https://innoctf.com/ Practitioner-grade capture-the-flag writeups and threat analysis across web exploitation, binary exploitation, and forensics. en Mon, 22 Jun 2026 00:00:00 +0000 https://innoctf.com/posts/localhost-trust-boundary https://innoctf.com/posts/localhost-trust-boundary AutoJack turns a browsing AI agent into a path to host code execution. The reusable bug class is a local service that trusts any caller on 127.0.0.1. Here is how it works and how to test for it in a lab. Mon, 22 Jun 2026 00:00:00 +0000 https://innoctf.com/posts/sql-injection-ctf https://innoctf.com/posts/sql-injection-ctf A practitioner walkthrough of SQL injection for capture-the-flag: how to detect an injectable parameter, exploit it with UNION and blind techniques, and get past common filters. Mon, 22 Jun 2026 00:00:00 +0000 https://innoctf.com/posts/rop-chains https://innoctf.com/posts/rop-chains A practitioner walkthrough of return-oriented programming for CTF pwn: why ROP exists, how to find gadgets, and how to chain them into a call to execve when the stack is non-executable. Mon, 22 Jun 2026 00:00:00 +0000 https://innoctf.com/posts/volatility-forensics https://innoctf.com/posts/volatility-forensics A practitioner walkthrough of memory forensics with Volatility 3 for CTF: identify the image, triage processes and connections, flag injected code, and dump the implant for analysis. Mon, 22 Jun 2026 00:00:00 +0000 https://innoctf.com/posts/perimeter-becomes-payload https://innoctf.com/posts/perimeter-becomes-payload Three 2026 incidents, an AI-agent RCE chain, a FortiGate edge flaw, and a WordPress malware takedown, share one lesson: the layer you trust to protect you is now the way in. A practitioner breakdown. Mon, 22 Jun 2026 00:00:00 +0000