Safflower

Project

• CanHackMe

  Offensive Security Wargame Service.

  • https://canhack.me
  • https://github.com/pendoubleg/canhackme

  2018.07. - 2020.06.

• SolveMe

  Offensive Security Wargame Service.

  • http://solveme.kr
  • https://github.com/pendoubleg/solveme

  2016.08. - 2018.11.

Participation

• Cyber Conflict Exercise 2020, Finalist

  Participated as team 이천쌀콘팬클럽

  2020.10.29. - 2020.10.29.

• 사이버보안 빅데이터 챌린지 2019, Finalist (Track 6)

  Participated as team ‘or’1’=’1

  2019.10.04. - 2019.11.08.

• Cyber Conflict Exercise 2019, Finalist (Blue team)

  Participated as team Re: 오타쿠모임

  2019.10.29. - 2019.10.30.

• DEFCON 27 CTF, Finalist

  Participated as team SeoulPlusBadAss

  2019.08.08. - 2019.08.10.

• Harekaze CTF 2019, 1st place

  Participated as team Yokosuka Hackers

  2019.05.18. - 2019.05.19.

• TSG CTF 2019, 4th place

  Participated as team $wag

  2019.05.04. - 2019.05.05.

• NEWSECU WINTER CTF 2019, 2nd place

  Participated as team $wag

  2019.01.28. - 2019.01.29.

• InterKosen CTF 2019, 3rd place

  Participated as team KimchiPower

  2019.01.18. - 2019.01.20.

• Cyber Conflict Exercise 2018, Finalist (Red team)

  Participated as team 오타쿠모임

  2018.10.29. - 2018.10.30.

• CTFZone 2018, Finalist

  Participated as team GoGiSaJo

  2018.07.21. - 2018.07.22.

• DIMI CTF 2018 Online, 2nd place

  Participated as team st4rburst

  2018.06.17. - 2018.06.17.

• Harekaze CTF 2018, 3rd place

  Participated as team SeoulWesterns

  2018.02.10. - 2018.02.11.

• Christmas CTF 2017, 1st place

  Participated as team 박광호 1인팀

  2017.12.25. - 2017.12.26.

• Layer7 CTF 2017, 1st place (Adult)

  Participated as team 뉴올리언스 치킨버거 + 올엑스트라

  2017.09.22. - 2017.09.24.

• 제1회 서울아이티고등학교 해킹방어대회, 2nd place (Adult)

  Participated as team Safflower

  2017.09.22. - 2017.09.23.

Provision

• Layer7 CTF 2019

  • error

  2019.10.06. - 2019.10.07.

• Power of XX 2019 Quals

  • babyauth

  2019.10.05. - 2019.10.05.

• 20th HackingCamp CTF

  • babyphp
  • eval

  2019.08.24. - 2019.08.25.

• CodeGate CTF 2019 Finals

  • Wordict

  2019.03.26. - 2019.03.27.

• 19th HackingCamp CTF

  • usersearch

  2019.02.16. - 2019.02.17.

• Power of XX 2018 Finals

  • Sign in Me

  2018.11.08. - 2018.11.08.

• Power of XX 2018 Quals

  • es
  • iframe

  2018.10.13. - 2018.10.13.

• Layer7 CTF 2018

  • meow
  • msg
  • url_routing

  2018.09.15. - 2018.09.16.

• 18th HackingCamp CTF

  • alert
  • html
  • SQR
  • url_routing

  2018.09.01. - 2018.09.02.

Exploitation

• SuNiNaTaS, SuNiNaTaS

  • Arbitrary Private Post Read
  • Post Deletion CSRF
  • Comment Deletion CSRF
  • Post Deletion CSRF
  • Logout CSRF
  • Reflected XSS
  • Arbitrary Notice Post Write

  Reported directly to SuNiNaTaS (Hall Of Fame)

  2019.

• Chromium, Google

  • XSS Auditor Bypass

  Reported directly to Google (Report)

  2019.04.18.

• Naver Search, NAVER

  • Reflected XSS

  Reported to KISA (KVE-2019-0677)

  2019.

• Naver Search, NAVER

  • Reflected XSS

  Reported to KISA (KVE-2019-0676)

  2019.

• Asked Website, Asked

  • Stored XSS

  Reported directly to Asked

  2018.

• HackerSchool Website, HackerSchool

  • SQL Injection

  Reported directly to HackerSchool

  2018.

• Dothome Web Hosting, DOTHOME

  • Local Privilege Escalation
  • Remote Code Execution

  Reported directly to DOTHOME

  2018.

• Gnuboard5, SIR

  • User Account Leak
  • Remote Code Execution

  Reported to KISA (KVE-2018-0510)

  2018.

• Youngcart5, SIR

  • SQL Injection

  Reported to KISA (KVE-2018-0405)

  2018.

• Gnuboard5, SIR

  • Reflected XSS
  • Remote Code Execution

  Reported to KISA (KVE-2018-0379)

  2018.

• Gnuboard5, SIR

  • Reflected XSS
  • Remote Code Execution

  Reported to KISA (KVE-2018-0366)

  2018.

• Gnuboard5, SIR

  • Reflected XSS
  • Remote Code Execution

  Reported to KISA (KVE-2018-0358)

  2018.

• Gnuboard5, SIR

  • Reflected XSS
  • Remote Code Execution

  Reported to KISA (KVE-2018-0356)

  2018.

• Youngcart5, SIR

  • Reflected XSS
  • Remote Code Execution

  Reported to KISA (KVE-2018-0346)

  2018.

• Gnuboard5, SIR

  • User Account Leak

  Reported to KISA (KVE-2018-0109)

  2018.

• Youngcart5, SIR

  • SQL Injection

  Reported to KISA (KVE-2018-0102)

  2018.

• Youngcart5, SIR

  • SQL Injection

  Reported to KISA (KVE-2018-0101)

  2018.

• Gnuboard5, SIR

  • Session ID Hijacking

  Reported to KISA (KVE-2018-0013)

  2018.

• Gnuboard5, SIR

  • Reflected XSS
  • File Inclusion

  Reported to KISA (KVE-2017-1047)

  2017.

• Naver Whale, NAVER

  • XSS Auditor Bypass

  Reported to KISA (KVE-2017-1040)

  2017.

• Naver Whale, NAVER

  • XSS Auditor Bypass

  Reported to KISA (KVE-2017-1034)

  2017.

• Gnuboard5, SIR

  • Board Admin Privilege Escalation

  Reported to KISA (KVE-2017-1029)

  2017.

• Maps Marker Pro WordPress Plugin, Maps Marker

  • Arbitrary File Deletion

  Reported to HackerOne (Report)

  2017.11.14.

• Maps Marker Pro WordPress Plugin, Maps Marker

  • SQL Injection

  Reported to HackerOne (Report)

  2017.10.08.

• Maps Marker Pro WordPress Plugin, Maps Marker

  • SQL Injection

  Reported to HackerOne (Report)

  2017.09.27.

• Maps Marker Pro WordPress Plugin, Maps Marker

  • SQL Injection

  Reported to HackerOne (Report)

  2017.09.26.

• Maps Marker Pro WordPress Plugin, Maps Marker

  • SQL Injection

  Reported to HackerOne (Report)

  2017.09.26.

• Maps Marker Pro WordPress Plugin, Maps Marker

  • SQL Injection

  Reported to HackerOne (Report)

  2017.09.26.

• Maps Marker Pro WordPress Plugin, Maps Marker

  • SQL Injection

  Reported to HackerOne (Report)

  2017.09.26.

• Naver Blog, NAVER

  • Clickjacking

  Reported directly to NAVER

  2016.

• Naver Cafe, NAVER

  • Spoofing Grade

  Reported directly to NAVER

  2015.

• XpressEngine, XEHub

  • Stored XSS

  Reported to KISA (KVE-2014-0083)

  2014.

Presentation

• SQL Injection Attack & Defense, TeamLog of Sunrin Internet High School

  2018.09.03.

• Web Application Exploitation, Nefus of Sunrin Internet High School

  2018.08.18.