Jeanback1/Jeanback1


╔══════════════════════════════════════════════════════════════════════════════╗
║  [*] INITIALIZING SECURITY PROFILE...                                        ║
║  [+] IDENTITY   : Jean Carlos // Jeanback1                                 ║
║  [+] ROLE       : Pentester · Security Researcher · CVE Hunter              ║
║  [+] LOCATION   : Dominican Republic // 18.4861° N, 69.9312° W             ║
║  [+] PLATFORM   : HTB · TryHackMe · Bug Bounty                             ║
║  [+] STATUS     : [ HUNTING ] — CVE Research Active                        ║
║  [!] PHILOSOPHY : "Breaking stuff so you can fix it"                        ║
╚══════════════════════════════════════════════════════════════════════════════╝

> whoami

Jean Carlos Mercedes Morel — aka Jeanback1. Pentester and Security Researcher with a fire for web application security, network penetration testing, and exploit development. I hunt CVEs and break webapps so you can fix them.

Focus Areas:

  • Web Application Security — OWASP Top 10, API security, auth bypasses
  • Exploit Development — From PoC to weaponized exploits
  • Vulnerability Research — CVE hunting & responsible disclosure
  • Red Teaming — Simulating real-world adversaries

> cat /proc/expertise

🔴 Offensive Security

■ Web Application Pentesting
■ Network Penetration Testing
■ Exploit Development & PoC
■ CVE Research & Zero-Day Analysis
■ Authentication & Authorization Bypass
■ Business Logic Flaws & IDOR
■ Active Directory Attacks
■ Chained Vulnerability Exploitation

🛠️ Tools & Arsenal

■ Burp Suite | Metasploit | Nmap
■ BloodHound | Impacket | SQLMap
■ Wireshark | Docker | Caido
■ Python | Bash | PowerShell
■ Custom Exploit Development
■ Reverse Engineering Basics
■ WAF Bypass Techniques
■ Post-Exploitation & Pivoting

🏆 Hack The Box

Profile
Level 48 · Professional · VIP 🜲 · Team #DO

Season 11 — Competitive
Ruby Tier · Rank #638 · 350 pts · 12/26 Flags

Vulnerability Research & Exploits

| CVE | Product | Type | CVSS | Repo |
|---|---|---|---|---|
| CVE-2025-55182 | React Server Components | Prototype Pollution RCE | 10.0 | Lab |
| CVE-2025-57819 | FreePBX (endpoint module) | Pre-Auth SQLi → RCE | 9.8 | Exploit |
| CVE-2022-25765 | pdfkit (Ruby gem) | Command Injection | 9.8 | Exploit |
| CVE-2019-9053 | CMS Made Simple ≤ 2.2.9 | Unauthenticated SQLi | 9.8 | Exploit |
| CVE-2025-2304 | Camaleon CMS < 2.9.1 | Mass Assignment PrivEsc | 9.8 | Exploit |
| CVE-2023-30253 | Dolibarr ERP/CRM 17.0.0 | PHP Code Injection RCE | 9.8 | Exploit |
| CVE-2021-3560 | Polkit (accounts-daemon) | Privilege Escalation | 7.8 | Exploit |
| CVE-2023-27163 | request-baskets ≤ 1.2.1 | SSRF | 7.5 | Exploit |
| CVE-2019-0211 | Apache HTTP Server 2.4.17–2.4.38 | Local PrivEsc (CARPE DIEM) | 9.8 | Exploit |

Other Exploits

| Repo | Product | Type |
|---|---|---|
| Maltrail v0.53 | Maltrail v0.53 | Command Injection |
| HTB TwoMillion | HackTheBox TwoMillion | Command Injection via VPN endpoint |

Finding zero-days, weaponizing exploits, and sharing knowledge.


🛠️ Arsenal

Languages

Python | Bash | PowerShell

Tools & Frameworks

Burp Suite | Caido | Metasploit | Nmap | SQLMap | BloodHound | Impacket | Wireshark | Docker


📦 Featured Projects

| Project | Description |
|---|---|
| CVE-2025-57819 Exploit | FreePBX Pre-Auth SQLi → RCE — All-in-One exploit with MSF staging, admin creation & custom payload modes |
| React RSC CVE Lab | Educational lab for CVE-2025-55182 — React Server Components RCE via Flight protocol deserialization |
| Sistema de Facturación | Full-stack desktop billing system — Python, CustomTkinter, SQLite |

📫 Contact


Happy Hacking 🏴‍☠️
