In this write‑up, I’m going to share how I was able to create my own administrative account on a production platform belonging to a company recognized in the Fortune 50 Best Companies to Work For® List (2025). With no prior permissions, this flaw allowed me to delete any user, remove entire organizations, and gain unrestricted access to highly sensitive financial‑related records. I was also able to access and download internal files, including confidential PDFs and company submission documents, clearly demonstrating a critical security failure that required immediate remediation.

Hello everyone, welcome to my Ultimate HTB CPTS Guide. Don’t worry, this won’t be just another CPTS blog. I wanted to write something different, because the HTB CPTS environment was recently updated and I couldn’t really find any fresh exam experiences, tips, or tricks online.

Hello everyone! Welcome to the writeup for a challenge called 'Silly Cloud' from TUCTF 24. I found this challenge both fun and challenging! It revolved around interacting with the internet-facing REST API of Kubernetes (K8s).

Hello, everyone! In this blog, I want to showcase a dangerous function that, if used improperly, can cause serious harm, whether in a web app or elsewhere. In this article, I’ll focus on the abuse of eval() in Discord bots. While it's rare to find it, if you ever come across it or discover that a bot is using it, it's incredibly dangerous.