A second-brain for everything I learn during HackTheBox machines, TryHackMe rooms, PortSwigger Web Security Academy labs, and CTFs — focused on Web Application Penetration Testing and Active Directory / Red Team tradecraft.
Each note here is:
- Practical — every command shown was run in a real lab, not copy-pasted from a wiki
- Concise — kept to the essentials I actually reach for during engagements
- Tested — only what I have validated in my own environment makes it in
This is my own working reference — if it's here, I have actually used it.
| Folder | What's inside |
|---|---|
web-security/ |
OWASP Top 10 walkthroughs — SQLi, XSS, SSRF, IDOR, SSTI, auth flaws |
active-directory/ |
AD attacks — Kerberoasting, AS-REP, ACL abuse, DCSync, lateral movement |
tools/ |
Tool-specific notes — Burp Suite, Nmap, BloodHound, Impacket, Metasploit |
methodology/ |
OWASP Testing Guide, PTES, Cyber Kill Chain, MITRE ATT&CK mapping |
writeups/ |
HTB / TryHackMe / CTF writeups (after machines retire) |
cheatsheets/ |
Quick-reference one-pagers for engagements |
Published and ready to read:
- PTES Web Pentest Cheatsheet — task-oriented playbook structured around the seven PTES phases (52 tasks, ~140 tools, ~95 websites)
- Reverse Shells One-Liner Reference — copy-paste shells for every common interpreter/listener combo
Everything else is tracked, in progress, and linked from each folder's own index:
web-security/— SQLi, XSS, SSRF, IDOR, file upload, and moreactive-directory/— enumeration, Kerberoasting, ACL abuse, lateral movementcheatsheets/— Linux/Windows privesc, netcat, tmux, SSH tunnelingtools/— Burp Suite, Nmap, BloodHound, Impacket, Metasploit
⚠️ I add a new note after every machine I solve — watch the repo to follow along.
- Recon —
nmap -sC -sV -p- target·ffuf· subdomain enumeration · technology fingerprinting - Mapping — Burp Suite passive crawl ·
gobuster dir· spider authenticated areas - OWASP Top 10 sweep — manual checks against each category
- Authenticated testing — IDOR, BAC, business-logic flaws
- Documentation — capture every step in Markdown for the report
- External recon —
nmap· service enumeration on 53/88/389/445/636 - Initial foothold — null session enumeration · password spraying · phishing simulation
- Domain enumeration — BloodHound + SharpHound ·
ldapsearch·rpcclient - Privilege escalation — Kerberoasting · AS-REP Roasting · ACL abuse · DACL chains
- Lateral movement — Pass-the-Hash · Pass-the-Ticket · psexec/wmiexec
- Domain dominance — DCSync · Golden/Silver Tickets · NTDS.dit dump
- Cleanup & report — log artifacts, write the engagement narrative
- Mastering Active Directory attack chains end-to-end (PEH / CRTP path)
- PortSwigger Web Security Academy — Advanced topics
- OSCP-style enumeration discipline
- Custom Python tooling for recon automation
- Pentest report writing (engagement narrative + technical findings)
If you spot something wrong, outdated, or unclear:
- Found a typo or unclear sentence? → open a PR
- Have a sharper way to explain a concept? → open a PR
- Want to add your own writeup? → open a PR with the file in
writeups/
PRs of any size welcome.
- HackTricks — https://book.hacktricks.xyz/
- PayloadsAllTheThings — https://github.com/swisskyrepo/PayloadsAllTheThings
- PortSwigger Web Security Academy — https://portswigger.net/web-security
- The Hacker Recipes — https://www.thehacker.recipes/
- Pentestmonkey — http://pentestmonkey.net/
- GTFOBins / LOLBAS — for living-off-the-land binaries
Notes are released under Creative Commons BY-SA 4.0 — free to share and adapt with attribution.
Code snippets are MIT.
Maintained by @nodirsafarov — Junior Penetration Tester from Tashkent, Uzbekistan.