Trent Sherlock a Hack The Box Writeup

- 4 mins read
This writeup documents my analysis and investigation of the Trent sherlock on Hackthebox. The challenge involves the analysis of a compromised router, where the attacker gained unauthorized access to the router’s web administration interface, exploited a known vulnerability to achieve remote code execution (RCE), and ultimately established a reverse shell connection to an external command-and-control server. We are provided with a trent.pcap file that includes communication between the attacker and the compromised router.

Allegretto an HTB Writeup

- 5 mins read
This writeup documents my analysis and investigation of the Allegretto sherlock on Hackthebox. This sherlock focuses heavily on filesystem forensics, email artifacts, browser data, and document metadata. Let’s get into it… Which version of QGIS is being used by Shadow? To identify installed applications, the Master File Table ($MFT) was parsed using MFTECmd: MFTECmd.exe -f ...\Allegretto\Target\C\$MFT --csv . Searching the output CSV for QGIS revealed the following entry: 589,5,True,334831,1,.\Program Files\QGIS 3.

Suspicious Python Package LetsDefend Writeup

- 4 mins read
This writeup documents my analysis and investigation of the Suspicious Python Package challenge on LetsDefend. As you can guess, the objective was to investigate a malicious Python package. Let’s get into it… The attacker downloaded a malicious package. What is the full URL? First I assumed the package was downloaded using Chrome instead of pip, so I looked into the Chrome History SQLite db file, which is located at *“C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\History”*. This file holds various information regarding downloads made in Chrome.

Wordpress Web Forensics LetsDefend Writeup

- 4 mins read
This writeup documents my analysis and investigation of the WordPress Web Forensics challenge on LetsDefend. The objective was to investigate a WordPress server breach using the web server logs and Splunk. After setting up the provided log source, let’s dive in. What is the attacker’s IP address from which the WPScan enumeration originated? “WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites”

Spymax Telegram Rat LetsDefend Writeup

- 4 mins read
This write‑up documents how I approached and solved the SpyMax Telegram RAT challenge on LetsDefend. The scenario involves a victim who attempted to download the Telegram app on their Android device. Instead of using the official Google Play Store, the victim accessed a suspicious website advertising a “faster” download. The victim installed a malicious APK disguised as Telegram, resulting in a potential device compromise. The objective of this investigation was to analyze the APK and uncover key details about the attack.