Writeups
Walkthroughs from the rooms I break into for practice — methodology first, flags redacted, with notes on how you'd detect and prevent each step.
TryHackMe
Hands-on offensive security — cloud, Active Directory, and web.
- 252 Rooms
- 45 Badges
- 112 Day streak
HA pfSense on Proxmox, with dual-WAN failover
Why I run pfSense as a virtualized active/passive CARP pair split across two Proxmox nodes, fronting a dual-WAN (fibre + Starlink) edge, and the firewall-virtualization gotchas that actually bite.
Giving an LLM the keys to my Proxmox cluster (carefully)
I built an n8n workflow that lets an LLM act as an ops agent over my four-node Proxmox cluster, and the interesting part wasn't the wiring — it was deciding how to scope a confident, occasionally-wrong model so it can't take down my lab.
When UDP-only firewall rules quietly broke DNSSEC
A home-lab outage where one protocol checkbox took down every .ai domain — and why DNS needs TCP.
Azure: Tapper
Part 1 Azure: Tapper — foothold and the managed identity
From an SSH foothold to an over-privileged VM managed identity that opens the Azure control plane — and lateral movement without ever guessing a password.
Part 2 Azure: Tapper — one permission to own the tenant
How an app-only Microsoft Graph token with a single narrow-looking permission — UserAuthenticationMethod.ReadWrite.All — becomes tenant-wide account takeover via a Temporary Access Pass.
MedBay.AI — Stored XSS in a Privileged Reviewer Bot and Coaxing EPOCH-1 with Prompt Injection
A medical-AI room where a "file a note" feature lands stored XSS in a privileged reviewer browser — and HttpOnly cookies push you from cookie theft to a same-origin fetch proxy, while a parallel prompt-injection path leaks restricted data straight out of the agent.
MD2PDF: SSRF via a Server-Side PDF Renderer
A Markdown-to-PDF converter renders attacker-supplied HTML server-side, turning its remote-resource fetching into an SSRF that reaches a loopback-only admin page.
Cracking an MSSQL Hash with Hashcat — and Why Your GPU Vanishes Inside a VM
A captured MSSQL login hash, a wordlist that runs dry, and the methodical climb from rockyou to rules to masks to a length-bounded brute force — plus the VMware gotcha that quietly drops you to CPU-only and triples your crack time.