Writeups

A curated collection of practical writeups from the labs and platforms I use to sharpen my offensive security skills.

This section works as a central index for my walkthroughs, notes, and post-exploitation practice across different platforms. Each entry links to a dedicated markdown page where I document the methodology, tools, findings, and lessons learned during the exercise.

The goal is not only to keep a personal knowledge base, but also to build a structured archive of hands-on work that reflects how I approach enumeration, exploitation, privilege escalation, and reporting in controlled lab environments.

🐳 Dockerlabs

• Trust
• Chocolatefire
• BadPlugin
• WalkingCMS
• Ejotapete
• Domain
• FindYourStyle
• LittlePivoting

🐱‍💻 HackMyVM

• DC01

🟩 HTB

• Active

• Forest

• Sauna

• Resolute

• Return

• Cicada

• Certified

• Administrator

• Support

• Cascade

• BabyTwo

• Escape

• Manager

• EscapeTwo

🕷️ PortSwigger Web Security Academy

SQL Injection

• SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
• SQL injection vulnerability allowing login bypass
• SQL injection attack, querying the database type and version on Oracle
• SQL injection attack, querying the database type and version on MySQL and Microsoft
• SQL injection attack, listing the database contents on non-Oracle databases
• SQL injection attack, listing the database contents on Oracle
• SQL injection UNION attack, retrieving multiple values in a single column
• Blind SQL injection with conditional responses
• Blind SQL injection with conditional errors
• Visible error-based SQL injection
• Blind SQL injection with time delays and information retrieval
• Blind SQL injection with out-of-band data exfiltration
• SQL injection with filter bypass via XML encoding

Cross-Site Scripting (XSS)

• Reflected XSS into HTML context with nothing encoded
• Stored XSS into HTML context with nothing encoded
• DOM XSS in document.write sink using source location.search
• DOM XSS in innerHTML sink using source location.search
• DOM XSS in jQuery anchor href attribute sink using location.search source
• DOM XSS in jQuery selector sink using a hashchange event
• Reflected XSS into attribute with angle brackets HTML-encoded
• Stored XSS into anchor href attribute with double quotes HTML-encoded
• Reflected XSS into a JavaScript string with angle brackets HTML encoded
• DOM XSS in document.write sink using source location.search inside a select element
• DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded
• Reflected DOM XSS
• Stored DOM XSS
• Reflected XSS into HTML context with most tags and attributes blocked
• Reflected XSS into HTML context with all tags blocked except custom ones
• Reflected XSS with some SVG markup allowed
• Reflected XSS in canonical link tag
• Reflected XSS into a JavaScript string with single quote and backslash escaped
• Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped
• Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped
• Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped
• Exploiting cross-site scripting to steal cookies
• Exploiting cross-site scripting to capture passwords
• Exploiting XSS to bypass CSRF defenses
• Reflected XSS with AngularJS sandbox escape without strings
• Reflected XSS with AngularJS sandbox escape and CSP
• Reflected XSS with event handlers and href attributes blocked
• Reflected XSS in a JavaScript URL with some characters blocked
• Reflected XSS protected by very strict CSP, with dangling markup attack
• Reflected XSS protected by CSP, with CSP bypass

CSRF

• CSRF vulnerability with no defenses
• CSRF where token validation depends on request method
• CSRF where token validation depends on token being present
• CSRF where token is not tied to user session
• CSRF where token is tied to non-session cookie
• CSRF where token is duplicated in cookie
• SameSite Lax bypass via method override
• SameSite Strict bypass via client-side redirect
• SameSite Strict bypass via sibling domain
• SameSite Lax bypass via cookie refresh
• CSRF where Referer validation depends on header being present
• CSRF with broken Referer validation

Clickjacking

• Basic clickjacking with CSRF token protection
• Clickjacking with form input data prefilled from a URL parameter
• Clickjacking with a frame buster script
• Exploiting clickjacking vulnerability to trigger DOM-based XSS
• Multistep clickjacking

More writeups will be added over time as I continue documenting labs, refining methodology, and turning hands-on practice into structured notes.