hacking at *undisclosed*

Joined October 2013
May 26
Cool to see the N64 cartridge swap exploit finally released publicly. I originally found this back in 2024, but couldn’t publicly release it for contractual reasons. Here’s an old demo using it for region lock bypass, chained with RCE from shogihax: youtu.be/09TN1CvoWo0

May 26
Replying to @goilup
Sorry, I did not realize the reach this post would have. Here's the GitHub repo, please support the original developer: github.com/mntorankusu/N64-S…
Mar 4
… and just a couple of months later @gezine_dev managed to exploit the compiler process too! This completes the mast1c0re exploit chain for the first time, allowing for arbitrary native userland code execution on the latest PS4 / PS5 firmwares, without needing a kernel exploit
Jan 13
Very cool to see new progress with the mast1c0re exploit :)
8 Aug 2024
Interesting FreeBSD advisory: freebsd.org/security/advisor… It’s the first path traversal I’ve seen where the kernel itself is returning filenames with ../ (normally path traversal bugs are at the application-level). ‘Universal Path Traversal’ (akin to UXSS) could be a new bug class?

CTurt retweeted
15 Jul 2024
i'm excited to share Collateral Damage, a kernel exploit for SystemOS on Xbox One/Series consoles! this initial release is mostly intended for developers, but i hope people will enjoy playing around with it! writeup and more updates in the near future :) github.com/exploits-forsale/…
CTurt retweeted
27 Jul 2023
finally... hello, PS5 PSP :)
CTurt retweeted
2 Apr 2023
Part 2 - Attacking the compiler process: cturt.github.io/mast1c0re-2.… Ultimately I didn't finish the exploit, but hopefully it's still interesting, and maybe we will see a full exploit implementation from someone else in the future.

14 Sep 2022
New blog post! Part 1 in my new PlayStation hacking series: An **unpatched** PS4 / PS5 userland exploit that also allows pirating PS2 games. mast1c0re: Hacking the PS4 / PS5 through the PS2 emulator - Part 1 - Escape: cturt.github.io/mast1c0re.ht… Video demo: youtube.com/watch?v=GIl1mR0H…

23 Mar 2023
For a variety of reasons, it’s time for me to move on from the PlayStation hacking scene. I’m very thankful to have met some great people through this hobby over the years, and for the boost it’s given my security career. Some of the highlights for me were:
23 Mar 2023
mast1c0re: The first public PS4/5 userland exploit targeting a game instead of part of the operating system, making it the only one still unpatched on the latest firmware versions.
23 Mar 2023
Working with the PlayStation team through the bug bounty program and successfully being awarded several $10k bounties.
11 Mar 2022
6 months later and I’m still receiving new bounties from PlayStation. Just wanted to say: I’m very happy with my interactions with this team, and I can’t wait to disclose some of the findings!
9 Feb 2023
This will be my last month at Google! (my decision was unrelated to layoffs) So thankful to have had the opportunity to work with such incredible colleagues, and contribute to such an impactful mission. Looking forward to starting my next adventure.
24 Jan 2023
Very cool to see public reimplementations of the first part of my mast1c0re exploit chain, especially when tested on the latest PS5 firmware.
24 Jan 2023
PS5 (latest firmware) PoC for mast1c0re vulnerabilities. Arbitrary PS2 code execution and native PS5 ROP chain execution. Technical details on @CTurtE's blog post: cturt.github.io/mast1c0re.ht…
5 Sep 2022
1/ Last week I open sourced a library I wrote at Google to mitigate a class of YAML injection vulnerabilities (github.com/google/safetext).
5 Sep 2022
2/ It's a common pattern in Go code to use text/template from the standard library to produce YAML. Since text/template is just intended for plaintext manipulation and has no awareness of YAML syntax, this pattern is at high risk of injections. Example: go.dev/play/p/G1j4s_YpS0I
5 Sep 2022
3/ These YAML injection vulnerabilities can have impact as severe as Remote Code Execution! In these instances, safetext/yamltemplate can instead be used as a drop-in replacement for text/template that will refuse to return results where a YAML injection would have occurred.
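The text/template-to-YAML pattern described in the thread above, as an added example that is not part of the original posts and is not safetext's code. It uses only the standard library; the templates, the `yamlstr` helper, the key-listing check and the input are constructed for illustration, and quoting the value as a JSON string is one mitigation that assumes the consumer accepts YAML double-quoted scalars.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
	"text/template"
)

// Constructed templates: a flat YAML mapping with one untrusted field.
const unsafeTmpl = "user: {{.Name}}\nrole: guest\n"
const safeTmpl = "user: {{yamlstr .Name}}\nrole: guest\n"

// yamlString (hypothetical helper) JSON-encodes s; a JSON string is also a
// valid YAML double-quoted scalar, so newlines and quotes arrive escaped.
func yamlString(s string) (string, error) {
	b, err := json.Marshal(s)
	return string(b), err
}

// render executes src with text/template, which knows nothing about YAML.
func render(src, name string) (string, error) {
	t, err := template.New("m").Funcs(template.FuncMap{"yamlstr": yamlString}).Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, map[string]string{"Name": name})
	return buf.String(), err
}

// topLevelKeys lists the keys of unindented "key: value" lines. It is enough
// for this flat sample and is not a YAML parser.
func topLevelKeys(doc string) []string {
	var keys []string
	for _, line := range strings.Split(doc, "\n") {
		if i := strings.Index(line, ":"); i > 0 && line[0] != ' ' && line[0] != '#' {
			keys = append(keys, line[:i])
		}
	}
	return keys
}

func main() {
	payload := "alice\nadmin: true" // constructed untrusted input
	for _, src := range []string{unsafeTmpl, safeTmpl} {
		out, err := render(src, payload)
		fmt.Printf("err=%v keys=%v\n%s\n", err, topLevelKeys(out), out)
	}
}
```

With the plain template the rendered document gains a third top-level key; with the quoted field it keeps the two keys the template author wrote.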