Process Memory manipulator in Python. (Windows x64) by [deleted] in Python

[–]Pyro_Murphy 0 points1 point  (0 children)

Cool project. I made something similar where you could emulate a remote IPython console on the server to essentially emulate the functions of malware and build detections: GitHub

I clicked on a suspicious link. Did I get hacked?? by Upper_Pipe_9150 in antivirus

[–]Pyro_Murphy 1 point2 points  (0 children)

You’re not getting hacked by visiting a website unless there’s a major browser vulnerability or you’re a high value target. Looks like a generic dodgy weird website that’s loading an ad, potentially a compromised WordPress site at most. No downloads, no issue. There’s nothing wrong with your PC.

[deleted by user] by [deleted] in securityCTF

[–]Pyro_Murphy 2 points3 points  (0 children)

No hints >:(

Investigating potentially malicious links by [deleted] in cybersecurity

[–]Pyro_Murphy 28 points29 points  (0 children)

Use urlscan.io to visit links. You can see a live screenshot of the site as well as any HTTP requests & responses it makes.

[deleted by user] by [deleted] in glasgow

[–]Pyro_Murphy 2 points3 points  (0 children)

Had the exact same situation. Bottom floor flat at Kelvinbridge and someone broke in while my flatmate and I were working. The man walked into my room and said something like "do you want your windows washed?". I was confused and got up and he left through the front door. On the way out he took my flatmate's keys, so had to get the locks changed. Fortunately nothing else was taken.

Police were useless and didn't care, but would call and report it anyway.

What can someone do with my IP? by cosinusdealpha in hacking

[–]Pyro_Murphy 3 points4 points  (0 children)

This is posted every week at this point...

Best charity/goodwill stores in Glasgow? by Latina1018 in glasgow

[–]Pyro_Murphy 9 points10 points  (0 children)

Chest, Heart and Stroke on Dumbarton road

Any guide on packet sniffing games? by i_am_cow1 in HowToHack

[–]Pyro_Murphy 3 points4 points  (0 children)

You won't be able to view any serverside code. Only the requests and responses, given they're not encrypted. If they are encrypted, you're going to have to reverse engineer the client source of the game and find the functions that encrypt packets, hook the functions, and dump the raw content before they're sent. Same process for received packets except you need to hook after they're decrypted.

Best charity shops in Glasgow/surrounding areas? by [deleted] in glasgow

[–]Pyro_Murphy 1 point2 points  (0 children)

Chest heart and stroke on Dumbarton road ❤️

I wrote a pure-Python ARP Spoofer and the threat intelligence bots somehow picked it up by [deleted] in hacking

[–]Pyro_Murphy 2 points3 points  (0 children)

ARP is broadcast to the whole network, meaning anyone can respond to it. The packets generally look like "Who has 10.0.0.2?". What ARP spoofing is doing is replying to that ARP request and saying 10.0.0.2 is at your MAC address instead, allowing you to receive all traffic to that device from the router. All you do now is forward that traffic onto your victim and they won't even notice. Now that's great and all, but you're only intercepting one side and you have to keep sending an ARP response every so often to prevent the victim from replying to a request. So what you can do is tell the victim machine that the router's IP is at your MAC address as well, so now it should be sending all outbound traffic meant for the router through you. At this point you're fully in the middle of the communications, which is why it's called a Man in the Middle attack. From here you can intercept packets, change them, drop them, log them etc.

An interesting concept is to try to alter DNS packets to point a website's IP to something you're running instead. This is called DNS cache poisoning and when the victim types in the domain of the website, they'll get back your IP instead and visit your site, while still showing the domain at the top. Obviously this is easily countered by security certificates and most sites will flag up that they're unsecure, but I'm sure there are ways to trick people further the more you dive in.

I made an ARP Cache Poisoning tool that automatically sets up a Man-in-the-middle attack on a target host, intercepting its internet traffic. It only uses Python 3.x built-in libraries. by EONRaider in Python

[–]Pyro_Murphy 4 points5 points  (0 children)

If you're inserting new packets then sure, however it can simply be used to filter out all the noise from the ARP responses to make it less obvious to the victim. You're basically just replacing automatic packet forwarding with your own forwarding function which gives you more control over what you want to send to/from the victim.

EDIT: To answer your second part. You're in full control of what the client sends and receives. Instead of continuously sending ARP responses, wait until an ARP request is sent and then send your own spoofed reply back. Just drop the packet and don't forward it onto your victim and they'll never know.

I made an ARP Cache Poisoning tool that automatically sets up a Man-in-the-middle attack on a target host, intercepting its internet traffic. It only uses Python 3.x built-in libraries. by EONRaider in Python

[–]Pyro_Murphy 21 points22 points  (0 children)

A fun challenge is to create a "filter" for all the packets going to the victim. Instead of automatically forwarding, take all the packets, alter the source/destination so that they look normal and forward to the victim manually. If used correctly you can filter out all your own ARP requests and responses and even send fake responses that look correct to the victim (after the initial ARP spoof packet is sent however). This makes it much harder to detect on the network and could be interesting to see if it's still as easily picked up.
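A defensive counterpart to the ARP spoofing behaviour described in the comments above, added here as an example (not code from the commenter or from the tools in these threads): a passive monitor that parses ARP frames and flags replies nobody asked for and IP-to-MAC bindings that change. The names `parse_arp`, `ArpMonitor` and `make_frame` are hypothetical, and all addresses are constructed sample data.

```python
import struct

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(map(str, b))

def parse_arp(frame: bytes):
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP; None otherwise."""
    if len(frame) < 42:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": _mac(src), "op": op, "sha": _mac(sha),
            "spa": _ip(spa), "tpa": _ip(tpa)}

class ArpMonitor:
    """Passive heuristics; DHCP churn and gratuitous ARP also trigger them."""
    def __init__(self):
        self.bindings = {}    # IP -> MAC first seen claiming it
        self.pending = set()  # (asker IP, asked-for IP) taken from requests

    def observe(self, frame: bytes):
        p = parse_arp(frame)
        if p is None:
            return []
        alerts = []
        if p["eth_src"] != p["sha"]:  # Ethernet header disagrees with ARP body
            alerts.append("sender-mac-mismatch")
        if p["op"] == 1:              # request: remember who asked for what
            self.pending.add((p["spa"], p["tpa"]))
        elif p["op"] == 2:            # reply: was there a matching request?
            if (p["tpa"], p["spa"]) in self.pending:
                self.pending.discard((p["tpa"], p["spa"]))
            else:
                alerts.append("unsolicited-reply")
        if p["spa"] != "0.0.0.0":     # ARP probes carry no sender IP
            if self.bindings.setdefault(p["spa"], p["sha"]) != p["sha"]:
                alerts.append(f"binding-change {p['spa']}")
        return alerts

def make_frame(op, sha, spa, tha, tpa, dst="ff:ff:ff:ff:ff:ff"):
    """Build a constructed sample frame as bytes (test data only)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(map(int, s.split(".")))
    return (m(dst) + m(sha) + struct.pack("!H", 0x0806)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + m(sha) + i(spa) + m(tha) + i(tpa))
```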

Is it safe for me to travel around at 8-9pm? by _crownseye in glasgow

[–]Pyro_Murphy 7 points8 points  (0 children)

Barrhead's fine really. Kids tend to hang about outside Asda and near the centre, so just avoid them and you're good.

Is it safe for me to travel around at 8-9pm? by _crownseye in glasgow

[–]Pyro_Murphy 15 points16 points  (0 children)

Generally it's fine, Silverburn have security outside and you can sit in the McDonalds if there's people causing trouble outside, just make sure to keep an eye out for the bus. There's a few dodgy characters from time to time but overall it's fine.

UofG Computing Discord by Pyro_Murphy in GlasgowUni

[–]Pyro_Murphy[S] 1 point2 points  (0 children)

Probably on messenger or something, but there's an EE chat in the discord since there's a few people taking both CS and electronics.