HTB: VariaType Writeup
Medium Linux box chaining a fonttools varLib arbitrary write for initial access, FontForge CVE-2024-25082 tar injection for lateral movement, and a setuptools URL-decode bypass to overwrite sudoers as root.
the🖊️testing.ninja
Hacking and Offensive Security Content.
🔒 HTB: Connected Writeup
Detailed writeup of Season 11 Hack The Box Connected machine. 🔒 Protected Content
WebVerse Pro: Noshrun Writeup
NoshRun is an Austin food-delivery startup hiding seven flags across its multi-service stack. SQL injection, host header poisoning, JWT forgery, race conditions, and command injection.
HackSmarter: Kiosk Writeup
Break out of a locked Windows VDI kiosk over RDP, recover credentials from an unattend.xml, exploit an unquoted service path, and weaponize a DLL plugin hijack to gain local admin.
🔒 HTB: DevHub Writeup
Detailed writeup of Season 11 Hack The Box DevHub machine. 🔒 Protected Content
WebVerse Pro: Murmur Writeup
A Series-B social platform across sixteen services. GraphQL mass assignment hands over credentials, ExifTool RCE pivots to the internal network, and a Drone CI pipeline injection closes it out.
🔒 HTB: Reactor Writeup
Detailed writeup of Season 11 Hack The Box Reactor machine. 🔒 Protected Content
HackSmarter: Martini Writeup
Black-box internal pentest against a Windows AD domain. Guest SMB access exposes credentials, leading to Kerberoasting, a WinRM foothold, and full domain compromise via password reuse and DCSync.
WebVerse Pro: BedRock Writeup
Six services, four languages, one engagement. BedRock is a sprawling property-management WebRange where the bugs live in the seams
HackSmarter: ShadowGate Writeup
Black-box Windows AD engagement against a single DC. AS-REP roasting yields initial credentials, shadow credential abuse pivots to a domain user, and ESC8 relay achieves DCSync.
🔒 HTB: PingPong Writeup
Detailed writeup of Season 10 Hack The Box PingPong machine. 🔒 Protected Content
HTB: Redelegate Writeup
Hard Windows Active Directory box involving FTP enumeration, KeePass cracking, MSSQL credential abuse, ForceChangePassword ACL exploitation, and constrained delegation abuse to achieve DCSync.
🔒 HTB: Logging Writeup
Detailed writeup of Season 10 Hack The Box Logging machine. 🔒 Protected Content
HackSmarter: Samurai Writeup
Samurai is a Linux machine featuring a Joomla 4.2.5 instance vulnerable to CVE-2023-23752, leaking database credentials and sensitive information granting admin access, leading to RCE and a command injection privesc via a SUID-like custom binary.
🔒 HTB: Silentium Writeup
Detailed writeup of Season 10 Hack The Box Silentium machine. 🔒 Protected Content
HTB: Eighteen Writeup
Eighteen is a Windows Server 2025 domain controller where MSSQL impersonation leads to a cracked PBKDF2 hash and a password spray foothold, then BadSuccessor dMSA abuse escalates to Domain Admin.
HTB: EscapeTwo Writeup
EscapeTwo is an easy Windows Active Directory machine on HackTheBox. Starting with provided credentials, we enumerate SMB shares to recover plaintext credentials from Excel files, pivot through MSSQL to a shell as sql_svc, recover ryan credentials from a SQL installer config, then abuse ESC4 via the ca_svc account to forge an administrator certificate and own the domain.
HTB: DarkZero Writeup
Hard Windows Active Directory machine featuring MSSQL linked server lateral movement across two forests, CVE-2024-30088 kernel LPE to SYSTEM, and unconstrained delegation abuse for domain takeover.
HTB: StreamIO Writeup
StreamIO is a medium Windows Active Directory box. SQL injection on a PHP login page leaks MD5 hashes, cracking them gets admin panel access, where a hidden debug parameter enables LFI and PHP source disclosure leading to RCE via eval(). Pivoting through MSSQL and Firefox saved credentials exposes an AD path through LAPS.
🔒 HTB: Garfield Writeup
Detailed writeup of Season 10 Hack The Box Garfield machine. 🔒 Protected Content
HTB: Authority Writeup
Medium Windows Active Directory box where Ansible Vault secrets on an SMB share lead to PWM credential theft, then ESC1 ADCS abuse for domain admin.
HTB: Craft Writeup
Craft is a medium Linux machine featuring a Python eval injection in a craft beer REST API, credential leakage via a self-hosted Gogs instance, and privilege escalation through HashiCorp Vault OTP SSH.
HTB: VulnCicada Writeup
Windows AD machine where NFS exposes a credential in a sticky note photo, NTLM is disabled forcing Kerberos throughout, and ESC8 lets us relay the DC machine account to ADCS for a certificate-based takeover.
HTB: Jeeves Writeup
A medium Windows box featuring an unauthenticated Jenkins instance, a KeePass database holding an NTLM hash, and a flag hidden inside an NTFS Alternate Data Stream.
🔒 HTB: DevArea Writeup
Detailed writeup of Season 10 Hack The Box DevArea machine. 🔒 Protected Content
HTB: Media Writeup
Medium Windows box where a hiring page file upload is abused to steal an NTLMv2 hash via a Windows Media Player playlist, leading to SSH access and a SeTcbPrivilege escalation to SYSTEM.
HTB: Administrator Writeup
Medium Windows Active Directory box starting with given credentials. Exploit an ACL chain to pivot accounts, crack a PasswordSafe backup, and abuse GenericWrite to Kerberoast a DCSync-capable user.
🔒 HTB: Kobold Writeup
Detailed writeup of Season 10 Hack The Box Kobold machine. 🔒 Protected Content
HTB: Conversor Writeup
Conversor is a medium Linux machine featuring XSLT injection via an EXSLT file-write primitive, credential harvesting from a SQLite database, and privilege escalation through a misconfigured needrestart sudo rule.
HTB: Postman Writeup
Postman is an easy Linux box featuring an unauthenticated Redis instance, SSH key injection for initial access, a crackable encrypted private key, and a Webmin RCE vulnerability for root.
HTB: Trick Writeup
Trick is an easy Linux machine on HackTheBox combining DNS zone transfer enumeration, SQL injection, local file inclusion, and SMTP mail poisoning for foothold, then abusing a writable fail2ban action directory to escalate to root.
CTF: Ouro no Pescoço Revenge Writeup
Multi-stage web challenge chaining DOM poisoning, dual CSPT, a semicolon-based query parser discrepancy between Flask and Quarkus, and a Unicode SSRF bypass via furl to read and exfiltrate a server-side flag.
HTB: Gavel Writeup
Gavel is a medium Linux machine featuring an exposed .git repository, a creative backtick-based SQL injection, PHP rule code execution via an admin panel, and a custom YAML-driven privilege escalation.
HTB: Principal Writeup
Medium Linux box exploiting CVE-2026-29000, a critical auth bypass in pac4j-jwt using a forged PlainJWT to gain admin access, leading to RCE via SSH certificate forgery.
HTB: Expressway Writeup
Easy Linux box involving UDP enumeration, IKE Aggressive Mode PSK capture and cracking, SSH foothold, and privilege escalation via CVE-2025-32462 sudo hostname bypass.
HackSmarter: City Council Writeup
Medium Windows AD box where credential capture from a trojanized app leads through Kerberoasting, NTLM theft, DPAPI extraction, and SeImpersonatePrivilege abuse to Domain Admin.
🔒 HTB: Pirate Writeup
Detailed writeup of Season 10 Hack The Box Pirate machine. 🔒 Protected Content
HackSmarter: Exception Writeup
Medium Linux box from HackSmarter. Exploit CVE-2021-22911 NoSQL injection in Rocket.Chat 3.12.1 to achieve RCE, find database credentials in a leftover backup file that works for SSH, and escalate via a misconfigured sudo rule.
🔒 HTB: Interpreter Writeup
Detailed writeup of Season 10 Hack The Box Interpreter machine. 🔒 Protected Content
HTB: Giveback Writeup
Giveback is a medium Linux machine involving a GiveWP PHP Object Injection RCE, pivoting through Kubernetes pods via chisel, exploiting PHP-CGI parameter injection, and escaping to root via a runc wrapper misconfiguration
HackSmarter: GitOops Writeup
A medium-difficulty HackSmarter lab where a public Gitea instance leaks a Terraform state file from a misconfigured S3 bucket, exposing an SSH private key and enabling an Atlantis RCE chain to root.
HTB: Soulmate Writeup
A Linux box featuring CrushFTP exploitation, credential discovery in Erlang configuration files, and privilege escalation through an Erlang SSH daemon allowing arbitrary command execution as root.
🔒 HTB: WingData Writeup
Detailed writeup of Season 10 Hack The Box WingData machine. 🔒 Protected Content
HTB: Signed Writeup
A Windows Active Directory box involving SQL Server authentication relay attacks, Kerberos ticket forging, and NTLM reflection to achieve SYSTEM access through creative pivoting techniques.
HTB: Pterodactyl Writeup
Pterodactyl is a Medium Linux machine featuring unauthenticated Pterodactyl Panel RCE via CVE-2025-49132, credential extraction through MariaDB, and privilege escalation on openSUSE Leap 15.6 using CVE-2025-6018 and CVE-2025-6019 to gain root.
HTB: CodePartTwo Writeup
CodePartTwo is an easy-difficulty Linux machine featuring a vulnerable JavaScript execution sandbox that can be escaped to gain initial access, followed by weak credential recovery and privilege escalation through backup utility manipulation.
HackSmarter: StellarComms Writeup
Step-by-step guide for StellarComms, a medium Active Directory box on HackSmarter. We exploit DACL misconfigurations and perform advanced credential recovery.
HTB: Imagery Writeup
Imagery is a medium-difficulty Linux box where blind XSS leads to admin access, file traversal leaks source code, command injection gains a shell, and a sudo-abused backup tool escalates to root.
OSCP Certification: Review
My journey to earning the OSCP: How I scored 100 points in just 7 hours. This review covers my preparation, the exam environment, and crucial success tips.
HTB: Browsed Writeup
Browsed is a medium-difficulty Linux machine that begins with a browser extension upload portal. By discovering an internal Gitea instance through SSRF and exploiting a bash arithmetic injection vulnerability in a routine script, we gain initial access. Privilege escalation is achieved through Python bytecode cache poisoning to execute code as root.
HTB: Voleur Writeup
Voleur is a medium-difficulty Active Directory machine featuring password-protected Excel files, targeted Kerberoasting via WriteSPN abuse, AD object restoration, DPAPI credential extraction, and privileged access through WSL-accessible domain backups.
HackSmarter: Welcome Writeup
A complete writeup of the HackSmarter 'Welcome' machine. Learn about Active Directory privilege escalation, PDF cracking, and ADCS certificate abuse.
APISEC-CON CTF May 2025 - Writeups
Solutions for the API security challenges featured in the APISEC-CON CTF (May 2025). I cover broken object-level authorization and complex API vulnerability.
BSCP Certification: Review
Reviewing the Burp Suite Certified Practitioner (BSCP) exam. Learn the best strategies for using Burp Suite Professional to pass this rigorous web cert exam.
b01lersc CTF 2025 - Web Writeup
Detailed write-up for two challenging web tasks from b01lersc CTF 2025. I break down the exploitation chain from discovery to obtaining the final flag easily.
HTB Cyber Apocalypse 2025 - AI Challenges
Exploring the AI category in the HTB Cyber Apocalypse 2025 CTF. This write-up covers prompt injection and model manipulation challenges with step-by-step logic.
HTB Cyber Apocalypse 2025 - Web Challenges
Comprehensive solutions for the Web challenges during the HTB Cyber Apocalypse 2025 CTF. Learn about modern web vulnerabilities and bypasses used in the event.
APISEC CTF 2025 - Writeup
A detailed walkthrough of the APISEC CTF 2025, featuring the 'One Request to Rule Them All' challenge. Includes a full video guide and technical methodology.
CBBH/CWES Certification: Review
A deep dive into the Hack The Box CBBH, now CWES certification. Explore my preparation strategy, exam difficulty review, and advice for aspiring web testers.
CAPenX Certification: Review
My comprehensive review of the SecOps Group CAPenX certification. I share my exam experience, study resources, and essential tips for passing on your first try.
Welcome to my blog 👋
Welcome to my cybersecurity blog! Join me as I document my journey through certifications, CTFs, and lab walkthroughs while sharing technical insights daily.