xsspresso
xsspresso

A personal log of my offensive security journey, including CTF writeups, projects, blog posts, certifications, and more. Built as a way to learn, share, reflect, and keep improving over time.

View Writeups Browse Projects
color220°

CTF Writeups

CTF solutions, events and more.

View all
WebMediumLinux

HTB — Facts

Cacti LFI via CVE-2024-46987 reads configuration files and credentials. Sudo abuse on a custom binary escalates to root.

#Cacti#LFI#CVE-2024-46987
Mar 8, 2026HackTheBox
WebMedium

Wiz Bug Bounty

Bug bounty masterclass covering exposed databases, SSRF, subdomain takeover, blind XSS, GitHub secret leaks, Spring Boot heapdump, and session confusion ATO.

#Bug Bounty#SSRF#Subdomain Takeover
Jan 24, 2026Wiz Bug Bounty
ADMediumWindows

HTB — Haze

Splunk misconfiguration leaks credentials. Active Directory enumeration reveals a privilege escalation path through ACL abuse to Domain Admin.

#Splunk#AD#ACL Abuse
Jan 10, 2026HackTheBox
ADMediumWindows

HTB — TombWatcher

Active Directory with ADCS misconfiguration. ESC1 certificate template abuse allows requesting a certificate as Domain Admin for full compromise.

#AD#ADCS#ESC1
Dec 1, 2025HackTheBox
ADMediumWindows

HTB — Signed

MSSQL with xp_cmdshell for initial RCE. Active Directory certificate abuse (ADCS) to impersonate Domain Admin.

#AD#MSSQL#ADCS
Nov 20, 2025HackTheBox
MiscMediumLinux

HTB — Giveback

Custom network service with an authentication logic flaw. Protocol reverse engineering reveals a bypass path to root.

#Protocol Analysis#Auth Bypass#Reverse Engineering
Nov 8, 2025HackTheBox

From the Blog

Latest CVEs, certifications, tools, anything security related.

View all
#OSCP#Certifications

My Experience with OSCP+ in 2025

A full breakdown of my OSCP+ journey — preparation, lab time, the exam, and lessons learned.

Projects

Personal projects for learning.

View all
Vulnerable Blog App

Vulnerable Blog App

Full-stack intentionally vulnerable application built for CCNY EE I7700 Penetration Test & Ethical Hacking. Covers the full attacker kill chain from initial access to root via XSS, node-serialize deserialization RCE, and privilege escalation through a world-writable script run by root.