<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Home on kanyo's blog</title><link>https://chaelsoo.me/</link><description>Recent content in Home on kanyo's blog</description><generator>Hugo -- gohugo.io</generator><language>en-gb</language><lastBuildDate>Sat, 04 Jul 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://chaelsoo.me/index.xml" rel="self" type="application/rss+xml"/><item><title>Walking Past Defender</title><link>https://chaelsoo.me/blogs/walking-past-defender/</link><pubDate>Sat, 04 Jul 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/blogs/walking-past-defender/</guid><description>&lt;p&gt;&lt;img src="https://chaelsoo.me/blogs/defender/mimikatz.png" alt=""&gt;&lt;/p&gt;
&lt;h2 id="introduction"&gt;Introduction&lt;/h2&gt;
&lt;p&gt;When it came to practice, I hardly found what I was looking for. Most writeups and blogs on stager development and Defender evasion put everything into complex scenarios, so much detail, so much context, so much &amp;ldquo;here&amp;rsquo;s how I did it in this specific environment with these specific tools.&amp;rdquo; But no one actually simplified it. No one broke it down to what it actually is at its core.&lt;/p&gt;</description></item><item><title>How Defender Actually Works</title><link>https://chaelsoo.me/blogs/how-defender-actually-works/</link><pubDate>Fri, 03 Jul 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/blogs/how-defender-actually-works/</guid><description>&lt;p&gt;&lt;img src="https://chaelsoo.me/blogs/defender/defender_aileenchik_shutterstock.webp" alt=""&gt;&lt;/p&gt;
&lt;h2 id="introduction"&gt;Introduction&lt;/h2&gt;
&lt;p&gt;At IngeHack, I spent way too long blindly throwing obfuscated tools at a target. Change a string here, re-encode there, try a different obfuscator, run it again. Sometimes something worked. Most of the time it didn&amp;rsquo;t. And the frustrating part was that I had no real idea why; I was just guessing and hoping that enough random changes would eventually get me through.&lt;/p&gt;
&lt;p&gt;That&amp;rsquo;s completely the wrong way to approach this.&lt;/p&gt;</description></item><item><title>HTB: VulnCicada</title><link>https://chaelsoo.me/writeups/htb-vulncicada/</link><pubDate>Tue, 09 Jun 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/htb-vulncicada/</guid><description>&lt;p&gt;This one genuinely surprised me at almost every step. The entry was a photo on an NFS share with a password on a sticky note, an Easy-box trick on what turns out to be a Medium machine. Then the environment punches back: NTLM is disabled domain-wide, so every standard relay tool, every classic pass-the-hash shortcut, just bounces. The ADCS scan comes back with ESC8, web enrollment over HTTP. Normally that&amp;rsquo;s an NTLM relay to certsrv. Without NTLM it looks dead. But &amp;ldquo;NTLM is disabled&amp;rdquo; doesn&amp;rsquo;t mean relay attacks are impossible. It means you have to do it with Kerberos instead, which is a completely different mechanism that&amp;rsquo;s conceptually harder to grasp. You control the DNS name, so you control the SPN the DC requests a ticket for, so you can be the legitimate endpoint that ticket was meant for and turn around and use it at certsrv. I didn&amp;rsquo;t know this was even a thing before this box. Tons of learning, exactly what a good Medium should feel like.&lt;/p&gt;</description></item><item><title>HTB: Jeeves</title><link>https://chaelsoo.me/writeups/htb-jeeves/</link><pubDate>Mon, 08 Jun 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/htb-jeeves/</guid><description>&lt;p&gt;Windows box with two web services and a theme. Port 80 presents a fake Ask Jeeves search engine that sends everything to a static error page, pure misdirection. Port 50000 runs Jetty, which is the real surface: a Jenkins instance that requires no authentication and exposes a Groovy script console you can run arbitrary code in. 
The privilege escalation is a KeePass database sitting in kohsuke&amp;rsquo;s Documents folder. Inside it is an NTLM hash stored as a password entry, which works for pass-the-hash as Administrator. Then one more trick at the end: the root flag isn&amp;rsquo;t in &lt;code&gt;hm.txt&lt;/code&gt;, it&amp;rsquo;s in an alternate data stream attached to it, invisible to a normal directory listing.&lt;/p&gt;</description></item><item><title>HTB: Media</title><link>https://chaelsoo.me/writeups/htb-media/</link><pubDate>Mon, 08 Jun 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/htb-media/</guid><description>&lt;p&gt;A Windows box with a media company theme that tells you exactly what the vulnerability is the moment you read the upload form. The site asks you to submit a video file &amp;ldquo;compatible with Windows Media Player.&amp;rdquo; That phrasing is the hint. WMP processes playlist formats like &lt;code&gt;.m3u&lt;/code&gt; and when a UNC path appears in one, Windows automatically tries to authenticate to the remote share using the current user&amp;rsquo;s credentials. The server processes the upload with WMP, the auth request hits your Responder listener, and you get an NTLMv2 hash. Getting from user to admin is a directory junction abuse: the upload path is derived from a predictable MD5 of the form inputs, so you can pre-create a junction at that exact path pointing to the webroot before the upload lands, which drops your webshell directly into XAMPP&amp;rsquo;s htdocs. 
The shell runs as Local Service, Local Service has SeTcbPrivilege, and that closes it.&lt;/p&gt;</description></item><item><title>HTB: Postman</title><link>https://chaelsoo.me/writeups/htb-postman/</link><pubDate>Mon, 08 Jun 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/htb-postman/</guid><description>&lt;p&gt;An Easy box that teaches two separate lessons: unauthenticated Redis is a direct shell primitive, and version numbers on admin panels are worth looking up before you give up and move on. The initial nmap scan shows a Webmin instance on port 10000, but it needs credentials. Easy to dismiss and come back to. The full port scan reveals Redis on 6379, no auth, which hands you a foothold as the redis user. From there a backup SSH key in &lt;code&gt;/opt&lt;/code&gt; cracks quickly, and that password ends up being exactly what Matt uses to log into Webmin. CVE-2019-15642 on that Webmin version is an authenticated RCE that shells out as root.&lt;/p&gt;</description></item><item><title>HTB: Trick</title><link>https://chaelsoo.me/writeups/htb-trick/</link><pubDate>Mon, 08 Jun 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/htb-trick/</guid><description>&lt;p&gt;An Easy box but one that makes you work for it in an unexpected direction. Port 80 is a static placeholder page with nothing on it. The real surface is DNS: zone transfer hands you a subdomain, that subdomain has a login form with a time-based blind SQLi, you get credentials, but the LFI on that same app is filtered. The actual LFI is on a second subdomain you only find by fuzzing a prefix pattern. That subdomain reads michael&amp;rsquo;s SSH key, you get in, and the privilege escalation is a clean abuse of fail2ban&amp;rsquo;s action config combined with &lt;code&gt;sudo&lt;/code&gt; restart rights. 
The credentials from payroll end up being almost irrelevant to the root path, which is a bit annoying in hindsight, but the DNS zone transfer and the fail2ban trick are both things worth keeping in your toolkit.&lt;/p&gt;</description></item><item><title>HTB: Pov</title><link>https://chaelsoo.me/writeups/htb-pov/</link><pubDate>Sun, 07 Jun 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/htb-pov/</guid><description>&lt;p&gt;Windows box, only port 80. The main site drops a subdomain in the contact section, and that subdomain has a portfolio with a CV download feature that doesn&amp;rsquo;t sanitize the file path. Reading &lt;code&gt;web.config&lt;/code&gt; through that LFI leaks the ASP.NET machineKey. From there the attack is elegant: the machineKey signs and encrypts ViewState, so with it you can forge a malicious ViewState that the server deserializes as trusted, and deserialization in .NET gives you code execution. The second half is about SeDebugPrivilege and parent PID spoofing, a technique that lets you inherit a SYSTEM token without touching lsass.&lt;/p&gt;</description></item><item><title>HTB: Voleur</title><link>https://chaelsoo.me/writeups/htb-voleur/</link><pubDate>Sun, 07 Jun 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/htb-voleur/</guid><description>&lt;p&gt;Windows AD box where NTLM authentication is completely disabled. That single constraint changes everything about how you operate: no pass-the-hash, no NTLM relay, every tool needs a TGT and Kerberos must be properly configured. The box hands you starting credentials upfront but then makes you earn the rest through a chain that&amp;rsquo;s worth understanding. A spreadsheet locked in an SMB share leaks passwords for accounts you can&amp;rsquo;t use yet. A service account with WriteSPN lets you kerberoast your way to WinRM. A group called Restore_Users hints at a deleted employee. 
And once you bring that employee back from tombstone, his archived DPAPI blobs hand you the next account&amp;rsquo;s credentials without any cracking at all.&lt;/p&gt;</description></item><item><title>HTB: Fluffy</title><link>https://chaelsoo.me/writeups/htb-fluffy/</link><pubDate>Sat, 06 Jun 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/htb-fluffy/</guid><description>&lt;p&gt;Windows box, Active Directory. What made this one interesting was finding an Upgrade_Notice.pdf in the IT share that listed the exact CVEs the environment was sitting on. A CTF design choice that feels like a realistic IT team tracking their own attack surface and just not getting around to patching it. You&amp;rsquo;re not hunting blind; you&amp;rsquo;re triaging a known vulnerability list.&lt;/p&gt;
&lt;p&gt;The chain hits three distinct techniques: CVE-2025-24071 coerces an NTLMv2 hash from anyone who browses the share, Shadow Credentials via &lt;code&gt;msDS-KeyCredentialLink&lt;/code&gt; get you lateral movement without ever touching a password, and ESC16 on the CA exploits a disabled security extension to slip a domain admin certificate past the KDC. Each one has a specific reason it works that&amp;rsquo;s worth understanding properly.&lt;/p&gt;</description></item><item><title>HTB: TombWatcher</title><link>https://chaelsoo.me/writeups/htb-tombwatcher/</link><pubDate>Sat, 06 Jun 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/htb-tombwatcher/</guid><description>&lt;p&gt;Windows AD box with starting credentials. The box name is a hint you&amp;rsquo;ll miss until it isn&amp;rsquo;t. The first half is a clean BloodHound chain: five ACL hops from henry to john, each one mechanical. The second half is what makes this box worth remembering. John has a right most people have never used, Reanimate-Tombstones, and the ADCS OU he controls looks empty until you remember that AD doesn&amp;rsquo;t actually delete objects immediately. The cert_admin account sitting in the deleted objects container has enrollment rights on a schema version 1 template, which is all you need for ESC15.&lt;/p&gt;</description></item><item><title>HTB: Pandora</title><link>https://chaelsoo.me/writeups/htb-pandora/</link><pubDate>Wed, 03 Jun 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/htb-pandora/</guid><description>&lt;p&gt;Linux Easy. The TCP scan gives you almost nothing: SSH on 22 and a static company landing page on 80. The UDP scan is where things get interesting. SNMP is running with the default &amp;ldquo;public&amp;rdquo; community string, and the process argument table has &lt;code&gt;host_check&lt;/code&gt; running with credentials directly in its parameters. That&amp;rsquo;s your SSH login.&lt;/p&gt;
&lt;p&gt;Once inside as &lt;code&gt;daniel&lt;/code&gt;, you&amp;rsquo;re not the user that holds the flag. A second user, &lt;code&gt;matt&lt;/code&gt;, owns the Pandora FMS monitoring console that&amp;rsquo;s locked behind a localhost-only virtual host. Getting into that console doesn&amp;rsquo;t require a valid password: an unauthenticated SQLi lets you dump active PHP sessions and just cookie yourself in as matt. From there, an authenticated RCE via event response drops a reverse shell.&lt;/p&gt;</description></item><item><title>HTB: StreamIO</title><link>https://chaelsoo.me/writeups/htb-streamio/</link><pubDate>Wed, 03 Jun 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/htb-streamio/</guid><description>&lt;p&gt;Windows AD box with a PHP streaming site on HTTPS. The attack chain is unusually web-heavy for an HTB Active Directory box: you spend more time in Burp than in evil-winrm before the domain even becomes relevant. The interesting part isn&amp;rsquo;t any single vulnerability. It&amp;rsquo;s how a SQL injection on one subdomain eventually feeds into an eval() backdoor on another, and how Firefox&amp;rsquo;s credential store hands over an AD account with a path nobody mentions until you look at it in BloodHound.&lt;/p&gt;</description></item><item><title>HTB: Administrator</title><link>https://chaelsoo.me/writeups/htb-administrator/</link><pubDate>Tue, 02 Jun 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/htb-administrator/</guid><description>&lt;p&gt;Windows box, Medium. They gave you credentials to start: &lt;code&gt;Olivia:ichliebedich&lt;/code&gt;. WinRM open, SMB open, LDAP accessible. The whole box is BloodHound ACL chain work. What made it stick was the dead end near the finish. Emily has GenericWrite over Ethan, and the natural move is Shadow Credentials. But ADCS isn&amp;rsquo;t configured on this domain. That null result pushed me toward something I use less often: targeted Kerberoasting. 
You don&amp;rsquo;t need an account to already have an SPN. If you have GenericWrite over it, you can write one yourself, and now it&amp;rsquo;s kerberoastable on demand.&lt;/p&gt;</description></item><item><title>HTB: Authority</title><link>https://chaelsoo.me/writeups/htb-authority/</link><pubDate>Tue, 02 Jun 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/htb-authority/</guid><description>&lt;p&gt;Windows box, Medium. The foothold here isn&amp;rsquo;t a CVE or a spray. It&amp;rsquo;s an Ansible deployment someone left readable on an SMB share with no credentials required. Three vault-encrypted credential blobs in the configs looked protected. They weren&amp;rsquo;t: the vault password was crackable, and all three blobs used the same one, so a single crack opens everything. Once you crack those, you land on a PWM service on port 8443: a self-service password management portal backed by an LDAP directory. The interesting part is that PWM&amp;rsquo;s configuration file specifies which LDAP server to authenticate against. Change that URL to point at your own machine, upload the config back through the portal, and the service helpfully connects to your Responder listener using the LDAP service account in cleartext.&lt;/p&gt;</description></item><item><title>HTB: Escape</title><link>https://chaelsoo.me/writeups/htb-escape/</link><pubDate>Tue, 02 Jun 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/htb-escape/</guid><description>&lt;p&gt;Windows AD box with MSSQL exposed and no web server. Cleaner attack surface than most. You&amp;rsquo;re not sifting through web directories waiting for gobuster to finish. The path here chains three separate credential finds, each one unlocking the next: a PDF in a public share, a SQL error log, and an ADCS certificate template open to any domain user. 
The ESC1 at the end is worth understanding because it shows up constantly in real environments.&lt;/p&gt;</description></item><item><title>HTB: Scrambled</title><link>https://chaelsoo.me/writeups/htb-scrambled/</link><pubDate>Tue, 02 Jun 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/htb-scrambled/</guid><description>&lt;p&gt;Windows DC, Kerberos-only environment. The intranet website has a news banner from 2021 explaining that NTLM was disabled after a breach. That single constraint changed everything about how to approach the box: no Pass-the-Hash, no NTLM relay, none of the usual tools that just work against most AD labs. Everything had to go through Kerberos tickets.&lt;/p&gt;
&lt;p&gt;The silver ticket was the technique that unlocked MSSQL. The sqlsvc account had an SPN and was Kerberoastable, but it was also stuck in a NOACCESS group that blocked it from logging into SQL Server directly. Silver ticket forgery sidesteps that entirely. You forge a service ticket for Administrator, encrypted with sqlsvc&amp;rsquo;s NT hash (the long-term key the MSSQL service uses to decrypt tickets), and the service accepts it as genuine because the only key it checks against is its own. The DC never gets involved.&lt;/p&gt;</description></item><item><title>HTB: Cicada</title><link>https://chaelsoo.me/writeups/htb-cicada/</link><pubDate>Mon, 01 Jun 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/htb-cicada/</guid><description>&lt;p&gt;Windows box, no web server. Everything comes from SMB and LDAP, one credential leading to the next. It&amp;rsquo;s a nice example of how a chain of small operational security mistakes, a default password in an HR notice, a cleartext password in an AD description, credentials embedded in a script, cascades into domain compromise. The escalation at the end via Backup Operators and SeBackupPrivilege is a classic that deserves proper understanding.&lt;/p&gt;
&lt;h2 id="recon"&gt;Recon&lt;/h2&gt;
&lt;p&gt;10.129.231.149, domain &lt;code&gt;cicada.htb&lt;/code&gt;, DC hostname &lt;code&gt;CICADA-DC&lt;/code&gt;. Windows Server 2022. Standard AD ports, WinRM on 5985, no MSSQL this time. Anonymous SMB auth was denied, but the guest account worked:&lt;/p&gt;</description></item><item><title>HTB: EscapeTwo</title><link>https://chaelsoo.me/writeups/htb-escapetwo/</link><pubDate>Mon, 01 Jun 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/htb-escapetwo/</guid><description>&lt;p&gt;Windows box, same domain name as the original Escape (&lt;code&gt;sequel.htb&lt;/code&gt;), but a different environment. The ESC1 from that box shows up again here, except this time it&amp;rsquo;s locked behind an ACL chain: you need WriteOwner over a service account, then full control, then a template write that turns a non-vulnerable template into one you can exploit. The ESC4-to-ESC1 chain is the thing worth taking away from this box.&lt;/p&gt;
&lt;p&gt;We were given credentials upfront: &lt;code&gt;rose / KxEPkKe6R8su&lt;/code&gt;.&lt;/p&gt;</description></item><item><title>HTB: Return</title><link>https://chaelsoo.me/writeups/htb-return/</link><pubDate>Mon, 01 Jun 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/htb-return/</guid><description>&lt;p&gt;Windows box, no credentials. There&amp;rsquo;s no web app to enumerate, no SMB shares to dig through. The initial foothold comes entirely from a printer admin panel running on port 80. What makes this box memorable is how the credential theft works: you abuse the way the printer firmware tests its own configuration to make it hand over credentials to a listener you control. After that, Server Operators takes you to SYSTEM in a few commands.&lt;/p&gt;</description></item><item><title>HTB: Sauna</title><link>https://chaelsoo.me/writeups/htb-sauna/</link><pubDate>Mon, 01 Jun 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/htb-sauna/</guid><description>&lt;p&gt;Windows AD box, no credentials given. The website is running for a fictional bank called Egotistical Bank, and it&amp;rsquo;s the only initial foothold surface. What makes this box interesting is the AS-REP roasting step, a technique that often gets lumped in with Kerberoasting in tool menus, but the mechanism is completely different and worth understanding on its own. The escalation is clean: Winlogon autologon keys exposing a service account, that service account having DCSync rights.&lt;/p&gt;</description></item><item><title>HTB: Timelapse</title><link>https://chaelsoo.me/writeups/htb-timelapse/</link><pubDate>Mon, 01 Jun 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/htb-timelapse/</guid><description>&lt;p&gt;Windows box, no credentials. The initial foothold is unusual: instead of extracting a password from some file, you crack a PFX certificate and use it directly to authenticate to WinRM. No username, no password, just a client certificate. 
It&amp;rsquo;s a reminder that Windows supports certificate-based authentication in places people often forget about. LAPS is the escalation, which is worth understanding because it&amp;rsquo;s deployed everywhere and constantly misread on BloodHound graphs.&lt;/p&gt;</description></item><item><title>HackINI 2026: Corp Monitor</title><link>https://chaelsoo.me/writeups/hackini-corp-monitor/</link><pubDate>Tue, 26 May 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/hackini-corp-monitor/</guid><description>&lt;p&gt;A Linux machine running a Drupal intranet CMS with an anonymous FTP server sitting next to it. The FTP turned out to be more of a hint than an attack surface. The real entry was Drupalgeddon2, a 2018 RCE that still shows up everywhere. Once inside, Grafana 8.2.6 was hiding on port 3000, running an unauthenticated path traversal that handed over root&amp;rsquo;s SSH key directly.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Did this one with &lt;a href="https://www.linkedin.com/in/aymen-drid-36bba4243/"&gt;Aymen&lt;/a&gt;. Always more fun when someone&amp;rsquo;s hunting alongside you and just as locked in. Big shoutout to him.&lt;/em&gt;&lt;/p&gt;</description></item><item><title>HackINI 2026: IT Workstation</title><link>https://chaelsoo.me/writeups/hackini-it-workstation/</link><pubDate>Tue, 26 May 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/hackini-it-workstation/</guid><description>&lt;p&gt;The second machine in the chain. A Windows workstation with WinRM exposed and nothing else obviously interesting until you&amp;rsquo;re inside. Autologon credentials stored in plaintext in the registry handed over local Administrator, then Mimikatz pulled a cleartext domain password out of Credential Manager. That opened the door to the Active Directory machine.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Ran through this one with &lt;a href="https://www.linkedin.com/in/aymen-drid-36bba4243/"&gt;Aymen&lt;/a&gt;. Two people piecing together a chain like this makes a real difference: every dead end gets shorter when someone&amp;rsquo;s right there with you. Big shoutout to him.&lt;/em&gt;&lt;/p&gt;</description></item><item><title>HackINI 2026: Legacy</title><link>https://chaelsoo.me/writeups/hackini-legacy/</link><pubDate>Tue, 26 May 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/hackini-legacy/</guid><description>&lt;p&gt;The fourth machine in the chain. A Linux server running two web services on non-standard ports. One was an older Anuko Time Tracker instance with a known SQL injection CVE, the other was a Webmin panel that opened up once you had the right credentials. The interesting part here was that this machine didn&amp;rsquo;t require brute-forcing or clever guessing: the credentials came from earlier in the chain, and the exploit path came from recognizing the software version and knowing where to look.&lt;/p&gt;</description></item><item><title>HackINI 2026: Shell-DC</title><link>https://chaelsoo.me/writeups/hackini-shell-dc/</link><pubDate>Tue, 26 May 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/hackini-shell-dc/</guid><description>&lt;p&gt;This was the most satisfying machine in the chain. A full Active Directory environment, &lt;code&gt;ad.shell.local&lt;/code&gt; on Windows Server 2019, with a deliberate series of layered misconfigurations that build on each other. You start with a regular domain user and work your way through Kerberoasting, a BloodHound ACL chain, Shadow Credentials, gMSA password abuse, and finally tombstone reanimation to reach Domain Admin.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Solved this one together with &lt;a href="https://www.linkedin.com/in/aymen-drid-36bba4243/"&gt;Aymen&lt;/a&gt;. We spent the better part of a day working through this chain side by side, and a lot of what made it click came from having someone just as deep in it to think out loud with. Big shoutout to him.&lt;/em&gt;&lt;/p&gt;</description></item><item><title>IngeHack: EDR Evasion</title><link>https://chaelsoo.me/writeups/ingehack-edr-evasion/</link><pubDate>Tue, 21 Apr 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/ingehack-edr-evasion/</guid><description>&lt;p&gt;An Active Directory series from IngeHack. The chain is built around a Windows environment with Defender active — meaning before you can do anything meaningful, you have to get your tooling past it. That was the first challenge, and the one this writeup covers for now.&lt;/p&gt;
&lt;p&gt;The approach was modifying GodPotato to strip or replace the signatures that Defender flags, combined with techniques for building custom versions of common tools that don&amp;rsquo;t carry recognizable bytecode patterns. The two resources below were the most useful references for this:&lt;/p&gt;</description></item><item><title>eBPF Dive</title><link>https://chaelsoo.me/blogs/ebpf-dive/</link><pubDate>Fri, 27 Mar 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/blogs/ebpf-dive/</guid><description>&lt;p&gt;Ever wanted to run your own code inside the Linux kernel without writing a kernel
module, without rebooting, and without breaking everything? That&amp;rsquo;s eBPF.&lt;/p&gt;
&lt;p&gt;This post is a practical intro. I&amp;rsquo;ll cover how eBPF programs actually work, walk
through a real example, explain the two ways to get data out of the kernel, and
show how the userspace side ties it all together. At the end I&amp;rsquo;ll touch on the
network security toolkit I&amp;rsquo;ve been building on top of this.&lt;/p&gt;</description></item><item><title>Self-hosted VPN</title><link>https://chaelsoo.me/blogs/wireguard-vps/</link><pubDate>Fri, 20 Mar 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/blogs/wireguard-vps/</guid><description>&lt;p&gt;Instead of relying on a commercial VPN provider, I wanted to see how far I could get by building my own on a VPS. The goal was simple: connect my laptop and phone over WireGuard, optionally route all traffic through it.&lt;/p&gt;
&lt;p&gt;The real value came from debugging actual issues. This post goes through all of it.&lt;/p&gt;
&lt;h2 id="why-wireguard"&gt;Why WireGuard&lt;/h2&gt;
&lt;p&gt;Simpler than OpenVPN, kernel-based, and the mental model is clean. Each machine has its own private key, each knows the other&amp;rsquo;s public key, peers get assigned internal VPN IPs. No certificate infrastructure to deal with.&lt;/p&gt;</description></item><item><title>eJPT: Exam Guide</title><link>https://chaelsoo.me/blogs/ejpt-review/</link><pubDate>Tue, 17 Mar 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/blogs/ejpt-review/</guid><description>&lt;p&gt;I passed the eJPT with 90%. I didn&amp;rsquo;t purchase the INE training bundle, so I won&amp;rsquo;t be walking through the exam itself, that&amp;rsquo;s against the rules and I didn&amp;rsquo;t have access to their course anyway. What I can do is tell you exactly what you need to know to be ready for it.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://chaelsoo.me/images/blogs/ejpt-review/eJPT.png" alt="eJPT certificate"&gt;&lt;/p&gt;
&lt;p&gt;The exam is 48 hours, practical, and covers a multi-machine scenario across multiple networks. It&amp;rsquo;s entry level but it&amp;rsquo;s not a joke. You need to actually know what you&amp;rsquo;re doing.&lt;/p&gt;</description></item><item><title>HTB Season 10: CCTV</title><link>https://chaelsoo.me/writeups/htb-cctv/</link><pubDate>Sat, 07 Mar 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/htb-cctv/</guid><description>&lt;p&gt;CCTV is a Linux Easy box with a network flavor you don&amp;rsquo;t see as often on Easy rated machines. The surveillance theme is consistent throughout. You&amp;rsquo;re watching the system, and the system is watching you back. Passive analysis plays a bigger role here than brute force.&lt;/p&gt;
&lt;h2 id="whats-inside"&gt;What&amp;rsquo;s Inside&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;A surveillance software stack with a web interface worth poking around&lt;/li&gt;
&lt;li&gt;Network traffic that reveals more than the UI does&lt;/li&gt;
&lt;li&gt;A hidden service that only shows up once you&amp;rsquo;re listening in the right place&lt;/li&gt;
&lt;li&gt;A short pivot from that service to a root shell&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;HTB Season 10 is still active. Full writeup drops once this machine retires.&lt;/p&gt;</description></item><item><title>HTB: MonitorsFour</title><link>https://chaelsoo.me/writeups/htb-monitorsfour/</link><pubDate>Mon, 02 Mar 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/htb-monitorsfour/</guid><description>&lt;p&gt;MonitorsFour is a Hard box and earns it, but not through obscurity. Each step is logical and builds on the last. The Docker escape at the end is the most interesting part, built around a real CVE with a CVSS of 9.3 that was still pretty fresh when this box dropped.&lt;/p&gt;
&lt;h2 id="recon"&gt;Recon&lt;/h2&gt;
&lt;p&gt;Web app at &lt;code&gt;monitorsfour.htb&lt;/code&gt;. Nothing immediately obvious on the landing page, so I started fuzzing endpoints.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -u http://monitorsfour.htb/FUZZ
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;One endpoint stood out: &lt;code&gt;/user&lt;/code&gt;. It accepted a &lt;code&gt;token&lt;/code&gt; parameter, which immediately looked interesting. The question was what it actually did with that token.&lt;/p&gt;</description></item><item><title>HTB Season 10: Pirate</title><link>https://chaelsoo.me/writeups/htb-pirate/</link><pubDate>Sat, 28 Feb 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/htb-pirate/</guid><description>&lt;p&gt;Pirate is a Windows Hard box and earns the rating. It&amp;rsquo;s a multi stage Active Directory environment where no single step gets you very far on its own. The path to Domain Admin is built from several smaller wins stacked on top of each other. The kind of machine you want to take notes on.&lt;/p&gt;
&lt;h2 id="whats-inside"&gt;What&amp;rsquo;s Inside&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;A realistic Active Directory environment with multiple users, groups, and services in play&lt;/li&gt;
&lt;li&gt;Early enumeration that rewards thoroughness over speed&lt;/li&gt;
&lt;li&gt;At least two distinct AD misconfigurations that each open a new door&lt;/li&gt;
&lt;li&gt;A final escalation that ties the chain together, satisfying when it clicks&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;HTB Season 10 is still active. Full writeup drops once this machine retires.&lt;/p&gt;</description></item><item><title>HTB Season 10: Interpreter</title><link>https://chaelsoo.me/writeups/htb-interpreter/</link><pubDate>Sat, 21 Feb 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/htb-interpreter/</guid><description>&lt;p&gt;Interpreter is a Linux Medium that puts a healthcare integration platform in the spotlight. The domain context adds some flavor. Think HL7, FHIR adjacent tooling, the kind of software that runs hospitals and rarely sees a pentest. Getting in is one thing; what happens after is the more memorable part.&lt;/p&gt;
&lt;h2 id="whats-inside"&gt;What&amp;rsquo;s Inside&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;A web facing integration platform with an exploitable component&lt;/li&gt;
&lt;li&gt;Enough context clues in the app to understand what you&amp;rsquo;re targeting&lt;/li&gt;
&lt;li&gt;A foothold that requires reading the application&amp;rsquo;s behavior carefully&lt;/li&gt;
&lt;li&gt;A privilege escalation involving code execution in an unexpected context. This one sticks with you&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;HTB Season 10 is still active. Full writeup drops once this machine retires.&lt;/p&gt;</description></item><item><title>HTB: Expressway</title><link>https://chaelsoo.me/writeups/htb-expressway/</link><pubDate>Fri, 20 Feb 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/htb-expressway/</guid><description>&lt;p&gt;Expressway is the kind of machine that makes you second-guess your recon. You scan it, get one TCP port, and think you must have missed something. You didn&amp;rsquo;t. There&amp;rsquo;s no web app here, no API, no admin panel to poke at. Just SSH and a VPN service sitting on UDP that most people walk right past.&lt;/p&gt;
&lt;h2 id="recon"&gt;Recon&lt;/h2&gt;
&lt;p&gt;TCP scan first, as always.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;nmap -sV -O MACHINE_IP -T5
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;pre tabindex="0"&gt;&lt;code&gt;PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0p2 Debian 8 (protocol 2.0)
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;One result: port 22, OpenSSH 10.0. That&amp;rsquo;s it. At this point you either assume the box is broken or you scan UDP.&lt;/p&gt;</description></item><item><title>HTB Season 10: WingData</title><link>https://chaelsoo.me/writeups/htb-wingdata/</link><pubDate>Sat, 14 Feb 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/htb-wingdata/</guid><description>&lt;p&gt;WingData is a Linux Easy box that keeps things straightforward. Exposed service, weak credentials, misconfigured sudo. It&amp;rsquo;s the kind of machine that teaches good enumeration habits more than anything else.&lt;/p&gt;
&lt;h2 id="whats-inside"&gt;What&amp;rsquo;s Inside&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;An FTP service running a version worth looking up&lt;/li&gt;
&lt;li&gt;Credentials that need a bit of offline work to crack&lt;/li&gt;
&lt;li&gt;A foothold that requires patience more than cleverness&lt;/li&gt;
&lt;li&gt;A sudo misconfiguration that closes things out quickly once you&amp;rsquo;re in&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;HTB Season 10 is still active. Full writeup drops once this machine retires.&lt;/p&gt;</description></item><item><title>HTB: Conversor</title><link>https://chaelsoo.me/writeups/htb-conversor/</link><pubDate>Fri, 13 Feb 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/htb-conversor/</guid><description>&lt;p&gt;Conversor is a Linux Medium that gives you the source code upfront. That&amp;rsquo;s not a gift so much as a heads-up. You&amp;rsquo;re expected to actually read it. The machine is built around a file conversion web app, and the foothold hinges on understanding what the app does under the hood before you can abuse it.&lt;/p&gt;
&lt;h2 id="recon"&gt;Recon&lt;/h2&gt;
&lt;p&gt;Standard nmap scan. Two ports open, everything else closed or filtered.&lt;/p&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;┌──(kanyo㉿GIGABYTE)-[~]
└─$ nmap -T4 -sV -sC 10.129.238.31
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-13 14:12 +0100
Nmap scan report for 10.129.238.31
Host is up (0.15s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 01:74:26:39:47:bc:6a:e2:cb:12:8b:71:84:9c:f8:5a (ECDSA)
|_ 256 3a:16:90:dc:74:d8:e3:c4:51:36:e2:08:06:26:17:ee (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://conversor.htb/
1083/tcp filtered ansoft-lm-1
2260/tcp filtered apc-2260
3918/tcp filtered pktcablemmcops
5718/tcp filtered dpm
7025/tcp filtered vmsvc-2
Service Info: Host: conversor.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;Port 80 redirects to &lt;code&gt;conversor.htb&lt;/code&gt;, so add that to &lt;code&gt;/etc/hosts&lt;/code&gt; and move on. The web app is a file converter: you upload something, it spits back a transformed version. There&amp;rsquo;s a file upload input on the main page. That&amp;rsquo;s your surface right there.&lt;/p&gt;</description></item><item><title>HTB Season 10: Pterodactyl</title><link>https://chaelsoo.me/writeups/htb-pterodactyl/</link><pubDate>Sat, 07 Feb 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/htb-pterodactyl/</guid><description>&lt;p&gt;Pterodactyl is a Linux Medium that puts a popular open source game server panel front and center. If you&amp;rsquo;ve ever set up a Minecraft or game hosting environment, the interface will feel familiar, which makes spotting what&amp;rsquo;s wrong with it a bit more satisfying.&lt;/p&gt;
&lt;h2 id="whats-inside"&gt;What&amp;rsquo;s Inside&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;A known vulnerability in a widely deployed panel. Enumeration pays off here&lt;/li&gt;
&lt;li&gt;Database access as a stepping stone, not the final goal&lt;/li&gt;
&lt;li&gt;Credential reuse across services (classic, but it works)&lt;/li&gt;
&lt;li&gt;A privilege escalation that builds naturally on what you already have&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;HTB Season 10 is still active. Full writeup drops once this machine retires.&lt;/p&gt;</description></item><item><title>HTB Season 10: Facts</title><link>https://chaelsoo.me/writeups/htb-facts/</link><pubDate>Sat, 31 Jan 2026 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/writeups/htb-facts/</guid><description>&lt;p&gt;Facts is a Linux Easy box with a clean, grounded feel. The kind of machine where the attack surface is right in front of you if you bother to look carefully at the web app.&lt;/p&gt;
&lt;h2 id="whats-inside"&gt;What&amp;rsquo;s Inside&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;A content management system doing more than it should be&lt;/li&gt;
&lt;li&gt;Some cloud storage integration that leaks more than intended&lt;/li&gt;
&lt;li&gt;Credentials hiding in places people forget to clean up&lt;/li&gt;
&lt;li&gt;A privilege escalation that&amp;rsquo;s more creative than your typical SUID hunt&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;HTB Season 10 is still active. Full writeup drops once this machine retires.&lt;/p&gt;</description></item><item><title>About</title><link>https://chaelsoo.me/about/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://chaelsoo.me/about/</guid><description>&lt;p&gt;I&amp;rsquo;m Dellaa Abderrahmen, a cybersecurity student and researcher. I like to do many things. This is a collection of things I worked through. Figured if it was hard enough to figure out, it was worth writing down. Hope you find it useful.&lt;/p&gt;
&lt;p&gt;Whether you have a question, a suggestion, or just want to share your thoughts, don&amp;rsquo;t hesitate to hit me on Discord or any of the socials.&lt;/p&gt;</description></item></channel></rss>