📁 Primary Works Directory
Curated offensive security research — zero-days, cloud exploitation & advanced attack chains.
Ministry Of Education - SSRF
SSRF attack against Singapore's MOE Apache Tomcat. Abusing default credentials to scan internal networks, leak cloud metadata, and fully compromise the environment.
Container Escape
PrivEsc
EKS
IMDSv2 Bypass: SSRF to IAM Takeover
Advanced metadata exfiltration from Lambda & EC2 via blind SSRF. Breaking IMDSv2 protections, token replay, and abusing misconfigured proxies.
AWS
SSRF
IMDSv2
React2Shell: Next.js RCE (CVE-2025-55182)
Unsafe deserialization in React Server Components leads to unauthenticated root RCE. 10+ AWS EC2 instances compromised. Full exploit chain and cloud pivot analysis.
RCE
Critical
Next.js