Jaycelation

https://jaycelation.github.io/JaycelationA minimal, responsive and feature-rich Jekyll theme for technical writing. 2026-06-23T10:07:10+07:00 Jayce https://jaycelation.github.io/ Jekyll © 2026 Jayce /assets/img/favicons/favicon.ico /assets/img/favicons/favicon-96x96.png HTB Kobold Write-up: MCPJam RCE to Root2026-06-23T09:30:00+07:00 2026-06-23T10:06:11+07:00 https://jaycelation.github.io/posts/htb-kobold-writeup/ Jayce

Overview Kobold is a Linux machine that chains an unauthenticated MCPJam Inspector RCE with a PrivateBin template traversal issue and Docker abuse through Arcane. The high-level path was: VHost enum -> MCPJam unauthenticated RCE -> shell as ben -> writable PrivateBin shared volume -> PrivateBin template cookie RCE -> read PrivateBin config -> reuse password to login Arcane ...

HTB WingData Write-up: Wing FTP RCE to Root2026-06-22T17:00:00+07:00 2026-06-22T17:00:00+07:00 https://jaycelation.github.io/posts/htb-wingdata-writeup/ Jayce

Overview WingData is a Linux machine that chains a vulnerable Wing FTP Server instance with weak credential storage and a vulnerable privileged backup restore script. The high-level attack path was: Wing FTP RCE -> read application config -> extract Wing FTP user hashes -> crack wacky's password -> SSH as wacky -> abuse sudo backup restore script -> root Recon The target...

Intigriti 0626: Leaking Admin Private Notes with Reflected HTML Injection and XS-Leak2026-06-22T00:00:00+07:00 2026-06-23T09:36:27+07:00 https://jaycelation.github.io/posts/intigriti-0626-html-injection-xs-leak/ Jayce

Summary: I solved the Intigriti 0626 challenge by turning a CSP-limited reflected HTML injection in /search into an XS-Leak oracle. The final exploit redirected the admin bot to an attacker-controlled controller and leaked the admin’s private note title one character at a time. Introduction This write-up covers my solution for the Intigriti 0626 challenge. At first glance, the application l...

Intigriti 0526: Stored XSS via DOM Clobbering in the Testimonial Feed2026-05-27T10:00:00+07:00 2026-05-27T21:12:25+07:00 https://jaycelation.github.io/posts/intigriti-0526-stored-xss-dom-clobbering/ Jayce

Summary: I solved the Intigriti 0526 challenge by abusing a DOM clobbering primitive in sanitized testimonial content, turning harmless-looking anchors into a stored XSS chain. Introduction This write-up covers my solution for the Intigriti 0526 challenge, where I found a stored cross-site scripting issue in the testimonial feed. The interesting part of the bug was not a classic sanitizer b...

CVE-2026-25645: Insecure Temp File Reuse in Python Requests2026-03-25T09:00:00+07:00 2026-06-23T09:36:27+07:00 https://jaycelation.github.io/posts/cve-2026-25645/ Jayce

Vulnerability Summary: A local attacker with write access to the temporary directory could pre-create a malicious file to be reused by the requests library, leading to an integrity breach. Vulnerability Details CVE ID: CVE-2026-25645 / GHSA-gc5v-m9x4-r6x2 Severity: Moderate (4.4) CWE: CWE-377: Insecure Temporary File CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N Impact...