┌────────────────────────────────────────────────────────────────────┐
welcome :) []
└────────────────────────────────────────────────────────────────────┘
[ handle ] Lautaro V. Culic'
[ role ] Mobile Security Researcher (Android / iOS)
[ focus ] reverse engineering, penetration tester
[ writeups ] lautarovculic.github.io
[ youtube ] youtube.com/@TheHackingHub
[ email ] work@lautarovculic.com
----------------------------------------------------------------------
0x0 OVERVIEW
----------------------------------------------------------------------
I break mobile apps on purpose ⠀⠀⠀⠀⠀⠀⠀⣠⣶⡞⠀⠀⠀
⠀⠀⠀⠀⠀⠀⢀⣿⠿⠀⠀⠀⠀
• iOS & Android reverse engineering ⠀ ⢀⣤⣶⣶⣤⣀⣤⣴⣶⣶⣤⡀
• mobile penetration testing ⢰⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡟⠁
• dynamic & static analysis ⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠀⠀
• code review ⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡄⠀
0 1 0 ⠸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣦
0 0 1 ⠀⢻⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠇
1 1 1 ⠀⠀⠙⢿⣿⠿⠿⠻⠿⣿⠿⠋⠀
----------------------------------------------------------------------
0x1 STATS (APPROX)
----------------------------------------------------------------------
[CTF / LABS]
• Hack The Box
- +80 machines
- +50 challenges ┌─────┐
- 6 fortress │█████│
- 1 prolab │█████│
- 44 writeups │█████│
│█████│
• Hacker101 / TryHackMe │ ○ │
- +210 machines └─────┘ ## ##
- TOP 1% ## ##
- +5 challenges ##############
- 5 writeups #### ###### ####
######################
• Mobile CTF ## ############## ##
- Android: +110 CTF & writeups ## ## ## ##
- iOS: +20 CTF & writeups #### ####
----------------------------------------------------------------------
0x2 BUG BOUNTY
----------------------------------------------------------------------
[HackerOne]
• 5 vulnerabilities found ⠀⠀⠀⢠⣄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⡄⠀⠀⠀⠀
- Sprinklr (Web): stored XSS x5 ⠀⠀⠀⠀⠙⣷⣤⣶⣶⣶⣶⣶⣶⣤⣾⠋⠀⠀⠀⠀⠀
• 6 badges ⣴⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣦⠀⠀⠀⠀⠀
⠀⠀⠀⠀ ⣼⣿⣿⣀⣸⣿⣿⣿⣿⣇⣀⣿⣿⣧⠀⠀⠀⠀
[Bugcrowd] ⠀⠀⠀⢸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇⠀⠀⠀
• 3 vulnerabilities found
- Discord (Android & iOS): one-click account takeover
- SoundCloud (Android): command injection
- NASA (android): sensitive data exposure
• 2 badges
[Other targets]
• DeepSeek (Android)
- persistent DoS
- Proof-of-Work (PoW) bypass
- sensitive data exposure via Android backup
• Oracle (Android)
- open Firebase database
- arbitrary URL injection in WebView x2
- anti-root detection bypass
- ref: Oracle CPU Jul 2025
----------------------------------------------------------------------
0x3 LINKS
----------------------------------------------------------------------
[ misc ]
• LinkedIn : linkedin.com/in/lautarovculic
• GitHub : github.com/lautarovculic
• Bugcrowd : bugcrowd.com/h/lautarovculic
• HackerOne : hackerone.com/lautaro
[ social ]
• X (Twitter) : x.com/lautarovculic
• Instagram : instagram.com/lautarovculic
----------------------------------------------------------------------
0x4 NOTES
----------------------------------------------------------------------
• knowledge should flow freely
• always looking for interesting Android/iOS research
----------------------------------------------------------------------
me_v0.6.2 - reject automation scanner, embrace manual
----------------------------------------------------------------------