Exploiting HTTP Request Smuggling in Node.js and Gunicorn

In this blog post, we discuss two vulnerabilities that were identified during my research on HTTP Request Smuggling:

Node.js - CVE-2023-30589
Gunicorn - CVE-2024-1135

May 11, 2024

/2024/05/11/Exploiting-HTTP-Request-Smuggling-in-Node.js-and-Gunicorn/ Yadhu Krishna M

Web Exploitation

PyCGI: From Nginx Path-Traversal to RCE; bi0s CTF 2022

This year I contributed 2 challenges to bi0s CTF (formerly InCTF Internationals).

EmoLocker (Server-Side)
PyCGI (Client-Side)

In this post, we discuss the intended solution to PyCGI challenge. The source code of this challenge can be downloaded from here.

# Analysis

We are provided with 2 attachments for this challenge:

Dockerfile
Nginx.conf

Looking into the Nginx configuration, we can find that there is a potential path traversal in the /static endpoint. You can read more about this here.

January 19, 2023

/2023/01/19/PyCGI-From-Nginx-Path-Traversal-to-RCE-bi0s-CTF-2022/ Yadhu Krishna M

Web Exploitation

Unlocking the EmoLocker: bi0s CTF 2022 - Author’s Writeup

In this post, we discuss the solution to EmoLocker challenge from bi0s CTF 2022. The source code of this challenge can be downloaded from here.

# Analysis

Upon opening the challenge link, we are presented with a lockscreen that uses emojis instead of numbers. The page has two features: register and login. Additionally, there is an admin bot, which suggests that the challenge may involve client-side concepts.

January 19, 2023

/2023/01/19/Unlocking-the-EmoLocker-bi0s-CTF-2022-Authors-Writeup/ Yadhu Krishna M

Web Exploitation

A Timeline of Growth: Reflections on the Past, Present and Future

As I look back at my three and a half years at Amrita University and Team bi0s, I can’t help but feel a sense of nostalgia. Join me as I take a trip down memory lane, and reflect on the experiences, lessons, and achievements that have shaped me into the person I am today.

# 🚌 Journey so far..

As I reflect on the past few years, I am struck by the impact that time has had on me. I have grown and changed in ways I never could have imagined. My experiences at Amrita and Team bi0s have helped me to broaden my perspective and gain a deeper understanding of the world around me. I am proud of the progress I have made, both academically and personally, and acknowledge that there were times when I felt lost and uncertain. But it was during those moments that I learned the value of taking a step back, re-evaluating my goals and redirecting my efforts.

November 13, 2022

/2022/11/13/A-Timeline-of-Growth-Reflections-on-the-Past-Present-and-Future/ Yadhu Krishna M

Life

#Life

A tale of HTML Injection to Account takedown at Exercism.org

# About Exercism

Exercism is an online platform that helps people upskill their programming skills through practice and mentoring. They are an open-source organization with over 200 GitHub repositories, thousands of contributors, and a friendly, inclusive community.

I came to know about the platform in 2018 when my mentor - Vipin Pavithran asked me to improve my coding skills by practicing on Exercism.

Exercism is an amazing platform to learn to code. It has got an amazing set of challenges and a huge variety of learning tracks.

November 5, 2022

/2022/11/05/A-tale-of-HTML-Injection-to-Account-takedown-at-Exercism.org/ Yadhu Krishna M

Web Exploitation

to old posts