Cyber Blog​

| CVE-2025-29927 (auth bypass in Next.js) | SSRF to scan and find internal services | LFI to steal secrets | Redis injection for command execution

This lab's live chat feature is vulnerable to cross-site WebSocket hijacking (CSWSH)

This lab's change email function is vulnerable to CSRF.

Engagement Flow Tools used Burpsuite EVTX Parser by omerbenamram WhatWeb Netcat SCP Ghidra Moonwalk Tactics/Techniques File upload abuse...

YouTube Index: Introduction What is Server-Side Parameter Pollution Understanding the Query String in an API Request Example Injecting...

High Level Details: Attacker 1: 40.80.148.42 Attacker 2: 23.22.63.114 CMS: Joomla Site: imnotreallybatman.com Site IP: 192.168.250.70...

This challenge demonstrates a classic prototype pollution vulnerability.

A Classic MD5 SQL Injection Bypass Attack.

Extract a plain text RSA key from HTTP, format it, save as .key, and import into Wireshark with the correct IP, PORT, and protocol for decr

Visual Workflow Summary Summary Identifying hidden functions generated dynamically was at the core of this challenge. While the giveFlag...

Follow along with my YouTube video for an interactive walkthrough. Visual Workflow summary The challenge starts with a provided PCAP file...

Note - You can view my video writeup below  📺🎬🎥 https://youtu.be/xnjWVL7i7HA 📺🎬🎥 This room covers an incident Handling scenario...

Checkout my YouTube Video Writeup https://youtu.be/BbXbbBDW48c Engagement Flow Tools used John Chat GPT Moonwalk Tactics/Techniques...

Attackers workflow mapped Attacker's Summary This summary will cover the attackers workflow as discovered from my point of view. I...

CHALLENGE DESCRIPTION In the race for Vitalium on Mars, the villainous Board of Arodor resorted to desperate measures, needing funds for...

CHALLENGE DESCRIPTION An organization seems to possess knowledge of the true nature of pumpkins. Can you find out what they honestly know...

Attackers workflow mapped Attacker's Summary This summary will cover the attackers workflow as discovered from my point of view. I...

This machine involves RPC servers, command injection and a CVE with a twist on SQL injection and burpsuite.

This room covers an incident Handling scenario using Splunk.

SQL Injection manual (NO AUTOMATION)

Engagement flow Summary This machine starts off with some basic web enumeration. The user learns about a web page pdf conversion...

Engagement Flow Summary This is my writeup for the Hack the Box Machine "Soccer". Tools Used whatweb Processes/Techniques Web enumeration...

Engagement Map Enumeration We start off with a casual NMAP scan including the flags for service scanning and version discovery. Initially...

Summary Docker images offer many benefits, they can also present challenges for developers and security professionals who need to...