
HTB CWES — Exam Review, Tips & Practice Machines
so, i did a thing. i’m a 2nd-year cyber security student and this is my first ever hacking certification. i spent my entire holiday break grinding through the htb academy modules, taking insane am...

this is my personal cheatsheet collection for the Certified Web Exploitation Specialist (CWES) cert. i’m sharing the structure and tools i used while studying, not to hand you answers, but hopefull...

Devvortex is an easy Linux box featuring a vulnerable Joomla CMS with an information disclosure vulnerability (CVE-2023-23752) that leaks database credentials. After gaining admin access to Joomla,...
XSS (cross-site scripting) is all about injecting malicious scripts into pages viewed by other users. there are three main types – stored, reflected, and DOM-based. know when each one applies. additional re...
this section covers HTTP verb tampering, IDOR, and XXE — three classic web attack techniques. different mechanisms, but all very common in real-world apps and CTFs. HTTP Verb Tampering web serv...
sql injection is still one of the most impactful vulnerabilities out there. understand the fundamentals manually first, then let sqlmap do the heavy lifting. SQL injection fundamentals MySQL co...
server-side attacks target the server’s own processing logic. SSRF, SSTI, SSI, and XSLT are all different flavours – each with its own detection and exploitation path. SSRF (Server-Side Request ...
passive recon is all about gathering info without touching the target directly. no packets sent to them, no noise, just public sources and smart googling. the goal is to build a picture of the targ...
brute forcing logins is about throwing credentials at a target systematically. pair it with good wordlists and know when to crack hashes offline vs attack live services. password hash files lin...
obfuscated JavaScript is common in CTFs and real-world recon. learning to read and deobfuscate it helps you find hidden endpoints, credentials, and logic that devs didn’t want you to see. Code O...