HTB: Logging
Leaked SMB credential with predictable year rotation → gMSA hash extraction → WinRM → DLL hijack → AD CS rogue cert → DNS poisoning → fake WSUS server → SYSTEM.
What I did: Architected and deployed scalable enterprise IT infrastructures.
What I do now: Secure critical networks, lead and develop Mindflow.care as founder.
What I love to do: Security research, custom tools, CTFs, lab from HTB/THM and anime.
// Writing
Leaked SMB credential with predictable year rotation → gMSA hash extraction → WinRM → DLL hijack → AD CS rogue cert → DNS poisoning → fake WSUS server → SYSTEM.
Kobold is a medium Linux box that chains a misconfigured MCP developer tool into full root. An unauthenticated RCE in the MCPJam Inspector API (CVE-2026-23744) drops a shell as ben via unsanitized command injection through child_process.spawn(). Privilege escalation abuses a dormant Docker group membership activatable via newgrp docker, from there it's a one-liner container escape mounting the host filesystem for root.
// Credentials
// Contact
Open to collaborations and security research.
// contact.channels[]