// Writeups & Research

Technical writeups from CTF competitions, security research, and hands-on projects. Documenting the path from intelligence analyst to cybersecurity professional.

show
$ showing all writeups
MAY 2026 ctf

PhantomNet (CachePhantom): A MetaCTF Web Walkthrough

A MetaCTF Flash CTF web challenge that chains stored XSS, nginx cache poisoning via path confusion, and CSS attribute-selector exfiltration. None of the three primitives are exotic on their own, but chaining them was a fun problem and a great...

metactf web xss css-exfil cache-poisoning path-confusion
Read more →
MAY 2026 research

AeroLab v2: Building a Purple Team Home Lab from Scratch

Two nodes, five network segments, and a full detection stack. AeroLab v2 is the complete rebuild, designed from the ground up for running real attacks and seeing what the SIEM actually catches.

proxmox elastic-siem active-directory velociraptor caldera
Read more →
APRIL 2026 reflection

Demystifying GIAC Exam Prep: Where to Start

How I scored 95%+ on three GIAC exams and made the Advisory Board, and the exact system I used to build an index that works under test conditions.

GIAC GSEC GCIH GFACT SANS exam-prep indexing study-guide open-book certifications
Read more →
MARCH 2026 htb

Meow

Single open port, telnet on 23/tcp, no password on root. Recognizing an exposed unauthenticated service and acting on it.

telnet misconfiguration default-credentials linux starting-point enumeration unauthenticated-access
Read more →
MARCH 2026 research

Homelab AI Implementation Playbook

Lessons from the Cloud Security Alliance TAISE certification course, translated into practical guidance for homelab AI deployments.

ai-security homelab zero-trust mlops responsible-ai TAISE cloud-security-alliance RAG prompt-injection data-poisoning LLM-security OWASP-AI ai-governance model-security least-privilege
Read more →
MARCH 2026 research

Port Targeting Analysis

Three ports accounted for 88% of all inbound traffic across 28 days. HTTPS, VNC, and an alternate HTTPS port dominated, with a concentrated SNMP burst hitting 1.3 million events in just 48 hours before going completely silent.

honeypot threat-intelligence T-Pot GCP ports scanning HTTPS VNC SNMP SMB SSH port-analysis MikroTik Asterisk CISA-BOD-23-02 28-days-exposed
Read more →
MARCH 2026 research

Future Attack Trends

Three patterns from this deployment align with broader reporting from early 2026: a 2019-patched Fortinet flaw still leading by volume, IoT botnet scanning running every single day, and a critical RCE active within two months of disclosure.

honeypot threat-intelligence T-Pot GCP trends CVE Fortinet IoT-botnet RondoDox Verizon-DBIR exploitation-trends Vite PHP-CGI CVE-2024-4577 28-days-exposed
Read more →
MARCH 2026 research

Threat Actor Assessment

Three CVEs, three distinct operational patterns. Burst scanning, steady botnet activity, and post-disclosure opportunistic scanning each point to different infrastructure behind the top threats in this dataset.

honeypot threat-intelligence T-Pot GCP threat-actors attribution behavioral-analysis TTPs Iran-nexus China-nexus ELEVEN11 UNC5454 operational-patterns 28-days-exposed
Read more →
MARCH 2026 research

Credential Attack Patterns

28 days of Cowrie credential logs show root as the top username and two IoT device defaults accounting for roughly 30% of global SSH brute-force attempts embedded in scanning tooling worldwide.

honeypot threat-intelligence T-Pot GCP credentials SSH Cowrie brute-force default-credentials password-spraying IoT Telnet coinminer Polycom 28-days-exposed
Read more →
MARCH 2026 research

Cloud Infrastructure Abuse

Three major cloud providers contributed 17.4 million events across 28 days, accounting for 18.1% of all inbound attack traffic. DigitalOcean alone was responsible for 14.3%.

honeypot threat-intelligence T-Pot GCP cloud attribution DigitalOcean Amazon-AWS cloud-abuse VPS attack-infrastructure ASN-analysis abuse-reporting 28-days-exposed
Read more →
MARCH 2026 research

Geographic Attribution

Where attack traffic originated during a 28-day T-Pot honeypot deployment, and why cloud provider and VPN exit node usage limits attribution confidence.

honeypot threat-intelligence T-Pot GCP geographic-attribution ASN-analysis DigitalOcean MaxMind cloud-attribution Netherlands Brazil Ukraine botnet 28-days-exposed
Read more →
MARCH 2026 research

Suricata Signature Analysis

A breakdown of the top Suricata signatures fired across 28 days, from 3.4 million VNC alerts to FortiOS exploitation attempts and DoublePulsar backdoor communication.

honeypot threat-intelligence T-Pot GCP Suricata IDS IDS-rules Emerging-Threats VNC python-requests Nmap Dshield signature-analysis 28-days-exposed
Read more →
MARCH 2026 research

Campaign Report: SIP Scanning with sipsak

6,213 SIP scan events across just 3 days in February 2026, with 73.5% occurring on a single day.

honeypot threat-intelligence T-Pot GCP SIP VoIP scanning sipsak toll-fraud port-5060 campaign-analysis 28-days-exposed
Read more →
MARCH 2026 research

Campaign Report: RDP Scanning and Authentication Bypass Attempts

321,116 RDP-related events in February 2026, with over 60% occurring in a single day on 2026/02/17.

honeypot threat-intelligence T-Pot GCP RDP scanning Remote-Desktop authentication-bypass port-3389 brute-force ransomware Windows campaign-analysis mass-scanning 28-days-exposed
Read more →
MARCH 2026 research

Campaign Report: DoublePulsar Backdoor Communication

13,522 events flagging DoublePulsar backdoor communication across February 2026, nearly a decade after the NSA implant was leaked.

honeypot threat-intelligence T-Pot GCP DoublePulsar EternalBlue SMB legacy CVE-2017-0144 MS17-010 NSA-tools Shadow-Brokers WannaCry NotPetya Windows implant campaign-analysis 28-days-exposed
Read more →
MARCH 2026 research

Campaign Report: React Server Components RCE Scanning (CVE-2025-55182)

28 days of declining RCE scanning targeting CVE-2025-55182, a critical flaw in React Server Components disclosed two months before this deployment.

honeypot threat-intelligence CVE T-Pot GCP React RCE web CVE-2025-55182 React2Shell deserialization Next.js CISA-KEV China-nexus Cobalt-Strike campaign-analysis post-disclosure-scanning 28-days-exposed
Read more →
MARCH 2026 research

Campaign Report: ELEVEN11 Botnet and TVT DVR Probing

28 days of flat, uninterrupted scanning tied to the ELEVEN11 botnet targeting TVT NVMS-9000 DVRs via CVE-2024-14007.

honeypot threat-intelligence CVE T-Pot GCP botnet IoT Mirai CVE-2024-14007 TVT-NVMS ELEVEN11 DVR NVR authentication-bypass DDoS campaign-analysis GreyNoise 28-days-exposed
Read more →
MARCH 2026 research

Campaign Report: Fortinet FortiOS SSL VPN Scanning

Analysis of 29,938 scanning events targeting CVE-2018-13379 across a 28-day T-Pot honeypot deployment on Google Cloud Platform.

honeypot threat-intelligence T-Pot FortiOS CVE-2018-13379 GCP Fortinet SSL-VPN path-traversal CISA-KEV campaign-analysis burst-scanning credential-theft Metasploit 28-days-exposed
Read more →
MARCH 2026 research

Most Recently Disclosed CVE Observed

Analysis of CVE-2026-24061, the most recently disclosed CVE observed in the February 2026 T-Pot honeypot deployment, including observed activity, scoring data, and defender guidance.

honeypot threat-intelligence T-Pot GCP CVE telnet CVE-2026-24061 GNU-InetUtils authentication-bypass CISA-KEV rapid-exploitation telnetd 28-days-exposed
Read more →
MARCH 2026 research

Legacy Vulnerability Exploitation

Pre-2017 CVEs that still generated inbound scanning activity during a 28-day honeypot deployment, and what the patterns suggest about long-unpatched systems.

honeypot threat-intelligence CVE T-Pot GCP legacy-CVEs CVE-2014-6271 CVE-2013-2251 CVE-2013-4810 CVE-2014-3704 CVE-2016-20016 CVE-2016-20017 Shellshock Drupalgeddon Apache-Struts D-Link CCTV-DVR 28-days-exposed patch-management
Read more →
MARCH 2026 research

Top CVEs by Event Volume

Analysis of the three highest-volume CVEs observed across a 28-day T-Pot honeypot deployment on Google Cloud Platform, February 2026.

honeypot threat-intelligence CVE T-Pot GCP Fortinet IoT CVE-2018-13379 CVE-2024-14007 CVE-2025-55182 FortiOS TVT-NVMS React-RCE Suricata CISA-KEV botnet Mirai ELEVEN11 exploit-detection IDS cloud-security 28-days-exposed
Read more →
FEBRUARY 2026 picoctf

droids1

Category: Reverse Engineering Difficulty: Hard

picoctf reverse-engineering android apk apktool mobile-security
Read more →
FEBRUARY 2026 picoctf

PowerAnalysis: Warmup

Category: Cryptography Points: 400 Difficulty: Hard

picoctf cryptography side-channel power-analysis correlation-attack
Read more →
DECEMBER 2025 reflection

Target x WiCyS Cyber Defense Challenge - Lessons from 2nd Place

Reflections on placing 2nd in the national cyber defense competition. What I learned working through both offensive and defensive scenarios, how it shaped my career transition, and the lessons I'm taking forward.

blue-team incident-response red-team career-transition WiCyS Target cyber-defense competition DNS-exfiltration Wireshark forensics reverse-engineering offensive-security LDAP SMB network-forensics
Read more →
SEPTEMBER 2025 ctf

O5: Tunnel Vision - DNS Exfiltration Protocol Reverse Engineering

Reverse engineering a DNS exfiltration binary when every other escape route has been cut off. Complete protocol reconstruction from ARM64 assembly using Ghidra static analysis.

reverse-engineering ghidra dns cryptography blue-team DNS-exfiltration ARM64 static-analysis binary-analysis protocol-analysis WiCyS Target DoH malware-analysis CTF
Read more →
AUGUST 2025 research

AeroX: Building and Deploying My First ERC-20 Token

Exploring blockchain security by building and deploying an ERC-20 token on the Sepolia testnet. Understanding smart contract vulnerabilities, transaction security, and the fundamentals of decentralized systems.

blockchain solidity smart-contracts web3 ethereum ERC-20 web3-security hardhat defi-security smart-contract-security reentrancy crypto-forensics
Read more →
AUGUST 2025 kc7

KC7: Encryptodera - Multi-Stage Insider Threat & Ransomware Investigation

Technical analysis of three connected security incidents: insider data theft, ransomware deployment via compromised account, and cryptocurrency exfiltration over FTP spanning 40+ days.

KQL insider-threat ransomware DFIR credential-dumping MITRE-ATT&CK kc7 mimikatz GPO-abuse lateral-movement FTP-exfiltration log-analysis Azure-Data-Explorer data-exfiltration PowerShell ScreenConnect domain-controller incident-response cryptocurrency
Read more →
JULY 2025 kc7

KC7: Convoy Street Interactive - APT41 Threat Hunt

Threat hunting investigation tracking APT41 (Brass Typhoon) from initial reconnaissance through data exfiltration in a gaming company breach. Participated in KC7's Threat Hunting in Action workshop.

KQL threat-hunting DFIR CTF APT41 MITRE-ATT&CK kc7 Brass-Typhoon China-nexus lateral-movement RDP credential-dumping C2 spearphishing log-analysis Azure-Data-Explorer Diamond-Model nation-state
Read more →
JULY 2025 research

AeroLab v1.0: Building a Personal Cybersecurity Homelab

Building a hands-on cybersecurity lab focused on blue team operations, threat detection, and enterprise environment simulation using clustered Proxmox nodes.

proxmox wazuh siem active-directory suricata network-security homelab blue-team detection-engineering purple-team mitre-caldera threat-detection windows-server virtualization
Read more →
MAY 2025 kc7

KC7: Krusty Krab - Threat Intelligence Investigation

My first cybersecurity investigation report analyzing a multi-stage phishing campaign, credential harvesting, malware deployment, and data exfiltration using KustoQL (KQL) database queries.

KQL phishing DFIR CTF threat-intelligence MITRE-ATT&CK kc7 credential-harvesting C2 data-exfiltration spearphishing malware log-analysis Azure-Data-Explorer rclone PowerShell incident-response
Read more →
$ no results — try a different search