TryHackMe / DFIR
Volt Typhoon Intrusion Investigation
14 May 2026
TryHackMe room focused on reconstructing a Volt Typhoon-style intrusion from Windows and application logs. The investigation followed ADSelfService Plus account takeover, WMIC execution, PowerShell staging, web shell persistence, Mimikatz credential access, netsh proxying and log cleanup. Splunk searches, base64 decoding and MITRE ATT&CK mapping were used to connect the events into one timeline. The writeup demonstrates practical threat hunting through attacker behavior instead of isolated keyword matching.
Splunk, PowerShell, DFIR, MITRE ATT&CK
CTF / Team GHOSTSHELL
CSIA CTF 2026 first-place writeups
29 April 2026
Collection of CSIA CTF 2026 solutions covering web exploitation, forensics, reverse engineering, steganography, misc decoding and OSINT. The key techniques included JWT alg=none abuse, prototype pollution, Apache 2.4.49 traversal and RCE, LSB extraction with zsteg, signal decoding from JSON and social-archive pivots. Tools included curl, ffuf, Python, zsteg, grep and browser source inspection. The notes show how the team converted small clues into reproducible solve paths.
1st place, Web, Stego, OSINT
ENSET Challenge 2026 / Pwn
Browzi MiniBrowser heap exploitation
20 April 2026
Pwn challenge based on a minimal browser engine that parsed HTML into heap-allocated Node and RenderOps structures. The vulnerability was an unchecked img src copy into data[128], allowing an adjacent function pointer to be overwritten. GDB was used to map the heap layout, calculate the 144-byte offset and validate the partial overwrite constraint. pwntools completed the exploit by leaking render_div, computing win and overwriting ops->render with a 6-byte pointer.
Pwn, Heap, GDB, pwntools
CITEFLAG Qualifiers 2026 / Web
deepwash PHP DateTime parser logic
15 March 2026
Web challenge built around PHP DateTimeImmutable::createFromFormat and strict hash checks over parsed values. The weakness was silent date normalization: invalid days, day-of-year overflow and hour overflow were accepted and normalized instead of rejected. The solution used source review, PHP parser behavior and curl to construct a three-line payload that satisfied md5 and sha256 constraints. The writeup demonstrates why parser edge cases matter when validation depends on formatted output.
Web, PHP, Parser logic
Academia Cyber / Active Directory
SOKOLO AD lab attack chain
1 February 2026
Active Directory lab progress note following an attack chain from provided user credentials to workstation administrator access. The work covered RDP access, SMB enumeration, SAM hash extraction, pass-the-hash with Impacket, DPAPI credential discovery, BloodHound review and Kerberos ticket attempts. The main techniques were local privilege pivoting, machine-account analysis and Resource-Based Constrained Delegation reasoning. The note documents both successful steps and the Kerberos/SPN issues that still needed correction.
Active Directory, BloodHound, Impacket
Dedicated blog
All long-form notes
Chirpy / Categories / Tags
The full blog is the best place for longer reading, syntax highlighting and archive navigation. This portfolio page stays as the quick review layer for recruiters and technical reviewers.
syntax, tags, archives