Skip to content
View marcostolosa's full-sized avatar
🏴‍☠️
Mem3nt0 Mori.
🏴‍☠️
Mem3nt0 Mori.

Block or report marcostolosa

Block user

Prevent this user from interacting with your repositories and sending you notifications. Learn more about blocking users.

You must be logged in to block users.

Maximum 250 characters. Please don’t include any personal information such as legal names or email addresses. Markdown is supported. This note will only be visible to you.
Report abuse

Contact GitHub support about this user’s behavior. Learn more about reporting abuse.

Report abuse
marcostolosa/README.md
typing banner

Profile Views Followers Focus US Gov HoF CVSS


> whoami

Red teamer, pentester, bug bounty hunter and reverse engineer.
I don't just find vulns - I tear them apart to understand their core,
then automate the boring part and teach how they tick.

Wired differently (ASD Lvl 1) → the hyperfocus that dismantles complex
threats and turns them into writeups anyone can follow.
  • 🔩 Break → Understand → Automate → Teach. Offensive technique, binary reversing and AppSec, always from the attacker's seat.
  • 🎯 Always hunting. HTB / THM boxes, research on Bugcrowd · HackerOne · Intigriti · YesWeHack, sharpening on pwn.college, Crackmes.one, MalwareBazaar & DEFCON.
  • 🧪 Real environments only. Isolated labs, working PoCs, detailed exploits - logs on the console, concrete proof, zero bullshit.

> disclosures --list

Real findings, real impact. The ledger:

CVE / ID Target Class Severity
CVE-2025-10230 Samba OS Command Injection (13 yrs hidden) CVSS 10.0 🔴
CVE-2026-23722 WeGIA Stored XSS → RCE / UI redressing CVSS 9.1 🔴
CVE-2025-67503 WeGIA Reflected XSS CVSS 8.2 🟠
NCUA VDP 🇺🇸 U.S. Gov Unauthenticated OS Command Injection P1 🔴
Digital Flanders 🇧🇪 Belgium Gov Blind XXE → Internal SSRF (Tomcat Manager) High 🟠
Samba CTDB Samba Buffer Overflow (InfiniBand wrapper) Memory Corruption 🟠

> hof --recognition

6× U.S. Government Hall of Fame  ·  15 valid vulns  ·  93.75% accuracy

🇺🇸 Agency Program
🚀 NASA National Aeronautics and Space Administration
🏛️ U.S. Dept. of Commerce Vulnerability Disclosure Program
🎖️ Dept. of Veterans Affairs Vulnerability Disclosure Program
💳 NCUA National Credit Union Administration
♻️ EPA Environmental Protection Agency
🦅 U.S. Fish & Wildlife Service Vulnerability Disclosure Program

+ 🇧🇪 Digital Flanders (Belgium Gov) · achievements: Submission Shogun L3 · Bounty Bee L4 · Collaboration Crusader L1

Full trophy cabinet → bugcrowd.com/h/Tr0p


> cat arsenal.txt

[recon]        nmap · naabu · nuclei · ffuf · amass · httpx · subfinder
[exploitation] Burp Suite Pro · pwntools · Metasploit · sqlmap · mitmproxy
[reversing]    IDA Pro · Ghidra · Radare2/Rizin · x64dbg · Frida · gdb-pwndbg
[ad / redteam] BloodHound · Impacket · CrackMapExec · Certipy · Rubeus · Havoc · Cobalt Strike
[cloud]        AWS · Azure · GCP · Terraform · Docker · Kubernetes
[analysis]     Semgrep · CodeQL · advanced regex · custom tooling

Languages of choice

Python Go C Bash PowerShell JavaScript

Python for everything · Bash & PowerShell for speed · C when I need to get close to the metal · JS to run everywhere. If it can be scripted, I automate it.


> ls ~/playground

Red Teaming & APT Emulation  •  Exploit Dev & Reverse Engineering  •  Malware Analysis  •  AI/ML in Offensive Security  •  Advanced AppSec & DevSecOps  •  Cloud Security & Secure Architecture


> git log --stat


> nc -connect

LinkedIn X Discord YouTube Email


PS C:\Users\Tr0p> exit  # thanks for reading... now go own something! (with authorization).

Pinned Loading

  1. manw-ng manw-ng Public

    A command-line tool for extracting Win32 API documentation from Microsoft and exec this functions.

    Python 15 2

  2. OCRack OCRack Public

    High-performance PDF translation tool featuring PaddleOCR for maximum text extraction with optimized prompts, automatic chapter detection, smart chunking, checkpoint/resume system, and comprehensiv…

    Python 8 2

  3. arctax arctax Public

    AI bypass prompt generator with ML + Uncensored local LLM.

    Python 9 2

  4. mindsecurity/REload.Me mindsecurity/REload.Me Public

    REload.Me – The most easy reverse engineer classroom.

    Python 3 1