Tricks learned from the Vulnhub Drunk admin VM

Here are some pentest tips & tricks that I got from solving the Vulnhub Drunk admin challenge. You’ll find my detailed walkthrough here.

  • File upload quick reference:
    • First, analyze the normal behavior
      • Upload different file types
      • Is the filename you supply changed by the server?
      • If yes, try uploading the file a second time. Does the server assign a different filename this time?
      • If the new name is always the same but looks random, check whether it is a hash (for example with hash-identifier). The server may be naming the file with the hash (MD5, SHA1, …) of your original filename, with or without its extension
      • Where are the uploaded files located? Can you access them?
    • If only images are allowed and you want to upload and execute PHP files:
More …

The 5 Hacking NewsLetter 1


Hi, I’m very happy to present to you the first edition of The 5 Hacking NewsLetter! The idea behind it is to share with you every week the 5 coolest things related to hacking/pentest/bug bounty that I came across and enjoyed. I got the idea from Tim Ferriss’s 5-Bullet Friday email newsletter.

Also, this is a newsletter that I’m posting directly on the blog. If you prefer to receive it in your inbox, I invite you to subscribe to this blog. I’ll then notify you when any article is out.

Without further ado, here are the 5 items of this week!

1. Web Hacking YouTube channel

Web Hacking 101: Pro Tips

I’ve been following Peter Yaworski for a while (since he published his book Web Hacking 101: How to Make Money Hacking Ethically), but I only discovered his Web Hacking Pro Tips interviews this week. They’re a must-watch! He brings on big names from the Web hacking scene.

More …

Vulnhub Drunk admin walkthrough

Welcome to my new blog! Let’s dive into a Web hacking challenge for this first post.


I am mostly focusing on Web challenges these days because I’m trying to improve my web app pentest checklist. I stumbled upon this challenge on Vulnhub and was attracted to the funny title.

Now let’s see what this drunk admin has in store for us!

More …