Kerberoasting remains the highest-ROI Active Directory attack: any authenticated domain user can request a service ticket for any account with a Service Principal Name (SPN), and crack that ticket offline. No special privileges. No exploits. Just Kerberos working as designed. ...

You have a low-privilege shell. Now what? This cheat sheet is the ordered, opinionated checklist that solves the privesc step on most CTFs and audits. 0. Stabilize the Shell python3 -c 'import pty; pty.spawn("/bin/bash")' export TERM=xterm-256color stty raw -echo; fg # back in your terminal: stty rows X cols Y A broken shell wastes hours. ...

Platform TryHackMe Difficulty Easy OS Linux Points 10 Release 2019-08-29 Tags Web enum, command injection, sudo abuse Pickle Rick is the room every new TryHackMe user solves first. It’s a perfect introduction to the full pentest loop on a single host — enumeration, exploitation, and post-exploitation — with a forgiving difficulty curve. ...

Cross-site scripting is twenty-five years old and still topping bug bounty payouts. Modern frameworks make trivial reflected XSS rare — but the bug class evolved, not disappeared. Here’s the 2026 view. The Three Flavors Type Where the payload lives Trigger Reflected URL or form, echoed in response Victim clicks crafted link Stored Database, served back to other users Victim visits an infected page DOM-based Sink in client-side JS reads a source Anything that influences the source Stored XSS is highest impact (often worm-able). DOM XSS dominates modern SPAs because so much state lives in the browser. ...

SQL injection is twenty-five years old and still in the OWASP Top 10. This guide covers detection, exploitation, automation with sqlmap, and modern defenses — with examples that work on real, modern stacks. Detection: The First Tick The classic single-quote test still works against bad code: ...

YARA is the pattern-matching language of malware analysis. Writing rules is easy; writing rules that survive the next sample variant is hard. This guide focuses on the second. The Rule Structure rule Example_Detection { meta: description = "Detects Example loader v3" author = "CyberSecurity Elite" date = "2026-04-14" hash = "f3b1...c7e9" reference = "https://example.com/report" tlp = "white" strings: $s1 = "C2_BEACON_HEADER" ascii wide $s2 = { 48 8b ?? ?? 48 89 ?? E8 [4] 85 C0 } $s3 = /api\/v[0-9]\/(checkin|exec)/ ascii nocase condition: uint16(0) == 0x5A4D and 2 of them } Three string types — text, hex with wildcards/jumps, and regex. The condition is what makes the rule precise. ...

Burp Suite Professional is the web pentest workhorse. Once you’ve moved past clicking “Intercept On”, the difference between an average tester and a great one is Burp fluency — how quickly you can pivot between Repeater, Intruder, and Collaborator without losing context. ...

Nmap is the single most important tool in any network security professional’s toolkit. This tutorial covers everything from basic discovery to the Nmap Scripting Engine (NSE) and firewall evasion. Why Nmap Still Matters in 2026 Despite an explosion of newer scanners (Masscan, Naabu, Rustscan), Nmap remains canonical because of three things: accurate service detection, the NSE library, and decades of edge-case handling. Most production “fast scanners” pipe their output back into Nmap for verification. ...

Memory forensics catches what disk forensics misses — running malware, in-RAM credentials, injected processes, and rootkit hooks. Volatility 3 modernized the framework with Python 3, symbol-driven analysis, and a cleaner plugin model. Here’s how to actually use it. Acquiring Memory Windows: WinPmem, FTK Imager, or DumpIt. Linux: LiME or AVML. Always: ...

Ghidra is the open-source disassembler that broke IDA Pro’s monopoly. The decompiler is genuinely competitive, scripting is friendly (Python and Java), and it costs nothing. This tutorial walks through a realistic malware triage workflow. Setting Up a Safe Lab Before opening anything malicious: ...