Happy St Patrick's day ☘

🎤👾 Introducing Hacktics and Telemetry, a bi-weekly video and audio podcast out of Rapid7 Labs, starring Rapid7's Doug McKee (fulmetalpackets) & Jonah Burgess (@cryptocat.me)! 🧵 Find episode 1's companion blog here: r-7.co/4di8tuH ▶️ Or dive right into the full vid on YouTube: r-7.co/3NiQfP2

🚨 CVE-2026-20127: Cisco SD-WAN authentication bypass. An unauthenticated attacker can inject SSH keys without crypto verification via a flawed state machine. Active exploitation by UAT-8616 since 2023 💀 Check out the full @rapid7.com analysis 👇 attackerkb.com/topics/bP3FM...

BREAKING: powerful iPhone hacking tools used by Chinese criminals originated from US defense giant L3 Harris. Their zero-click exploits went to Russian spies too. Unbelievable harm to our collective security. Scoop: @lorenzofb.bsky.social, here's why it matters 1/ techcrunch.com/2026/03/09/a...

"For the first time since we began tracking zero-day exploitation, we attributed more zero-days to commercial surveillance vendors than to traditional state-sponsored cyber espionage groups." Love to see the stats backing up my hunch. cloud.google.com/blog/topics/...

My first @metasploit-r7.bsky.social module is live! You can now exploit CVE-2026-1731 (BeyondTrust command injection) with the latest version 😎

My writeup for @intigriti.com's "InkDrop" challenge 🖋 cryptocat.me/blog/ctf/mon...

🚨 In conducting 0 day research against #Grandstream GXP1600 VoIP phones, Rapid7 Labs discovered CVE-2026-2329. The unauthenticated stack-based buffer overflow vulnerability ultimately allows an attacker to intercept phone calls and eavesdrop on audio. Read on: r-7.co/4tIzope

My writeup for the "RubitMQ" challenge by @yeswehack.bsky.social 🐇 cryptocat.me/blog/ctf/mon... #ctf #capturetheflag #bugbounty #ethicalhacking #cybersecurity #infosec #yeswehack

The voting has concluded, and we're thrilled to announce the top ten web hacking techniques of 2025! Massive thanks to everyone in the community for sharing their hard-earned discoveries, plus the panel and everyone who nominated or voted! portswigger.net/research/top...

Couldn't be more excited to announce I'm joining the vulnerability research team at @rapid7.com next week! 🥳 Really looking forward to teaming up with some seriously talented researchers and digging into real-world threats and vulnerabilities. Stay tuned 😎

My writeup for the "APICrash" challenge from @yeswehack.bsky.social 💥 cryptocat.me/blog/ctf/mon...

At least four videos show what really happened when ICE shot a woman in Minneapolis on Wednesday. DHS has established itself as an agency that cannot be trusted to live in or present reality. @evystadium.bsky.social has more. Full story by @josephcox.bsky.social: www.404media.co/dhs-is-lying...

Happy new year!! 🥳🎉

I've been working hard to move my written content from gitbook over to my own website 👷‍♂️ It's still a work in progress, but I'm pretty happy with the results so far 🙂 🔗 cryptocat.me/blog/

Wishing a very hacky christmas to all the hacker fam! 🎅

Video walkthrough for the Hacky Christmas challenge I made for #NahamCon2025 😇 youtu.be/fs9WeNkUB4M

The #NahamCon2025 CTF is over ✅ Writeups for my challs 👇 🎮 Hacky Christmas ➡ book.cryptocat.me/blog/ctf/202... 💥 VulnBank ➡ book.cryptocat.me/blog/ctf/202... 💥 Snorex 2K CCTV ➡ book.cryptocat.me/blog/ctf/202... Stay tuned for a video walkthrough of Hacky Christmas 🎅🎄

I made a couple of [easy-med] challenges for #NahamCon2025 - you've got 24 hours! 💜 🎮 ctf.nahamcon.com/hubs/hacky-c... 💥 ctf.nahamcon.com/hubs/vuln-bank 💥 ctf.nahamcon.com/hubs/snorex-... Here's a sneak peek at Hacky Christmas 🎅 Can you escape the ice box and take out 1 MILLION gingerbread men? 🎄

I also made some challenges for #NahamCon2025, hope you will check them out! 🎅

New stickers 😼

New video covering the solution to the Mother Printers challenge I created for @hackinghub.bsky.social 💜 Tried to make it as beginner friendly as possible as I know many players aren't familiar with rev/pwn 😇 youtu.be/ebNYtX_8lOY

Didn't get chance to solve my "Mothers Printers" challenge on @hackinghub.bsky.social? 🖨 Here's the official writeup ➡ book.cryptocat.me/blog/ctf/mon... Prefer video? Stay tuned for a beginner-friendly walkthrough on YT next week ▶

Time to drop a couple of hints for my @hackinghub.bsky.social challenge! 1️⃣ First flag is on the website (you need to find it before flag 3/4/5) 2️⃣ The chall is inspired by some cool research I read (go find it) Writeups will be published once we hit 10 solves ➡ app.hackinghub.io/hubs/mother-...

Congratulations to Bhavya for being the first to capture all 5 flags on my @hackinghub.bsky.social challenge! 🥳🎉 We've released a small patch. If you were stuck on flag 3, please re-download files! Good time to practice your patch-diffing 👀 app.hackinghub.io/hubs/mother-...

So, who's gonna blood my new @hackinghub.bsky.social challenge? 😼 Challenge 🔗 app.hackinghub.io/hubs/mother-... First 3 solves will earn the "Hacker Cat" role in my discord server ➡️ discord.cryptocat.me #ctf #capturetheflag #ethicalhacking #cybersecurity #infosec #offsec

The "Ultimate Calculator 3000" challenge is over! ⏳ You can watch the video walkthrough here ➡ youtu.be/lRJno96za5A I'll leave everything online for another week or so 🙂

My writeup for the September Dojo challenge on @yeswehack.bsky.social - Chainfection ⛓ The challenge combined multiple CVEs, creating a chain of vulnerabilities: SQL injection -> file write + path traversal -> SSTI (RCE) Read the full writeup ➡️ book.cryptocat.me/blog/ctf/mon...

I made a new CTF challenge! It will run until the 30th of October 🎃 There's no prizes, but the first 3 solves will earn themselves the "Hacker Cat" rank in my discord server 😸 Download "Ultimate Calculator 3000" to get started ➡ discord.cryptocat.me

Recapping Day One of #Pwn2Own Ireland 2025. Join @dustinchilds.bsky.social (and Maude) as he covers the highlights of the first day of the competition. We awarded $522,500 for 34 unique 0-day bugs, and more is to come. youtu.be/tiM_StSFvow

We just posted our AttackerKB @rapid7.com Analysis for the recent Cisco 0day chain; CVE-2025-20362 and CVE-2025-20333. Full technical root cause analysis of both the auth bypass and buffer overflow are here: attackerkb.com/topics/Szq5u...

New video looking at some interesting printer vulnerabilities, found by @stephenfewer.bsky.social (@rapid7.com) 🖨 ▶ youtu.be/--SaQKmcyiU

One week until @bsidesbelfast.bsky.social, Who's going? 👀 As always, I've got stickers - come say hi! 👋

Video walkthrough for the "Fancy Login Form" web challenge from the @why2025.bsky.social CTF 🚩 Learn how to exfiltrate data via CSS injection ➡️ youtu.be/jUjlj2z5jJk

Played the @why2025.bsky.social CTF over the weekend 💜 Here's some web challenge writeups 👇 book.cryptocat.me/ctf-writeups...

Famous beef noodle soup (broth simmering continously for over 50 years!) in one of my all time favourite cities - Bangkok! 🇹🇭 Any hackers here wanna hang out, hmu 🤙

I've done a lot of awesome hacker meetups but this one was next level! So nice to meet brutecat, dreyand and IDlSSEVERYTHING🔥 These guys have some crazy skills (and stories), hope to meet again in the future 💜

I'll be in Singapore this weekend! I know there's lots of cool hackers there so hmu if you wanna get some coffee/food/drinks 🥰

Finally back in #KualaLumpur 🙏 Meeting some of my favourite Malaysian hackers for food/drinks tomorrow night. If you wanna join, let me know! 🥰

🍉

My OSWE review, tips/tricks.. general ramblings 👀😅 youtu.be/IK4t-i5lDEs

Just finished my OSWE exam 👀 Today I write up the report.. while watching #NahamCon 😌

Here is the official writeup of my XSS challenge on Intigriti. I think it contains some fun browser trivia even for those who did not look at the chall joaxcar.com/blog/2025/05...

The legendary @joaxcar.bsky.social made a really interesting XSS challenge this month for Intigriti. My solution involved winning a race condition with 100 <iframe>s to utilize a DOM Clobbering gadget after bypassing a RegEx. Check out the writeup below: jorianwoltjer.com/blog/p/hacki...

Heading back to SE-Asia next month.. Any hackers wanna hang out? 👀 Join my discord to keep up with the travel plans / arrange meetups: cryptocat.me/discord 😇 #cybersecurity #ethicalhacking #infosec #bugbounty #ctf #asia

I'm thrilled to announce "HTTP/1 Must Die! The Desync Endgame", at #BHUSA! This is going to be epic, check out the abstract for a teaser ↓

Video walkthrough for the web challenges from Tsuku CTF 💜 youtu.be/qGd4d0zmhy8

We already know that any Web server listening on the loopback interface is a security risk, because it may be accessed by a browser or its extensions. But the impact may be way bigger if this Web server is a MCP server 😱 blog.extensiontotal.com/trust-me-im-...

Have YOU joined my discord server yet? Click the link below and let's talk about hacking stuff 💜 discord.cryptocat.me

Added a video walkthrough for the web challenges from the recent CTF@CIT 💜 youtu.be/ZBdApaw0r0M #capturetheflag #ctf #websecurity #bugbounty #cybersecurity #ethicalhacking #infosec