WhiteRabbit is a pentesting company. I’ll exploit their Uptime Kuma instance to find the domain for their WikiJS wiki. On that I’ll find documentation for a n8n pipeline, and find an SQL injection vulnerability in how it processes email, as well as the key for crafting signatures. I’ll make a proxy to add signatures using mitmproxy and then use sqlmap to dump the database. In the DB I’ll find restic commands, which I’ll use to get a backup with SSH keys. I’ll abuse restic command injection to get root on a container, and find SSH keys for a user on the host. From there I’ll find a custom password generator, and using logs from the DB that leak the time the command was run, generate the right password for the next user. That user can run any command as root.

Advent of Code 2025 Day 12 provides a challenge that on it's face I think is nearly impossibe, figuring out if I can place a lot of specific shapes into a sp...

Advent of Code 2025 Day 11 provides a list of nodes and the nodes that come after each one. I'll use recusrion to build a function that can count the number ...

Advent of Code 2025 Day 10 has some buttons that each control one or more outputs. In part 1, they toggle on and off a light, and I'll have to find the minim...

Advent of Code 2025 Day 9 processing the verticies of a polygon. First I'll loop over each pair of corners and find the largest possible square that can be m...

Advent of Code 2025 Day 8 involves connecting points in order of their distances apart. In part 1, I'll connect the closest 1000 points, and find the size of...

Advent of Code 2025 Day 7 visualizes a bean as it moves down the space hitting splitters. In part 1, I need to count the number of splits that happen. In par...

Editor is a Linux box hosting a code editor website, with documentation on an XWiki instance. I’ll exploit a vulnerability in XWiki’s Solr search that allows unauthenticated Groovy script injection to get remote code execution and a shell. From there, I’ll find database credentials in the XWiki Hibernate config and pivot to a user who reuses the password. Enumerating localhost services, I’ll find NetData running an older version that installs a vulnerable ndsudo SetUID binary that is vulnerable to PATH injection, which I’ll abuse to get root.

Advent of Code 2025 Day 6 is all about parsing columns of text. In part 1, I'll parse lines of integers and operators as columns, calculating their products ...

Advent of Code 2025 Day 5 plays with overlapping ranges. I get a long list of ranges for ids of fresh ingredients. In part 1, I work through another list of ...

Advent of Code 2025 Day 4 is the first grid challenge of the year. I'm given spaces in a warehouse that have pallets of paper on them. A forklift can only ac...

Advent of Code 2025 Day 3 provides lines of digits. I need to pick digits from each line without changing the order to make the largest integer possible. In ...

Advent of Code 2025 Day 2 offers input with a bunch of number ranges. I'll parse those, and then loop through each, check for any invalid numbers and summing...

Advent of Code 2025 Day 1 has a simple circular combination lock with a set of instructions. I'll count the number of times that it stops on 0, and then the ...

Advent of Code 2025 is a coding CTF with 12 days of challenges. In this video I'll preview the 2025 CTF and talk about my approach to it. I'm going to be sol...

Era starts with a custom file upload website full of insecure direct object reference vulnerabilities. I’ll create an account and abuse one IDOR to download a site backup from the admin account. Then I’ll abuse an IDOR like vulnerability to get admin access to the site. The admin panel has a PHP vulnerability where I can get it to use the SSH module to login to the host and run commands, providing a reverse shell. From there, I’ll create my own signed binary to replace one that I can run with sudo to get root.

Mirage is an Active Directory DC. I’ll start by finding a domain name in a report on an open NFS server. That name is not registered in DNS, so I’ll register it pointing to my host, and use that to capture NATS credentials. I’ll use those to enumerate NATS and find another set of creds. With those, I’ll Kerberoast another user to get a shell, and find another user logged into the box. A cross-session relay attack gets their hash which I can crack. That user can reset the password of a contractor user, and I’ll have to re-enable the account and set working hours to use it. From there, I’ll read a GMSA password, and use that service account to do a ESC10 attack, resulting in Administrator access.

Outbound starts with a RoundCube instance and a set of creds to login. I’ll abuse a authenticated deserialization vulnerability to get remote code execution and a shell. From there, I’ll recover another user’s email password from the RoundCube database, showing both how to do it manually and using a RoundCube script. Finally, I’ll abuse a CVE in below to make the passwd file writable and get root. In Beyond Root, I’ll dig into the PHP exploit, showcase some neat CyberChef tricks, and play with the sudo rules on the box.

RustyKey HTB walkthrough: Timeroasting to crack computer passwords, ForceChangePassword abuse, CLSID hijacking via registry, and RBCD for domain compromise.

Generative AI has many applications. An amazing one is to give it a writeup to a challenge you're trying to solve but stuck on and getting it to coach you th...

Dump has a website that collects packets on a specific port. It can also handle PCAP uploads and download all the current PCAP files in a zip archive. I’ll abuse wildcard injection in the zip command with some carefully crafted filenames to get RCE and a shell. I’ll pivot to the next user with a password from the database. I’ll then abuse how www-data can run sudo to run tcpdump to get root.

Voleur is an active directory box that starts with assume breach credentials. I’ll find an Excel notebook with credentials and get a shell. I’ll find a deleted user and switch to a service account to recover it. That user can access an SMB share with a user’s home directory backup, where I’ll find DPAPI encrypted credentials. I’ll recover those, getting access to an SSH key that provides access to a WSL instance. There I’ll find registry hive backups where I can dump the administrator hash.

HTB Store walkthrough: exploiting XOR encryption for arbitrary file read, SFTP tunneling to Node.js debugger, and Chrome webdriver RCE for root access.

Artificial starts with an AI website where I can upload models that are run with TensorFlow. I’ll exploit a deserialization vulnerability in how TensorFlow handles h5 files to get RCE and a foothold. I’ll find hashes in the database and crack one to pivot to the next user. That user has access to an instance of Backrest running on localhost. I’ll find the config and crack the hash to get access, and then show three ways to get execution as root through the application.