Cybersecurity undergraduate and web developer based in Sri Lanka, passionate about penetration testing, VAPT, and ethical hacking.
A collection of penetration tests, CTF writeups, web builds, and security tooling — built hands-on, documented thoroughly.
Classic Easy Linux box. Exploited a vulnerable Samba service to gain direct root access. Full walkthrough covering enumeration, exploitation and post-exploitation.
EternalBlue (MS17-010) exploitation on a Windows target. Manual exploit without Metasploit — using Impacket and custom Python scripts.
Elastix / FreePBX server with multiple attack vectors. Exploited Local File Inclusion to grab credentials, then escalated to root via sudo misconfiguration.
Multi-day Capture The Flag — 24 challenges spanning web exploitation, OSINT, digital forensics, reverse engineering, and cryptography.
Mr. Robot-themed room — three hidden flags captured via WordPress exploitation, a dictionary attack, and SUID binary privilege escalation.
Full company website for Dreamway Education — responsive design, PHP backend, contact form with mail integration, and SEO-optimised pages.
Internal inventory tracking system built for Timex Garments. Role-based access control, stock management, PDF report generation, and audit logs.
Full web application vulnerability assessment. Identified SQL Injection, XSS, IDOR and broken authentication. CVSS-rated report with PoC and remediation steps.
Internal network vulnerability assessment — open ports, weak protocols, unpatched services and misconfigured firewall rules identified and documented.
Built a full AD environment in VirtualBox — domain controller, workstations, and file server. Simulated Kerberoasting, Pass-the-Hash and BloodHound enumeration.
Full OSINT reconnaissance on a consenting test target — email enumeration, social media mapping, domain/WHOIS analysis, and breach data correlation.
Simulated phishing engagement using the Social Engineering Toolkit. Crafted pretexting scenario, credential harvesting page, and awareness gap report for the client.
Python script that wraps Nmap for automated recon — service version detection and OS fingerprinting, with results written to a formatted HTML/JSON report.
Toolkit of Python scripts for common CTF crypto challenges — Caesar, Vigenère, Base64 chaining, XOR bruteforce, and RSA weak key exploitation.
Bash/Python automation that scans the local network, identifies active hosts, pulls MAC addresses and hostnames, and logs results to a CSV for IT audit.
Whether it's a pentest, web build, VAPT, or a security audit — let's talk about what you need.