Writeups

Written by Arbaaz Jamadar
Cloud Security & Application Security Engineer · OSCP · AWS Security Specialty · Master’s in Cybersecurity, University of Maryland
Summary

40+ technical writeups with a heavy focus on cloud security research, original CVE documentation, and real-world cloud misconfiguration exploitation across AWS, Azure, and Kubernetes.

AWS & Cloud Misconfiguration Research - deep-dive walkthroughs of the flAWS and flAWS2 challenge series: S3 bucket enumeration and unauthenticated data access, IAM privilege escalation chains, public EC2 snapshot exploitation to extract credentials, Lambda environment variable leakage, and cross-account role abuse. Also covered is IMDSv2 SSRF exploitation via Spring Boot Actuator, demonstrating how internal metadata service access bypasses perimeter controls and exposes IAM role credentials. Each walkthrough maps the vulnerability to its AWS Well-Architected Framework control failure and documents the remediation.

CVE Research & Vulnerability Analysis - original analysis of 10+ documented CVEs spanning cloud-native and enterprise platforms: CVE-2025-9074 (Docker Desktop REST API unauthenticated container escape on Windows and macOS), CVE-2023-43208 and CVE-2023-37679 (Mirth Connect pre-auth RCE chain), CVE-2022-3294 (Kubernetes nodes/proxy privilege escalation enabling lateral movement across the cluster), CVE-2025-6018 and CVE-2025-6019 (Pterodactyl PHP PearCMD RCE with race-condition privilege escalation), and CVE-2025-59528, CVE-2025-58434, CVE-2025-64111 (nginx auth bypass and container privilege abuse chain). Each writeup includes root cause analysis, proof-of-concept reproduction steps, and defence recommendations.

Wiz Cloud Security Championship - Top 18 Worldwide (600+ Participants) - 9 cloud security challenge writeups from a podium-level finish: container escape via PostgreSQL superuser RCE and Linux core_pattern manipulation, Kubernetes lateral movement through service account token abuse and CVE-2022-3294 nodes/proxy exploitation, Terraform state file race condition granting unintended privileged access, Azure Graph API OAuth client-credential abuse with Entra ID dynamic group privilege escalation, S3 bucket loose-policy bypass for SNS-topic-based data exfiltration, SSRF via Spring Boot Actuator exposing IMDSv2 credentials behind a reverse proxy, and AI-assisted supply chain vulnerability research exploiting vibe-coded application weaknesses.

HackTheBox Machines - 14 writeups covering Active Directory attacks (RODC KeyList abuse, gMSA exploitation, NTLM relay, constrained delegation, SPN jacking), web vulnerabilities (SSRF, SQLi, mass assignment, LFI-to-RCE), binary exploitation (buffer overflow, format string, tarslip), and the CVE-documented RCEs listed above.

Exam Preparation - structured guides for OSCP (first attempt, 100/100), AWS SAA-C03, and CompTIA Security+, plus eJPTv2 penetration testing cheat sheets and API security certification notes.

Wiz: The Ultimate Cloud Security Championship
Wiz Cloud Security Championship writeups - 11 challenges from a Top 18 / 600+ finish covering AWS SSRF/IMDSv2, Kubernetes CVE-2022-3294, Azure Graph API abuse, container escape, Terraform race conditions and supply-chain compromise.
HackTheBox Season 10 Writeups
Seasonal HackTheBox machines.
HackTheBox: AirTouch
HackTheBox AirTouch writeup: WPA-PSK and WPA2-Enterprise (PEAP) attacks with the Aircrack-ng suite and EAPHammer, evil-twin captures, and VLAN pivoting through wpa_supplicant for full network compromise.
HackTheBox: Browsed
HackTheBox Browsed writeup: SSRF chained with a Bash arithmetic-expansion command-injection primitive for initial access, then privilege escalation through a malicious .pyc that bypasses Python bytecode invalidation.
HackTheBox: Overwatch
HackTheBox Overwatch writeup: chain MSSQL linked-server pivoting with Responder + ntlmrelayx to coerce and relay NTLM auth, ADIDNS DNS record manipulation, and .NET reverse engineering of a SOAP/WSDL API for command injection.
How I Passed OSCP on My First Attempt with 100/100 Points (3-Month Prep)
Step-by-step OSCP/OSCP+ preparation guide: 3-month study plan, lab resources (HTB, Proving Grounds, HackSmarter), exam-day methodology, and how I scored 100/100 on the first attempt.
HackSmarter: Welcome (Easy) - Active Directory Domain Compromise Writeup
HackSmarter Welcome (Easy) writeup: starting from phished credentials, enumerate Active Directory with BloodHound, abuse GenericAll/group memberships to chain password resets, and exploit ADCS ESC1 to impersonate Administrator.
CVE-2025-9074: Docker Desktop Container Escape on Windows and macOS
Analysis of CVE-2025-9074: an unauthenticated Docker REST API exposure on Docker Desktop for Windows and macOS that lets any container reach the Docker control plane on localhost:2375 and break out to the host.
How I Passed AWS Solutions Architect Associate (SAA-C03) in 3 Weeks
AWS Certified Solutions Architect - Associate (SAA-C03) preparation guide: 3-week study plan, Udemy course notes, cheat sheets, free practice exams and the strategy that scored 810/1000 on the first attempt.
Self-Host RustDesk: Free, Open-Source Remote Desktop on AWS with Docker
Step-by-step guide to self-hosting RustDesk relay (hbbs) and ID (hbbr) servers on AWS using Docker - cross-platform secure remote desktop without relying on third-party rendezvous infrastructure.
eJPTv2 Exam Cheat Sheet: Methodologies, Commands and Practical Tips
Complete eJPTv2 penetration testing cheat sheet: enumeration commands, exploitation workflows, Metasploit usage, SMB/Windows attacks, brute-force tooling, and exam-day methodology.
flAWS2 Task 4 Walkthrough: Exploiting Public EC2 Snapshots in AWS
flAWS2 Task 4 walkthrough: identify a publicly shared EC2 snapshot, mount it in your own AWS account, and recover credentials that authenticate against the challenge service.
flAWS.cloud Walkthrough: AWS S3, IAM, EC2, and Lambda Exploitation
Complete flAWS.cloud CTF walkthrough: enumerating misconfigured S3 buckets, abusing IAM policies, attacking EC2 snapshots, and escalating privileges through Lambda.
How I Passed the CompTIA Security+ (SY0-601) Exam
CompTIA Security+ (SY0-601) preparation guide: study resources, exam-day strategy, and the schedule I used to pass on my first attempt.
API Security Architect: Notes from a Self-Paced Certification
Personal study notes from the API Security Architect certification: API types, security domains, OAuth2/OpenID flows, JWT pitfalls, OWASP API Top 10 risks, and API threat modeling.