Penetration test reports, CTF write-ups, and security research by William Mackins
This repository contains detailed penetration test reports and security research write-ups. Each report documents the full attack chain — from initial reconnaissance through to post-exploitation — along with risk-rated findings, evidence, and remediation guidance.
Reports follow a professional format aligned with industry standards (PTES) and include both a Markdown version for easy reading on GitHub and a formatted PDF for distribution.
| # | Target | Platform | Severity | Techniques | Report |
|---|---|---|---|---|---|
| 01 | MonitorsFour | HackTheBox | 🔴 Critical | IDOR · RCE · Container Escape | .md · .pdf |
Platform: HackTheBox | Type: Black-Box Penetration Test | Rating: 🔴 Critical
A three-stage attack chain achieving full Windows host compromise from an unauthenticated starting position.
```text
[Unauthenticated]
        │
        ▼
IDOR — /user?token=0
Mass credential disclosure (MD5 hashes)
        │
        ▼
CVE-2025-24367 — Cacti 1.2.28 RCE
Authenticated → www-data shell (Docker container)
        │
        ▼
CVE-2025-9074 — Docker Desktop Unauthenticated API
Container escape → C:\ mount → root flag
```
| ID | Finding | Severity | CVSS |
|---|---|---|---|
| F-01 | IDOR in /user API Endpoint — Credential Disclosure | 🟠 High | 8.6 |
| F-02 | Cacti 1.2.28 Remote Code Execution (CVE-2025-24367) | 🔴 Critical | 9.8 |
| F-03 | Docker Desktop Unauthenticated API Access (CVE-2025-9074) | 🔴 Critical | 9.3 |
- Insecure Direct Object Reference (IDOR) / boundary-condition bypass
- Server-side command injection via Cacti Graph Template (CVE-2025-24367)
- Docker Engine API abuse for privileged container creation and host filesystem mount (CVE-2025-9074)
- MD5 hash cracking via rainbow table lookup
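The first link in the chain above is an IDOR with a boundary-condition bypass on a `token` parameter. The following is an added illustration of that bug class and its fix, written for this README and not taken from the MonitorsFour report or the target's source: the `vulnerable_lookup` handler is an assumed reconstruction of how a zero/falsy object id can collapse into "return everything", and `hardened_lookup` shows the two controls a code reviewer would look for (explicit range validation of the id, and authorization of the object against the authenticated caller). The user table and hash strings are constructed sample data.

```python
"""Illustrative IDOR with a boundary-condition bypass on an object id.

Added example for this README; the vulnerable handler is an assumed
reconstruction of the bug class, not the target's real code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class User:
    id: int
    username: str
    password_hash: str  # constructed placeholder, not a real hash


# Constructed sample user table standing in for the application's database.
USERS: List[User] = [
    User(1, "admin", "<constructed-md5-1>"),
    User(2, "alice", "<constructed-md5-2>"),
    User(3, "bob", "<constructed-md5-3>"),
]


def vulnerable_lookup(token: int) -> List[Dict]:
    """Assumed vulnerable handler for GET /user?token=<id>.

    Two defects: the id is used as an optional filter, so a falsy value (0)
    matches every row, and nothing ties the requested id to the caller, so
    any authenticated or unauthenticated client can read any record,
    hashes included.
    """
    rows = [u for u in USERS if not token or u.id == token]
    return [
        {"id": u.id, "username": u.username, "hash": u.password_hash}
        for u in rows
    ]


def hardened_lookup(session_user_id: int, token: int) -> Optional[Dict]:
    """Hardened handler: validate the id explicitly, authorize the object
    against the authenticated principal, and never expose the hash."""
    if isinstance(token, bool) or not isinstance(token, int) or token <= 0:
        raise ValueError("invalid user id")
    if token != session_user_id:
        raise PermissionError("caller is not authorized for this object")
    for u in USERS:
        if u.id == token:
            return {"id": u.id, "username": u.username}
    return None


def bypass_closed() -> bool:
    """Regression check: the zero-id boundary and cross-user access must
    both be refused by the hardened handler."""
    try:
        hardened_lookup(1, 0)
        return False
    except ValueError:
        pass
    try:
        hardened_lookup(1, 2)
        return False
    except PermissionError:
        pass
    return True


if __name__ == "__main__":
    print("vulnerable, token=0 ->", len(vulnerable_lookup(0)), "records")
    print("hardened, own record ->", hardened_lookup(2, 2))
    print("bypass closed:", bypass_closed())
```

The detection-side takeaway is the same as the code-review one: a request whose object id is `0`, negative, or absent, followed by a response far larger than a single record, is the signature of this failure and is cheap to alert on at the API gateway or in access logs.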
| Tool | Use |
|---|---|
| Nmap | Port & service scanning |
| FFUF | Virtual-host & directory fuzzing |
| CrackStation | Hash cracking |
| CVE-2025-24367 PoC | Cacti RCE exploit |
| curl / Netcat | Docker API interaction & reverse shells |
All assessments follow the Penetration Testing Execution Standard (PTES):
- Reconnaissance — passive & active information gathering
- Enumeration — service fingerprinting, subdomain & endpoint discovery
- Exploitation — vulnerability exploitation using PoCs and manual techniques
- Post-Exploitation — privilege escalation, lateral movement, persistence
- Reporting — risk-rated findings with remediation guidance
All targets documented in this repository are either lab environments (HackTheBox, TryHackMe, etc.) or systems for which explicit written authorization was obtained prior to testing. This content is published for educational purposes only. Do not attempt to reproduce these techniques against systems you do not own or have permission to test.