Call4pwn

121 posts


@call4pwn

Software Engineer | Cybersecurity Specialist | Pwn/RE | CTF Player @0xfun

Joined September 2022
36 Following, 32 Followers
Call4pwn retweeted
MiloTruck @milotruck
stuxf @stuxfdev

We at @verialabs built an autonomous CTF agent in a weekend and won 1st place at @BSidesSF 2026, solving all 52/52 challenges. It races multiple AI models (Claude, GPT-5.4) in parallel, each in isolated Docker sandboxes with full CTF tooling. A coordinator LLM reads solver traces and sends targeted guidance to stuck agents. As AI gets better at finding and exploiting vulnerabilities, we think it's important to understand exactly how good it is and where it fails. github.com/verialabs/ctf-…

Call4pwn retweeted
Coffin @lostsec_
The hype around Claude Code security will fade in a few months, just like what happened with Xbow AI. AI tools can assist, but they can’t replace human creativity, intuition and real attacker mindset. In bug bounty hunting, the edge still belongs to humans who think differently.
Call4pwn @call4pwn
The immediate result is a General Protection Fault right on demand. From there, getting an LPE by overlapping a cred struct on the freelist is basically just a game of Heap Feng Shui.
Call4pwn @call4pwn
Wrote up my full analysis (from NDSS 2026) at a fresh Linux 7.0-rc2 build. Since KCFI is basically killing traditional control-flow hijacks, DOP via the SLUB allocator is definitely the new meta. byteco.dev/posts/dirtyfre… #Linux #Kernel #NDSS #C
Call4pwn @call4pwn
The best part? If you have an OOB write, you don't even need to fake execution anymore. In the post, I walk through isolating the object in the physmap and simulating the corruption with pwndbg. Just destroy the IPC queue, and watch free_msg()->call kfree() right on your payload.
Call4pwn @call4pwn
Honestly, struct msg_msg in the kmalloc-1024 cache is still the perfect target for this. Unlike msg_queue, it somehow dodged the __randomize_layout mitigation in 7.0-rc2. If you can corrupt a single qword (the next pointer at offset 0x20), you completely own the free path.
Call4pwn @call4pwn
They're stealing the best feeling from this world: being stuck, struggling for hours in the debugger, understanding the memory, and finally breaking the exploit yourself. Solving something just by making good prompts isn't playing CTFs. 🚩
Call4pwn @call4pwn
I'm not against AI. But when you see them throw the binary at the LLM, they don't even understand the vulnerability, and then they open a support ticket in the middle of a CTF because the generated script doesn't give them the flag... it's incredibly frustrating.
siunam @siunam321

I started playing CTFs in 2022, and LLMs definitely changed the **competitive** CTF scene a lot, especially since mid-2025. I also started using LLMs in late 2025. Yes, those models did one-shot many challenges, but what's the fun of slopping them? I learned absolutely nothing 🥲

Call4pwn @call4pwn
This is especially noticeable in pwning or reversing. An AI can tell you "there's an overflow here," but it won't build the ROP chain, adjust heap offsets, or bypass mitigations if you don't understand the fundamentals. Blindly running Python scripts isn't hacking.
Call4pwn @call4pwn
Doing that disrespects the author's time and those who are truly racking their brains to analyze. And be warned: the day this generation encounters a strict on-site CTF without AI, they'll be staring at the terminal, clueless.
Call4pwn @call4pwn
The post breaks down the theory and has a working prototype in C: manual patching of opcodes at the bit level and direct block chaining to bypass the dispatcher.
Call4pwn @call4pwn
I wrote about the internal architecture of Dynamic Binary Instrumentation (DBI) engines and how to build one from scratch for ARM64 using pure C. When standard tools create a lot of noise in memory, it's time to go down to the JIT level. byteco.dev/posts/arm64-db… #Reversing #C
Call4pwn @call4pwn
The direct consequence is the geometric explosion of instructions (N = A + B + 1). Isolating the context (GPRs, SIMD, NZCV) around a single opcode costs ~50 actual instructions. This overhead of O(1) to O(n) is the technical basis for timing-based avoidance.
Call4pwn @call4pwn
Implementation requires translating these short jumps into runtime multi-instruction springboards: inverting logical conditions, using temporary registers (X16/IP0), and loading 64-bit inline literals to force absolute jumps.
Call4pwn @call4pwn
The fundamental problem in AArch64 when hooking/DBI is PC-relative addressing. If you allocate a Code Cache with mmap and copy instructions like B.EQ or ADRP, the offset limit (e.g., ±1MB) causes them to point to invalid memory.
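As an added example (not the author's prototype and not code from the byteco.dev post), here is the translation the last two tweets describe, in C: a B.cond whose imm19 (±1MB) would point into invalid memory once copied into an mmap'd code cache becomes an inverted-condition hop over an LDR X16 / BR X16 springboard carrying the absolute target as an inline 64-bit literal, and an ADRP becomes a literal load into its destination register. Encodings follow the Armv8-A instruction set; the function names `relocate_pcrel` and `relocated_word` are chosen here, and the sample instruction words are constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* Sign-extend the low `bits` bits of v. */
static int64_t sext(uint64_t v, unsigned bits) {
    uint64_t m = 1ULL << (bits - 1);
    return (int64_t)((v & ((1ULL << bits) - 1)) ^ m) - (int64_t)m;
}

/* Store a 64-bit literal as two little-endian words so it can sit inline in the cache. */
static void put_lit64(uint32_t *out, uint64_t v) {
    out[0] = (uint32_t)v;
    out[1] = (uint32_t)(v >> 32);
}

/* Translate one PC-relative instruction originally fetched from `orig_pc` into a
 * position-independent springboard written to `out` (must hold >= 5 words).
 * Returns the number of 32-bit words emitted, or 0 if `insn` is not handled here. */
size_t relocate_pcrel(uint32_t insn, uint64_t orig_pc, uint32_t *out) {
    if ((insn & 0xFF000010u) == 0x54000000u) {          /* B.cond, imm19 words (+-1MB) */
        unsigned cond = insn & 0xF;
        uint64_t target = orig_pc + ((uint64_t)sext((insn >> 5) & 0x7FFFF, 19) << 2);
        size_t n = 0;
        if (cond < 0xE) {                               /* AL/NV need no hop */
            /* Inverted condition (cond ^ 1) skips the springboard: 5 words from here. */
            out[n++] = 0x54000000u | (5u << 5) | (cond ^ 1u);
        }
        out[n++] = 0x58000050u;                         /* LDR X16, [PC, #8]  (IP0 scratch) */
        out[n++] = 0xD61F0200u;                         /* BR  X16                         */
        put_lit64(out + n, target); n += 2;             /* absolute target, inline literal */
        return n;
    }
    if ((insn & 0x9F000000u) == 0x90000000u) {          /* ADRP Xd, imm21 pages (+-4GB) */
        unsigned rd = insn & 0x1F;
        uint64_t imm = ((insn >> 29) & 3) | (((insn >> 5) & 0x7FFFF) << 2);
        uint64_t page = (orig_pc & ~0xFFFULL) + ((uint64_t)sext(imm, 21) << 12);
        out[0] = 0x58000040u | rd;                      /* LDR Xd, [PC, #8] */
        out[1] = 0x14000003u;                           /* B +12: hop over the literal */
        put_lit64(out + 2, page);
        return 4;
    }
    return 0; /* B, BL, ADR, LDR (literal) and friends need their own translators */
}

/* Convenience for inspection: the i-th emitted word, or 0 if unhandled / past the end. */
uint32_t relocated_word(uint32_t insn, uint64_t orig_pc, size_t i) {
    uint32_t buf[5] = {0};
    return i < relocate_pcrel(insn, orig_pc, buf) ? buf[i] : 0;
}
```

The hop in the B.cond case is computed from the springboard's own address, so the output is valid wherever the cache page lands; the literal is the only thing that encodes the original location.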