// offensive security

Maks Huseynli

Offensive Security Practitioner

Structured offensive analysis and exploit breakdowns.
Documenting the methodology behind the compromise.

View case studies
12
Writeups
Web
Primary Focus
OSCP
In Progress

Case Studies

Web Linux Hard

BackTrack — TryHackMe

Path traversal on a Node static server leaks Tomcat creds → WAR deploy foothold. sudo ansible-playbook wildcard bypassed via fnmatch ../ for tomcat→wilbur. Double-extension + path-traversal upload bypass for wilbur→orville. SIGSTOP + TIOCSTI ioctl TTY pushback for orville→root.

Read writeup →
Web Access Control Medium

Support — TryHackMe

Password spray for a helpdesk foothold, a theme switcher hiding a local file disclosure, source-leaked secrets, a forged isITUser cookie (md5 of "true") for broken access control, IDOR to the admin account, and a "date" command that pipes straight into shell_exec for RCE.

Read writeup →
Web Linux Medium

Domino — TryHackMe

AES key hardcoded in frontend JS decrypts backup config. Hydra cracks DevOps credentials, session cookie forged for admin. JWT signature verification is commented out. RFI via eval() gives RCE. Password reuse and writable root cron finish the job.

Read writeup →
ICS / OT Linux Medium

Helix — Hack The Box

Anonymous NiFi write triggers CVE-2023-34468 H2 RCE. AES-GCM property decryption and a private key from a support bundle yield user. OPC UA reactor manipulation unlocks a NOPASSWD maintenance console for root.

Read writeup →
Web Linux Easy

Coldstart — TryHackMe

Anonymous FTP leaks source code. SSRF bypasses hostname allowlist to read internal admin notes. Wildcard injection in cron job escalates to root.

Read writeup →
Web Linux Medium

Silent Monitor — TryHackMe

SQLi auth bypass in both login fields. Command injection with newline WAF bypass for RCE. KeePass KDBX v4 database cracked with pykeepass to recover credentials.

Read writeup →
Web Linux Medium

Interceptor — TryHackMe

.bak source disclosure leaks admin credentials. OTP bypassed via mass-assignment. Client-side-only filter leaves feed importer open to backtick command injection.

Read writeup →
Web Linux Medium

Recruit Portal — TryHackMe

Exposed mail log leaks internal email hinting at config.php. SSRF via file:// reads credentials. Authenticated dashboard has raw SQLi — dumped with sqlmap for full admin access.

Read writeup →
Active Directory Windows Hard

Logging — Hack The Box

Shadow Credentials against an MSA, DLL hijack via scheduled task, ESC17 ADCS abuse and WSUS MitM for SYSTEM on a Windows Server 2019 DC.

Read writeup →
Web Linux Medium

DevArea — Hack The Box

JAR analysis, CVE-2022-46364 SSRF→LFI for credential extraction, Hoverfly command injection RCE, and writable bash binary replacement for root.

Read writeup →
Web Medium

Conversor — Hack The Box

Input validation analysis on a conversion utility. Exploitation via crafted payloads to achieve unintended code paths and flag extraction.

Read writeup →
Web Medium

Bookstore — TryHackMe

REST API enumeration through fuzzing, authentication bypass, and local file inclusion chain leading to remote code execution.

Read writeup →

No results found for that query.

Security Research

Security Research Advanced

Exploit-Chain-CVE-2025-6018-6019

In-depth analysis of a chained exploit path across two CVEs. Vulnerability interaction, root cause breakdown, and weaponization logic.

Read analysis →