Mikhail Firstov

1K posts

Mikhail Firstov

@cyberpunkych

Security Researcher

Москва, Россия Katılım Ekim 2014

718 Takip Edilen1.2K Takipçiler

Sabitlenmiş Tweet

Mikhail Firstov@cyberpunkych·13 Şub

English slides available here speakerdeck.com/fbkcs/dns-rebi…

FBK CyberSecurity@fbk_cs

Наша новая статья уже на хабре! В ней мы рассказываем об атаке DNS Rebinding, ее актуальности в 2к19 и о том, как стать параноиком просто сидя в интернете через обычный веб-браузер. По мотивам доклада с прошедшей в ноябре конференции @offzone_moscow. habr.com/ru/company/fbk…

English

Mikhail Firstov retweetledi

hacker.house@hackerfantastic·5 Oca

Quake III Arena Directory Traversal & Arbitrary File Read Vulnerabilities (0day) github.com/hackerhouse-op…

hacker.house@hackerfantastic

Happy New Fear. #2026

English

206

55K

Mikhail Firstov retweetledi

maple3142@maple3142·5 Ara

A POC for CVE-2025-55182 gist.github.com/maple3142/48bc…

English

430

549.6K

Mikhail Firstov retweetledi

Awais Nazeer@awais0x1·3 Eyl

Facebook Messenger Remote code execution Worth a $111,750 Video Poc Here: youtube.com/watch?v=wvywPU… Report: vulnano.com/2025/09/remote… @Google @intigriti

YouTube

English

490

28.1K

Mikhail Firstov retweetledi

Orange Tsai 🍊@orange_8361·20 Ağu

Turns out my #PHRACK article is live! 🔥 > The Art of PHP — My CTF Journey and Untold Stories! Kinda a love letter to those CTF players & PHP nerds! Hope all the credit goes to the right ppl. Also huge thanks to @0xdea for not forgetting me, @guitmz for the edits, and the @Phrack crew for keeping it real! 🎉 #article" target="_blank" rel="nofollow noopener">phrack.org/issues/72/5_md…

English

221

902

64.7K

Mikhail Firstov retweetledi

ϻг_ϻε@steventseeley·19 Ağu

As it turns out, @orange_8361 and I have more in common than I had thought! If you love old school PHP quirks and CTF tricks I recommend you read our articles: #article" target="_blank" rel="nofollow noopener">phrack.org/issues/72/5_md… #article" target="_blank" rel="nofollow noopener">phrack.org/issues/72/6_md…

English

258

23.5K

Mikhail Firstov retweetledi

Kirill Firsov@k_firsov·5 Haz

My research on CVE-2025-49113 is out. fearsoff.org/research/round…. Happy reading! #CVE #roundcube #poc @FearsOff

English

334

32.7K

Mikhail Firstov retweetledi

Sergey Bobrov@Black2Fan·20 Mar

I have published a tool based on jadx that helps analyze Java applications. github.com/BlackFan/BFScan BFScan generates HTTP requests and OpenAPI specs based on config files and class/method annotations. It also searches strings that look like URIs, paths, or secrets.

English

121

443

24.2K

Mikhail Firstov retweetledi

Alisa Esage Шевченко@alisaesage·23 Mar

It took 3 years but finally I feel ready to release my Pwn2Own 2021 exploit code. 💖 Video talk covers my full research workflow, from attack surface modeling and reverse engineering, to vulnerability discovery and systematic exploit engineering, enjoy! #Pwn2Own

Zero Day Engineering@zerodayalpha

Release: VM Escape Exploit for Parallels Desktop Hypervisor (Pwn2Own 2021) zerodayengineering.com/research/pwn2o… A virtual machine escape exploit will typically require kernel privileges in the guest OS. In this exploit I chose to offload the reverse-engineered toolgate protocol implementation to a Python module, while keeping my low-level kernel code minimal, just enough to implement the attack interface - a nod to the principle of least privilege in systematic software engineering, which we miss a lot in non-trivial exploit development. -- @alisaesage

English

101

678

161.1K

Mikhail Firstov retweetledi

Timur Yunusov@a66ot·13 Haz

Gosh, look what I found! youtube.com/watch?v=EeGpPD… @theRaz0r @cyberpunkych

YouTube

English

570

Mikhail Firstov@cyberpunkych·20 Kas

@LittleJoeTables @dyn___ Ah, got it. What about AXFR records? There is also research about it - defensive-security.com/blog/meterpret…

English

Mikhail Firstov@cyberpunkych·20 Kas

@LittleJoeTables @dyn___ What about using DNSKEY or IPv6 records for data transfer? It’s better than classic TXT records, for example working meterpreter dns transport - 2017.zeronights.org/wp-content/upl…

English

Mikhail Firstov retweetledi

PT SWARM@ptswarm·20 Eki

🚨 New article: "WinRAR’s vulnerable trialware: when free software isn’t free" by our researcher @Psych0tr1a. In this article, we show how vulnerabilities in trialware could beсome a gate for hackers. swarm.ptsecurity.com/winrars-vulner…

English

158

Mikhail Firstov retweetledi

FBK CyberSecurity@fbk_cs·26 Kas

Ущерб от киберпреступлений в 2021 году достигнет 6 трлн. долларов: Александр Черненко @fbk_cs и Роман Чаплыгин @ptsecurity на «Неделе МСФО и управленческого учета» conf.msfo1.ru рассказали о новом подходе в кибербезопасности, который может изменить прогнозы для бизнеса.

Русский

Mikhail Firstov retweetledi

PT SWARM@ptswarm·6 Eki

⚡️New DNS Out-of-Band vector for MSSQL Injections in SELECT statement! Can be used for completely blind #sqli. Use fn_trace_gettable and #Burp Collaborator👍. #ptswarmTechniques

English

361

882

Mikhail Firstov retweetledi

Jake Miller@theBumbleSec·8 Eyl

Excited to share my latest research! h2c smuggling: request smuggling via HTTP/2 cleartext. Leveraging TCP tunnels provided by HTTP/1.1 upgrades, we can initiate h2c connections directly with compatible back-end services, bypassing proxy access controls. labs.bishopfox.com/tech-blog/h2c-…

English

313

700

Mikhail Firstov retweetledi

Sergey Bobrov@Black2Fan·20 Ağu

Did you know that browsers support multiple Content-Type in HTTP response header? Content-Type: text/plain; x=x, text/html, foobar More tricks in my content-type research github.com/BlackFan/conte…

English

240

654

Mikhail Firstov@cyberpunkych·25 Tem

@DedPerded1988 @Alexlogachev1 Яндекс стабильнее и лучше всего себя показывает на рынке.

Русский

Mikhail Firstov retweetledi

FBK CyberSecurity@fbk_cs·23 Tem

Очень давно от нас не было вестей, но мы вернулись с новой статьей в журнале "Хакер"! В этот раз будет описано подробное прохождение машины "Sunset: decoy" c сайта VulnHub. xakep.ru/2020/07/23/sun…

Русский

Mikhail Firstov retweetledi

Pavel Zhovner@zhovner·21 Tem

Hey @stripe and @kickstarter Can someone please explain why our company verification documents are being rejected without any clear answer? We try all formats (PDF, JPG, PNG) and all possible resolutions. Support from both sides does not response for a several days!

English

208

Keşfet

@Google @intigriti @0xdea @guitmz @Phrack @orange_8361 @FearsOff @theRaz0r