RECON

Completed the Gavel (Medium) machine on Hack The Box. The initial foothold came from an exposed .git directory that leaked the application’s source code and bcrypt password hashes. After cracking the credentials with John the Ripper, I gained access and achieved a reverse shell through command injection in the admin rule field. Reusing the cracked credentials allowed privilege escalation to the application user and retrieval of the user flag. Root access was obtained by abusing the gavel-util...

To quote the human.json Protocol : human.json is a protocol for humans to assert authorship of their site content and vouch for the humanity of others. It uses URL ownership as identity, and trust propagates through a crawlable web of vouches between sites. I think this is a neat idea, so I added it to my site. It’s available at evanhahn.com/human.json . For more, see the human.json documentation . And see how I use AI on this blog .

A newly disclosed Android vulnerability is making noise for a good reason. Researchers showed that some phones powered by certain MediaTek chipsets can be cracked in under 60 seconds, letting an attacker recover the lock screen PIN, decrypt storage, and even pull sensitive wallet seed phrases from the device. The issue is tracked as CVE-2026-20435 […]

Karpathy's autoresearch gives an AI agent a training script, a GPU, and a git branch. It runs 100 experiments overnight, keeps what works, discards what doesn't. The human writes the prompt. The agent writes the code.

ForceMemo: Hundreds of GitHub Python Repos Compromised via Account Takeover and Force-Push    StepSecurity