João Vítor Bonin

Product Security Engineer at SAP Office of the CSO. 8 years at SAP across support, enterprise architecture, and security governance. Currently focused on product security assessments and vulnerability management, while building offensive security skills toward OSCP.

Post-grad Red Team Operations (FIAP 2025), CRTA (CyberWarfare Labs 2026), OSCP in progress (OffSec), eJPTv2 (INE 2023). 2x National Champion at SAP CTF Brazil (2018, 2024).

Writing about red team operations, Active Directory attacks, cloud pentest, and C2 infrastructure. Learning out loud.

HTB: Analytics - OSCP Prep Write-up

Next up: Analytics, an Easy Linux box. Pre-auth RCE on Metabase, Docker escape via environment variable credential leak, and a kernel exploit chain for root.

Machine info
Name: Analytics
Platform: HackTheBox
OS: Linux
Difficulty: Easy

TL;DR
- Metabase 0.46.6 vulnerable to pre-auth RCE (CVE-2023-38646)
- Initial shell lands inside a Docker container
- Environment variables leak SSH credentials (metalytics:An4lytics_ds20223#)
- SSH to the host as metalytics, then kernel exploit CVE-2023-2640 + CVE-2023-32629 (overlayfs) for root

Recon
RustScan + Nmap
rustscan -a 10.129.21.240 -- -sV -sC -Pn -A
...

April 20, 2026 · 4 min · João Vítor Bonin

HTB: Markup - OSCP Prep Write-up

Markup is done. A Very Easy Windows box, but with a solid lesson on XXE injection - from discovering the vulnerability to weaponizing it for file read and SSH key extraction. Clean privesc through AutoLogon credentials found by WinPEAS.

Machine info
Name: Markup
Platform: HackTheBox
OS: Windows
Difficulty: Very Easy

TL;DR
- Login with default credentials admin:password
- Order form submits XML - vulnerable to XXE injection
- XXE with PHP wrapper to read process.php source and confirm the vulnerability
- Extract Daniel's SSH private key via XXE
- WinPEAS finds AutoLogon credentials for Administrator

Recon
RustScan + Nmap
rustscan -a 10.129.95.192 -- -sV -sC -Pn -A
...

April 19, 2026 · 3 min · João Vítor Bonin

HTB: Nibbles - OSCP Prep Write-up

Another one down from the Lain Kusanagi list - this time it's Nibbles, an Easy Linux box. Classic web enumeration into authenticated RCE, with a clean sudo privesc to wrap it up.

Machine info
Name: Nibbles
Platform: HackTheBox
OS: Linux
Difficulty: Easy

TL;DR
- Nibbleblog v4.0.3 with default credentials (admin:nibbles)
- Authenticated file upload RCE (CVE-2015-6967) for initial shell as nibbler
- sudo -l reveals monitor.sh can be run as root with NOPASSWD
- Overwrite monitor.sh with SUID payload on /bin/bash to get root

Recon
RustScan + Nmap
rustscan -a 10.129.20.162 -- -sV -sC -Pn -A
...

April 17, 2026 · 3 min · João Vítor Bonin

HTB: Sea - OSCP Prep Write-up

Why this post exists

This is the first in a series of write-ups I'm publishing as part of my OSCP preparation. The strategy is to follow the Lain Kusanagi curated list (a fork/evolution of the classic TJNull list), which selects HackTheBox machines with attack vectors and exploitation patterns similar to those found in the exam. The goal of these posts is not just to document the solution, but to consolidate what I've learned: each write-up is structured as a condensed pentest report - recon, enumeration, foothold, privesc and takeaways - in the same format OffSec expects in the exam. ...

April 16, 2026 · 6 min · João Vítor Bonin