Writeups & Challenge Solutions
Thinking through the problem.

Detailed writeups from CTF competitions and challenge platforms — covering methodology, tooling, and lessons learned. Also includes original threat analysis from my Pi Lab honeypot.

3 Writeups · 2 Platforms · 6+ Tools Used · 1 Original Research
HackTheBox: Windows · Active Directory · Medium (Pro)
TryHackMe: Web · Linux · Beginner–Medium (Top 5%)
Pi Lab: Original research — live honeypot data (Live)
Cascade (HackTheBox · Medium · Active Directory · Windows)
LDAP enumeration → legacy credential in AD attribute → .NET assembly decryption → AD Recycle Bin privilege escalation

A Windows machine that teaches the danger of stale Active Directory configurations. The entry point was a legacy user account storing a base64-encoded (effectively cleartext) password in a non-standard LDAP attribute, found by dumping all AD attributes via an anonymous LDAP bind. From there: SMB share → encrypted .NET assembly → decompile with dnSpy → decrypt VNC password → escalate via AD Recycle Bin group membership.

Attack Chain
nmap scan reveals LDAP, SMB, WinRM open
Anonymous LDAP bind → enumerate all user attributes → legacy user r.thompson has cascadeLegacyPwd set
Base64-decode password → SMB login → access Data share → find VNC install log with encrypted password
SMB as s.smith → access IT share → CascAudit.exe and CascCrypto.dll
Decompile with dnSpy → extract AES key + IV → decrypt password for ArkSvc account
ArkSvc is member of AD Recycle Bin → restore deleted admin account → retrieve password → Domain Admin
Tags: LDAP · Active Directory · SMB · .NET Reversing · AES Decryption · AD Recycle Bin
6 steps to root · 4 tools used · Key skill: AD
Mr Robot (TryHackMe · Medium · Web / Linux)
WordPress enumeration → brute force login → reverse shell → nmap SUID privilege escalation

A Mr Robot-themed room that walks through a real-world WordPress compromise chain. The key lesson: never expose wp-login.php without rate limiting, and never leave an SUID binary like nmap in place after a pentest. Three flags are hidden across the system, each requiring escalating privilege.

Attack Chain
robots.txt leaks a dictionary wordlist and the first flag
gobuster directory scan → /wp-login.php discovered
wpscan enumerates username → hydra brute forces password using leaked dictionary
WP admin → Theme Editor → inject PHP reverse shell into 404.php template
Stabilize shell → find second flag and MD5 password hash in /home/robot
Crack hash offline → su robot → find nmap with SUID bit → interactive mode → !sh → root
Tags: WordPress · gobuster · wpscan · Hydra · Reverse Shell · SUID Escalation
3 flags found · 5 tools used · Key skill: WP
Cowrie Honeypot — 30-Day Attacker Profiling (Pi Lab · Original Research · Blue Team · Threat Analysis)
Real-world SSH attacker behavior analysis from live Raspberry Pi 5 honeypot data

After running Cowrie on port 2223 for 30 days, I analysed the captured logs to profile automated attacker behavior: which credential pairs are tried first, what commands attackers run on successful entry, and how quickly sessions escalate from login to persistence attempts. The findings reveal that 94% of attacks are fully automated bots following identical playbooks — and that a handful of credentials account for the majority of attempts.

Key Findings
Top credential pair: root/123456 — attempted in 67% of sessions within the first 3 tries
Average time from first login attempt to command execution: 1.2 seconds (fully automated)
Most common post-login commands: wget, curl, chmod +x — consistent with dropper download pattern
43% of attacker IPs appear in CrowdSec community blocklist within 24 hours of hitting the honeypot
Geographic distribution: CN (38%), US (21%), RU (12%), NL (9%) — NL likely VPS exit nodes
Sessions per day spiked 4x after exposing port 22 for 48 hours, confirming active scanner targeting
Tags: Cowrie · Threat Intelligence · Log Analysis · Python · Grafana · CrowdSec
30 days of data · 94% automated bots · Live: still running