Welcome to my blog! My name is Lester. I am teaching myself web security for fun! Be sure to check my writeups - I mostly write about challenges from HackTheBox and sometimes from CTFs.


OWASP Top 10 Track

Difficulty Challenge and writeup Status Category
Easy looking glass Done Command Injection
Easy sanitize Done SQL Injection
Easy baby auth Done Broken Access Control
Easy baby nginxatsu Done Broken Access Control (exposed storage)
Sensitive Data Exposure
Easy baby WAFfiles order    
Easy baby todo or not todo    
Easy baby BoneChewerCon    
Easy Full Stack Conf    
Easy baby website rick    
Easy baby breaking grad    

Active Web Challenges

Difficulty Challenge Status Category
Very Easy Gunship Done  
Easy Slippy Done  
Easy Templated Done  
Easy Phonebook    
Easy Weather App    
Easy LoveTok    
Easy Toxic    
Easy petpet rcbee    
Easy baby CachedView    
Easy AbusedHumanDB    
Easy Diogene’s Rage    
Medium interdimensional internet    
Medium Under Construction Done  
Medium baby ninja ninja    
Medium breaking grad    
Medium Mr. Burns    
Medium nginxatsu    
Medium WAFfle-y Order    
Medium TwoDots Horror    
Medium SteamCoin    
Hard ImageTok    
Hard BoneChewerCon    
Hard AnalyticalEngine    

Bug Bounty profiles

Coming soon.

Vulnerability Research

Coming soon.

Currently Reading

  • The C Programming Language by B. Kernighan and D. Ritchie
  • Practical Binary Analysis by D. Andriesse.
  • Black Hat Python by J. Seitz and T. Arnold.
  • Computer Systems - A Programmer’s Perspective 3E by Bryant and O’Hallaron.

Recent Posts

CVE-2021-44228 log4j2 exploit PoC

This week has been busy in the world of cybersecurity because of a vulnerability found in log4j2, a popular Java logging library, nicknamed “Log4Shell”.

zh3r0 CTF - sParta Web Challenge

TL;DR: The challenge had an archive file which contained the source code for a NodeJS application and a Dockerfile. Running docker build invokes npm commands...