Security research, career reflections, and technical deep-dives. No fluff.
Root-to-administrator compromises with full attack chains, tool output, and lessons learned.
HackTheBox Cicada: Anonymous SMB finds a default password in an HR notice. impacket-lookupsid SID brute force builds the user list without credentials. Password spray hits michael.wrightson. AD description field leaks david.orelious credentials. DEV share holds a PowerShell backup script with emily.oscars plaintext password. SeBackupPrivilege dumps the SAM. Pass-the-Hash delivers Administrator.
HackTheBox Heist: Cisco router config in a support ticket yielded three passwords via Type 7 decode and Type 5 hashcat crack. RID brute force built the user list, credential spray hit Chase over WinRM. Firefox process memory dump revealed the Administrator password in plaintext.
HackTheBox Return: printer admin panel on port 80 transmits LDAP credentials to a netcat listener when the server address is updated. svc-printer is in Server Operators. VSS service binary path hijack adds the account to local Administrators. Domain owned.
HackTheBox Timelapse: cracked a zip-protected PFX certificate on an anonymous SMB share, authenticated to WinRM over HTTPS using the extracted certificate, found svc_deploy credentials in PowerShell history, and read the LAPS Administrator password via ldapsearch.
HackTheBox Support: reversed a custom .NET binary on an anonymous share to recover XOR-encoded LDAP credentials, dumped a plaintext password from a user's LDAP info field, and exploited GenericAll over the DC via RBCD to compromise the domain.
HackTheBox Active: anonymous SMB access exposed Groups.xml in SYSVOL, gpp-decrypt recovered SVC_TGS credentials, Kerberoasting the Administrator SPN cracked Ticketmaster1968, psexec delivered a SYSTEM shell.
HackTheBox Sauna: harvested 6 employee names from a bank website, AS-REP Roasted fsmith, pivoted via WinPEAS AutoLogon credentials to svc_loanmgr, then DCSync'd the domain via pre-assigned replication rights.
HackTheBox Forest: RPC null session user enumeration, AS-REP Roasting svc-alfresco, BloodHound path through 4 nested groups to WriteDACL, PowerView DCSync grant, and Pass-the-Hash to Administrator.
HackTheBox Nibbles: an HTML comment in the index page source reveals the Nibbleblog CMS before any enumeration tool runs. admin/nibbles logs you in. The My Image plugin saves the PHP file to disk despite throwing errors. Shell lands as nibbler. sudo -l exposes a world-writable script in a NOPASSWD path. printf overwrites it. Root.
HackTheBox Bashed: gobuster finds a /dev/ directory with directory listing enabled. phpbash.php is sitting there, left over from the developer's own research. Web shell lands as www-data. sudo -l reveals scriptmanager NOPASSWD:ALL. Lateral move to scriptmanager, /scripts/ ownership reveals a cron job executing test.py as root. Overwrite the script, wait for cron, root shell on port 5555.
HackTheBox Shocker: gobuster with .sh extension finds user.sh inside a forbidden /cgi-bin/ directory. Shellshock via User-Agent header fires through Apache's CGI handler on bash 4.3. Shell lands as shelly. sudo -l reveals Perl NOPASSWD as root. GTFOBins exec one-liner completes the escalation.
HackTheBox Lame: nmap service scan identifies Samba 3.0.20-Debian. CVE-2007-2447 exploits the username map script option, passing shell metacharacters in the authentication username directly to /bin/sh. The Samba daemon runs as root. One Metasploit module call delivers an immediate root shell with no privilege escalation required.
HackTheBox Cap: exploited an IDOR to download another user's PCAP, extracted FTP plaintext credentials with Wireshark, reused them on SSH, and escalated to root via cap_setuid on Python 3.8.
Six challenges. Five evidence types. One attacker. Read in order: each challenge builds on the last.
A Linux server compromised on November 14, 2025. Full attack timeline reconstructed through log analysis alone. 6/6 flags captured.
A Cobalt Strike beacon disguised as a kernel process, credentials recovered from RAM, and a staged exfil archive. Reconstructed using Volatility. 6/6 flags captured.
C2 domain identified via DNS traffic, credentials stolen over a reverse shell, base64-encoded data hidden inside DNS subdomains. Reconstructed from one PCAP. 5/5 flags captured.
Hidden stolen-data file on a USB image, a log-shredding cleanup script, a PNG carved from raw sectors, and deleted credentials recovered from a wiped disk. 5/5 flags captured.
C2 address extracted from an ELF binary, beacon User-Agent identified, and a two-stage VBA macro infection chain fully reversed using only strings and cat. 5/5 flags captured.
The final challenge: correlate all previous evidence, reconstruct twelve attack events in exact chronological order. 4/5 flags captured.
Longer-form writing on offensive security concepts and the career behind the work.
A developer's guide to SQL injection, seen from both sides of the keyboard. How the same code looks completely different once you learn to think like an attacker.
My timetable said Maths, Physics and Chemistry. My evenings said something else. Twelve years later, I hunt vulnerabilities for a living. Here's how that happened.