PENETRATION TESTER // OFFENSIVE SECURITY // WEB APP SECURITY // RED TEAM OPS // NETWORK SECURITY // EXPLOIT DEVELOPMENT
$ sqlmap -u "target/login" --dbs
available databases:
[+] information_schema
[+] production_db
$ dump --table users
[+] 4821 entries extracted
SQL Injection to Full Database Compromise
A walkthrough of a real-world engagement where a seemingly minor SQLi vulnerability led to complete database exfiltration and lateral movement.
$ GetUserSPNs.py corp/user
ServicePrincipalName: HTTP/app
$ hashcat -m 13100 hash.txt
[+] P@ssw0rd123 CRACKED
$ psexec.py admin@dc01
AD Privilege Escalation via Kerberoasting
How I escalated from a low-privilege domain user to Domain Admin in under 4 hours using Kerberoasting and misconfigured service accounts.
$ python3 exploit.py --target htb
[*] Sending payload...
[*] WAF bypass: SUCCESS
$ nc -lvnp 4444
[+] Connection received
[+] whoami: root
HackTheBox — Machine Writeup: Fortress
Full walkthrough of the Fortress machine — initial foothold through API key leakage, privilege escalation via SUID binary exploitation.
$ nmap -sV --script vuln 10.0.0.0/24
[*] Scanning 254 hosts...
[+] 10.0.0.12: EternalBlue
[+] 10.0.0.47: MS17-010
$ use exploit/ms17_010_eternalblue
Internal Network Assessment: From Zero to Domain
Internal pentest methodology from initial reconnaissance to full domain compromise, including legacy system exploitation and credential harvesting.
$ burpsuite --intercept on
[*] Analyzing JWT tokens...
alg: none [VULNERABLE]
$ forge-token --alg none --role admin
[+] Access granted: admin panel
JWT Algorithm Confusion Attacks in the Wild
Deep dive into JWT vulnerabilities found across multiple bug bounty targets — algorithm confusion, weak secrets, and the "none" algorithm bypass.
$ ffuf -w wordlist -u /FUZZ
[+] /.git/config  [200]
[+] /api/v1/admin [403]
$ gitdumper.sh target/.git
[+] Source code recovered
Exposed .git Directory to Source Code Theft
How a misconfigured web server exposing a .git directory led to full source code exfiltration and discovery of hardcoded credentials.