Blog posts and security writeups.https://fulvio.sh/https://fulvio.sh/writeups/htb-spookifier/https://fulvio.sh/writeups/htb-spookifier/A Halloween name generator with four spooky fonts. The scariest thing about it was the sanitization.Sat, 23 May 2026 00:00:00 GMThttps://fulvio.sh/writeups/htb-notebookconverterpro/https://fulvio.sh/writeups/htb-notebookconverterpro/A Jupyter notebook conversion service running a vulnerable nbconvert. Neither CVE alone gets the flag.Fri, 15 May 2026 00:00:00 GMThttps://fulvio.sh/writeups/htb-flagcommand/https://fulvio.sh/writeups/htb-flagcommand/A horror D&D text adventure where every path leads to death. The way out was never inside the game.Thu, 07 May 2026 00:00:00 GMThttps://fulvio.sh/writeups/htb-reactoops/https://fulvio.sh/writeups/htb-reactoops/A static Next.js interface with no inputs and no obvious attack surface. The vulnerability was in the framework itself.Thu, 30 Apr 2026 00:00:00 GMThttps://fulvio.sh/blog/llm-vs-keyword-extraction/https://fulvio.sh/blog/llm-vs-keyword-extraction/Building ResumeRadar forced me to figure out exactly where LLMs outperform keyword matching for skill extraction, and where they don't.Tue, 28 Apr 2026 00:00:00 GMT