Josh

1.5K posts

Josh

@boredpentester

Embedded device security researcher / VR / Pwn2Own

Katılım Eylül 2018

783 Takip Edilen1.2K Takipçiler

Sabitlenmiş Tweet

Josh@boredpentester·22 Eki

The story of how I almost pwned the Lexmark Postscript stack for Pwn2Own 2025... And I would have gotten away with it too, if it hadn't been for those meddling firmware updates! boredpentester.com/pwn2own-2025-p…

English

114

15.1K

Josh@boredpentester·3d

'You're absolutely right...'

English

454

Josh@boredpentester·4d

@h0mbre_ Windows 11 is only $30k I think as well...

English

558

h0mbre@h0mbre_·4d

kvm at pwn2own is only $50k, that is surprising to me. maybe im just ignorant, but seems like a super hard target

English

118

12.3K

Josh retweetledi

dex@dexhorthy·10 Mar

Here’s what’s gonna happen: - you replace your code review with feedback loops (sentry, datadog, support tickets, etc) - you stop reading the code - software factory fixes everything - one day something breaks at 3am, agent can’t fix it - nobody’s read the code in 3 months - you have 3 weeks of downtime trying to re-onboard and fix it - you lose significant % of your contracts and users - your company is now dead

dex@dexhorthy

@gregpr07 this may surprise you that thus is coming from me but I think we’re in for a 1-3 year period where stuff might break at 3am and if you’re relying on loops to fix it and nobody understands what’s under the hood, you’re looking at an existential threat to your company

English

258

567

6.9K

588K

Josh retweetledi

0xor0ne@0xor0ne·6 Mar

Exploiting the Synology BeeStation (BST150-4T), CRLF injection, auth bypass, and SQLite injection to RCE (CVE-2024-50629~50631) kiddo-pwn.github.io/blog/2025-11-3… Credits @kiddo_pwn @infosec

English

162

8.3K

Josh@boredpentester·6 Mar

So cool 🔥

Buzzer@buzz3r_

I decided to try out agentic coding/reversing, so I’m releasing a project that assists with reverse engineering in both Binja and IDA Pro. It’s an agent, not an MCP, that support multiple providers, it has some interesting features such as code exploration github.com/buzzer-re/Riku…

English

928

Josh@boredpentester·5 Mar

@HaifeiLi How did I miss this! Was it recorded?

English

270

Haifei Li@HaifeiLi·4 Mar

ZXX

101

7.1K

Josh@boredpentester·22 Şub

@LiveOverflow /me bookmarks

English

619

LiveOverflow 🔴@LiveOverflow·22 Şub

After a long pause, a new video coming today! Part 1 of small documentary about Pwn2Own…

English

514

24.1K

Josh@boredpentester·22 Şub

@thedawgyg @devs_lyfe May I ask, how much time was spent on this in terms of initial setup, bug finding, triage, and exploit development? Just trying to get a feel for how much time investment it takes to find a bug (first part) and then demonstrate exploitably (second part)

English

dawgyg - WoH@thedawgyg·21 Şub

@devs_lyfe yea i spent significantly more time on this than i normally do on a bug for any bounty program, so my ROI here is very far from the ~$1000/hr I try to maintain when hacking.

English

dawgyg - WoH@thedawgyg·21 Şub

$18,000 for my first ever Google bounties isn't bad I suppose... but the amount of work it took for these 2 specific issues, it deff feels like its lower than it should have been. Gonna ask for some clarity on the reasoning behind the amounts and see what they say.

English

217

8.8K

Josh@boredpentester·20 Şub

If like me , you're reading a blog post and sometimes struggle to fully grasp how the heap overflow is achieving its primitives, ask Claude to produce you a JAX diagram to visualise it for you! Here's Claude walking through Synacktiv's recent LFH strategy when escaping VMWare:

English

2.3K

Josh@boredpentester·14 Şub

A fair critique of LLMs in general I think we can agree with

Charbel-Raphael@CRSegerie

In my experience, Gemini deep research is not very corrigible, it's like a bulldozer that eats a gargantuan amount of papers, but is quite hard to steer, and you have little visibility A few specific pain points: - It doesn't seem to differentiate well between low-quality and high-quality sources, which I suspect is a major driver of the few hallucinations I've seen - It's good for literature reviews, but poor at flagging epistemic uncertainty, when you're on the frontier of knowledge, you need the tool to tell you "this is contested" or "evidence is thin here," not just confidently synthesize everything flat - Last time I checked, it was impossible to copy the output with citations and links intact, which should be straightforward to fix

English

436

Josh@boredpentester·9 Şub

@alexjplaskett It is very similar but with target specific guidance, verifiers, tools and usage guidance adapted towards ARM and emulation, as opposed to JS bugs. I've been running it against bugs I've written exploits for in the past and it's doing OK so far!

English

Alex Plaskett@alexjplaskett·9 Şub

@boredpentester Ok cool, so your setup is similar to the below but without an initial trigger file? github.com/SeanHeelan/ana… Yeah it’s pretty interesting, have been having some findings.

English

152

Josh@boredpentester·9 Şub

ChatGPT 5.2 versus a known (fixed) JBIG2 bug in Lexmark. I gave it no PoC file, just well RE'd code, struct layouts, high-level guidance and RCA. It has got most of this right, and achieved the primitive I asked for having overwritten a function pointer.

English

1.3K

Josh@boredpentester·9 Şub

@alexjplaskett Yes, this is a single agent running in a Docker container with access to the target rootfs, pwndbg, qemu-user etc, as well as vulnerability details, a verifier and an export of the vulnerable library from IDA (post RE) via a custom exporter I built. No initial trigger file.

English

Alex Plaskett@alexjplaskett·9 Şub

@boredpentester Are you using an agent loop here with tool usage?

English

Josh@boredpentester·9 Şub

For clarity, the image above is the LLM's analysis output, not my input.

English

207

Josh@boredpentester·9 Şub

As above, I did have to give it high quality code decompilation, including structure layout, target specific guidance in terms of how to run, robust verification scripts (otherwise it absolutely will solve the wrong problem) and detailed tool usage instructions.

English

214

Josh@boredpentester·9 Şub

However; The LLM didn't need the 2-4 hours I did to learn about the JBIG2 format, the different segment headers and their meaning. My token use was 9M tokens (approx $3.50).

English

215

Josh retweetledi

Atum@Atuml1·6 Şub

What Do Opus 4.6's 500 Zero-Days Mean for Us? atum.li/en/blog/opus-4…

English

104

9.3K

Josh@boredpentester·7 Şub

@dguido @SIGKITTEN What do you look for in candidates re their use of AI? I've found myself iterating, at first I was using ChatGPT projects with IDA exports to assist my RE flows, and now agents with containers to do VR on ARM, but I still feel like I'm missing tricks compared to others!

English

Dan Guido@dguido·6 Şub

@SIGKITTEN Huge difference in job applicant pool out there right now. Lots of people's exposure to AI is "I have copilot at work." Not sure I can work with people like that! The mere fact of using Cowork + 1 connector puts a candidate in top position with us.

English

1.1K

SIGKITTEN@SIGKITTEN·6 Şub

I keep seeing stuff like this, YC did that recently too, I think and I don't get the point of it. The conversations I consider impressive depend so much on the exact date that it just seems like it'd be random noise. Like, I had sessions autonomously solving crackmes with sonnet-3, which was pretty impressive at the time. But if you look at them now, you'd be like "well duh ofc it can do that"

Dan Guido@dguido

@trailofbits If you want your application to impress us, write in with a Claude/ChatGPT conversation you're particularly proud of

English

4.3K

Keşfet

@h0mbre_ @kiddo_pwn @infosec @HaifeiLi @LiveOverflow @thedawgyg @devs_lyfe @alexjplaskett