Web App Hacking (Preferably) | RED TEAMER 🟥 | Cybersecurity YouTuber | r007 youtube.com/@ctf-sec

Joined June 2013
Built a vulnerable e-commerce app for pentesters and AppSec engineers to hack legally. 40 vulns. OWASP Top 10 (2025) LLM Top 10. Hack it live or spin it locally with Docker. pwnshop.ctfsecurity.com github.com/r007sec/pwnshop #AppSec #BugBounty #OWASP
If it doesn't include Mythos 5 am not installing 😂
Holy cow Unlimited AI usage!!!! Just run GPT_Claude_Free.exe as admin
Olajeedae Jr 🇳🇬 retweeted
I don't understand. Anthropic have access to Mythos level AI models internally and not even those models could tell them how to implement a nationality level block on their user base. 😭😭😭 So much for AGI.
We got a glimpse of the future. and then it was gone.
They gave us a god-tier AI on Monday. By Friday, they shut it down.
As a result of a US government directive, we are suspending access to Claude Fable 5 for all users. You can continue to use all other Claude models. Here's what this means for you: Across Claude products, new sessions will run on your selected default model or Opus 4.8, and existing Fable 5 sessions will end with an error. On the Claude Platform, requests to Fable 5 will also return an error. Please update your integrations to other Claude models. We know this is a disruption to your workflows; we appreciate your patience and support.
Olajeedae Jr 🇳🇬 retweeted
npm finally killed postinstall and preinstall scripts, THANK GOD, so I wrote an obituary for npm's worst feature which will finally die in v12
Olajeedae Jr 🇳🇬 retweeted
i hooked my whoop to my work calendar to find which coworker gives me the most stress 🚨 thanks to fable, I reverse engineered whoop to pull per minute heart rate. and matched spikes with cal events and attendees I now have a leaderboard and I think about it daily. few info masked for obvious reasons ;)
Olajeedae Jr 🇳🇬 retweeted
You might want to consult with legal before admitting to federal crimes on X. Is this the most responsible way to get internet clout?
Jun 9
On Fable and cyber capabilities: it took us 30 minutes to come up with a bypass. These defenses are not strong.
Worth noting that Mythos 5 vs Fable 5 is more of an access/guardrails distinction than a model capability distinction.
The pieces are starting to fit together.
Olajeedae Jr 🇳🇬 retweeted
Much guardrail, amaze amaze amaze
Olajeedae Jr 🇳🇬 retweeted
For 19 years, stolen credentials were the top way attackers got in. That streak is over. 🚨 The 2026 Verizon DBIR shows vulnerability exploitation has taken the lead, now accounting for 31% of breach entry points. At the same time, AI is shrinking CVE-to-exploit timelines from months to hours. This matters because annual testing and quarterly assessments were built for a slower world. Trey Ford breaks down what this shift means for security teams, third-party risk, shadow AI, and the growing need for continuous adversarial coverage bugcrowd.com/blog/the-econom…
Another duplicate
Good morning amazing hackers
Olajeedae Jr 🇳🇬 retweeted
Saw this in the logs earlier. If you're checking out, use a VulnBank virtual card, make sure the card details have no spaces, and ensure the card is funded. Otherwise it'll fail and stay on "pending." Happy hacking ✌🏽
Fixed the idle response on the login. You should now have a better experience with the server response. Thanks to those who pointed this out. Happy hacking ✌🏽
Someone got there before me again.
Olajeedae Jr 🇳🇬 retweeted
💡 In the lab, getting lost is the point. Every rabbit hole you crawl down teaches you how not to get stuck there during a real engagement.
Olajeedae Jr 🇳🇬 retweeted
Possible phishing site impersonating Google Meet and Gmail hosted on: ecortbabylon[.]site. The site includes fake: Google Meet pages, Gmail login, Cash PIN collection. It also posts collected data to: toolapipanel[.]online. Observed URLs: ecortbabylon[.]site/meet/asda, ecortbabylon[.]site/gmail/asdasd, ecortbabylon[.]site/cashpin, ecortbabylon[.]site/login/test, ecortbabylon[.]site/duo/test, ecortbabylon[.]site/google-meet/test, ecortbabylon[.]site/review/test, ecortbabylon[.]site/location/test, ecortbabylon[.]site/location-live/test, ecortbabylon[.]site/live/test #phishing #infosec #cybersecurity #gmail #googlemeet @500mk500
PwnShop has no flags. Real targets don't have them either, they have consequences. Stolen accounts. Free orders. Full admin access. That's the impact we want you to feel. Web: github.com/ctfsec/pwnshop pwnshop.ctfsecurity.com Mobile: github.com/ctfsec/pwnshop-mo…
OWASP LLM08 Excessive Agency. When an AI agent has more permissions than it needs with no verification before acting. I Asked PwnShop Mobile Chatbot to credit my wallet. It asked for a WALLET_TOPUP_OVERRIDE_KEY. Can you get the credit applied? github.com/ctfsec/pwnshop-mo…
Hey everyone, pwnshop web has moved to a new repo with an updated vulnerability list. New home: github.com/ctfsec/pwnshop You can deploy it locally or interact with the online version directly at pwnshop.ctfsecurity.com, whichever works best for you. Go check it out.