YPYogesh Peelainexploitnotes.hashnode.dev·22h ago · 8 min readHackTheBox: NeoVault Challenge WriteupSummary NeoVault is a small banking app (Next.js frontend + REST API) that lets users register, transfer funds, and download PDF statements. The API ships in two parallel versions, v1 and v2. v2 patch00
YPYogesh Peelainexploitnotes.hashnode.dev·Jul 2 · 7 min readHackTheBox: vulnEscape WriteupSummary Escape is a Windows box that exposes only RDP (3389). The RDP session drops you into a locked-down kiosk account (KioskUser0) meant for a "Conference Display" app. The box is solved entirely t00
YPYogesh Peelainexploitnotes.hashnode.dev·Jul 1 · 9 min readHackTheBox: Reset WriteupSummary Reset is a Linux box built around a chain of web application logic flaws and a legacy authentication misconfiguration. Initial access starts with a password reset endpoint that leaks the new a00
YPYogesh Peelainexploitnotes.hashnode.dev·Jun 29 · 10 min readHackTheBox: Sendai WriteupSummary Sendai is a Windows Active Directory machine exposed with SMB guest access. RID brute-forcing reveals a full user list, and two accounts have expired passwords that can be reset with no knowle00
YPYogesh Peelainexploitnotes.hashnode.dev·Jun 28 · 7 min readHackTheBox: Sloink WriteupSummary NFS shares exposed the target's home directory and PostgreSQL backups. The user's psql history contained an MD5 hash that cracked to service. SSH with that account drops you immediately (shell00
YPYogesh Peelainexploitnotes.hashnode.dev·Jun 27 · 11 min readHackTheBox: Down WriteupExecutive Summary Down is an easy Linux machine running a simple "Is it down or just me?" web checker. The site uses curl server-side to test URLs - making it a classic SSRF target. The protocol filte00
APAmal PKinblog.amalpk.in·May 8 · 7 min readHackthebox Fluffy Walkthrough — Windows Seasonal BoxFluffy is a realistic Windows Active Directory (AD) machine on Hack The Box's Seasonal track that simulates a corporate environment with common misconfigurations and vulnerabilities often seen in real00
Cctfsecinblog.ctfsecurity.com·May 2 · 2 min readHackTheBox: Freelancer - Blind SQLi to Domain AdminFreelancer is a medium-rated HackTheBox machine that chains a blind SQL injection vulnerability into full Active Directory compromise. Here's my full walkthrough. Reconnaissance Starting with a standa00
MSMOHIT SINGH PAPOLAinblog.reapsec.com·Apr 19 · 11 min readAirTouchOVERVIEW So as always we are given an IP so let’s start the enumeration using NMAP ENUMERATION So there are only two ports that are opened one is SSH and other one is SNMP so if you do script sca00
LSLakshaya Sharmainblog.langersword.in·Apr 19 · 8 min readMaking Sense of Noncesense: Breaking Crypto with CRTCryptography is one of the most important safeguards applied over any data. To make data unreadable for unintended people is a really complex task, since if the encryption is not complex enough, it co00