Archive.
Research notes, bug bounty writeups, reverse engineering and offensive security.
Dependency-Track: Breaking Tenant Isolation with a Single PUT Request
OWASP Dependency-Track ships a Portfolio ACL feature that promises multi-tenant isolation. Turns out it only blocks reads. A low-privileged user can suppress any vulnerability, rewrite triage decisions, and poison audit trails on projects they cannot even see. Here is how, and why the maintainers called it a documented gap.
Copy Fail → Dirty Frag → Fragnesia: The Linux Page-Cache Exploit Family
Three kernel privilege escalation vulnerabilities in two weeks. All abuse page-cache corruption to overwrite read-only files in memory. No race condition required. Reliable root on every major distro. This is the technical breakdown and how to patch before you get hit.
ADCS: The Certificate Attacks That Actually Get You Domain Admin
ESC1 gets all the attention. The real kills happen through ESC9, ESC14, ESC15 and ESC16. These are the ADCS escalation paths that bypass modern hardening, abuse certificate mapping logic, and work even after KB5014754. Full chains, tooling, detection.
Shadow Credentials: Owning AD Through msDS-KeyCredentialLink
Shadow Credentials abuse msDS-KeyCredentialLink to authenticate as any user via PKINIT without touching their password. No reset, no ticket forging, no detection by most SOCs.
IP to SYSTEM: The Windows Compromise Playbook
You have an IP. You need SYSTEM. This is the decision tree: what to check, what each misconfiguration gives you, where to go next. From network enumeration to domain compromise, every fork is covered.
Bypassing EDR: Syscalls, Unhooking, and the Art of Living Undetected
Most EDRs hook ntdll, consume ETW telemetry, and register an AMSI provider. This covers the techniques to bypass all three: direct and indirect syscalls, manual unhooking, ETW patching, AMSI manipulation, and the execution patterns that keep your implant alive.
Lateral Movement and Persistence: The Tradecraft They Don't Teach
PsExec gets caught. WMI gets logged. RDP gets recorded. This covers the lateral movement techniques that APT groups actually use in long-duration operations: DCOM abuse, WinRM certificate auth, token manipulation, and persistence mechanisms that survive reimaging.
Building C2 Infrastructure That Doesn't Get Burned
Your Cobalt Strike beacon gets flagged in 30 seconds because your infrastructure is trash. This covers redirector chains, domain fronting alternatives, malleable C2 profiles, and the operational security that separates a red team from a pentest.
Diamond Tickets, Sapphire Tickets, and the DACL Chains Nobody Checks
Golden Tickets get caught. Silver Tickets have limitations. Diamond and Sapphire Tickets modify legitimate TGTs issued by the KDC, making them nearly invisible. Combined with DACL abuse chains, this is the current state of the art in AD persistence and escalation.
Cloud Pentest Playbook: AWS, Azure, GCP From Access to Exfil
Cloud security isn't 'someone else's problem.' Misconfigured IAM, exposed metadata, overprivileged service accounts. This is the decision tree for compromising AWS, Azure, and GCP environments: from initial access to data exfiltration.
Wi-Fi hacking, every protocol, every attack
The complete methodology for auditing wireless networks. From WEP to WPA3, from WPS bruteforce to PMKID capture, from deauth to evil twin. Every protocol, every attack vector, every terminal output. The guide I wish existed when I started.
ADB over internet, root access for everyone
Android Debug Bridge is a powerful developer tool. When left exposed on the internet with ADB authentication disabled, it becomes an unauthenticated shell, and on rooted or debug builds a root shell. This is the complete methodology: from recon to post-exploitation, and everything people forget to check.
Red-team an LLM, avoid false positives
garak is a tool for scanning LLMs for vulnerabilities. The technique looks simple, but using it without drowning in noise is not straightforward. This article is a writeup of my deep dive into the project's internals.
CVE-2024-29643: When a Single Header Breaks Everything
How a simple Host header manipulation poisoned Croogo's RSS feed and opened the door to phishing and domain spoofing.
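The mechanism behind this class of bug, as an added example that is not Croogo's code: an application that builds absolute feed links from the client-supplied Host header will embed any hostname an attacker sends, and feed readers and crawlers then cache those poisoned links. The allow-list, hostnames and paths below are constructed for illustration.

```python
"""Host header poisoning of generated links, vulnerable vs hardened.

Added illustration, not code from the Croogo writeup. The hostnames and
the allow-list are constructed for the example.
"""
from urllib.parse import urlsplit

# Hypothetical set of hostnames the site is actually served on.
ALLOWED_HOSTS = {"news.example.org", "www.example.org"}
CANONICAL_HOST = "news.example.org"


def vulnerable_feed_link(headers: dict, path: str) -> str:
    """Trusts whatever Host the client sent.

    A request with `Host: evil.example` makes every <link> in the feed
    point at the attacker's domain.
    """
    return f"https://{headers['Host']}{path}"


def hardened_feed_link(headers: dict, path: str) -> str:
    """Only uses the Host header if it is on the allow-list.

    The port is stripped and the name lowercased before the check; anything
    else falls back to the configured canonical host.
    """
    raw = headers.get("Host", "")
    hostname = urlsplit(f"//{raw}").hostname or ""
    if hostname not in ALLOWED_HOSTS:
        hostname = CANONICAL_HOST
    return f"https://{hostname}{path}"


def render_feed(link_builder, headers: dict, items: list[str]) -> str:
    """Minimal RSS fragment so the poisoned <link> elements are visible."""
    links = "".join(
        f"<item><link>{link_builder(headers, p)}</link></item>" for p in items
    )
    return f"<rss><channel>{links}</channel></rss>"


if __name__ == "__main__":
    # Constructed attacker request: only the Host header differs.
    evil = {"Host": "evil.example"}
    print(render_feed(vulnerable_feed_link, evil, ["/posts/1"]))
    print(render_feed(hardened_feed_link, evil, ["/posts/1"]))
```

The fix that matters is the fallback to a configured canonical host rather than the request: a reverse proxy in front of the app does not help, because the Host header the proxy forwards is still the one the attacker chose.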
CVE-2026-25050: How a 300ms Difference Unmasked Vendure Users
A deep dive into a timing attack vulnerability I discovered in Vendure's NativeAuthenticationStrategy.
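The usual cause of a timing difference of this size in a login path, shown as an added example that is not Vendure's code: the handler returns immediately when the username is unknown and only runs the slow password hash when it exists, so response time alone tells the attacker which usernames are valid. The user store, hash parameters and the instrumentation counter below are constructed for the example; whether this is exactly Vendure's root cause is an assumption, not something the teaser states.

```python
"""Username enumeration through password-hash timing, vulnerable vs hardened.

Added illustration, not Vendure's code. The user store and the hash
parameters are constructed; a call counter stands in for a stopwatch so
the difference can be checked deterministically.
"""
import hashlib
import hmac
import time

_SALT = b"\x01" * 16          # fixed salt purely for the example
_ITERATIONS = 200_000         # slow enough to be measurable (~100 ms)

HASH_CALLS = {"count": 0}     # instrumentation: how often the slow hash ran


def slow_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256, the deliberately expensive step."""
    HASH_CALLS["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS, dklen=32)


# Constructed user store: username -> (salt, stored hash). Only alice exists.
USERS = {"alice": (_SALT, slow_hash("correct horse", _SALT))}
# A dummy digest so unknown users cost exactly one hash as well.
_DUMMY = slow_hash("dummy-password", _SALT)
HASH_CALLS["count"] = 0


def login_vulnerable(username: str, password: str) -> bool:
    """Early return for unknown users: no hash, so it answers in microseconds."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(slow_hash(password, salt), stored)


def login_hardened(username: str, password: str) -> bool:
    """Always runs one hash and one constant-time compare, then checks existence."""
    salt, stored = USERS.get(username, (_SALT, _DUMMY))
    ok = hmac.compare_digest(slow_hash(password, salt), stored)
    return ok and username in USERS


def hash_calls_for(fn, username: str, password: str) -> int:
    """How many slow hashes a login attempt triggers (the timing signal)."""
    HASH_CALLS["count"] = 0
    fn(username, password)
    return HASH_CALLS["count"]


def measure_seconds(fn, username: str, password: str) -> float:
    """Wall-clock time of one attempt, for a quick local demonstration."""
    start = time.perf_counter()
    fn(username, password)
    return time.perf_counter() - start


if __name__ == "__main__":
    for fn in (login_vulnerable, login_hardened):
        for user in ("alice", "bob"):
            print(fn.__name__, user, f"{measure_seconds(fn, user, 'wrong'):.4f}s")
```

Run the block and the vulnerable path shows the gap the teaser describes: roughly the full hash cost for an existing user and almost nothing for an unknown one, while the hardened path costs the same for both. Note that the hardened version still has to keep the existence check after the hash, otherwise an attacker who guesses the dummy password would log in as a non-existent account.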
Deep Dive: Kerberoasting Attacks
Understanding the mechanics of Kerberos tickets and how attackers crack service account passwords offline.
Blue Teamer
A massive collection of 60+ tools and resources for defense, monitoring and incident response (Blue Teaming).
Red Teamer: Offensive Methodologies
Analysis of intrusion and post-exploitation techniques in a hardened environment.