Zeyu (Zayne) | @[email protected]
@zeyu2001
Followers
2K
Following
5K
Media
212
Statuses
837
building AI hackers @hacktronai | CS @Cambridge_Uni | freelance @cure53berlin (prev: @tiktok_us, OGP) | CTFs @Water_Paddler & @seetf_sg (DEF CON 31-32🥈)
Joined September 2021
I'm co-founding a company with @S1r1u5_ and @rootxharsh. The problem is simple:. 1. The world is writing more code than ever, and the number of insecure systems is exploding. 2. It is much easier for AI to find vulnerabilities than to secure code, so the capabilities of threat.
12
14
190
people either love or hate my laptop keyboard when they see it
26
14
683
My slides from today's talk about Static Program Analysis. I go into how data flow analysis (like taint propagation in CodeQL) works from first principles - should be digestible with some first-year university maths knowledge.
1
35
161
Unrelated to the corCTF challenge, I was writing about "same-site leaks" using <object>. Maybe I should write something new now that there's the corCTF challenge 🤔.
6
30
131
#OSWE certified!. Was a really fun challenge, and I actually learnt new techniques from the exam boxes! My advice is to just treat it like a CTF 😅
16
2
119
@intigriti jquery.query-object is vulnerable to prototype pollution. The descriptor object doesn't define the value property so we can pollute descriptor.value. __proto__[value]=true&cmd=alert(document.domain).
5
6
77
time flies. I crossed 1,000 reputation on @Hacker0x01? I remember almost giving up last year after my first 5 findings were all duplicates lol
3
3
79
Wrote many interesting challenges for SEETF this year. Some highlights:. • 0day SSRF bypass in PlantUML.• Client-side desync.• XS-Leak by abusing Chrome's URL length limits.• WASM buffer overflow. Challenge sources and solutions: Thanks for playing!.
0
9
80
I will never be 21 and whining about CTF infrastructure from a luxury suite in Vegas with my teammates again. Earlier this month, I participated in the DEF CON 31 CTF and Midnight Sun CTF. This post serves as proof that I touched grass along the way.
1
2
79
> giving a CS tech talk on static code analysis next week.> struggled to find a good demo.> decided to just write some random codeql query, and combine with to find specific type of vuln on popular github projects.> found xss in project with 78k+ stars 🙃.
1
1
73
why bother finding 0days to make CTF challenges when you can just pretend there's a 0day and wait for the participants to find one.
5
5
67
it's official - Cambridge has approved my year off. I'll spend fall 2025 to 2026 on my own terms. I don't really have much of a plan except that I'll be building. hopefully it'll be something big. or maybe I'll fail miserably. who cares. I haven't felt this alive in long.
7
0
65
I stepped out of my comfort zone and gave my first live-audience conference presentation at @BSidesLondon today!. Thank you @roachy and the rookies team for getting me settled in and easing my nerves! I'm really excited to try speaking to a larger audience in the future.
5
1
64
offsec/vr is really fun as a hobby, but quickly gets dull as a job. much of my past year has been spent on finding a good balance, but now I've discovered so many other hobbies that I don't spend much time hacking things anymore. maybe I'll find that spark again at defcon?.
4
1
61
I made some slides on the DEFCON qualifiers web challenges for some singapore students. I'm too lazy to make writeups sooo.
3
9
59
Hey, I now own I'm also revamping my personal website and thought it made sense to write my first post about where I am in life right now and why I'm taking a step back from popping shells for now!.
4
4
51
deleted this because it was a "0day" but author said it's fine so it's back - AsmBB XSS to RCE from hxp CTF 2023 (credit to great teammates).
2
11
49
being in academic environments has always been hard for my mental health, but i was always too afraid to admit it. cambridge is not easy, it has taken a toll on my mental health, and i'm finally willing to admit it. so excited to see a therapist for the first time in my life.
2
0
48
ez rce in 10 seconds with python. while True:. print("root@pentagon~$ ", end=""). os.system(input()). BOOM rooted 🔥🔥🔥. subscribe to my udemy course and patreon for more tips & tricks. #bugbountytips #rce #0day.
5
3
46
I'm an @offsectraining User Generated Content (UGC) author! Recently submitted a machine, Charlotte, based on some security work I did last year. Can't wait for people to try it on Proving Grounds and untangle Charlotte's "web" 🌐 of vulnerabilities!
1
5
43
Giving a 45 minute talk on modern client-side web security tomorrow. Fun stuff from novel XS-Leaks to the insecure mess of browser extensions. I'm totally not preparing my talk as I'm typing this.
Check out the line-up of exciting talks for #pwnEd5 Get your ticket by Monday 11th March
1
0
43
An introduction to CodeQL and data flow analysis.
0
7
43
Thank you @PortSwigger for the swag! Proud to be one of the first 100 people to be #burpsuitecertified.
2
1
41
"Smuggler" and "Wild DevTools" from @BSidesTLV_CTF are the best web CTF challenges I've played in a long time - can't wait to write these up!
5
8
43
gg! guess I can finally say I'm a dEFcOn CtF 2023 finAlIsT. artifact bunker and brinebid were decent web challenges, we don't talk about raw water
3
0
43
local CTF drama is rookie shit compared to codegate drama.
1
0
42
@BSidesLondon @roachy I spoke about XS-Leaks on the modern web. Slides from today are available at
0
7
40
I wish there was something like CTFs (for security hiring) for SWE hiring that isn't leetcode. .
2
0
39
Great to see CTFers getting the recognition they deserve. Something like this coming from government is truly rare.
Cybersecurity is not just about protecting individuals; it is also critical to national security. #Taiwan will continue to foster top cybersecurity talent that helps us build a more secure & resilient country that is trusted worldwide.
1
1
40
Wrote up some interesting web challenges from HackTM CTF by @WreckTheLine. Pretty cool stuff - I found an unintended solution to "secrets" and some weird Chrome behaviours along the way.
2
5
37
This is my last week securing the kids dancing app. Super grateful to the people who took a chance on me, offering me a pre-uni internship. During my time here, I found 50+ vulnerabilities and worked on cool projects. Excited to start a new chapter - back 2 school after 3 years!.
1
1
39
In 2022:. - got accepted into my dream uni.- found my first CVEs.- gave my first conference talk (albeit on Zoom).- got my OSWE.- lined up an internship for next year.- @seetf_sg hosted our first CTF (!). Super grateful for the opportunities & can't wait for what 2023 holds 💙🤞.
2
0
36
I barely have any time to play CTFs (or do any kind of self-learning for that matter, outside of exam revision) nowadays. Ironically I find myself looking forward to the end of the AY to start learning things I care about, instead of random physics applications of vector calc etc.
1
0
37
I wrote a web challenge this year. Enjoy 😬.
🚀 ACSC 2024 (Asian Cyber Security Challenge) is Happening!🚀. 📅 March 30-31, 2024 🌟 Mark your calendars!. 🔜 Registration opening soon. Don't miss out!. More details here ▶️ #ACSC2024 #CyberSecurity #SaveTheDate.
0
0
35
Scored a first blood on the last CTF on the last day of 2022. Happy new year all!🥳
4
1
34
writing a webassembly challenge calls for some soju.
1
1
33
We got 2nd place! Really fun first-time hacker summer camp experience, and had lots of fun meeting teammates for the first time. Thanks to everyone who came down. With this experience I'll be more confident next year 💪
0
0
34
having to mention "cybersecurity conference" to US immigration after getting selected for TSA's "SSSS" extra screening is a traumatising experience I won't wish upon my worst enemy.
4
0
32
clearing out my room and found some stuff lying around, told my parents to have fun with them and they came up with this. it's so cute 🥺
1
0
33
no crazy request smuggling 0days this year, but I wrote some (hopefully) interesting web challenges. come play this weekend!.
3
2
34
CVE-2022-25763 and CVE-2022-28129, discovered while writing the SEETF request smuggling challenges :).
1
1
32
the amount of security knowledge I've learnt from random chinese blogs back in my CTF days is actually insane. although I always feel ashamed when I have to click on the "translate" button. (sorry mom).
1
1
32
IMO, someone who plays CTFs / does bug bounties / reported legitimate CVEs >> someone who has every cert but does not do any of these. After from the HR screen it doesn't really do much. Of course if someone else (like employer) pays for it then yeah it's worth the effort.
3
0
32
can't believe the first time I'm seeing northern lights is in. Cambridge
2
0
30
hear me out if everyone merged into 10 teams for defcon ctf we can all go.
2
0
31
Finally got around to doing this! No more stickers collecting dust, and no more saying goodbye to stickers when replacing laptops :)
3
1
30
been a while, finally farmed another 2 CVEs. these were from the challenge I wrote for SEETF23.
0
0
30
Honestly it's finally dawning on me that I'm actually starting a CS degree at Cambridge in a month's time. 2 years ago I got rejected from almost every US school I applied to. The process was so draining and demoralising that I didn't even want to try studying overseas anymore.
6
0
31
Going back home to 🇸🇬. Can't believe the CTF world tour coming to an end. I had so much fun 😭 how am I gonna get used to being a normal person again.
0
0
29
I used to do ctf every weekend and get burnt out, now I do ctf once every 3 months and ride the dopamine rush to 2nd place 🤷♂️.
MOCA CTF Quals is over!. Here are the teams who swore the most against our absolutely non-cursed challs. Seems like MarcoG is not the only author to cause PTSD, web authors really need to touch the grass. Very hard, with the face. See you in Pescara, arrosticini are waiting!
1
0
30
10,000 likes and I'll drop out of Cambridge tomorrow
10,000 likes and i'll quit my software engineering job at google tomorrow
2
1
29
be careful what you ask for.
where web.
2
1
28
I averaged 1 country per month this year. 🇸🇬🇯🇵🇰🇷🇷🇴🇺🇲🇩🇪🇸🇪🇮🇸🇬🇧🇮🇹🇫🇷🇲🇹.
2
0
28
Won 2nd place at a hackathon today as a solo team. Honestly, I think solo-ing a hackathon is a great experience to do once, just to test your skills & limits - never doing it again though. 😴.
1
1
28
well. I'm finally done with summer 2025 applications. lost out on my dream company unfortunately but got a role I'm pretty happy with :)
1
0
26
Some interesting challenges from niteCTF:. Protip for all future subdomain takeover challenges - make sure your exploit page path isn't guessable, or someone (definitely not me) is gonna steal your flag 😅.
0
3
24
Returning to college after three years in the military taught me valuable skills, but also revealed a major gap in the tools available for STEM students. Existing note-taking apps just didn’t cut it. So I built something I would want to use. (It does not have any AI in it, wow!).
Introducing EurekaPad: the note-taking app tailored for STEM students. Lightning-fast, runnable code blocks, interactive graphs, intuitive LaTeX math editor, and audio transcription. Because smart people deserve smart tools. Try it for yourself:
7
1
26
I'm ashamed to admit it but I once hoarded flags for a CTF. Please give me my UK visa.
2
0
25
my 3am brain's thoughts on regular expressions:.
0
0
25
100% recommend driving 8 hours from vegas nerd fest to touch grass at yosemite!
0
1
24
guess i have a company now. life is strange.
3
1
22
had a 6 hour layover at Helsinki, where I did 3 CSAW quals challs 🧊
0
0
23
meeting crazyman irl is a life-changing experience.
Nice day in NUS and we got 1st in greyhat CTF 2023 Final.Meanwhile I'm really happy to see friends onsite :D.Thanks for the organizers of greyhat CTF 2023 final.Challenge are interesting and great!
2
0
22
Kind of strange flying 15 hours to get to Taiwan, when my home is only 4 hours away. Anyway I'm here for HITCON!
0
0
22
So, SEETF 2023 went really well. But it's missing one thing. One of the best things about CTFs is being able to meet talented individuals in person, and we want to do that with SEETF. Here comes the problem - hosting an on-site CTF is hard, even more so for a small team like us.
1
0
22
I love my team I love my team I love my team I love my team I love my team I love my team I love my team I love my team
3
1
22
since this year's defcon finals weight is 34, this means that @cursedCTF has the potential to be 73% as significant as defcon finals
0
1
20
After semi-tryharding some H1 programs over the past few weeks, I finally feel comfortable displaying this valuable skill on my LinkedIn profile. Truly an incredible skill to learn. More to come!
2
0
21
it's the time of the year again where I'm designing the ctf platform and I'm once again reminded of how much I hate css.
1
1
21
It's a wrap for SEETF 2022! Here's something I wrote from a CTF-organisational point of view. It also talks a bit about our challenge infrastructure, which I was in charge of:. If anyone is interested!.
3
1
21
got all the flags for my OSWE! 24 hours left to tidy up my exploit scripts and take all the screenshots I need 😋.
0
0
21
Christmas in Malta with Friendly Maltese Citizens (and Friendly U.S. Citizens and Friendly Greek Citizen)
0
0
21
crazy how life changes with a set of carefully placed bets, and how much luck there is involved due to information assymetry. didn't think much of taking the SG military up on their offer to do what seemed like a crazy 9 month training program, but I didn't know when I signed the.
0
2
20
ctf burnout is real, maybe I'll just hibernate until defcon.
2
0
20