BLOG

Planting a Fake Config to Steal the Admin Cookie: Intigriti March 2026 XSS Challenge
Planting a Fake Config to Steal the Admin Cookie: Intigriti March 2026 XSS Challenge

March 21, 2026 (5d ago)

How I chained DOM Clobbering, a forgotten same-origin JSONP endpoint, and a dynamic script loader to bypass DOMPurify and a strict CSP and walk away with the admin cookie.

Read post
Chaining 3 Bugs to Steal the Admin's Cookie — Intigriti February 2026 XSS Challenge
Chaining 3 Bugs to Steal the Admin's Cookie — Intigriti February 2026 XSS Challenge

February 20, 2026 (1mo ago)

A walkthrough of how I found and exploited a stored XSS in InkDrop by chaining a broken markdown renderer, a dangerous script re-execution pattern, and a JSONP callback injection to bypass CSP.

Read post
Windows 11 Lock Screen Bypass using WinRE - NT Authority/SYSTEM
Windows 11 Lock Screen Bypass using WinRE - NT Authority/SYSTEM

October 9, 2025 (5mo ago)

A step-by-step walkthrough of bypassing the Windows 11 lock screen via WinRE binary substitution to obtain an NT AUTHORITY\SYSTEM shell.

Read post
Cobalt Strike Attack & Defend II
Cobalt Strike Attack & Defend II

June 6, 2024 (1y ago)

A digital-forensics-focused follow-up to the Cobalt Strike attack series, covering static analysis, deofuscation, and network/process/memory investigation with screenshots.

Read post
Cobalt Strike Attack & Defend
Cobalt Strike Attack & Defend

January 8, 2024 (2y ago)

An attack & defense walkthrough of Cobalt Strike, with screenshots and references, focusing on teamserver setup and stageless payload creation.

Read post
LinkedIn