Home
Hey — I'm Ujwal, also known as Adm1rabl3 3rr0r.
I am a red teamer, ML security researcher, and AD grinder.
This isn't a flags blog. It's a field documentation site — every technique backed by screenshots, tool output, and real proof. Every machine is explored through every viable path, not just the first one that worked. Here you will find solutions to labs across platforms like Hack The Box and Thundercipher, along with related blog posts.
If you've seen write-ups that post a handful of commands and call it a day, this is the opposite of that.
Who’s Behind This
I hold the CRTA (Certified Red Team Analyst) and I’m currently grinding toward CRTSv2, continuously sharpening my skills in Active Directory exploitation, red teaming, and real-world attack simulation.
My focus goes beyond solving labs or reproducing public write-ups — I spend most of my time understanding why vulnerabilities exist, how modern defenses work, and how attackers adapt around them. That approach has helped me build a strong foundation in penetration testing, Windows privilege escalation, AD enumeration, and offensive security operations.
Alongside hands-on security research, I actively participate in CTFs, lab environments, and real-world security assessments to refine both technical depth and methodology.
CRTA — Certified Red Team Analyst (Cyber Warfare Labs)
Currently pursuing: CRTSv2
The Documentation Standard
Most write-ups on the internet are one of two things: a cleaned-up victory lap with commands written in hindsight, or a vague narrative that doesn't actually teach you anything. Neither is useful when you're stuck on a box at 2am.
Every write-up here is held to a different standard:
What Every Write-up Includes
- Digital proof at every step — screenshots of tool output, terminal captures, and scan results. Not "I ran BloodHound and found this" — you'll see the BloodHound graph, the exact output, the moment the attack path became clear.
- Every viable access path — if a machine has three ways in, all three are documented. The path I took first, the cleaner path I found later, and the one that almost worked but didn't. You'll know what to try when your first approach hits a wall.
- The rabbit holes too — dead ends and failed payloads are documented because that's where the actual learning happens. When something doesn't work, I explain why it didn't.
- The full kill chain, in order — not just PrivEsc or just the foothold. Entry to SYSTEM, every step connected.
This matters because in a real engagement, you don't get to pick the clean path. You need to know all of them.
What's Here
- HTB-Season10-Interpreter — Mirth Connect 4.4.0 RCE via XStream deserialization (CVE-2023-43208), SQL credential dump, PBKDF2 cracking, SSTI privesc via hex-encoded payloads. Multiple escalation paths documented.
- HTB-Season10-Pirate — Full AD chain: Pre-Win2k gMSA abuse → Evil-WinRM foothold → Ligolo-ng pivot → PetitPotam NTLM relay (CVE-2021-36942) → secretsdump → bloodyAD SPN write → PSExec as SYSTEM. Two pivot paths covered.
- HTB-Season10-Pterodactyl — CVE-2025-49132 → CVE-2025-6018 & CVE-2025-XXXX [Read the Write-up for the mystery CVE.]
- HTB-Season10-Kobold — Directory Enumeration → MCPJam exploitation (CVE-2026-23744) → Docker socket abuse
- HTB-SmartHire — Subdomain Enumeration → Credential Brute-force → Exploiting MLflow (CVE-2024-37054) → Python site.addsitedir() .pth injection

...and many more.
Focus Areas
Active Directory is where I live. NTLM relay attacks, Kerberos abuse, gMSA and LAPS dumping, delegation misconfigurations, Pre-Win2k account exploitation — the AD attack surface is deep and real-world environments are full of legacy misconfigs that never got cleaned up. I document AD attack paths in full because the graph rarely tells you everything upfront.
CVE exploitation from source — I don't run PoCs blind. Before firing a payload I want to know exactly why the vulnerability exists at the code level. The Interpreter write-up traces the XStream deserialization path through Mirth Connect's source before a single packet is sent. That context is in the write-up too — not just the exploit.
Multi-vector access — For every machine I ask: what are all the ways in? Not just the intended path. If there's an unintended foothold, an alternative privesc route, or a technique that gets there faster, it goes in the notes alongside everything else.
AI red teaming is the next frontier. I've already built the defensive ML tooling. The offensive side — adversarial inputs, model extraction, prompt injection at scale — is where I'm heading. Expect write-ups on this as I go deeper.
The Arsenal
| Category | Tools |
|---|---|
| Recon | Nmap, BloodHound, NetExec, Gobuster, Feroxbuster |
| Exploitation | Burp Suite Pro, Impacket suite, Evil-WinRM, Metasploit |
| Active Directory | BloodHound, bloodyAD, Rubeus, CrackMapExec, Kerbrute |
| Pivoting | Ligolo-ng, Chisel, sshuttle |
| Cracking | Hashcat, John the Ripper |
| Enumeration | enum4linux-ng, ldapdomaindump, smbmap |
| Scripting | Python, Bash, PowerShell |
| OS | Kali Linux · Windows (lab) |
How to Read These Write-ups
Every write-up follows this structure — you'll know exactly where you are at each stage:
- Machine Info — OS, difficulty, XP, rating at a glance
- Attack Chain Overview — the full path summarised upfront so you can follow along without getting lost
- Initial Enumeration — what I scanned, what I found, what the output actually looked like (with screenshots)
- Access Paths — all documented routes in, not just the first one that worked
- Foothold → Lateral → PrivEsc — each phase with exact commands, proof of execution, and explanation of why each step works
- Key Takeaways — what's genuinely interesting, what's transferable to real engagements, what I'd do differently
Use Ctrl + K to search across the entire site.
Document everything. Prove everything. Root everything.
— Ujwal / Adm1rabl3 3rr0r