HTB writeups, CTF writeups, and articles on SOC, pentest, and Active Directory.https://blog.krf-studio.com/en-ushttps://blog.krf-studio.com/writeups/airtouch/https://blog.krf-studio.com/writeups/airtouch/An SNMP system description leaks an SSH password. Network segmentation reveals three VLANs accessed via Wi-Fi. WPA2-PSK cracking provides a foothold in the Tablets VLAN, followed by web exploitation and certificate theft. A rogue access point attack against WPA2-Enterprise captures an MSCHAPv2 hash, which is cracked to gain access to the Corporate VLAN and root.Tue, 09 Jun 2026 00:00:00 GMThttps://blog.krf-studio.com/writeups/cap/https://blog.krf-studio.com/writeups/cap/An IDOR vulnerability on a network capture endpoint reveals plaintext FTP credentials in a PCAP file. Credential reuse provides SSH access, and a vulnerable pkexec SUID binary (CVE-2021-4034) allows root escalation.Tue, 09 Jun 2026 00:00:00 GMThttps://blog.krf-studio.com/writeups/connected/https://blog.krf-studio.com/writeups/connected/An unauthenticated SQL injection in FreePBX 16.x (CVE-2025-57819) allows credential extraction and hash replacement, leading to admin access. POST_RELOAD shell injection provides RCE as asterisk. A world-writable incron trigger file and writable module directory enable sudoers hijack for root.Tue, 09 Jun 2026 00:00:00 GMThttps://blog.krf-studio.com/writeups/devhub/https://blog.krf-studio.com/writeups/devhub/An unauthenticated RCE in MCPJam Inspector (CVE-2026-23744) provides initial access. A JupyterLab token exposed in process arguments enables lateral movement via a raw WebSocket client. Reading the source code of an internal MCP server reveals a hidden tool that dumps root's SSH private key.Tue, 09 Jun 2026 00:00:00 GMThttps://blog.krf-studio.com/writeups/fluffy/https://blog.krf-studio.com/writeups/fluffy/Starting with low-privileged domain credentials, the attack chain exploits CVE-2025-24071 to leak an NTLM hash, cracks it, abuses GenericAll ACLs, uses Shadow Credentials to take over service accounts, and finally forges an Administrator certificate via ADCS for Domain Admin.Tue, 09 Jun 2026 00:00:00 GMThttps://blog.krf-studio.com/writeups/helix/https://blog.krf-studio.com/writeups/helix/Subdomain enumeration reveals an unauthenticated Apache NiFi instance. CVE-2023-34468 (H2 JDBC INIT injection) provides a shell as nifi. An SSH key found in NiFi support bundles grants access as operator. Privilege escalation requires manipulating OPC UA industrial control nodes to trigger a safety controller maintenance window, leading to root.Tue, 09 Jun 2026 00:00:00 GMThttps://blog.krf-studio.com/writeups/jeeves/https://blog.krf-studio.com/writeups/jeeves/Unauthenticated Jenkins Script Console leads to RCE, a KeePass database is cracked to obtain an NTLM hash, and Pass-the-Hash grants SYSTEM access before extracting the root flag from an NTFS Alternate Data Stream.Tue, 09 Jun 2026 00:00:00 GMThttps://blog.krf-studio.com/writeups/logging/https://blog.krf-studio.com/writeups/logging/Starting with a low-privileged user, SMB enumeration reveals hardcoded credentials in a log file. Password pattern inference leads to an updated credential. GenericWrite over a gMSA enables Shadow Credentials and WinRM access. DLL injection via a scheduled task gives lateral movement, and WSUS poisoning combined with ADIDNS spoofing and ADCS certificate abuse yields SYSTEM.Tue, 09 Jun 2026 00:00:00 GMThttps://blog.krf-studio.com/writeups/monitorsfour/https://blog.krf-studio.com/writeups/monitorsfour/An unauthenticated IDOR on an internal API leaks user credentials. Cracking an MD5 hash grants access to a Cacti instance vulnerable to CVE-2025-24367 (authenticated RCE). From a www-data shell inside a Docker container, an exposed Docker Engine API (port 2375) enables container escape and host compromise.Tue, 09 Jun 2026 00:00:00 GMThttps://blog.krf-studio.com/writeups/principal/https://blog.krf-studio.com/writeups/principal/A Java web app using pac4j-jwt/6.0.3 is vulnerable to CVE-2026-29000, allowing JWT authentication bypass via JWE token forgery. API enumeration as admin leaks an SSH deployment key. With user access, a readable SSH CA private key enables forging a root certificate for privilege escalation.Tue, 09 Jun 2026 00:00:00 GMThttps://blog.krf-studio.com/writeups/reactor/https://blog.krf-studio.com/writeups/reactor/A critical RCE vulnerability in Next.js React Server Components (CVE-2025-55182) provides initial access. A misconfigured Node.js debugger bound to localhost enables privilege escalation to root.Tue, 09 Jun 2026 00:00:00 GMThttps://blog.krf-studio.com/writeups/silentium/https://blog.krf-studio.com/writeups/silentium/Vhost fuzzing reveals a Flowise 3.0.5 staging site. CVE-2025-58434 leaks a password reset token, enabling account takeover. CVE-2025-59528 provides authenticated RCE inside a Docker container. Credential reuse from environment variables leads to SSH access, and CVE-2026-41651 (Pack2TheRoot) grants root.Tue, 09 Jun 2026 00:00:00 GMThttps://blog.krf-studio.com/writeups/smarthire/https://blog.krf-studio.com/writeups/smarthire/An MLflow deserialization vulnerability (CVE-2024-37054) provides initial access. Privilege escalation uses a Python module hijacking via site.addsitedir and malicious .pth files to execute code as root.Tue, 09 Jun 2026 00:00:00 GMThttps://blog.krf-studio.com/writeups/snapped/https://blog.krf-studio.com/writeups/snapped/From an unauthenticated Nginx UI backup disclosure (CVE-2026-27944), a bcrypt hash is cracked to gain user access. Privilege escalation is possible via either CVE-2026-41651 (PackageKit TOCTOU) or the intended race condition in snap-confine (CVE-2026-3888).Tue, 09 Jun 2026 00:00:00 GMThttps://blog.krf-studio.com/writeups/support/https://blog.krf-studio.com/writeups/support/Anonymous SMB access reveals a .NET binary containing hardcoded XOR-encrypted LDAP credentials. After enumerating LDAP, a cleartext password in the info attribute grants WinRM access. BloodHound shows GenericAll on DC$, enabling RBCD abuse to impersonate Administrator and achieve SYSTEM on the Domain Controller.Tue, 09 Jun 2026 00:00:00 GMThttps://blog.krf-studio.com/writeups/trick/https://blog.krf-studio.com/writeups/trick/A multi-stage attack chain combining DNS Zone Transfer, SQL Injection, FILE privilege abuse, LFI, SSH key theft, and a Fail2Ban misconfiguration to obtain root access.Tue, 09 Jun 2026 00:00:00 GMThttps://blog.krf-studio.com/writeups/twomillion/https://blog.krf-studio.com/writeups/twomillion/JavaScript deobfuscation reveals hidden API endpoints, leading to invite code generation. API route enumeration exposes an admin section with broken access control, enabling self-promotion to admin. Command injection in a VPN generation endpoint provides a shell. A leaked .env file gives SSH credentials, and CVE-2023-0386 (OverlayFS) escalates to root.Tue, 09 Jun 2026 00:00:00 GMThttps://blog.krf-studio.com/articles/ai-memory/https://blog.krf-studio.com/articles/ai-memory/AI agents have four memory types directly inspired by human cognition: working, semantic, procedural, and episodic. Each agent type only needs the memory that matches its tasks. Learn how to design agent memory for better performance.Tue, 09 Jun 2026 00:00:00 GMThttps://blog.krf-studio.com/articles/claude-tips/https://blog.krf-studio.com/articles/claude-tips/Official Anthropic Academy certifications reveal the four core properties of Claude, the 4D framework (Delegation, Description, Discernment, Diligence), and advanced features like Projects, Skills, and Claude Code that transform AI from a text generator into a cognitive partner.Tue, 09 Jun 2026 00:00:00 GMThttps://blog.krf-studio.com/articles/cti-axios-bitwarden/https://blog.krf-studio.com/articles/cti-axios-bitwarden/Two separate npm supply chain compromises – Axios (March 2026) and Bitwarden CLI (April 2026) – reveal distinct operational models on the same attack surface. Axios shows a clean delivery chain with documented propagation; Bitwarden CLI centers on CI pipeline abuse and secret harvesting. The tactical correlation is strong, but infrastructural correlation is unproven.Tue, 09 Jun 2026 00:00:00 GMThttps://blog.krf-studio.com/articles/ghost-in-the-phone/https://blog.krf-studio.com/articles/ghost-in-the-phone/A complete guide to transforming a Google Pixel into a digital fortress using GrapheneOS. Covers hardware selection, network-shielded installation, VPN kill switch, system hardening, privacy-focused software stack, user profile compartmentalization, and behavioral OpSec.Tue, 09 Jun 2026 00:00:00 GMThttps://blog.krf-studio.com/articles/secure-n8n/https://blog.krf-studio.com/articles/secure-n8n/CVE-2026-21858 (Ni8mare) allows unauthenticated attackers to take over self-hosted n8n instances. Patching is essential, but defense-in-depth requires isolating public entry points. This article details a dual-application Cloudflare Zero Trust strategy that protects the admin interface while keeping webhooks, forms, and OAuth callbacks functional.Tue, 09 Jun 2026 00:00:00 GMThttps://blog.krf-studio.com/articles/tailscale-pihole/https://blog.krf-studio.com/articles/tailscale-pihole/Combine Pi-hole (network-level ad blocking) with Tailscale (zero‑trust VPN) on a Raspberry Pi to block ads and trackers on every device, anywhere in the world. Step-by-step installation, configuration, and testing.Tue, 09 Jun 2026 00:00:00 GMThttps://blog.krf-studio.com/writeups/forest/https://blog.krf-studio.com/writeups/forest/AS-REP Roasting sur un compte sans pré-auth Kerberos, puis abus des permissions Exchange WriteDACL pour obtenir DCSync et dumper les hashes NTDS.Wed, 02 Apr 2025 00:00:00 GMThttps://blog.krf-studio.com/articles/adcs-esc1-to-esc8/https://blog.krf-studio.com/articles/adcs-esc1-to-esc8/Tour d'horizon complet des 8 vecteurs d'attaque ADCS : conditions requises, exploitation, et détection.Thu, 20 Mar 2025 00:00:00 GMT