https://yn-labs.com/en/Recent content on 万屋猫LabsHugoenThu, 02 Apr 2026 00:00:00 +0900https://yn-labs.com/en/posts/protonmail-mcp/Thu, 02 Apr 2026 00:00:00 +0900https://yn-labs.com/en/posts/protonmail-mcp/<h2 id="the-problem">The Problem</h2> <p>Every existing ProtonMail MCP server requires Proton Bridge — a paid desktop app. Free ProtonMail users have no way to integrate their email with AI assistants.</p> <p>I found 11 existing ProtonMail MCP projects on GitHub. All of them require Bridge.</p> <h2 id="the-solution">The Solution</h2> <p>I built <a href="https://github.com/ichiburn/protonmail-mcp">protonmail-mcp</a> — a Go MCP server that talks directly to Proton&rsquo;s API using only their official open-source libraries:</p> <ul> <li><strong><a href="https://github.com/ProtonMail/go-proton-api">go-proton-api</a></strong> — The same library used by Proton Bridge itself</li> <li><strong><a href="https://github.com/ProtonMail/go-srp">go-srp</a></strong> — SRP authentication</li> <li><strong><a href="https://github.com/ProtonMail/gopenpgp">gopenpgp</a></strong> — PGP encryption/decryption</li> </ul> <p>No third-party API wrappers. No supply chain risk from unknown packages handling your passwords and private keys.</p>https://yn-labs.com/en/legal/tokushoho/Thu, 02 Apr 2026 00:00:00 +0900https://yn-labs.com/en/legal/tokushoho/<table> <thead> <tr> <th>Item</th> <th>Details</th> </tr> </thead> <tbody> <tr> <td>Business Name</td> <td>Yorozuya Neko Labs (万屋猫Labs)</td> </tr> <tr> <td>Contact</td> <td><a href="mailto:contact@yn-labs.com">contact@yn-labs.com</a></td> </tr> <tr> <td>Pricing</td> <td>See <a href="https://yn-labs.com/en/services/">Services</a> page</td> </tr> <tr> <td>Payment Method</td> <td>Bank transfer</td> </tr> <tr> <td>Payment Terms</td> <td>Invoiced after delivery, due within 30 days</td> </tr> <tr> <td>Service Delivery</td> <td>Per agreed timeline after contract</td> </tr> <tr> <td>Cancellation Policy</td> <td>No refund after work begins. Full refund if cancelled before work starts</td> </tr> <tr> <td>Representative</td> <td>Ichiburn (Yorozuya Neko Labs)</td> </tr> <tr> <td>Address / Phone</td> <td>Disclosed upon request without delay</td> </tr> </tbody> </table>https://yn-labs.com/en/writeups/ctf/kalmarctf-2026-rootbabykalmarctf-zip-slip/Sun, 29 Mar 2026 00:00:00 +0900https://yn-labs.com/en/writeups/ctf/kalmarctf-2026-rootbabykalmarctf-zip-slip/<h2 id="overview">Overview</h2> <p>KalmarCTF 2026 Web challenge &ldquo;RootBabyKalmarCTF&rdquo; (170pts).<br> A CTFd 3.8.1 instance is provided with admin credentials for the management panel.<br> The goal is to read <code>/flag2-&lt;random&gt;.txt</code> as <strong>root</strong>, not admin.</p> <h2 id="vulnerability">Vulnerability</h2> <p><strong>CVE-2026-30345: CTFd 3.8.1 Zip Slip (Path Traversal)</strong></p> <p>The <code>/admin/import</code> backup import function checks if ZIP file entry names contain <code>..</code>.<br> However, the check can be bypassed using the <code>uploads//absolute/path</code> format (double slash).</p> <h3 id="the-check">The Check</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#66d9ef">for</span> f <span style="color:#f92672">in</span> members: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> f<span style="color:#f92672">.</span>startswith(<span style="color:#e6db74">&#34;/&#34;</span>) <span style="color:#f92672">or</span> <span style="color:#e6db74">&#34;..&#34;</span> <span style="color:#f92672">in</span> f: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">raise</span> zipfile<span style="color:#f92672">.</span>BadZipfile </span></span></code></pre></div><h3 id="the-bypass">The Bypass</h3> <p>Entry name: <code>uploads//opt/CTFd/manage.py</code></p>https://yn-labs.com/en/about/Mon, 01 Jan 0001 00:00:00 +0000https://yn-labs.com/en/about/<h1 id="about-yorozuya-neko-labs">About Yorozuya Neko Labs</h1> <img src="https://yn-labs.com/images/ichiburn_icon.png" alt="Ichiburn" class="w-24 h-24 rounded-full border-2 border-chrome shadow-metal mb-6"> <h2 id="who-is-ichiburn">Who is Ichiburn?</h2> <p>Sole proprietor specializing in AI automation and security.<br> &ldquo;Yorozuya&rdquo; (万屋) means &ldquo;general store&rdquo; — we solve any technical challenge you throw at us.</p> <h3 id="skills">Skills</h3> <ul> <li><strong>AI Automation</strong>: MCP Development, LLM Integration, AI Workflow Automation</li> <li><strong>Security</strong>: Bug Bounty, Web Pentesting, CTF (Pwn/Web), Security Review Automation</li> <li><strong>Infrastructure</strong>: Terraform, Cloudflare, AWS, OCI, Docker, GitHub Actions</li> <li><strong>Development</strong>: Go, Rust, Python, TypeScript, Next.js, .NET</li> </ul> <h3 id="oss">OSS</h3> <ul> <li><a href="https://github.com/ichiburn/protonmail-mcp">protonmail-mcp</a> — Bridge-free ProtonMail MCP server for AI assistants</li> </ul> <h3 id="contact">Contact</h3> <p>Reach out via <a href="https://yn-labs.com/en/services/">the inquiry form</a> or <a href="mailto:contact@yn-labs.com">contact@yn-labs.com</a>.</p>https://yn-labs.com/en/services/Mon, 01 Jan 0001 00:00:00 +0000https://yn-labs.com/en/services/