<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>appl3b0y</title>
    <link>https://appl3b0y.com/</link>
    <description>Recent content on appl3b0y</description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <lastBuildDate>Wed, 01 Jul 2026 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://appl3b0y.com/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>How I Passed the OSCP&#43; on My First Try (But With Plenty of Sweat)</title>
      <link>https://appl3b0y.com/blog/how-i-got-my-oscp/</link>
      <pubDate>Wed, 01 Jul 2026 00:00:00 +0000</pubDate>
      <guid>https://appl3b0y.com/blog/how-i-got-my-oscp/</guid>
      <description>My first blog post: the full story of how I passed the OSCP+ on the first try. The study path, the notes obsession, exam day, and the strategies that actually worked.</description>
    </item>
    <item>
      <title>Escape</title>
      <link>https://appl3b0y.com/writeups/escape/</link>
      <pubDate>Tue, 09 Jun 2026 00:00:00 +0000</pubDate>
      <guid>https://appl3b0y.com/writeups/escape/</guid>
      <description>&lt;h2 id=&#34;introduction&#34;&gt;Introduction&lt;/h2&gt;&#xA;&lt;p&gt;&lt;strong&gt;Escape&lt;/strong&gt; is a medium-difficulty Windows machine built around a realistic &lt;strong&gt;Active Directory&lt;/strong&gt; attack path. There is no flashy web exploit here: the whole box is about chaining together small pieces of information leaked across an AD environment.&lt;/p&gt;&#xA;&lt;p&gt;The chain looks like this: a document sitting on an anonymous SMB share hands us a low-privilege MSSQL account. From MSSQL we coerce the service account into authenticating back to us and capture its hash. That single credential, sprayed across the domain, gives us a shell. On the host we find a domain user&amp;rsquo;s password hiding in an SQL error log, and finally we abuse a misconfigured &lt;strong&gt;Active Directory Certificate Services (AD CS)&lt;/strong&gt; template (&lt;strong&gt;ESC1&lt;/strong&gt;) to mint a certificate for the Domain Administrator.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Bashed</title>
      <link>https://appl3b0y.com/writeups/bashed/</link>
      <pubDate>Wed, 04 Feb 2026 00:00:00 +0000</pubDate>
      <guid>https://appl3b0y.com/writeups/bashed/</guid>
      <description>&lt;h2 id=&#34;introduction&#34;&gt;Introduction&lt;/h2&gt;&#xA;&lt;p&gt;Welcome to this technical breakdown of &lt;strong&gt;Bashed&lt;/strong&gt;, an introductory Linux machine. In this session, I will demonstrate how &lt;strong&gt;meticulous enumeration&lt;/strong&gt; is the key to a successful compromise.&lt;/p&gt;&#xA;&lt;p&gt;The core of this challenge is a common development error: leaving a &lt;strong&gt;publicly accessible web shell&lt;/strong&gt; on the server. In real-world scenarios, these administrative tools are direct gateways for an attacker to gain control over an internal network.&lt;/p&gt;&#xA;&lt;h2 id=&#34;enumeration&#34;&gt;Enumeration&lt;/h2&gt;&#xA;&lt;p&gt;I began by mapping the target IP to &lt;code&gt;bashed.htb&lt;/code&gt; in my local &lt;code&gt;/etc/hosts&lt;/code&gt; file. This is a standard step that makes it easier to interact with the target and helps in finding potential Virtual Hosts.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
