My Projects
HTB Admin
PUBLIC RELEASE COMING SOON
A Python-based command-line tool for HackTheBox administration and automation
A Python-based command-line tool for HackTheBox administration and automation, designed for competitive users and penetration testers. Features include:
- Machine Management: Start, stop, reset machines with a single command
- Automatic Hosts Management: Auto-update /etc/hosts with started machine IPs
- Virtual Host Support: Easily add vhosts as you discover them
- Competitive Mode: Wait-for-release starting for box releases with auto-detection
- User Information: Display user profiles and stats
- Secure: API tokens stored securely in system keyring
Built with Python, Typer, Rich, and Pydantic for a modern CLI experience with beautiful terminal output.
HTB Logo Fetcher
A command-line tool to fetch logo URLs for HackTheBox machines
A simple and efficient command-line tool that fetches logo URLs for HackTheBox machines. Perfect for automation scripts and integrations.
Key features:
- Simple CLI: Fetch machine logos with a single command
- Smart URL handling: Automatically handles relative and absolute URLs
- Web scraping: Uses BeautifulSoup to parse HTB’s machine listing page
- Lightweight: Minimal dependencies (requests, beautifulsoup4)
- Easy installation: Install via uv or pip from GitLab
Built with Python using requests and BeautifulSoup for efficient web scraping and HTML parsing.
Example usage:
htb-logo Lame
# Output: https://www.hackthebox.com/storage/avatars/...
CVE-2025-32463 Exploit
A proof-of-concept exploit for a critical privilege escalation vulnerability in sudo's chroot feature
A proof-of-concept exploit demonstrating CVE-2025-32463, a critical local privilege escalation vulnerability in sudo’s chroot feature. This educational project showcases the security flaw and proper exploitation techniques for authorized security testing and research purposes.
Key features:
- Critical Vulnerability: CVSS 9.3 severity privilege escalation flaw
- Chroot Race Condition: Exploits NSS library loading in sudo’s -R chroot option
- No Sudo Permissions Required: Any local user can escalate to root without sudo rules
- Dockerized Testing: Includes isolated environment for safe vulnerability testing
- Educational Purpose: Demonstrates security research and proof-of-concept development
- Simple Usage: Build Docker container and execute the POC script
The vulnerability exploits a race condition in how sudo handles Name Service Switch (NSS) libraries during chroot operations. When sudo performs a chroot, it loads NSS libraries before dropping privileges, allowing an attacker to inject a malicious library that executes with root privileges.
Affected Versions: sudo 1.9.14 through 1.9.17
Mitigation: Upgrade to sudo 1.9.17p1 or later, monitor for suspicious sudo -R usage, and implement additional access controls for local users.
Personal Portfolio Website
A modern, performant portfolio website built with Astro and Tailwind CSS
A sleek and performant portfolio website showcasing my projects, blog posts, and professional experience. Built with Astro for blazing-fast static site generation and styled with Tailwind CSS.
Key features:
- Lightning-fast performance: Static site generation with Astro for optimal loading speeds
- Content Collections: Organized blog posts and projects using Astro’s content collections
- Responsive design: Mobile-first design that works beautifully on all devices
- Search functionality: Client-side search for blog posts and content
- Modern styling: Gradient effects and smooth transitions using Tailwind CSS
- SEO optimized: Meta tags and structured data for better search visibility
This project demonstrates modern web development practices with a focus on performance, maintainability, and user experience.
CVE-2022-25765 Exploit
A proof-of-concept exploit for a critical command injection vulnerability in PDFKit
A proof-of-concept exploit demonstrating CVE-2022-25765, a critical command injection vulnerability in PDFKit versions prior to 0.8.7.2. This educational project showcases the security flaw and proper exploitation techniques for security research purposes.
Key features:
- Critical Vulnerability: CVSS 9.8 severity command injection flaw
- URL Sanitization Bypass: Exploits inadequate shell metacharacter escaping
- Reverse Shell Payload: Establishes unauthorized system access through injected commands
- Educational Purpose: Demonstrates vulnerability assessment and proof-of-concept development
- Simple Usage: Requires target URL, attacker IP, and listener port
The vulnerability exists in PDFKit’s URL sanitization logic, where shell metacharacters like backticks can evade checks and execute arbitrary commands when URLs are passed to wkhtmltopdf.
Affected Versions: PDFKit 0.0.0 through 0.8.6
Mitigation: Upgrade to PDFKit 0.8.7.2 or later, implement strict input validation, and use containerization with minimal privileges.