If we can control a tar archive file which is getting extracted by root, we can escalate our privileges. Let’s see this in action ….

We start with onuma user.

Linpeas enum script detected a unusual timer.

Hi, here we will see some things which we can do with LFI. And combining this info how we can get RCE.

1. Turning LFI into RCE by sending emails via SMTP

Note: This scenario is in HTB Beep Machine. SMTP server is also running on the machine at port 25.

We start with a basic LFI

a. Identifying user with which current process is running-

Basically, /proc/self/ represents the process that’s reading /proc/self/. So if we try to open /proc/self/ from a C program then it represents that program. If you we to do it from the shell then it is that shell…


if we try to read the contents of “/proc/self/status” then it will output…

Hi readers this is just another windows privesc article. Here we will be seeing how misconfigured services, registry and exposed SAM/SYSTEM files can be exploited for escalating privileges….

Some windows learning prerequisites:

Types of groups in Windows:

  1. Regular Groups e.g Administrators, Users
  2. Pseudo Groups- Groups are created for short period of time. e.g Authenticated Users, NT AUTHORITY\INTERACTIVE

Types of user accounts in Windows:

  1. User Accounts- Used by users to login. e.g Administrator(default)
  2. Service Accounts- Used by different software services to run. Cannot be used to login. e.g LocalService, NetworkService, LocalSystem etc.

Access Control lists (ACLs) contains info regarding permissions for…

Hi, readers here we will be seeing how can we can create our own personal VPN server on oracle cloud(However, these same steps will work for every cloud provider and also for your local machine). Specifically we will be creating wireguard VPN server using algo VPN, which is a open source project created for this specific purpose of easily setting up personal VPN server on cloud(https://github.com/trailofbits/algo). Lets start….

1. Creating a VM compute instance

a. Login to your oracle cloud account and Click Create VM instance option.

b. In the next screen you will be prompted with various configuration options for your instance. First we can…

Hi readers here we will see how we can tunnel tcp traffic inside ssh session. There are two types of tunneling/forwarding local and remote. In local we expose services running on system accesible to remote server(ssh server) to our local network and in remote we expose services running in local network to a device accesible by remote server(ssh server). I have found a excellent diagram explaining this on stackexchange discussions (https://unix.stackexchange.com/questions/115897/whats-ssh-port-forwarding-and-whats-the-difference-between-ssh-local-and-remot) take a look and you will get more clear picture what is going on here.

NOTE: Please keep in mind for case 2 of both -R and -L options…

Hi readers, here we will see how we can get reverse meterpreter shell from a internal machine(which is not connected to internet). For more understanding this article can be followed after reading previous article(https://pswalia2u.medium.com/pivoting-metasploit-proxychains-85d18ce5bf2d)


Already compromised system(Pivot) with meterpreter session with already autoroute configured for next machine(

Hi, here we will see how we can perform Man in the middle(MITM) attack on compromised remote windows machine.

Prerequisites: Meterpreter session

sessions -l


  1. Installing VPN server:

I have already installed it. You can install it by running the command given below.

This is just another pivoting tutorial(Nothing special). We will try to find other hosts in the internal network of a organization and will do basic enumeration on discovered hosts.


Already compromised host with meterpreter session.

  1. Let’s check available meterpreter sessions:
sessions -l

2. Using autoroute module to create a pivot for the other network i.e. . After running this all the metasploit modules will be able to access internal network

(Here in this lab scenario, we already know this subnet exists)

msf6 post(multi/manage/autoroute) > set session 1
session => 1
msf6 post(multi/manage/autoroute) > set subnet
subnet =>
msf6 post(multi/manage/autoroute)…

Serialization is nothing but a way of representing objects as a long string. Methodology here is similar to encoding. We are converting objects into more usable, easy to handle format to be handled by our application or for our network stack.

<?phpclass User
public $username;
public $isDumb;
public function printData()
echo $this->username . ' is dumb.';
echo $this->username . ' is not dumb.';
$obj=new User();#instantiating class
$obj->isDumb=False; #change this boolean variable
echo "\n";
echo serialize($obj);

Let’s see what is going on here:

We have created…

IT security is full of buzz words. One of them which I got introduced with is “Egress-Testing”, which is nothing but checking firewall rules for TCP/UDP for outbound connections. Firewalls are generally configured by network admins to block outgoing traffic from servers(Port based blocking), which according to them prevents data exfiltration:)(misconceptions are everywhere). But these are servers running some services if they block all the ports so how do they serve their clients. This is where Egress-Testing comes into play. We will be seeing the barebone test i.e without any preinstalled tools/softwares.

  1. Windows

Server IP Address:

Our IP:



Geekđź‘ľ. Tries to understand how computers work. Would love to hear your suggestions and feedbacks. https://www.linkedin.com/in/pswalia2u/

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store