
LLM Security: Threat Modeling and Prompt Injection
Comprehensive analysis of security threats in Large Language Models (LLMs), attack techniques like prompt injection, and a practical case study from the A.D.I.C. 7 challenge at CyberH2O CTF.

Write-up of the third and final machine from the CyberH2O cyberchallenge, an industrial environment with SNMP, OPC UA, Node-RED and privilege escalation.

Write-up of the second machine from the CyberH2O cyberchallenge, a hybrid environment with Docker containers and privilege escalation via Portainer.

Write-up of the first challenge of the CyberH2O cyberchallenge, focused on OSINT to locate an exposed PLC in a specific municipality.

Vault write-up (HackTheBox): medium-difficulty Linux machine that exploits file upload with filter bypass to obtain an initial shell, pivots through OpenVPN and internal networks to escalate privileges and obtain root.

Write-up of a classic ASIS CTF challenge: bypassing a preg_match filter that prohibits letters (A-Za-z) using XOR to generate strings without letters that, when executed in eval(), call functions such as phpinfo() or show_source(). A very useful technique for understanding type juggling and WAF bypass in PHP.

Curling write-up (HackTheBox): easy Linux machine that exploits Joomla with credentials leaked in comments, uploads webshell via template, obtains floris credentials via password_backup, and escalates to root with DirtySock (CVE-2019-7304).

Explanation of how to exploit a JWT vulnerability by changing the algorithm (RS256 → HS256) and using the public key as the secret. PoC based on the Moar Horse 4 challenge from TJCTF 2020.

Exploiting XSS with filter bypass using HTML encoding and eval+atob to perform CSRF and exfiltrate sensitive administrator information in a CTF.

Write-up of simple CTF challenges (web and stego/crypto): type juggling in PHP, impossible conditions with is_numeric, hidden parameters in source, and stego with Stegsolve/hex.

Frolic write-up (HackTheBox): medium-difficulty Linux machine that exploits a web service with multiple enumeration steps (Ook, base64, ZIP, brainfuck) to obtain shell access, then escalates to root via ret2libc in a setuid binary with NX enabled and ASLR disabled.

PwnLab: Init write-up (Vulnhub): LFI with wrappers, file upload for RCE and escalation via SUID/PATH and injection in echo.