Olivia
Online
makelaris
@makelariss
Building worlds where hackers play. 🏴
Head of CTFs @hackthebox_eu | Global cyber competitions + enterprise training | he/him
Thessaloniki, Greece
Joined July 2016
2.6K Following
1.2K Followers
5.2K Posts
Pinned Tweet
Who knew you could suffer eternal damnation by eating some space shrimps? 🦐 20 hours and counting ⏰.
You still have time to hack your way in at https://t.co/V2JOKI8lDK and claim the first🩸for my #Web challenge #ImageTok.
#HackTheBox #CyberSecurity #CyberSecurityTraining
Spent a week testing AI for vulnerability research. 14 confirmed bugs in 20 min on one target. 5% hit rate on a hardened one. Same AI, same setup. 4 approaches, what worked, what failed, why target selection matters more than model sophistication. https://t.co/R5ofHyXQem
I am releasing a new toolkit I built for IIS-based lateral movement and code execution within IIS worker pool process's memory.
Phantom ASPX Loader & PhantomLink -- a two-part toolkit for reflectively loading native DLLs into IIS w3wp.exe worker processes via ASPX.
https://t.co/EevQysfANT
Discovered 3 HTTP request smuggling vulnerabilities and 1 cache poisoning vulnerability in Cloudflare’s Pingora reverse proxy, all exploitable under the default configuration. These issues resulted in 2 Critical CVEs and 1 High-severity CVE.
https://t.co/jvvwexywg9
Who to follow
ptr-yudai
@ptrYudai
🍣🍣🍣 https://t.co/5OmzwCTPea
🍣🥺🍣 @zer0pts の猫 🐯
🍣🍣🍣 https://t.co/5OmzwCTPea
Icare
@Icare1337
Pentester at Thales CDI | OSCP | Bug Bounty Hunter | Researcher | Ethical Hacker | Honoring my father, a hacker of the early days | ckj0756 | Icare
Martin Mielke 
@xct_de
Red Teaming • Vulnerability Research • Exploit Dev • 🇩🇪|🇯🇵
🚨Ethereum Developers: you can now install your first AI Auditor in 1 minute - fully autonomous, available 24/7, with multiple sub-agent helpers. Open Source.
FREE to use (with your AI model) and already finding vulnerabilities in smart contracts. Link below🫡
New blog: Hooked on Linux — Rootkit Taxonomy, Hooking Techniques and Tradecraft
Part 1 of our Linux rootkit series exploring kernel & userland rootkits and the hooking techniques they use (syscall/function hooks, ftrace, eBPF, inline patching).
🔗https://t.co/GIAK4a9v34
Turning Almost Nothing into a Supply Chain Compromise of Angular with GitHub Actions Cache Poisoning
https://t.co/jwatPVhujC
#BugBounty
Recently my RE workflow moved into sandboxed VMs where agents have full control over the environment. I needed an MCP server that runs headless in the same sandbox and exposes way more of the #BinaryNinja API than others.
Here's the release: https://t.co/HU2Vf8Uj6T
WebSockets are not yet affected by Local Network Access permission in Chrome.
Check out this blog post from my colleague @GrumpinouT!
https://t.co/JGbv8zLa8S
A bunch of security issues I reported to better-hub. Disclosing as these should have been fixed now.
Thanks for quick fixes @bekacru
New write-up!
Bypassing egress filtering in BullFrog GitHub Action (using query pipelining feature of DNS over TCP)
(link in comment)
We disclosed a critical unauthenticated RCE chain in mcp-atlassian (4M+ downloads).
CVE-2026-27826 - SSRF via Atlassian URL headers
CVE-2026-27825 - Arbitrary file write → RCE
Fixed in 0.17.0.
Full breakdown 👇
https://t.co/KtOql88nM8
Second write-up of the day!
sudo restriction bypass via Docker Group in BullFrog GitHub Action
https://t.co/X9ux7s2NI7
Why macOS AVs shouldn’t trust PIDs 😄🍏 - new post by @Coiffeur0x90 Intego X9: XPC validation falls back to PID → PID reuse + posix_spawn() shenanigans 😏 ⇒ confused deputy / privileged methods abused 🤡🧨 Lesson: PID ≠ identity. https://t.co/kD1ju8eWNz
Just a few days later, there's the next blog post for @AikidoSecurity! Another framework-level vulnerability this time affecting Astro, resulting in SSRF if an unvalidated connection can be made to the webserver.
Read the details here:
https://t.co/hozRN3poJR
Sometimes you spot a sink and know it's vulnerable, but proving it is a challenge. @SLCyberSec's team broke through layers of crypto to reach a pre-auth deserialization sink in OpenText Directory Services. Breaking the encryption was a journey. https://t.co/f961ijdyPh
Pwning TRUfusion Enterprise again: chaining a pre-auth SSRF (CVE-2025-32355), a default password, and a path traversal (CVE-2025-59793) to gain RCE.
#security
https://t.co/kkVDeAnTVi
HonoJS JWT/JWKS Algorithm Confusion (CVEs pending)
https://t.co/odO3hHiGX6
I was looking a bit onto why OPENROWSET is able to read privileged files (like the root flag on Signed @hackthebox_eu) when using Silver tickets on MSSQL. Turns out you can get SYSTEM access without potatoes by recovering the full token. https://t.co/cd47HQLXF0
Last Seen Users on Sotwe
Inka the Impaler
Seen from United Kingdom
Ayah Harry
Seen from Indonesia
x everyday
Seen from Italy
stevencarson
Hiroki Gay Office
Seen from Vietnam
sınırsız istekler
Seen from Turkey
18Live Bigg Nipples
Seen from Pakistan
Pass Kebumen👰🤵
Seen from Indonesia
♠️ Luna ♠️
Seen from United States
Đạt Bịt Mồm
Seen from Vietnam
Most Popular Users
Elon Musk
@elonmusk
240.5M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.7M followers
Cristiano Ronaldo
@cristiano
110.3M followers
Narendra Modi
@narendramodi
107M followers
Rihanna
@rihanna
97.6M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.8M followers
KATY PERRY
@katyperry
87.5M followers
Taylor Swift
@taylorswift13
81.3M followers
Lady Gaga
@ladygaga
72.9M followers
Kim Kardashian
@kimkardashian
69.7M followers
Virat Kohli
@imvkohli
69.7M followers
YouTube
@youtube
68.7M followers
Bill Gates
@billgates
63.8M followers
The Ellen Show
@theellenshow
62.5M followers
Neymar Jr
@neymarjr
62.4M followers
CNN
@cnn
61.9M followers
X
@x
60.8M followers
Selena Gomez
@selenagomez
60.6M followers