About

About Me

Hi! I'm Sérgio Charruadas (aka itzv3nom), a cybersecurity professional with hands-on experience as a Penetration Tester. I currently work as a Training Developer at Hack The Box.

I have conducted multiple security assessments across multiple industries. My work has directly supported enhancing clients' security postures by identifying vulnerabilities and providing actionable mitigation strategies.

I'm passionate about continuous learning, offensive security research, and contributing to the cybersecurity community through public speaking, certification reviews and CVE disclosures.

Here are some areas I specialize in:

  • Web Application Security
  • API Security Testing
  • Mobile Security (Android)
  • Network Penetration Testing
  • Active Directory Exploitation

Where I've Worked

Hack The Box
Training Developer
Remote • May 2025 – Present
  • Review and evaluate Academy modules before release to ensure quality standards
  • Test and troubleshoot hands-on exercises to verify intended functionality
  • Create detailed walkthroughs for published modules to support learners
  • Grade Academy exams and provide constructive feedback

Talks & Presentations

HTB Lisbon: The Click - Unlocking the Hacker Mindset

HTB Event

This talk introduces The Click – Unlocking the Hacker Mindset, exploring how to think like a hacker by stepping into the mindset of an attacker. It covers real-world penetration testing scenarios, showcasing vulnerabilities and security control bypass techniques through interactive exercises and live demonstrations.

Attendees gained hands-on experience and learned practical skills for approaching cybersecurity with a fresh perspective. The session also highlights key insights from my career transition into cybersecurity, encouraging participants to develop their own hacker mindset.

CVE Disclosures

CVE-2025-54777

CVE-2025-54777 is a medium-severity denial-of-service (DoS) vulnerability in the Web Connection interface of Konica Minolta bizhub multifunction printers. A malformed file during S/MIME certificate registration can crash the service, disrupting remote management. No widespread exploitation has been reported. Firmware updates are available for affected models, and Konica Minolta recommends applying them and following security best practices.

Found in collaboration with security researcher and good friend 0xmupa.

CVE-2024-37147

CVE-2024-37147 is a medium-severity improper access control vulnerability in GLPI, the open-source IT and asset management platform. It allows authenticated users to attach documents to items they don’t have permission for, bypassing access controls. This could let attackers insert unauthorized or malicious files, affecting data integrity and workflows. The flaw affects GLPI versions 0.85 through 10.0.15 and is fixed in 10.0.16 or later.

Found in collaboration with security researcher and good friend 0xmupa.