Hello strangers 👋

In this blog, we will cover on php template using Twig and how SSTI works. We will go deep dive on every single version of Twig to understand how researcher craft their payload to get RCE, arbitrary file read and etc.

This problem occurs when user input is passed directly to unserialize() function. We will learn how to invoke deserialization without using unserialize() function.

Create obfuscated webshell using emoji in php.

Before we jump into format string vulnerability, we better try to undertand about format specifier in C. In this lesson, we will going through certain thing about format specifier and how to create our own custom printf

TCP1PCTF was organized by Indonesian and it was opened to anyone. The challenge is solely focus on exploiting deserialization vulnerability and how to chain the gadget to get code execution.