Security Analyst | Penetration Tester
Welcome to my cybersecurity documentation hub. Here I document my journey through hands-on security training platforms, CTF challenges, and practical labs. This portfolio represents real skills acquired through offensive security practice—from Linux fundamentals to privilege escalation techniques.
Every writeup and note represents practical, lab-validated learning from pwn.college, Hack The Box, and TryHackMe across offensive and defensive workflows.
Platform Writeups
Hands-on concepts and methodology documentation from cybersecurity training platforms. Expand each section to view detailed writeups.
Understand Linux file permissions and how to modify them for security hardening and exploitation.
ls -la to view file permissions in detailchmod to change permissions using octal and symbolic notationls -la # View detailed permissions chmod 755 filename # rwxr-xr-x (owner: full, others: read/execute) chmod +x script.sh # Add execute permission chmod 600 secret.txt # rw------- (owner only) chmod u+x,g-w file # Symbolic notation
| Octal | Permission | Meaning |
|---|---|---|
| 7 | rwx | Read, Write, Execute |
| 6 | rw- | Read, Write |
| 5 | r-x | Read, Execute |
| 4 | r-- | Read only |
| 0 | --- | No permissions |
chmod changes file permissionsMisconfigured permissions can expose sensitive files. Always use minimum required permissions. Never use chmod 777 in production—it allows anyone to read, write, and execute.
Learn how environment variables work and affect program execution for both system administration and exploitation.
envexportenv # View all environment variables echo $PATH # View specific variable export MYVAR="value" # Set and export variable printenv # Alternative to env unset MYVAR # Remove variable
| Variable | Purpose | Security Impact |
|---|---|---|
| PATH | Command search path | PATH hijacking attacks |
| LD_PRELOAD | Libraries to preload | Code injection |
| HOME | User home directory | Config file locations |
| SHELL | Default shell | Execution context |
export makes variable available to subprocessesNever store secrets in environment variables visible to other processes. PATH manipulation can be used for privilege escalation if privileged scripts call commands without full paths.
Learn basic shell scripting for automation of security tasks and enumeration.
#!/bin/bashchmod +x#!/bin/bash # Shebang specifies interpreter echo "Hello, World!" # Variables VAR="value" echo $VAR # Command substitution RESULT=$(whoami) echo "Current user: $RESULT" # Make executable and run chmod +x script.sh ./script.sh
$(command) or backticksAlways validate input in scripts. Never run untrusted scripts with elevated privileges. Be cautious of command injection through unvalidated user input.
Learn to manage processes in Linux for system administration and security analysis.
&fg to bring to foregroundbg to continue stopped processessucommand & # Run in background fg # Bring to foreground bg # Continue in background jobs # List current jobs Ctrl+Z # Suspend current process ps aux # List all processes ps auxf # Process tree su username # Switch user kill PID # Terminate process kill -9 PID # Force kill
| Column | Meaning |
|---|---|
| PID | Process ID |
| PPID | Parent process ID |
| USER | Process owner |
| %CPU | CPU usage |
| COMMAND | What's running |
& runs command in backgroundCtrl+Z suspends current processfg brings background job to foregroundjobs lists current shell jobssu switches user contextBackground processes can persist after logout. Identify services running as root. Find processes with network connections. Detect hidden or suspicious processes during investigation.
Understand how PATH affects command execution and how it can be exploited for privilege escalation.
echo $PATH # View current PATH export PATH=/my/dir:$PATH # Prepend directory which command # Find command location # Dangerous: current directory in PATH export PATH=".:$PATH" # DON'T do this!
PATH manipulation is a classic privilege escalation technique. If a privileged script calls commands without full paths (e.g., cat instead of /bin/cat), an attacker can hijack execution by placing malicious binaries in an earlier PATH directory.
Learn to chain commands using pipes and control input/output redirection.
| to send output of one command to anothercat file | head # Pipe to head ls | grep pattern # Filter output cmd1 | cmd2 | cmd3 # Chain multiple commands cat file | tr 'a' 'b' # Translate characters # Redirection command > file # Redirect output to file (overwrite) command >> file # Append to file command < file # Read input from file 2>&1 # Redirect stderr to stdout
| sends stdout of left command to stdin of right commandhead shows first lines/bytestr translates charactersBe careful piping sensitive data—intermediate commands may log or expose information. Use pipes for chaining security tools efficiently during enumeration.
Understand encoding, data representation, and byte-level manipulation for binary analysis.
# Base64 echo -n "hello" | base64 # Encode echo "aGVsbG8=" | base64 -d # Decode # Hex echo -n "hello" | xxd -p # Encode echo "68656c6c6f" | xxd -r -p # Decode
# Python raw bytes
bytes.fromhex("68656c6c6f")
import sys
sys.stdout.buffer.write(data)
import base64
base64.b64decode("aGVsbG8=")
Encoding is NOT encryption. Always read the code—understand transformations. Programs compare bytes, not characters. Obfuscation provides no real security.
Understand HTTP communication, manual request crafting, and how clients interact with web servers.
netcatcurl for quick HTTP interactionsrequests library# Netcat raw HTTP nc example.com 80 GET / HTTP/1.1 Host: example.com # Curl requests curl http://example.com curl -H "Host: app.example.com" http://target-ip curl -v http://example.com # Verbose output # Python requests import requests r = requests.get("http://example.com", headers={"Host": "app.example.com"}) print(r.text)
| Part | Example | Purpose |
|---|---|---|
| Method | GET | Action to perform |
| Path | /resource | Resource requested |
| Version | HTTP/1.1 | Protocol version |
| Host | example.com | Target virtual host |
Understanding raw HTTP is essential for web exploitation. The Host header can be manipulated to access hidden virtual hosts. Response headers often leak sensitive information not visible in page body.
After gaining access, enumeration reveals escalation paths and valuable data. This is the foundation of post-exploitation.
uname -a # Kernel version cat /etc/os-release # OS details hostname # System name cat /proc/version # Kernel info
whoami # Current user id # UID, GID, groups sudo -l # Sudo permissions cat /etc/passwd # All users cat /etc/shadow # Password hashes (if readable) history # Command history
ip a # Interfaces netstat -tuln # Listening ports ss -tuln # Alternative cat /etc/hosts # Host mappings arp -a # ARP cache
# SUID binaries (potential escalation) find / -perm -4000 2>/dev/null # Writable directories find / -writable -type d 2>/dev/null # Recent files find / -mtime -1 2>/dev/null # Configuration files find / -name "*.conf" 2>/dev/null
# SSH keys ls -la ~/.ssh/ cat ~/.ssh/id_rsa # Bash history cat ~/.bash_history # Config files with passwords grep -r "password" /etc/ 2>/dev/null
SUID binaries may allow privilege escalation. Readable config files may contain credentials. Cron jobs may run vulnerable scripts. Kernel version indicates potential exploits.
User accounts and privileges are primary targets. Understanding user management helps identify misconfigurations and escalation paths.
# User information whoami # Current user id # User ID, groups groups # Group memberships cat /etc/passwd # All users cat /etc/shadow # Password hashes (root only) cat /etc/group # All groups # Switch users su - username # Switch user (need password) sudo -l # List sudo privileges sudo command # Run as root sudo -u user command # Run as specific user
| File | Contents |
|---|---|
| /etc/passwd | User accounts (readable by all) |
| /etc/shadow | Password hashes (root only) |
| /etc/group | Group definitions |
| /etc/sudoers | Sudo permissions |
username:x:UID:GID:comment:home:shell root:x:0:0:root:/root:/bin/bash
# Users with shell access grep -v "nologin\|false" /etc/passwd # Users in sudo group getent group sudo # Check sudo permissions sudo -l
Weak sudo configurations, users in privileged groups, accounts with no password, service accounts with shell access.
ip a # All interfaces with IPs ip link # Link layer info ifconfig # Legacy command netstat -rn # Routing table cat /etc/resolv.conf # DNS servers
Practiced directory enumeration to discover non-obvious web routes, then shifted to SOC response to investigate and mitigate a web discovery attack pattern.
dirb http://target-site with common wordlist-based endpoint discovery200, 301, 404) during brute forcingCore computing concepts: hardware architecture, boot process, virtualization, cloud computing, client-server models, and OS security principles.
Expanded foundation across networking, DNS, HTTP communication, web architecture, and client-side web security concepts.
A, MX, TXT, CNAMEping and ICMP metrics (latency, packet loss)GET, POST, PUT, DELETE200, 301, 403, 404, 500Host, User-Agent, Authorization, Cookie# 1. User Context whoami id sudo -l # 2. System Info uname -a cat /etc/os-release # 3. SUID Binaries find / -perm -4000 2>/dev/null # Check GTFOBins for exploitation # 4. Writable Files find / -writable -type f 2>/dev/null # 5. Cron Jobs cat /etc/crontab ls -la /etc/cron.* # 6. PATH Hijacking echo $PATH # Check if writable directories are in PATH # 7. Credentials cat ~/.bash_history grep -r "password" /etc/ 2>/dev/null
LinPEAS # Automated enumeration GTFOBins # Binary exploitation reference sudo -l # Check sudo rights find -perm # Find special permissions
Operations Dossier
Professional, expandable security notes covering architecture, methodology, offensive workflow, and defensive translation — all readable directly on this site.
This block captures system-control fundamentals used in both penetration testing and defensive hardening.
whoami id sudo -l ls -la chmod 640 notes.txt chown user:group notes.txt ps aux
Reconnaissance is treated as a structured intelligence phase for attack-surface definition and defensive visibility.
nmap 10.10.10.10 nmap -sV 10.10.10.10 nslookup example.com whatweb target gobuster dir -u http://target -w wordlist.txt
Packet analysis is used for troubleshooting, incident confirmation, and protocol-level anomaly detection.
tcpdump -i eth0 wireshark # common display filters icmp dns http
Focus is on practical security interpretation of confidentiality, integrity, and authentication controls.
echo "hello" | base64 echo "aGVsbG8=" | base64 -d echo "hello" | xxd john --show hash.txt
High-level risk analysis of credential-exposure patterns and modern phishing-triggered authentication abuse.
sudo responder -I eth0 # analyze suspicious authentication behavior # validate outbound SMB controls
This section maps offensive workflow stages to concrete defensive controls and detection opportunities.
# workflow discipline recon -> enumerate -> validate -> report # defensive translation patch -> harden auth -> monitor -> contain
Technical Competencies
Professional capability areas developed through lab practice and repeatable methodology.
Linux powers most servers, security tools, and target systems. Mastery of the command line is essential for any security role.
pwd # Current directory ls -la # List with permissions cd /path # Change directory cat file.txt # View file head -n 20 file # First 20 lines tail -f /var/log/syslog # Follow log in real-time grep "pattern" file # Search in file find / -name "*.conf" # Find files id # Current user/groups
/etc - Configuration files (may contain credentials)
/var/log - System logs
/home - User directories
/tmp - Temporary files (often world-writable, common attack vector)
/root - Root user home
After gaining access, enumeration reveals escalation paths and valuable data. This is the foundation of post-exploitation.
uname -a # Kernel version cat /etc/os-release # OS details whoami # Current user id # UID, GID, groups sudo -l # Sudo permissions cat /etc/passwd # All users
find / -perm -4000 2>/dev/null # SUID binaries find / -writable -type d 2>/dev/null # Writable dirs grep -r "password" /etc/ 2>/dev/null # Credentials
# 1. User Context whoami && id && sudo -l # 2. SUID Binaries find / -perm -4000 2>/dev/null # 3. Cron Jobs cat /etc/crontab ls -la /etc/cron.* # 4. PATH Hijacking echo $PATH
• Misconfigured sudo permissions
• SUID binaries (check GTFOBins)
• Writable scripts in cron
• Credentials in config files
• Kernel exploits
#!/bin/bash
echo "Hello"
VAR=$(command) # Command substitution
chmod +x script.sh
./script.sh
• Scripts need shebang (#!/bin/bash) to specify interpreter
• Command substitution: $(command) or backticks
• Variables: no $ when assigning, $ when reading
• Always validate input, never run untrusted scripts as root
Understanding running processes helps identify suspicious activity, find vulnerable services, and manage system resources during testing.
ps aux # All processes ps auxf # Process tree command & # Run in background jobs # List background jobs fg %1 # Bring to foreground kill PID # Graceful termination kill -9 PID # Force kill lsof -i :80 # What's using port 80
Virtualization enables isolated testing environments, malware analysis, and resource optimization. Critical for security labs, CTFs, and enterprise infrastructure.
VM: Software-based computer with its own OS running inside a host
Host: Physical machine running the hypervisor
Guest: Virtual machine running on the host
Snapshot: Point-in-time state capture for rollback
# Type 1 (Bare-metal) - Runs directly on hardware - VMware ESXi, Hyper-V, KVM - Better performance, enterprise use # Type 2 (Hosted) - Runs on top of host OS - VirtualBox, VMware Workstation - Easier setup, desktop use
• Malware Analysis: Isolate suspicious files from host
• Penetration Testing: Attack lab networks safely
• Snapshot Testing: Test exploits, restore clean state
• Network Isolation: Segmented lab environments
• Multi-OS Testing: Run Windows, Linux, Kali simultaneously
Most modern infrastructure runs in the cloud. Understanding cloud architecture is essential for security assessments, incident response, and secure deployments.
IaaS: Infrastructure as a Service (VMs, storage, networks)
PaaS: Platform as a Service (managed runtime, databases)
SaaS: Software as a Service (end-user applications)
# Common cloud resources - Virtual Machines (EC2, Azure VMs) - Storage (S3, Blob Storage) - Databases (RDS, CosmosDB) - Networks (VPC, Virtual Networks) - Identity (IAM, Azure AD) # Remote access ssh -i key.pem user@instance-ip
• IAM Policies: Principle of least privilege
• Security Groups: Cloud-based firewalls
• Encryption: Data at rest and in transit
• Logging: CloudTrail, Azure Monitor for audit
• Misconfigurations: #1 cloud vulnerability
Operating systems are the foundation of all computing. Understanding OS security is critical for hardening systems, detecting threats, and performing security assessments.
Kernel Space: Unrestricted hardware access, runs OS core
User Space: Restricted permissions, runs applications
Security Goal: Prevent user space from accessing kernel directly
Exploitation: Kernel exploits grant full system control
# Authentication - Passwords, SSH keys, MFA - /etc/passwd, /etc/shadow (Linux) - SAM database (Windows) # Authorization - File permissions (rwx) - User/group policies - sudo, UAC # Network Security - Firewalls (iptables, Windows Firewall) - Network segmentation
• Updates: Patch vulnerabilities promptly
• Least Privilege: Minimal user permissions
• Firewall: Block unnecessary ports
• Logging: Monitor for suspicious activity
• Endpoint Protection: Antivirus, EDR solutions
• Disable Unused Services: Reduce attack surface
Cryptography protects data confidentiality, supports integrity checks, and underpins secure communication protocols used across modern systems.
# Symmetric encryption - One shared key for encryption and decryption - Fast and efficient for large data volumes - Main challenge: secure key distribution # Asymmetric encryption - Public key encrypts, private key decrypts - Supports safer key exchange - Slower, often combined with symmetric encryption
Encryption: Protects secrecy
Encoding: Transforms format for transport or compatibility
Hashing: Supports integrity validation and password verification workflows
• TLS combines asymmetric and symmetric cryptography
• Weak key handling breaks otherwise strong encryption
• Encoding should never be confused with encryption
• Integrity controls are critical alongside confidentiality
Packet analysis is essential for network troubleshooting, intrusion detection, forensic investigation, and understanding how applications communicate at the protocol level.
# Packet Capture Recording raw network traffic into pcap files for later analysis and forensic investigation # Protocol Layers Ethernet → IP → TCP/UDP → Application Each layer reveals different information # Deep Packet Inspection Examining packet payloads for patterns, credentials, or malicious content
ip.addr == 192.168.1.1 # Filter by IP tcp.port == 80 # Filter by port http.request.method == GET # HTTP GET requests dns # DNS traffic only tcp.flags.syn == 1 # SYN packets (connections)
• Follow Stream: Reconstruct full TCP conversations
• Statistics: Protocol hierarchy, endpoints, conversations
• Export Objects: Extract files transferred over HTTP/FTP
• Coloring Rules: Visual identification of traffic types
• Detecting unauthorized connections and data exfiltration
• Identifying malware command-and-control traffic
• Investigating security incidents post-breach
• Validating encryption and secure protocol usage
Reconnaissance is the first phase of penetration testing—gathering information about targets before exploitation. Better recon means a clearer understanding of the attack surface.
# Passive Reconnaissance Gathering info WITHOUT touching the target - WHOIS lookups, DNS records - Google dorking, social media - Public documentation review # Active Reconnaissance Directly probing the target system - Port scanning, service enumeration - Web fingerprinting, directory discovery
# Port Scanning nmap -sV -sC target # Service detection # Web Fingerprinting whatweb target # Detect technologies # Directory Discovery gobuster dir -u target -w wordlist # Banner Grabbing nc target 22 # Read service banners
• Open Ports: Which services are exposed
• Service Versions: Software and version numbers
• Technologies: CMS, frameworks, server software
• Hidden Content: Admin panels, backup files, APIs
• Infrastructure: Subdomains, IP ranges, hosting
• Always have written authorization before scanning
• Understand legal boundaries in your jurisdiction
• Passive recon is generally safer from legal perspective
• Active scanning can trigger IDS/IPS and log entries
Environment variables control program behavior. Manipulating them can bypass security controls or exploit vulnerable configurations.
env # View all variables echo $PATH # View specific variable export VAR="value" # Set and export export PATH="/my/dir:$PATH" # Prepend to PATH
PATH hijacking: Place malicious binary in earlier PATH directory
LD_PRELOAD: Inject shared library into process
Defense: Use full paths in scripts: /usr/bin/cat not cat
Web applications are primary attack targets. Understanding HTTP, enumeration, and both offensive and defensive workflows is essential.
# Raw HTTP with netcat nc target.com 80 GET / HTTP/1.1 Host: target.com # Curl requests curl -v http://target.com curl -H "Host: admin.target.com" http://ip # Directory enumeration dirb http://target.com
• Directory brute forcing to find hidden endpoints
• HTTP status code analysis (200, 301, 404)
• Host header manipulation for virtual host discovery
• Business logic vulnerability identification
• Service and exposed-port awareness using safe network reconnaissance
• Technology fingerprinting through Server and X-Powered-By headers
• Route and content discovery with wordlist-based enumeration concepts
• Authentication attack awareness and the need for MFA, rate limiting, and monitoring
• SIEM alert triage and investigation
• SOC incident response workflow
• IP blocking and rate limiting
• WAF rule tuning to block enumeration patterns
• DNS records and query analysis (A, MX, TXT, CNAME)
• Network diagnostics with ICMP and latency interpretation
• OSI layers and network topology understanding
• HTTP headers, cookies, and request/response behavior
• Intro risk models: sensitive data exposure, HTML injection, and XSS
Get In Touch
Open to collaboration, learning opportunities, and cybersecurity discussions.