HTB: Logging
Leaked SMB credential with predictable year rotation → gMSA hash extraction → WinRM → DLL hijack → AD CS rogue cert → DNS poisoning → fake WSUS server → SYSTEM.
Kobold is a medium Linux box that chains a misconfigured MCP developer tool into full root. An unauthenticated RCE in the MCPJam Inspector API (CVE-2026-23744) drops a shell as ben via unsanitized command injection through child_process.spawn(). Privilege escalation abuses a dormant Docker group membership activatable via newgrp docker; from there it is a one-liner container escape that mounts the host filesystem for root.
Medium Linux box. SOAP XOP/MTOM file read leaks Hoverfly creds from a systemd unit file. Middleware RCE gives a shell as dev_ryan. World-writable /usr/bin/bash + sudo syswatch.sh = root.
Git leak to portal creds. fontTools arbitrary file write drops a webshell, FontForge ZIP command injection pivots to user, setuptools path traversal writes root's SSH key. Three CVEs, full chain.
Blind SQLi in ZoneMinder leaks bcrypt hashes. Crack one, SSH in, find motionEye running as root on localhost.