are here! Intro video about Advent of Code and my approach this year. (And check out flagvent.org and the Sans Holiday Hack as well). youtube.com/watch?v=JmiunE…

@pwncollege is doing Advent of Pwn ! Everyone should check it out 🤓 We’re excited to announce that our first-ever Advent of Pwn kicks off on Sunday, November 30, 2025 at 7:00 PM (in 5 days) at pwn.college/advent-of-pwn!

My estimation is that MTE will be bypassed by the end of the year. ismtebypassed.com Since Apple invested 100s+ man years in MTE, this will hopefully be the final attempt to secure the OS on their own and will finally open up the platform to more eyes. #FreeTheSandbox

If you wanted to show a party trick to your friend or just leak kernel addresses via admin privileges you can use this repository: github.com/Idov31/EtwLeak… Since it can only leak addresses and only using administrative privileges, it isn't breaking a security boundary. 1/3

kernelCTF: CVE-2025-38477 kernelCTF entry for a race condition in the network scheduler subsystem. Most notably, shows a technique of putting controlled data into unmapped sections of vmlinux. github.com/n132/security-…

I think this is kinda neat. Wanted an alternative to calling NtContinue so I created this small (and incomplete) stand in function that will populate the registers I care about and then pivot to Ctx->Rip via ROP

I bypassed user approvals and achieved RCE in VS Code Copilot by flipping 4 bits. Find out how: jro.sg/CVEs/copilot/ Thanks to @msftsecresponse for rapidly triaging and patching this vulnerability.

PAC, BTI, and relative vtables bypass by @bruce30262 (HITCON CTF 2025) bruce30262.github.io/hitcon-ctf-202… #infosec #ctf

This is interesting. Ntdll has a whole bunch of 16-byte aligned (and thus CFG-compatible) jmps to function pointers stored in .mrdata (all resolving to User32 funcs). Most have zero references, jmp inst or the fp, and the fp's can be overwritten without triggering copy-on-write

💡Striking! #Pwn2Own newcomer @hank0438 of InnoEdge Labs flash a light bulb on and off the show he exploited the Phillips Hue Bridge. He's off to the disclosure room to enlighten us on how he did it. #P2OIreland

✨Confirmed! Hank Chen (@hank0438) of InnoEdge Labs used an auth bypass and an OOB write to exploit the Phillips Hue Bridge. Their second round win nets them $20,000 and 4 Master of Pwn points. #Pwn2Own