A walkthrough of the HackTheBox 'Puppy' machine. This write-up covers initial access, privilege escalation, and post-exploitation techniques.

A walkthrough of the HackTheBox 'Fluffy' machine which is easy rated windows box. This write-up covers initial access, privilege escalation, and post-exploitation techniques.

This note covers race condition vulnerabilities in web applications, where multiple processes or requests are executed simultaneously, leading to unintended behavior. It includes labs on bypassing ...

Information disclosure issues often reveal sensitive data such as framework versions, environment variables, source code, or even admin bypass techniques. These labs walk through discovering and ex...

Collection of PortSwigger labs demonstrating business logic vulnerabilities in web applications, including flaws in workflow validation, authorization, input handling, and purchasing logic. Ideal f...

Comprehensive notes and practical lab walkthroughs on web application authentication vulnerabilities. Covers topics such as username enumeration, brute-force attacks, broken 2FA logic, password res...

PoC showing unauthenticated remote code execution in Erlang/OTP SSH server. By exploiting a flaw in SSH protocol message handling, an attacker can execute arbitrary commands on the target without v...

PoC showing Linux privilege escalation via sudo Terraform. By abusing provider_installation dev_overrides and TF_CLI_CONFIG_FILE, a malicious provider script runs as root, allowing creation of a SU...

CVE-2024-47533 is a critical authentication bypass vulnerability in Cobbler (versions 3.0.0 to before 3.2.3 and 3.3.7) allowing unauthenticated remote code execution via the XMLRPC interface.

CVE-2025-24893 is a critical unauthenticated remote code execution vulnerability in XWiki (versions < 15.10.11, 16.4.1, 16.5.0RC1) caused by improper handling of Groovy expressions in the SolrSearc...