https://github.com/chocapikk/chocapikk

https://github.com/chocapikk/chocapikk

Last synced: 3 months ago
JSON representation

• Host: GitHub
• URL: https://github.com/chocapikk/chocapikk
• Owner: Chocapikk
• Created: 2023-11-13T09:17:02.000Z (about 2 years ago)
• Default Branch: main
• Last Pushed: 2025-09-24T14:25:22.000Z (4 months ago)
• Last Synced: 2025-09-24T16:29:20.307Z (4 months ago)
• Size: 654 KB
• Stars: 0
• Watchers: 2
• Forks: 1
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

          


   

     

   



![](./github-header-image.png)

> [!NOTE]

> **Hi there! I'm Valentin Lobstein (aka Chocapikk)**, Security Engineer & Exploit Developer @ [LeakIX](https://leakix.net).  

> **Passionate** about vulnerability research, exploit development, and internet-wide vulnerability detection.  

> **Committed** to sharing knowledge and building open-source tools



   

      

   





  

    

  

  

    

  

  

    

  

  

    

  

  

    

  

  

    

  

  

    

  






  🧰 Skills & Languages

  


    

  


  📚 Repositories

  

    

      

        Tool

        Description

        Link

      

    

    

      

        WPProbe

        Fast WordPress plugin enumeration

        GitHub

      

      

        LFIHunt

        Scan & exploit Local File Inclusion (LFI)

        GitHub

      

      

        LeakPy

        Query LeakIX.net API via Python

        GitHub

      

    

  

  🏆 Hall Of Fame

  


    

    

    

    

  


  🚨 CVE Contributions

  | CVE Identifier                                                    | Description                                          | Links                                                                                                                                     |

  |-------------------------------------------------------------------|------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------|

  | 🔒 CVE-2023-50917                                                 | Remote Code Execution in MajorDoMo                  | [GitHub](https://github.com/Chocapikk/CVE-2023-50917)                                                                                     |

  | 🔒 CVE-2024-22899 to CVE-2024-22903, CVE-2024-25228               | Exploit chain in Vinchin Backup & Recovery           | [GitHub](https://github.com/Chocapikk/CVE-2024-22899-to-22903-ExploitChain)                                                               |

  | 🔒 CVE-2024-30920 to CVE-2024-30929, CVE-2024-31818               | Research and exploitation in DerbyNet                | [GitHub](https://github.com/Chocapikk/derbynet-research)                                                                                  |

  | 🔒 CVE-2024-31819                                                 | Unauthenticated RCE in WWBN AVideo via `systemRootPath` | [GitHub](https://github.com/Chocapikk/CVE-2024-31819)                                                                                     |

  | 🔒 CVE-2024-3032                                                  | Themify Builder < 7.5.8 – Open Redirect              | [WPScan](https://wpscan.com/vulnerability/d130a60c-c36b-4994-9b0e-e52f7f99387/)                                                           |

  | 🔒 CVE-2025-2609 & CVE-2025-2610                                  | Stored XSS in MagnusBilling 7.x (one unauthenticated) | [Blog](https://chocapikk.com/posts/2025/magnusbilling) · [VulnCheck](https://vulncheck.com/advisories/magnusbilling-logs-xss)              |

  | 🔒 CVE-2025-2292, CVE-2025-30004, CVE-2025-30005 & CVE-2025-30006 | Authenticated vulnerabilities in Xorcom CompletePBX ≤ 5.2.35 | [File Disclosure](https://vulncheck.com/advisories/completepbx-file-disclosure) · [Command Injection](https://vulncheck.com/advisories/completepbx-authenticated-command-injection) · [Path Traversal](https://vulncheck.com/advisories/completepbx-path-traversal-file-deletion) · [Reflected XSS](https://vulncheck.com/advisories/completepbx-reflected-xss) |

  | 🔒 CVE-2025-2611                                                 | ICTBroadcast <= 7.4 – Unauthenticated RCE via cookie injection | [GitHub](https://github.com/Chocapikk/CVE-2025-2611) |

  | 🔒 CVE-2025-34147 to CVE-2025-34152                              | Multiple unauthenticated OS command injection vulnerabilities in the Shenzhen Aitemi M300 Wi-Fi Repeater (MT02). Affects: `extap2g` SSID, WISP-mode `ssid`, WPA2 `key`, PPPoE `user`, PPPoE `passwd`, `time` param in `/protocol.csp?`. Allows remote root code execution within Wi-Fi range. | [Part 1](https://chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root/) · [Part 2](https://chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root-part-two/) |

  🚨 Exploit Development & PoC

  *All PoCs and Metasploit modules consolidated in:*  

  [Chocapikk/msf-exploit-collection](https://github.com/Chocapikk/msf-exploit-collection)

  ☁️ LeakIX

  - Moderator & vulnerability hunter  

  - Notable finding: Massive PSaux ransomware attack affecting 22,000 CyberPanel instances ([BleepingComputer](https://www.bleepingcomputer.com/news/security/massive-psaux-ransomware-attack-targets-22-000-cyberpanel-instances/))  

  - Follow on Twitter: [@leak_ix](https://twitter.com/leak_ix)

  


    

  


  🤓 Stats for Nerds

  


    

  


  


    Views


    

  


  🎶 Spotify

  


    

  


> [!CAUTION]  

> ⚠️ **Disclaimer**  

> Please use the information and exploits provided in my repositories for educational purposes and responsible disclosure only. I am not responsible for any misuse or damage caused by using these tools, scripts, or exploits.