www = web web web · Staff Security Engineer @praetorianlabs · Previously 🌐 Security Researcher @starlabs_sg · Plays CTFs with HATS SG. Opinions are my own.
Check out my write-up on a seemingly harmless and limited send() in GitHub (CVE-2024-0200) and how it could be used to obtain environment variables from a production container and to achieve remote code execution in GitHub Enterprise Server:
https://t.co/jmjTTOxEGY
Happy to announce that I'll be speaking alongside @DennisPacewicz at @rubykaigi next week!
We'll be sharing some secret stories on how I gained access to production GitHub credentials using CVE-2024-0200 as well as @GitHubSecurity's remediation efforts.
https://t.co/zIHyfJ7vqZ
I just published a new blog post sharing an improved Deserialization Gadget Chain for Ruby!
It builds on the work of others, including Leonardo Giovanni, Peter Stöckli (@GHSecurityLab) and @wcbowling.
https://t.co/mzXQnA691O
Thrilled to release my latest research on Apache HTTP Server, revealing several architectural issues! https://t.co/7ygwWXY0pd
Highlights include:
⚡ Escaping from DocumentRoot to System Root
⚡ Bypassing built-in ACL/Auth with just a '?'
⚡ Turning XSS into RCE with legacy code from 1996
🚨 New Blog Alert! 🚨
Can an attacker execute commands by sending JSON? Learn how unsafe deserialization vulnerabilities in Ruby can be exploited and how they can be detected with CodeQL.
🔗 Read the full post: https://t.co/tdumVwrfKC
Stay safe and code responsibly! 🛡️💻
My colleague @hash_kitten and I discovered a full-read SSRF vulnerability in Next.js (CVE-2024-34351). We published our research today on @assetnote's blog: https://t.co/pUXGG64B0O. Thank you to the Vercel team for a smooth disclosure process.
Here is my deep-dive post on #github Actions cache poisoning. This is a powerful build pipeline lateral movement and privilege escalation technique, and I used it to earn several thousand 💰 in #bugbounty rewards.
https://t.co/7S5MjdP2Wc
Send()-ing Myself Belated Christmas Gifts - GitHub's Environment Variables & GHES Shell
https://t.co/g9d3kOA04o
Read about how one of our talented researchers, @Creastery, found it, exploited it and reported it in a fast and professional manner.
Route to Safety: Navigating Router Pitfalls is the swansong from @daniellimws
https://t.co/QOqAkOhHMz
We hope everyone enjoyed his informative post and wish him all the best in his future endeavours.
Off-by-One 2024 Conference CFP is now open! Be part of a historic event and shape the future of offensive security in this region.
Submission and speaker benefits https://t.co/96khe0PVR2
If you'd like to talk to us, drop us a line at [email protected]
CVE-2024-0200 An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. This vulnerability could lead to the execution of… https://t.co/lZu3ul2tNo
@adnanthekhan @infernosec @GitHubSecurity Seconded on fixing this insecure default config -- I've already tried pushing for this multiple times but to no avail.
This is one of the most insane bugs I've discovered, but it all happened at a really inopportune time. 😥
Shoutout to all the Hubbers who got involved and had been working tirelessly on this since the Christmas/New Year period! 🙏
We received a bug bounty report of a vulnerability which, if exploited, allowed access to credentials within a production container. We have patched https://t.co/0iKPk2jtk4 and rotated all affected credentials, and patches for GHES are available today. https://t.co/5youY6yNTA