Swissky's Lab

LeHack 2025 - PayloadPLZ

Swissky — Sun, 29 Jun 2025 00:00:00 +0000

Last weekend, I took part in the LeHack 2025 event in Paris. As always, the challenges hosted by YesWeHack were top-notch and full of valuable learning opportunities. This year's highlight was crafting a polyglot payload capable of triggering in 13 different contexts, including SQL injection, XSS, Bash command execution, and more.

Anatomy of Pokemon glitches

Swissky — Wed, 02 Oct 2024 00:00:00 +0000

Digging into the anatomy of Pokemon Yellow glitches, or how to impress your school friends during break time.

SSRFmap - Introducing the AXFR module

Swissky — Thu, 13 Jun 2024 00:00:00 +0000

After reading a great blog post about a CTF challenge where you had to chain several SSRF to get the flag, I took some time to improve SSRFmap, fix the bugs and merge the Pull Requests. Then I implemented a new module called axfr</code> to trigger a DNS zone transfer from the SSRF using the gopher protocol. This blog post is about my journey on implementing it.



Ph0wn CTF 2019 - Flag Digger
Swissky — Sun, 04 Feb 2024 00:00:00 +0000
TLDR: It's never too late to try to solve an old challenge. This blog post is a quick writeup of a challenge from the Ph0wn CTF 2019 where you were given a small chip and you had to extract the flag from it.</p>
</p>


DLS 2024 - RedTeam Fails - "Oops my bad I ruined the operation"
Swissky — Mon, 15 Jan 2024 00:00:00 +0000
Recently I had the pleasure to give a rump during the "Drink Love Share" meet organized by TheLaluka</a>. This blog post will delve deeper into the topic.</p>
</p>
This rump told the tale of a little Dino starting in the red team industries.</p>


Offensive Nim - Auto Obfuscate Strings with Nim's Term-Rewriting Macros
Swissky — Fri, 30 Sep 2022 00:00:00 +0000
TLDR: Use nim-strenc</code>, or read below to discover how to write your own Nim macro.</p>
![NimMacro]({{ site.baseurl }}/images/OffensiveNim/nimlang.png)</p>
Lately I discovered the repository Yardanico/nim-strenc</a>, you can use it very easily in your Nim code by importing strenc</code>.

Let's try it on this simple example. First you need to install the package using this command: nimble install strenc</code></p>


STHACK2022 - Catch the bird, a trip from web to IRL
Swissky — Sat, 21 May 2022 00:00:00 +0000

Challenge author: ajani</li>
Category: web</code>, physical</code></li>
</ul>
The challenge started with the following Post Card</p>
![Post Card]({{ site.baseurl }}/images/STHACK2022/sthack2022_post-card.png)</p>


FCSC - CTF Writeup
Swissky — Sun, 26 Apr 2020 00:00:00 +0000
FCSC - FRANCE CYBERSECURITY CHALLENGE 2020</h2>
Some writeups of severals web challenges from the FCSC 2020</a>.</p>
</p>


DVID - Damn Vulnerable IoT Device
Swissky — Thu, 26 Dec 2019 00:00:00 +0000
Who ever wanted to learn about Hardware Hacking ? I found this small opensource IoT hacking</strong> learning board while I was in a security event. It is designed by @vulcainreo</a> and cost around 45€, more than 300 units were shipped around the world.</p>
Let's dig into this awesome project and clone the git : https://github.com/Vulcainreo/DVID.git</code> !</p>
</p>


Ph0wn CTF 2019 - Smart Devices CTF
Swissky — Sat, 14 Dec 2019 00:00:00 +0000
Another week another CTF, this time it was the Ph0wn</a> at Sophia Antipolis (France). I teamed up with members from @Maki</a>, @iansus</a>,  @MansourCyril</a> and @0hax</a>. We reached the second place</strong> of this IoT/Hardware CTF.</p>
![Banner]({{ site.baseurl }}/images/Ph0wn/Ph0wnBanner.png "Banner"){: .center-image }</p>
Writeups' challenges</h2>

Rookie - Sunny day</a></li>
Hardware - Ant-Maker</a></li>
Misc - Compromised Sensor</a></li>
Misc - Domotics</a></li>
Crypto - Shamir Quest</a></li>
</ul>


HIP19 Writeup - Meet Your Doctor 1,2,3
Swissky — Sat, 22 Jun 2019 00:00:00 +0000
Last wednesday I was in the Hack In Paris event for the 3rd time. As always there were some great conferences and challenges, and a new competition called "Hacker Jeopardy" which was very fun! During the Wargame I focused my time on Web challenges based on the graphql</code> technology which was new to me, you will find below my writeups for the Meet Your Doctor</code> challenges.</p>
![HIP Wargame 2019]({{ site.baseurl }}/images/HIP19/hip19_wargame.png "HIP Wargame 2019"){: .center-image }</p>


UYBHYS - Sea Monster Attack & Defense CTF
Swissky — Sat, 22 Jun 2019 00:00:00 +0000
Last week-end I teamed up with members from Aperikube</a> for an Attack/Defense CTF which took place in Brest - France. In this "small" blog post I will write about this experience, the challenges and our methodology :)</p>
![Banner]({{ site.baseurl }}/images/SeaMonster/SeaMonsterBanner.png "Banner"){: .center-image }</p>


SIGSEGV1 Writeup - MD Auth
Swissky — Sun, 23 Dec 2018 00:00:00 +0000
Let's talk about the "MD Auth" challenge, I admit I started with this challenge thinking it would be about "Markdown". I was wrong but it was nonetheless interesting to solve.</p>


An XSS Story
Swissky — Tue, 14 Aug 2018 00:00:00 +0000
Last night I stumbled across an XSS in a bug bounty program, this was quite fun to exploit.</p>


WHID Injector - Tips and Tricks
Swissky — Thu, 18 Jan 2018 00:00:00 +0000
What is it ? The WHID Injector is USB Key which act as a remote keyboard. Basically it sets up a Wifi Access Point where you can connect and send whatever you want on the machine. It also has a Rubber Ducky payload converter, an exfiltrated data tab and many more.</p>
What can I do ? Everything you could do with a keyboard plugged into a computer, for example : using WHID Toolkit</a> you can spawn a reverse-shell :D</p>
Where to buy a WHID Injector ? I got mine from Aliexpress</a>, it's also available on ebay around 15+ $ ;)</p>


French Croissant - or why you need to lock your computer
Swissky — Wed, 08 Nov 2017 00:00:00 +0000
Last year the first day of my internship I was given a computer and asked to install and secure it for two days. After that delay anyone can try to attack and compromise my machine, and if so I was welcome to buy some "French Croissants" to the team while the attacker explain his method to get access into your computer the next morning.
There are some techniques you need to be aware of when you're securing your machine, the list below is not exhaustive.</p>


ECW CTF - Web Writeups
Swissky — Tue, 07 Nov 2017 00:00:00 +0000
Challenges's Writeup - Online Prequals</h2>

Web 50 - Hall of Fame</a></li>
Web 100 - Pass Through</a></li>
Web 150 - GoldFish</a></li>
Web 175 - Magic Car</a></li>
</ul>

Swissky's Lab

LeHack 2025 - PayloadPLZ

Anatomy of Pokemon glitches

SSRFmap - Introducing the AXFR module

Ph0wn CTF 2019 - Flag Digger

DLS 2024 - RedTeam Fails - "Oops my bad I ruined the operation"

Offensive Nim - Auto Obfuscate Strings with Nim's Term-Rewriting Macros

STHACK2022 - Catch the bird, a trip from web to IRL

FCSC - CTF Writeup

FCSC - FRANCE CYBERSECURITY CHALLENGE 2020</h2> Some writeups of severals web challenges from the FCSC 2020</a>.</p> </p>

DVID - Damn Vulnerable IoT Device

Ph0wn CTF 2019 - Smart Devices CTF

Writeups' challenges</h2> Rookie - Sunny day</a></li> Hardware - Ant-Maker</a></li> Misc - Compromised Sensor</a></li> Misc - Domotics</a></li> Crypto - Shamir Quest</a></li> </ul>

HIP19 Writeup - Meet Your Doctor 1,2,3

UYBHYS - Sea Monster Attack & Defense CTF

SIGSEGV1 Writeup - MD Auth

An XSS Story

WHID Injector - Tips and Tricks

French Croissant - or why you need to lock your computer

ECW CTF - Web Writeups

Challenges's Writeup - Online Prequals</h2> Web 50 - Hall of Fame</a></li> Web 100 - Pass Through</a></li> Web 150 - GoldFish</a></li> Web 175 - Magic Car</a></li> </ul>

FCSC - FRANCE CYBERSECURITY CHALLENGE 2020</h2>
Some writeups of severals web challenges from the FCSC 2020</a>.</p>
</p>

Writeups' challenges</h2>
Rookie - Sunny day</a></li>
Hardware - Ant-Maker</a></li>
Misc - Compromised Sensor</a></li>
Misc - Domotics</a></li>
Crypto - Shamir Quest</a></li> </ul>

Challenges's Writeup - Online Prequals</h2>

Web 50 - Hall of Fame</a></li>
Web 100 - Pass Through</a></li>
Web 150 - GoldFish</a></li>
Web 175 - Magic Car</a></li> </ul>