
How I Created My Own Admin Account on a Production System

9 min read
Raunak Neupane
Security Researcher • Penetration Tester • Bug Hunter

In this write-up, I’m going to share how I was able to create my own administrative account on a production platform belonging to a company recognized in the Fortune 50 Best Companies to Work For® List (2025). With no prior permissions, this flaw allowed me to delete any user, remove entire organizations, and gain unrestricted access to highly sensitive finance-related records. I was also able to access and download internal files, including confidential PDFs and company submission documents, clearly demonstrating a critical security failure that required immediate remediation.

Ultimate HTB CPTS Guide

17 min read

Hello everyone, welcome to my Ultimate HTB CPTS Guide. Don’t worry, this won’t be just another CPTS blog. I wanted to write something different, because the HTB CPTS environment was recently updated and I couldn’t really find any fresh exam experiences, tips, or tricks online.

Silly Cloud From TUCTF 24

7 min read

Hello everyone! Welcome to the writeup for a challenge called 'Silly Cloud' from TUCTF 24. I found this challenge both fun and challenging! It revolved around interacting with the internet-facing REST API of Kubernetes (K8s).

Why You Shouldn't Use eval() in Discord Bots (or in Any App)

10 min read

Hello, everyone! In this blog, I want to showcase a dangerous function that, if used improperly, can cause serious harm, whether in a web app or elsewhere. In this article, I’ll focus on the abuse of eval() in Discord bots. It’s rare to find, but if you ever come across a bot that uses it, know that it’s incredibly dangerous.
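The pattern the post warns about, shown as an added example that is not code from the original post or from any real bot: a minimal Discord-style command handler with an `!eval` command that passes message text straight to `eval()`, next to a hardened `!calc` command that evaluates user input with its own tiny arithmetic parser instead of the JavaScript engine. The message objects, the `BOT_TOKEN` environment variable and the `msg()` helper are constructed stand-ins for discord.js `Message` objects and real secrets; no Discord library or network access is used.

```javascript
// Added example (not from the original post): why eval() on message content
// hands the bot's full privileges to whoever can type in the channel, and what
// a safe replacement for a "calculator" command looks like.

const PREFIX = "!";

// Constructed secret, standing in for the real token a bot process holds.
process.env.BOT_TOKEN = "constructed-secret-token";

// Constructed stand-in for a discord.js Message object (assumption).
function msg(content) {
  return { content, author: { bot: false } };
}

// VULNERABLE: "!eval <code>". Everything after the command name runs with the
// bot's privileges: its token, environment, filesystem and network. A guild
// member who can send messages gets remote code execution on the host.
function vulnerableEvalCommand(message) {
  const cmd = PREFIX + "eval ";
  if (!message.content.startsWith(cmd)) return null;
  const code = message.content.slice(cmd.length);
  // eslint-disable-next-line no-eval
  return String(eval(code)); // arbitrary code execution
}

// SAFE: a recursive-descent evaluator for numbers, + - * / and parentheses.
// User input is only ever matched against this grammar, never executed, so
// there is no payload to escape and nothing outside the grammar is reachable.
function safeCalc(expr) {
  const s = expr.replace(/\s+/g, "");
  let i = 0;

  function number() {
    const m = /^\d+(\.\d+)?/.exec(s.slice(i));
    if (!m) throw new Error("expected number at " + i);
    i += m[0].length;
    return parseFloat(m[0]);
  }
  function unary() {
    if (s[i] === "(") {
      i++;
      const v = addSub();
      if (s[i++] !== ")") throw new Error("missing )");
      return v;
    }
    if (s[i] === "-") { i++; return -unary(); }
    return number();
  }
  function mulDiv() {
    let v = unary();
    while (s[i] === "*" || s[i] === "/") {
      const op = s[i++];
      const r = unary();
      v = op === "*" ? v * r : v / r;
    }
    return v;
  }
  function addSub() {
    let v = mulDiv();
    while (s[i] === "+" || s[i] === "-") {
      const op = s[i++];
      const r = mulDiv();
      v = op === "+" ? v + r : v - r;
    }
    return v;
  }

  const v = addSub();
  if (i !== s.length) throw new Error("unexpected input at " + i);
  return v;
}

// HARDENED: "!calc <expression>". Bounded input, closed grammar, errors are
// reported to the user rather than crashing the bot.
function safeCalcCommand(message) {
  const cmd = PREFIX + "calc ";
  if (!message.content.startsWith(cmd)) return null;
  const expr = message.content.slice(cmd.length);
  if (expr.length > 200) return "expression too long";
  try {
    return String(safeCalc(expr));
  } catch (e) {
    return "invalid expression";
  }
}

// Constructed channel messages: the first exfiltrates the bot token through
// eval(); the same payload is rejected by the calculator, which only accepts
// arithmetic.
const leaked = vulnerableEvalCommand(msg("!eval process.env.BOT_TOKEN"));
const rejected = safeCalcCommand(msg("!calc process.env.BOT_TOKEN"));
const ok = safeCalcCommand(msg("!calc 2 * (3 + 4)"));
```

The point of the parser is not that arithmetic is special; it is that the bot decides up front which operations users may trigger and implements exactly those, so the question "what can an attacker make the bot do with this string?" has a closed answer. The same applies to `Function()`, `vm.runInThisContext()` and shelling out with message content, which are eval() under another name.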