I Found a Cryptominer on a Public Government Pre-Production Host

- 6 mins read
You should now first the website was in publicly exposed pre-production (staging) host used for validating deployments before release Introduction Hi, when React2Shell (cve-2025-55182) started and I was boring, I turn on my PC to collect as many website I can that infected with this vulnerability, one of the website that I spot is Public-Private Partnership (PPP) it means it is collaboration between government and the private company. the Idea was simple, detect if there is React2Shell then test it, write PoC send the report.
Read More…

Fully account take over; they printed the password

- 4 mins read
Intro Vulnerability Type: Information Disclosure & Broken Authentication Logic I was just browsing :), I came across an login page in a website is often I visit. they updated the pages in their websites, so I tested their new updates. the problem was in the “Forget password”. While analyzing the authentication workflow in JavaScript and the API responses I identified a two-stage vulnerability chain. When you press “Forget password” it only ask you about the username, if you enter it, it will send a temporary password to the phone number and the email account that linked to it.
Read More…

DACL 1 Attacks and sacrificial process

- 6 mins read
INTRO This is DACL I skill assessment from HackTheBox, one of the machines that tested my skills in DACL and lateral movement, Below I will write my experiences and my challenges that I faced, let me show you the AD network that we have: domain: inlanefreight.local DC: dc01.inlanefreight.local computers: WS01, REMOTE_SVC Enum I have got a credential to start the machine that is carlos:Pentesting01 using this account let’s start an initial enumeration
Read More…

Unconstrained Delegation User, Chained DNS, SPNs, and a Printer to Pwn a Domain

- 4 mins read
INTRO Hi all, I finished Kerberos module in HTB academy and it inspires me to write this article or blog idk. Why? this attack really cool because I love how connectivity of it and testing your knowledge in how the AD features can combine together to craft attack that lead to DC TGT then using DCSync to dump any NTLM hash user, even krbtgt user If you are reading this and don’t understand how Kerberos works, you are in for a headache just like what I’m experiencing with the HTB model.
Read More…