# WHO AM I?
## PROFILE
### NAME
· Lee Wonpyeong
### NICKS
· Safflower
· plzdonotsay
### RESIDENCE
· Seoul, Republic of Korea
### JOBS
· Security Researcher
· University Student
### EXPERIENCE
· 2016.08.01 ~ 2018.11.01 | SolveMe Administrator
· 2018.07.18 ~ Present | CanHackMe Administrator
## ORGANIZATION
### School
· 2018.03 ~ Present | Kwangwoon Univ
### Company
· 2018.11 ~ Present | UnityLab
### Team(s)
· 2018.05 ~ Present | Demon
· 2018.07 ~ Present | $wag
· 2018.12 ~ Present | Seoul Electric Decomposer (a.k.a SED)
## CTF PARTICIPATION
Period | CTF | Rank (Team/Solo) | Display Name
### 2017
· 2017.09.22 ~ 2017.09.24 | 2017 Layer7 CTF | Adult Top 1 (Solo) | 뉴올리언스 치킨버거 + 올엑스트라
· 2017.09.22 ~ 2017.09.23 | 제1회 서울아이티고 해킹방어대회 | Adult Top 2 (Solo) | Safflower
· 2017.12.25 ~ 2017.12.25 | 2017 Christmas CTF | Top 1 (Team) | with 박광호1인팀
### 2018
· 2018.02.10 ~ 2018.02.11 | 2018 Harekaze CTF | Top 3 (Team) | with SeoulWesterns
· 2018.06.17 ~ 2018.06.17 | 2018 KDMHS CTF Online | Top 2 (Solo) | st4rburst
· 2018.07.21 ~ 2018.07.22 | CTFZone 2018 Quals | Top 5 (Team) | with GoGiSaJo
· 2018.09.29 ~ 2018.09.29 | CCE 2018 Preliminary Round | Top 4 (Team) | with 오타쿠모임
· 2018.10.29 ~ 2018.10.30 | CCE 2018 Final Round | Attack Team Top 5 (Team) | with 오타쿠모임
### 2019
· 2019.01.18 ~ 2019.01.20 | 2019 InterKosen CTF | Top 3 (Team) | with KimchiPower
· 2019.01.28 ~ 2019.01.29 | 2019 NEWSECU WINTER CTF | Top 2 (Team) | with $wag
· 2019.04.05 ~ 2019.04.06 | Midnightsun CTF 2019 | Top 23 (Team) | with Harekaze
· 2019.04.12 ~ 2019-04-14 | PlaidCTF 2019 | Top 25 (Team) | with Swear
· 2019.05.04 ~ 2019.05.05 | TSG CTF 2019 | Top 4 (Team) | with $wag
· 2019.05.18 ~ 2019.05.19 | 2019 Harekaze CTF | Top 1 (Team) | with Yokosuka Hackers
## CTF PROVISION
Period | CTF | Challenge(s)
### 2018
· 2018.06.13 ~ 2018.06.13 | 2018 H3X0R CTF | hexhub, uglyweb, urlfiltering
· 2018.09.01 ~ 2018.09.02 | 18st HackingCamp CTF | alert, html, SQR, url_routing
· 2018.09.15 ~ 2018.09.16 | 2018 Layer7 CTF | meow, msg, url_routing
· 2018.10.13 ~ 2018.10.13 | 2018 Power of XX CTF Quals | es, iframe
· 2018.11.08 ~ 2018.11.08 | 2018 Power of XX CTF Finals | Sign in Me
### 2019
· 2019.02.16 ~ 2019.02.17 | 19st HackingCamp CTF | usersearch
· 2019.03.26 ~ 2019.03.27 | 2019 Codegate Finals CTF | Wordict
## PRESENTATION
Period | Place | Topic
### 2018
· 2018.08.18 ~ 2018.08.18 | Nefus, Sunrin Internet High School | Web Application Vulnerability
· 2018.09.03 ~ 2018.09.03 | TeamLog, Sunrin Internet High School | SQL Injection Attack & Defense
### 2019
·
## DEVELOPMENT
Period | Product | Reference
### 2016
· 2016.08.01 ~ 2018.11.01 | SolveMe | https://github.com/safflower/solveme
### 2017
### 2018
· 2018.01.07 ~ Present | JavaScript Obfuscator | https://github.com/safflower/javascript-obfuscator
· 2018.07.18 ~ Present | CanHackMe | https://canhack.me
· 2018.10.30 ~ Present | Online Cryper | https://crypt.safflower.pw
### 2019
·
## REAL-WORLD EXPLOITATION
Target | What kind of | Report to | Reference
### 2014
· XpressEngine | Stored XSS | KISA Bug Bounty Program | KVE-2014-0083
### 2015
· Naver Cafe | Spoofing Grade | Naver Security Team | -
### 2016
· Naver Blog | Clickjacking | Naver Security Team | -
· Naver Blog | Clickjacking | Naver Security Team | -
### 2017
· Maps Marker Pro | SQL Injection | HackerOne | -
· Maps Marker Pro | SQL Injection | HackerOne | -
· Maps Marker Pro | SQL Injection | HackerOne | -
· Maps Marker Pro | SQL Injection | HackerOne | -
· Maps Marker Pro | SQL Injection | HackerOne | -
· Maps Marker Pro | SQL Injection | HackerOne | -
· Maps Marker Pro | Arbitrary File Deletion | HackerOne | -
· Sirsoft Gnuboard5 | Board Admin Privilege Escalation | KISA Bug Bounty Program | KVE-2017-1029
· Naver Whale | Bypass XSS Auditor | KISA Bug Bounty Program | KVE-2017-1034
· Naver Whale | Bypass XSS Auditor | KISA Bug Bounty Program | KVE-2017-1040
· Sirsoft Gnuboard5 | Reflected XSS & File Inclusion | KISA Bug Bounty Program | KVE-2017-1047
### 2018
· Sirsoft Gnuboard5 | Hijack Session ID | KISA Bug Bounty Program | KVE-2018-0013
· Sirsoft Youngcart5 | SQL Injection | KISA Bug Bounty Program | KVE-2018-0101
· Sirsoft Youngcart5 | SQL Injection | KISA Bug Bounty Program | KVE-2018-0102
· Sirsoft Gnuboard5 | Leak Account | KISA Bug Bounty Program | KVE-2018-0109
· Sirsoft Youngcart5 | Reflected XSS & Remote Code Execution | KISA Bug Bounty Program | KVE-2018-0346
· Sirsoft Gnuboard5 | Reflected XSS & Remote Code Execution | KISA Bug Bounty Program | KVE-2018-0356
· Sirsoft Gnuboard5 | Reflected XSS & Remote Code Execution | KISA Bug Bounty Program | KVE-2018-0358
· Sirsoft Gnuboard5 | Reflected XSS & Remote Code Execution | KISA Bug Bounty Program | KVE-2018-0366
· Sirsoft Gnuboard5 | Reflected XSS & Remote Code Execution | KISA Bug Bounty Program | KVE-2018-0379
· Sirsoft Youngcart5 | SQL Injection | KISA Bug Bounty Program | KVE-2018-0405
· Sirsoft Gnuboard5 | Leak Account & Remote Code Execution | KISA Bug Bounty Program | KVE-2018-0510
· Dothome Web hosting service | Local Privilege Escalation & Remote Code Execution | Dothome Admin | -
· Sirsoft Gnuboard5 | SQL Injection | KISA Bug Bounty Program | KVE-2018-????
· HackerSchool (hackerschool.org) | SQL Injection | HackerSchool Admin | -
· Asked (asked.kr) | Stored XSS | Asked Admin | -
### 2019
· Naver Search | Reflected XSS | KISA Bug Bounty Program | KVE-2019-0676
· Naver Search | Reflected XSS | KISA Bug Bounty Program | KVE-2019-0677
· Google Chrome | Bypass XSS Auditor | Google Security Team | Report
· SuNiNaTaS (suninatas.com) | Arbitrary Private Post Read | SuNiNaTaS Admin | -
· SuNiNaTaS (suninatas.com) | Post Deletion CSRF | SuNiNaTaS Admin | -
· SuNiNaTaS (suninatas.com) | Comment Deletion CSRF | SuNiNaTaS Admin | -
· SuNiNaTaS (suninatas.com) | Logout CSRF | SuNiNaTaS Admin | -
· SuNiNaTaS (suninatas.com) | Reflected XSS | SuNiNaTaS Admin | -
· SuNiNaTaS (suninatas.com) | Arbitrary Notice Post Write | SuNiNaTaS Admin | -
## LINK
## CONTACT
· Facebook Messenger | https://m.me/plzdonotsay
· E-mail | plzdonotsay@gmail.com