Cybersecurity writeups, research notes, and offensive security experiments from Eddison King.https://adversarial.work/https://adversarial.work/blog/writeup-freelancer/https://adversarial.work/blog/writeup-freelancer/**No Spoilers Hints** - Registration flows reveal more than they should. - Look for admin tooling and backend trust mistakes. Enumeration We start off with a...Thu, 20 Feb 2025 00:00:00 GMTHTBwriteupWindowsWebActiveDirectoryEddison Kinghttps://adversarial.work/blog/writeup-cicada/https://adversarial.work/blog/writeup-cicada/**No Spoilers Hints** - Start with SMB and read-only shares. - Directory data leaks more than the login screen. Enumeration As usual, we start off with an nm...Mon, 10 Feb 2025 00:00:00 GMTHTBwriteupWindowsEddison Kinghttps://adversarial.work/blog/writeup-caption/https://adversarial.work/blog/writeup-caption/**No Spoilers Hints** - Git hosting and SQL tooling both deserve attention. - Internal services sit behind a trust boundary. Enumeration As usual, we start o...Wed, 15 Jan 2025 00:00:00 GMTHTBwriteupLinuxEddison Kinghttps://adversarial.work/blog/writeup-gobox/https://adversarial.work/blog/writeup-gobox/**No Spoilers Hints** - Template rendering deserves a closer look. - Go-based services often hide surprising injection paths. Enumeration As per usual, we st...Sun, 05 Jan 2025 00:00:00 GMTHTBwriteupLinuxEddison Kinghttps://adversarial.work/blog/writeup-sightless/https://adversarial.work/blog/writeup-sightless/**No Spoilers Hints** - The first foothold is a browser-based SQL tool. - Local-only services and admin panels matter later. Enumeration As usual, we start o...Fri, 20 Dec 2024 00:00:00 GMTHTBwriteupLinuxEddison Kinghttps://adversarial.work/blog/writeup-blurry/https://adversarial.work/blog/writeup-blurry/**No Spoilers Hints** - The web app wants local setup before anything useful. - Look closely at ML tooling and model handling. Enumeration As usual, we start...Sun, 01 Dec 2024 00:00:00 GMTHTBwriteupLinuxPythonClearMLEddison Kinghttps://adversarial.work/blog/writeup-trickster/https://adversarial.work/blog/writeup-trickster/**No Spoilers Hints** - Source control leaks the important admin path. - Containerized tooling hides the real privilege boundary. Enumeration As usual, start...Fri, 22 Nov 2024 00:00:00 GMTHTBwriteupLinuxEddison Kinghttps://adversarial.work/blog/writeup-instant/https://adversarial.work/blog/writeup-instant/**No Spoilers Hints** - The mobile app is part of the attack surface. - Inspect the APK, not just the website. Enumeration As usual, we start off with an nma...Wed, 16 Oct 2024 00:00:00 GMTHTBwriteupLinuxEddison Kinghttps://adversarial.work/blog/writeup-grandpa/https://adversarial.work/blog/writeup-grandpa/**No Spoilers Hints** - Old IIS-era web servers deserve immediate scrutiny. - Classic web-server CVEs fit this box. Enumeration As usual, we start off with a...Sat, 14 Sep 2024 00:00:00 GMTHTBwriteupWindowsEddison Kinghttps://adversarial.work/blog/writeup-paper/https://adversarial.work/blog/writeup-paper/**No Spoilers Hints** - WordPress is only the start here. - Linux service abuse appears later in the chain. Enumeration Let's start off with an nmap scan as...Thu, 12 Sep 2024 00:00:00 GMTHTBwriteupLinuxSudo v1.8.29rocket.chatEddison Kinghttps://adversarial.work/blog/writeup-sau/https://adversarial.work/blog/writeup-sau/**No Spoilers Hints** - Proxying requests to localhost opens the real target. - A sudo pager can become a shell. Enumeration As usual, we start off with an n...Mon, 09 Sep 2024 00:00:00 GMTHTBwriteupLinuxSSRFCommand InjectionEddison Kinghttps://adversarial.work/blog/writeup-buff/https://adversarial.work/blog/writeup-buff/**No Spoilers Hints** - A flaky local service can break the whole chain. - Restarting can bring the missing piece back. Hints 1. There is something in this b...Sat, 07 Sep 2024 00:00:00 GMTHTBwriteupWindowsEddison Kinghttps://adversarial.work/blog/writeup-traverxec/https://adversarial.work/blog/writeup-traverxec/**No Spoilers Hints** - A vintage web server exposes home-directory content. - Configuration files and user-owned archives matter. Enumeration As usual, we s...Thu, 05 Sep 2024 00:00:00 GMTHTBwriteupLinuxEddison Kinghttps://adversarial.work/blog/writeup-traceback/https://adversarial.work/blog/writeup-traceback/**No Spoilers Hints** - Hidden comments point to the real entry point. - Watch for login-time scripts and writable MOTD files. Enumeration As usual, we start...Tue, 03 Sep 2024 00:00:00 GMTHTBwriteupLinuxEddison Kinghttps://adversarial.work/blog/writeup-precious/https://adversarial.work/blog/writeup-precious/**No Spoilers Hints** - Rendered documents are the weak link. - Watch where URLs become PDFs. Enumeration As usual, we start with an nmap scan to get a listi...Mon, 02 Sep 2024 00:00:00 GMTHTBwriteupLinuxEddison Kinghttps://adversarial.work/blog/writeup-knife/https://adversarial.work/blog/writeup-knife/**No Spoilers Hints** - Version-specific PHP behavior is the key clue. - Check scheduled tasks and sudo allowances after entry. Enumeration As usual, we star...Sun, 01 Sep 2024 00:00:00 GMTHTBwriteupLinuxPHPEddison Kinghttps://adversarial.work/blog/writeup-greenhorn/https://adversarial.work/blog/writeup-greenhorn/**No Spoilers Hints** - Look for reused secrets in the web app. - CMS plugins and local services both matter. Enumeration As usual, we start off with an nmap...Wed, 28 Aug 2024 00:00:00 GMTHTBwriteupLinuxWebEddison Kinghttps://adversarial.work/blog/writeup-monitorsthree/https://adversarial.work/blog/writeup-monitorsthree/**No Spoilers Hints** - The monitoring stack leaks useful application context. - Internal backup tooling becomes relevant later. Enumeration As usual, we sta...Sun, 25 Aug 2024 00:00:00 GMTHTBwriteupLinuxEddison Kinghttps://adversarial.work/blog/writeup-cap/https://adversarial.work/blog/writeup-cap/**No Spoilers Hints** - Packet captures can leak the first breadcrumb. - Capability scans matter more than SUID here. Hints Enumeration As usual, we start wi...Wed, 21 Aug 2024 00:00:00 GMTHTBwriteupLinuxCapabilitycap_setuidpcapEddison Kinghttps://adversarial.work/blog/writeup-nibbles/https://adversarial.work/blog/writeup-nibbles/**No Spoilers Hints** - Old blog software and plugin paths are important. - Local privilege checks finish the job. Hints - Ensure that you are enumerating th...Tue, 20 Aug 2024 00:00:00 GMTHTBwriteupLinuxEddison Kinghttps://adversarial.work/blog/writeup-devel/https://adversarial.work/blog/writeup-devel/**No Spoilers Hints** - FTP and web content share the same writable surface. - Think legacy Windows web-service flaws after that. Enumeration nmap to start o...Sun, 18 Aug 2024 00:00:00 GMTHTBwriteupWindowsEddison Kinghttps://adversarial.work/blog/writeup-bashed/https://adversarial.work/blog/writeup-bashed/**No Spoilers Hints** - Hunt the developer-only path hidden from normal browsing. - A scheduled script changes hands in a writable directory. Enumeration We...Sun, 28 Jul 2024 00:00:00 GMTHTBwriteupLinuxBashWebEddison Kinghttps://adversarial.work/blog/writeup-legacy/https://adversarial.work/blog/writeup-legacy/**No Spoilers Hints** - Old Windows networking is the whole story. - A classic SMB-era flaw fits the banner. Enumeration We start with an nmap as usual: We s...Sun, 28 Jul 2024 00:00:00 GMTHTBwriteupSMBMS08-067CVE-2008-4250Eddison Kinghttps://adversarial.work/blog/writeup-optimum/https://adversarial.work/blog/writeup-optimum/**No Spoilers Hints** - Simple file-serving software is the real target. - Banner versioning points to a classic Windows flaw. Enumeration We start with an n...Sun, 28 Jul 2024 00:00:00 GMTHTBwriteupLinuxWebEddison Kinghttps://adversarial.work/blog/writeup-blue/https://adversarial.work/blog/writeup-blue/**No Spoilers Hints** - SMB versioning tells you almost everything here. - Patch-level Windows flaws beat brute-force enumeration. Background Just from the n...Fri, 26 Jul 2024 00:00:00 GMTHTBwriteupWindowsEternalBlueEddison Kinghttps://adversarial.work/blog/writeup-netmon/https://adversarial.work/blog/writeup-netmon/**No Spoilers Hints** - Monitoring software often stores sensitive configuration. - FTP and web management should both be checked. Enumeration We start of wi...Fri, 26 Jul 2024 00:00:00 GMTHTBwriteupPRTG Network MonitorFTPEddison Kinghttps://adversarial.work/blog/writeup-iclean/https://adversarial.work/blog/writeup-iclean/**No Spoilers Hints** - Template rendering and serialization both deserve scrutiny. - Configuration files may reveal the useful pivot. Enumeration Firstly, w...Mon, 22 Jul 2024 00:00:00 GMTHTBwriteupXSSMySQLSSTIJinja2PythonEddison Kinghttps://adversarial.work/blog/writeup-runner/https://adversarial.work/blog/writeup-runner/**No Spoilers Hints** - CI/CD infrastructure is the real attack surface. - Backup and container features both matter. Enumeration As usual, we start off with...Fri, 19 Jul 2024 00:00:00 GMTHTBwriteupTeamCityDockerPortainerEddison Kinghttps://adversarial.work/blog/writeup-cascade/https://adversarial.work/blog/writeup-cascade/**No Spoilers Hints** - Null sessions still matter on this domain controller. - Shares and directory services hide the first clues. Breaking In Starting off...Fri, 05 Jul 2024 00:00:00 GMTHTBwriteupActive DirectoryEddison Kinghttps://adversarial.work/blog/ai-and-the-primates-that-forgot-how-to-make-fire/https://adversarial.work/blog/ai-and-the-primates-that-forgot-how-to-make-fire/AI and the primates that forgot how to make fire There's no denying that AI is an incredibly disruptive technology. Disruptive. Or whatever fancy words marke...Sun, 05 Nov 2023 03:33:00 GMTairantEddison King