Writeups, research, and technical notes from a Senior Security Consultant and competitive CTF player based in Singapore.
Git commit history is a graveyard of secrets that developers accidentally committed and then deleted. “Deleted” in Git doesn’t mean gone — it means hidden. This…
Network segmentation is a common obstacle during pentests. Once you have a foothold in a segment, tunneling lets you reach further internal resources. This chea…
WebView is a Chromium-based browser embedded in Android apps. When misconfigured, it allows JavaScript to call native Android methods, read local files, or acce…
Windows privilege escalation covers a wide range of techniques from unquoted service paths to token impersonation. This cheatsheet covers the most reliable tech…
Impacket is a collection of Python classes for working with network protocols, focused on Windows and Active Directory. Every tool in the suite is indispensable…
Getting a shell is step one. Getting root is the goal. This cheatsheet organizes every Linux privilege escalation technique with the exact commands you need dur…
Android’s intent system is a powerful inter-component communication mechanism — and a rich attack surface. This post covers the full range of intent-based vulne…
SSL pinning on iOS works similarly to Android but uses different APIs. Most apps use NSURLSession or a third-party library like Alamofire. This guide covers byp…
Insecure data storage is one of the most consistent findings in Android app assessments. Sensitive data ends up in plaintext SharedPreferences, world-readable S…
A complete reverse shell reference organized by language and platform. Always set up your listener before triggering the shell.