Detailed writeups for Hack The Box machines, Pro Labs, APT Labs, Endgames, and CTF challenges. Focused on Active Directory, binary exploitation, malware development, and red team operations.
High school student from Vietnam passionate about offensive security, binary exploitation, and Active Directory attacks. Member of W4LLZ CTF team.
Complete domain compromise through Citrix VDI breakout, Kerberoasting, NetScaler PCAP analysis, password spraying, and SeBackupPrivilege abuse to extract ntds.dit from the Domain Controller. Six flags across the entire kill chain.
Red Team Operator Level I lab walkthrough. Pivoting through 14 machines across three subnets using Ligolo-ng, WordPress exploitation, LLMNR poisoning, buffer overflows, and KeePass credential extraction to achieve domain dominance.
Red Team Operator Level I. Assumed-breach Active Directory environment starting with a standard domain user. Escalate through Kerberoasting, delegation abuse, constrained delegation, ACL attacks, and DCSync to achieve full Domain Admin compromise across a hardened enterprise network.
Red Team Operator Level II. Advanced corporate network penetration testing requiring deep pivoting across multiple subnets, exploiting web vulnerabilities, Grafana exploitation, complex privilege escalation paths, and tunneling deep into the internal AD environment to compromise the domain.
Red Team Operator Level II. Advanced Active Directory attacks across five domains including Kerberos delegation abuse, GPO exploitation, forest trust pivoting, and cross-domain compromise with 25 flags.
Red Team Operator Level III. The most advanced HTB Pro Lab featuring realistic APT-style operations — Cobalt Strike C2 infrastructure, Citrix VDI exploitation, network pivoting through multiple trust boundaries, and full enterprise domain takeover with 30+ flags.
Advanced Persistent Threat simulation environment. 18 machines across 3 AD forests — phishing initial access, Kerberoasting, RBCD, DCSync, Golden Tickets, cross-forest trust exploitation, and full domain compromise. 20 flags, 24h daily reset.
Full Active Directory chain attack including NTLM relay, GPO abuse, Silver Ticket forgery, and Shadow Credential exploitation on a hardened Windows domain environment.
Docker escape through Kafka RCE combined with SSRF chain exploitation, leading to FreeIPA domain compromise through container breakout and privilege escalation.
WordPress exploitation combined with RSA cryptographic attacks. From web application foothold through custom cipher decryption to root access on a hardened Linux system.
Advanced persistent threat simulation on a Windows Domain Controller. NTLMv1 downgrade attacks, DC exploitation, and multi-stage privilege escalation in a hardened AD environment.
Binary exploitation through format string vulnerability to ROP chain construction. Stack-based buffer overflow with custom exploit development on a 64-bit Linux binary with protections.
V8 engine out-of-bounds exploitation leading to browser sandbox escape and kernel-level privilege escalation. Advanced pwn chain from JavaScript engine to root on Linux.
Memory forensics investigation of an APT intrusion. Rootkit analysis, process reconstruction, and indicator extraction from a compromised Windows memory dump.
Threat intelligence deep dive into Salt Typhoon's network-device espionage toolkit and GhostEmperor's kernel-mode Demodex rootkit. MITRE ATT&CK mapping, CVE analysis, and APT profiling.
Introduction to malware development on Windows. Understanding the VirtualAlloc → WriteProcessMemory → CreateThread execution flow, generating position-independent shellcode, and injecting it into a remote process.
XXE injection through SVG file upload. Exploiting XML external entity processing in a web application's image upload functionality to read arbitrary server files.
Zip Slip directory traversal attack through a file upload service. Crafting a malicious ZIP archive with path traversal symlinks to write files outside the intended directory.
DNSSEC validation bypass combined with SQL injection. Chaining cryptographic protocol weaknesses with database exploitation to bypass authentication mechanisms.
RSA partial key exposure attack using LSB oracle. Recovering full plaintext from an RSA encryption oracle that leaks individual bits through a padding oracle side-channel.
VoIP packet analysis and PNG reconstruction from network capture data. Extracting hidden voice communications and embedded image files from PCAP traffic.
Polyglot file analysis combining PDF and alternate format parsing. Extracting hidden data layers from a document that serves as both a valid PDF and another file format.
Bitmap image reconstruction and steganographic analysis. Decoding hidden information embedded in packet payload data mapped to bitmap pixel values.
Reverse engineering a custom binary file format. Parsing proprietary headers, custom compression schemes, and non-standard encoding to extract the hidden flag data.
Mach-O binary reverse engineering on macOS. XOR-based string obfuscation analysis, Objective-C method tracing, and flag extraction from a native Apple binary.
ELF binary analysis with anti-debugging techniques. Bypassing ptrace-based protections, reconstructing obfuscated control flow, and extracting the flag from a hardened Linux executable.
Buffer underflow exploitation on a Linux binary. Unconventional memory corruption through negative indexing, hijacking execution flow via stack manipulation and GOT overwrite.
Image steganography challenge. Extracting hidden data from visual artifacts in a glitched image file through pixel-level analysis and channel manipulation.
AI prompt injection and jailbreaking challenge. Manipulating LLM behavior through carefully crafted inputs to bypass safety filters and extract restricted information.
Full Active Directory attack chain from web enumeration through SMB and LDAP enumeration, Kerberoasting, Constrained Delegation abuse, and Secrets Dump to achieve Domain Admin on a TryHackMe AD lab.
Cyber Competition Team 2019 challenges including Forensics, Reverse Engineering, PCAP analysis, and Cryptography. Multi-category CTF walkthrough with detailed analysis of each challenge.
Local privilege escalation to root via rxgk_decrypt_skb — a missing COW guard vulnerability in the Linux kernel rxgk module that allows bypassing Copy-On-Write protection and writing directly into the page cache. Deterministic exploit, no race condition, public PoC available.
Advanced detection and auditing framework for the ShadowPolicy threat model: GPO Preference Scheduled Task XML injection via SYSVOL state modification in Windows Server 2022 / Active Directory. Full defensive architecture with DSC hardening, SACL auditing, and SIEM detection rules.