Chief Dennis' Blog

Sorcerer Offsec Walkthrough

Thu, 11 Dec 2025 13:07:16 +0100

Sorcerer OffSec Walkthrough Link to heading

1. Introduction Link to heading

This walkthrough documents the compromise of the Sorcerer machine from CyberSecLabs (CFT).

We compromised the Sorcerer machine through classic multi-surface enumeration: multiple web servers, exposed ZIP archives leaking Tomcat credentials and SSH keys, restricted SSH bypass through editing authorized_keys, and final privilege escalation via a misconfigured SUID start-stop-daemon binary (GTFOBins).

Payday Offsec Walkthrough

Sat, 29 Nov 2025 19:00:00 +0100

Payday OffSec Walkthrough Link to heading

This walkthrough documents the full compromise of the OffSec “Payday” target machine. The attack path involves classic recon, discovery of an outdated CS-Cart e-commerce panel, authenticated file upload leading to RCE, and finally a privilege escalation via weak local user credentials and unrestricted sudo access. Despite a large attack surface (SMTP/IMAP/SSLv2/Samba 3.x/etc.), the intended path is surprisingly simple—but easy to overlook.

Pelican Offsec Walkthrough

Sat, 29 Nov 2025 11:00:00 +0100

Pelican OffSec Walkthrough Link to heading

This walkthrough covers the full exploitation path for the Pelican target, from initial reconnaissance to root compromise and post-exploitation considerations. We focus on service enumeration, misconfigurations, abusing an exposed Exhibitor instance, credential extraction through memory dumping, and privilege escalation.

1. Reconnaissance Link to heading

First, a ping is made to verify connection with the machine:

ClamAV Offsec Walkthrough

Fri, 29 Aug 2025 18:00:00 +0100

ClamAV OffSec Walkthrough Link to heading

1. Reconnaissance Link to heading

First, a ping is made to verify connection with the machine:

A high TTL of ~130 is observed. However, the later Nmap scan will show a TTL of 61, which is more typical for Linux machines.

A nmap SYN scan is run to discover all open ports:

sudo nmap -sS -T5 -vvv -p- 192.168.199.42 -Pn -oG nmap_inicial

Internal Offsec Walkthrough

Mon, 09 Jun 2025 15:43:16 +0100

Introduction Link to heading

This post analyzes the process of privilege analysis, exploitation, and escalation in a vulnerable Windows environment. To do this, a network scan is carried out using Nmap, identifying open ports and services on the target system. Subsequently, using Metasploit, the presence of vulnerabilities in the SMB service is searched for and verified.

In particular, the system is found to be vulnerable to CVE-2009-3103, a security flaw in SMB 2.0.2 that allows remote execution of code with elevated privileges. By exploiting this vulnerability, access is gained to the victim machine with NT AUTHORITY\SYSTEM privileges, granting full control over the system.

WPA/WPA2 Protocol: Packet format analysis and attacks against it

Sun, 01 Jun 2025 15:43:16 +0100

Identification of the different types of WPA protocol packets. Link to heading

In this first phase, the analysis of a traffic capture corresponding to a WiFi network with WPA2-PSK authentication has been carried out. The tool used has been Wireshark, due to its ability to interpret and decompose network protocols in a detailed way. The purpose of this point is to identify the different types of packets involved in the WPA2 connection and authentication process, as well as to examine the most relevant fields of each and understand their function within the overall context of the capture.

Operational installation of a VPN with OpenVPN

Tue, 20 May 2025 15:43:16 +0100

Introduction Link to heading

Currently, Virtual Private Networks (VPNs) are a widely used solution to establish secure communication channels over public or shared networks. Its main objective is to offer confidentiality, authentication and integrity in the transmission of data between different devices, simulating a private local network by encrypting the information that circulates through the network.

In this practice, a VPN has been implemented using OpenVPN, an open-source toolthat allows you to create encrypted tunnels based on the SSL/TLS protocol. The work environment is composed of three Kali Linux virtual machines:

Cockpit Offsec Walkthrough

Sun, 18 May 2025 13:07:16 +0100

Introduction Link to heading

SQL injection vulnerability Link to heading

A SQL Injection (SQLi) vulnerability is one of the most critical threatsin web applications that interact with databases. This vulnerability occurs when an application does not properly validate and sanitize user input before using it in SQL queries, allowing an attacker to manipulate these queries to access, modify, or delete data in the database.

WifiChallenge Lab CTF

Thu, 15 May 2025 15:43:16 +0100

Introduction Link to heading

This write-up summarizes the completion of the WiFiChallenge Lab, a practical cybersecurity exercise focused on wireless network security. Throughout the lab, various Wi-Fi attack techniques were explored and executed, including packet capture, handshake extraction, password cracking, and exploiting common vulnerabilities in WEP and WPA/WPA2 networks. The objective was to simulate real-world scenarios, enhance practical skills in wireless penetration testing, and deepen understanding of Wi-Fi security protocols and their weaknesses. This walkthrough outlines the methodology, tools used, challenges encountered, and key takeaways from the experience.

DVR4 Offsec Walkthrough

Tue, 01 Apr 2025 13:07:16 +0100

DVR4 Offsec Walkthrough Link to heading

LFI Vulnerability Link to heading

Local File Inclusion (LFI) is a security vulnerability in web applications that allows an attacker to access files stored on the server. This failure occurs when an applicationconstructs file paths based on user input without properly validating its contents. As a result, an attacker can manipulate those paths to read sensitive system files and, in some cases, execute malicious code.

Snookum Offsec Walkthrough

Sun, 16 Mar 2025 13:07:16 +0100

Snookum OffSec Walkthrough Link to heading

RFI Vulnerability Link to heading

Remote File Inclusion (RFI) is a vulnerability in web applications that allows an attacker to upload and execute files hosted on external servers. This flaw occurs when an applicationdynamically includes files without properly validating user input, which can lead to the execution of malicious code. If proper security measures are not taken, RFI can completely compromise a system, facilitating data theft, malware execution, or even full control of the server.

Reconnaissance of Vulnerable Software with Nessus and OpenVAS

Sun, 23 Feb 2025 15:43:16 +0100

1. Introduction

2. Analysis Tools

3. Scan Settings

3.1. Nessus Scanning Parameters

3.2. OpenVAS Scanning Parameters

4. Analysis Process

4.1. Running the Scan with Nessus

4.2. Running the Scan with OpenVAS

5. Comparison of Results

6. Conclusions

Introduction Link to heading

The purpose of this report is to examine the security of a system through specialized tools for detecting vulnerabilities. To do this, exhaustive scans have been carried out using Nessus and OpenVAS on the Metasploitable3 virtual machine (Linux). After data collection, the findings will be analyzed and a detailed comparison of both tools will be made.

ARP and DNS spoofing with Bettercap

Sun, 09 Feb 2025 15:43:16 +0100

2.3. Fake Web Page Setup

2.4. Credential Theft

3. Stopping the attack

4. Conclusions

Introduction Link to heading

In the field of cybersecurity, analyzing vulnerabilities in local networks is a fundamental task for understanding potential threats and designing appropriate defense mechanisms. Among the most common attacks affecting the integrity and confidentiality of information in a network are ARP Spoofing and DNS Spoofing, techniques used to intercept, modify, and redirect traffic from devices connected to a LAN.

Steganographic techniques, analysis, and usage of S-Tools

Wed, 01 Jan 2025 15:43:16 +0100

1.- Introduction Link to heading

This post is about steganographic tools and analysis techniques in search of hidden information. In this case, the S-Tools tool is used. We will also use a custom python script to help us analyze the images bit by bit in search for hidden information. Lastly, we will also perform a histogram analysis, coding another custom python script.

S-Tools is a very powerful tool developed by Andy Brown. It allows you to hide messages using steganography in BMP, GIF, and WAV images. It is a very simple tool that allows drag-and-drop to process the relevant files. Additionally, it can encrypt the hidden information so that even if the message is discovered, the information cannot be decrypted without the password.

Blurry HTB Walkthrough

Sun, 16 Jun 2024 13:07:16 +0100

The Blurry HTB machine is a medium difficulty level HackTheBox Machine. The main techniques and tools used to crack this machine are:

- ClearML
- CVE-2024-24590
- Json deserialization
- Scipt analysis
- Fickling
- Python scripting

Reconnaissance Link to heading

We start a broad Nmap scan by executing the following command:

sudo nmap -sS -T5 -vvv -p- 10.10.11.19 -Pn -oG nmap_inicial

Where the arguments mean:

Runner HTB Walkthrough

Mon, 10 Jun 2024 13:07:16 +0100

The Runner HTB machine is a medium difficulty level HackTheBox Machine. The main techniques and tools used to crack this machine are:

- Subdirectory discovery with ffuf
- CVE-2024-27198
- Hash cracking with JohnTheRipper
- Docker escape
- CVE-2024-21626

Reconnaissance Link to heading

We start a broad Nmap scan by executing the following command:

sudo nmap -sS -T5 -vvv -p- 10.10.11.13 -Pn -oG nmap_inicial

Where the arguments mean:

BoardLight HTB Walkthrough

Tue, 04 Jun 2024 13:07:16 +0100

The BoardLight HTB machine is a medium difficulty level HackTheBox Machine. The main techniques and tools used to crack this machine are:

- Grep / Find
- Subdomain discovery with ffuf
- CVE-2023-30253
- CVE-2022-37706

Reconnaissance Link to heading

We start a broad Nmap scan by executing the following command:

sudo nmap -sS -T5 -vvv -p- 10.10.11.11 -Pn -oG nmap_inicial

Where the arguments mean:

Usage HTB Walkthrough

Wed, 29 May 2024 13:07:16 +0100

The Usage HTB machine is a madium difficulty level HackTheBox Machine. The main techniques and tools used to crack this machine are:

- Blind SQL injection with SQLmap
- Burpsuite
- Hash cracking with JohnTheRipper
- 7z Wildcard Spare exploitation

Reconnaissance Link to heading

We start a broad Nmap scan by executing the following command:

sudo nmap -sS -T5 -vvv -p- 10.10.11.18 -Pn -oG nmap_inicial

Where the arguments mean:

Configure and deploy Azure Firewall Manager Part 3: Test the Firewall

Thu, 11 Apr 2024 08:43:16 +0100

For part 3 of the series, test the firewall in two steps. First, we’ll test the application rule; then, we’ll test the network rule. To test the firewall rules, we’ll connect a remote desktop using the firewall’s public IP address, which is NATed to Workload-1. From there, we’ll use a browser to test the application rule and connect a remote desktop to Workload-2 to test the network rule. It is important to remember, as with all testing, firewall testing is essential to maintaining a secure network and mustn’t be overlooked.

Configure and deploy Azure Firewall Manager Part 2: Deploy the servers

Sat, 09 Mar 2024 08:43:16 +0100

For part 2 of the series, we will deploy our workloads/servers. This process is similar as to any virtual machine deployment in the Azure Cloud.

Deploy the servers Link to heading

Deploying servers involves setting up and preparing a server to host and run applications or services. When discussing deploying servers in a cloud environment, this process often consists of creating and configuring virtual machines, setting up network connectivity and security, and installing and configuring software, all done within the cloud provider’s management interface or using infrastructure as code (IaC) tools such as Terraform.

Configure and deploy Azure Firewall Manager Part 1: Create a hub and spoke architecture

Mon, 26 Feb 2024 08:43:16 +0100

Azure Firewall Manager is a central network security policy and route management service for globally distributed, software-defined perimeters. It can provide security management for two network architecture types, the secured virtual hub and the hub virtual network.

Using Azure Firewall Manager, you can create secured virtual hubs to secure your cloud network traffic destined to private IP addresses, Azure PaaS, and the Internet. Traffic routing to the firewall is automated, so there’s no need to create user-defined routes (UDRs).

Monitored HTB Walkthrough

Sat, 17 Feb 2024 13:07:16 +0100

The Monitored HTB machine is a medium difficulty level HackTheBox Machine. The main tools and techniques used to crack this machine are:

 - Dirsearch
 - CVE-2023-40931
 - NMAP UDP scan
 - SNMP enumeration with SNMPwalk
 - JohnTheRipper
 - SQL injection with SQLmap

Reconnaissance Link to heading

We start a broad Nmap TCP scan by executing the following command:

sudo nmap -sS -T5 -vvv -p- 10.10.11.248 -Pn -oG nmap_inicial

Where the arguments mean:

Bizness HTB Walkthrough

Fri, 02 Feb 2024 13:07:16 +0100

The Bizness HTB machine is an easy difficulty level HackTheBox Machine. The main techniques and tools used to crack this machine are:

 - Dirsearch
 - CVE-2023-51467
 - Grep, find and strings
 - Hashcat

Reconnaissance Link to heading

We start a broad Nmap scan by executing the following command:

sudo nmap -sS -T5 -vvv -p- 10.10.11.252 -Pn -oG nmap_inicial

Where the arguments mean:

About

Sun, 28 Jan 2024 19:19:53 +0100

Hello! I’m Dennis, a cybersecurity engineer with a background in aerospace engineering and a passion for complex technical systems. My academic journey began with a Bachelor’s in Aerospace Engineering, where I developed strong analytical and problem-solving skills that continue to shape the way I approach technology and security.

Over the years, I’ve worked in environments that blend telecommunications, IT security, and critical infrastructure. These roles have allowed me to gain hands-on experience with Linux systems, networking, cloud architectures, firewalls, IDS/IPS, automation, and secure system design. I’ve also been deeply involved in vulnerability management, patch orchestration, and the development of technical solutions that improve the reliability and security of large-scale operational systems.

Contact me!

Sun, 28 Jan 2024 19:19:53 +0100

Hey! You can contact me via my LinkedIn profile.

TwoMillion HTB Walkthrough

Tue, 16 Jan 2024 13:07:16 +0100

The TwoMillion HTB machine is an easy difficulty level HackTheBox Machine. The main techniques and tools used to crack this machine are:

- Command Injection
- Burpsuite
- CVE-2023-0386
- JS deobfuscation with Cyberchef
- API enumeration

Reconnaissance Link to heading

We start a broad Nmap scan by executing the following command:

sudo nmap -sS -T5 -vvv -p- 10.10.11.221 -Pn -oG nmap_inicial

Where the arguments mean:

GPS NMEA TCP/IP stream to COM port via com0com and com2tcp

Fri, 29 Dec 2023 15:43:16 +0100

In this project we will explore how we can serve TCP/IP data coming in through an open port, and turn it into a virtual serial port or COM port. In this case, I have a router that has an internal GPS that can serve the NMEA sentences to a given IP and port via TCP/IP. However, most programs that use GPS (like Google Earth) do it through a COM port. So, how can we ’translate’ the TCP/IP data into a serial COM stream?

Manage Entra ID users via Azure Portal

Sun, 03 Dec 2023 15:43:16 +0100

In this post we will learn how to create, edit and delete Microsoft Entra ID users. Microsoft Entra ID is an integrated cloud identity and access solution, and a leader in the market for managing directories, enabling access to applications, and protecting identities.

To create a user, first navigate to Microsoft Entra ID in the Azure Portal.

Then click on Users.

You will be seeing the Users page. On the left hand menu, we can see the following tabs:

Clicker HTB Walkthrough

Mon, 27 Nov 2023 13:07:16 +0100

The Clicker HTB machine is a medium difficulty level HackTheBox Machine. The main techniques used to crack this machine are:

- SQL Injection
- CRLF Injection
- Parameter Tampering
- PHP Reverse Shell
- Perl_startup Local Privilege Escalation

Reconnaissance Link to heading

We start a broad Nmap scan by executing the following command:

sudo nmap -sS -T5 -vvv -p- 10.10.11.232 -Pn -oG nmap_inicial

Where the arguments mean:

Codify HTB Walkthrough

Wed, 13 Sep 2023 13:07:16 +0100

The Codify HTB machine is a easy difficulty level HackTheBox Linux Machine. The main techniques used to crack this machine are:

- Hash cracking with JohnTheRipper
- Sandbox escape
- Batch Script Analysis
- Python Scripting

Reconnaissance Link to heading

I started by running a NMAP scan to look for services and versions running on open ports;

We can see that the usual ports 22 and 80 are open. However, port 3000 is also open running node.js, which could be useful in the future since node.js has some known vulnerabilities in older versions.