BLY

Pentester
CTF player
HackTheBox
PentesterLab
THM

Posts by Year

2025 24
2024 4
2023 36

2025

Hacking de Router Nucom NJ-3R - Autenticación Basada en IP sin Validación

December 29, 2025

Descubrimiento de múltiples vulnerabilidades en router Nucom NJ-3R durante unas vacaciones.

Hacking Nucom NJ-3R Router - IP-Based Authentication Without Validation

December 29, 2025

Discovery of multiple vulnerabilities in Nucom NJ-3R router.

Router Security Authentication Bypass IoT Network Security

My first IoT hacking lab at home

December 17, 2025

Building a practical IoT pentesting laboratory with ESP32, DHT11 sensors and MQTT to reproduce real audit scenarios, from firmware extraction to data spoofing attacks.

IoT ESP32 MQTT Firmware Analysis Hardware Security Pentesting

Mi primer lab de hacking IoT en casa

December 17, 2025

Montando un laboratorio práctico de pentesting IoT con ESP32, sensores DHT11 y MQTT para reproducir escenarios reales de auditoría, desde la extracción de firmware hasta ataques de spoofing de datos.

IoT ESP32 MQTT Firmware Analysis Hardware Security Pentesting

Hacking 80% of Sushi Buffets - Critical Vulnerabilities in Management Systems

October 29, 2025

Discovery of critical vulnerabilities in the shared infrastructure of multiple sushi restaurants that expose sensitive customer data and allow manipulation of operations.

Web Pentesting API Security Swagger Broken Access Control OWASP Top 10

Hackeando el 80% de los Buffets de Sushi - Vulnerabilidades Críticas en Sistemas de Gestión

October 29, 2025

Descubrimiento de vulnerabilidades críticas en la infraestructura compartida de múltiples restaurantes de sushi que exponen datos sensibles de clientes y permiten manipular operaciones.

Pentesting Web API Security Swagger Broken Access Control OWASP Top 10

Vulnerabilidad XSS Almacenada en Servicio MCP de Deployment HTML: Análisis Técnico Completo

September 10, 2025

Análisis técnico detallado de vulnerabilidad XSS almacenada crítica descubierta mediante MCPwn en servicio MCP de deployment. Incluye explotación paso a paso, respuestas del sistema y evaluación de impacto.

XSS Stored XSS HTML Injection Web Security MCP Server MCPwn

Stored XSS Vulnerability in MCP HTML Deployment Service: Technical Analysis

September 10, 2025

Detailed technical analysis of critical stored XSS vulnerability discovered using MCPwn in MCP deployment service. Includes step-by-step exploitation, system responses, and impact assessment.

XSS Stored XSS HTML Injection Web Security MCP Server MCPwn

MCPwn: Herramienta Avanzada de Pruebas de Penetración para Servidores Model Context Protocol

September 08, 2025

Descubre MCPwn, una herramienta integral de pruebas de seguridad diseñada para auditar servidores Model Context Protocol. Aprende cómo identificar vulnerabilidades, realizar evaluaciones automatizadas y explotar fallas de seguridad comunes en implementaciones MCP.

MCP Pruebas de Seguridad Pentesting Model Context Protocol Evaluación de Vulnerabilidades

MCPwn: Advanced Penetration Testing Tool for Model Context Protocol Servers

September 08, 2025

Discover MCPwn, a comprehensive security testing tool designed for auditing Model Context Protocol servers. Learn how to identify vulnerabilities, perform automated assessments, and exploit common security flaws in MCP implementations.

MCP Security Testing Penetration Testing Model Context Protocol Vulnerability Assessment

Bypass de XSS Filter en Aplicación de Educación: Técnicas con SVG

August 26, 2025

Análisis de un bypass exitoso de filtro XSS en una aplicación web de educación utilizando elementos SVG con handlers de eventos, demostrando limitaciones en sistemas de filtrado de contenido.

XSS WAF Bypass SVG Injection Web Security Penetration Testing

XSS Filter Bypass in Educational Web Application: SVG-Based Techniques

August 26, 2025

Analysis of a successful XSS filter bypass in an educational web application using SVG elements with event handlers, demonstrating limitations in content filtering systems.

XSS WAF Bypass SVG Injection Web Security Penetration Testing

Vulnerabilities in Government Services: XSS and IDOR in Digital Platforms

August 21, 2025

Analysis of multiple security vulnerabilities found in government digital platforms, including reflected XSS and IDOR exposing private citizen conversations.

XSS IDOR Web Security Government Government Security CVE

Vulnerabilidades en Servicios Gubernamentales: XSS e IDOR en Plataformas Fiscales

August 21, 2025

Análisis de múltiples vulnerabilidades de seguridad encontradas en plataformas digitales gubernamentales, incluyendo XSS reflejados e IDOR que expone conversaciones privadas de ciudadanos.

XSS IDOR Web Security Government Seguridad Gubernamental CVE

Hacking Flappy Bird: How to Manipulate Scores Without Playing

August 21, 2025

Vulnerability analysis in the popular online Flappy Bird game that allows score manipulation through direct HTTP requests, completely bypassing game logic.

Web Security API Vulnerability Score Manipulation Game Hacking HTTP Requests

Hacking T-Rex Runner on trex-runner.com: Understanding and Bypassing Anti-Cheat Systems

August 21, 2025

Complete guide to manipulating the T-Rex Runner game on trex-runner.com using JavaScript, including how to set specific scores, bypass anti-cheat systems, and understand how servers detect manipulations in online leaderboards.

JavaScript Hacking T-Rex Game Browser Exploitation Game Manipulation Anti-Cheat Systems

Hackeando el T-Rex Runner en trex-runner.com: Entendiendo y Evadiendo el Sistema Anti-Trampas

August 21, 2025

Guía completa para manipular el juego T-Rex Runner en trex-runner.com usando JavaScript, incluyendo cómo establecer puntuaciones específicas, evitar el sistema anti-trampas y entender cómo el servidor detecta manipulaciones en las tablas de clasificación online.

JavaScript Hacking T-Rex Game Browser Exploitation Game Manipulation Anti-Cheat Systems

Hackeando Flappy Bird: Cómo Manipular Puntuaciones sin Jugar

August 21, 2025

Análisis de vulnerabilidad en el popular juego Flappy Bird online que permite manipular puntuaciones mediante requests HTTP directas, burlando completamente la lógica del juego.

Web Security API Vulnerability Score Manipulation Game Hacking HTTP Requests

Firebase Exposed: When Insecure Configurations Compromise Educational Platforms

August 21, 2025

Analysis of critical vulnerabilities in Firebase configurations that allow user data manipulation, personal information exposure, and unauthorized access to scoring systems.

Firebase NoSQL Security Firestore Web Security Configuration Error Database Security

Firebase Expuesto: Cuando las Configuraciones Inseguras Comprometen Plataformas Educativas

August 21, 2025

Análisis de vulnerabilidades críticas en configuraciones de Firebase que permiten manipulación de datos de usuarios, exposición de información personal y acceso no autorizado a sistemas de puntuación.

Firebase NoSQL Security Firestore Web Security Configuration Error Database Security

Teslamate Expuesto: Cuando los Datos de tu Tesla Están al Descubierto

August 20, 2025

Análisis de cómo las instalaciones mal configuradas de Teslamate están exponiendo datos sensibles de miles de vehículos Tesla en internet, incluyendo ubicaciones, hábitos de conducción y patrones de vida.

Tesla Teslamate Privacy Data Exposure OSINT Cybersecurity

Teslamate Exposed: When Your Tesla Data Is Out in the Open

August 20, 2025

Analysis of how misconfigured Teslamate installations are exposing sensitive data from thousands of Tesla vehicles on the internet, including locations, driving habits, and life patterns.

Tesla Teslamate Privacy Data Exposure OSINT Cybersecurity

Analysis of a Vulnerability in H6Web, Hacking Holy Week - My First CVEs

February 13, 2025

Discovery and analysis of two critical vulnerabilities (IDOR and XSS) in H6Web, resulting in my first assigned CVEs.

Web Pentesting IDOR Insecure Direct Object Reference Reflected XSS CVE H6Web

Análisis de una Vulnerabilidad en H6Web, hackeando la Semana Santa - Mis Primeros CVEs

February 13, 2025

Descubrimiento y análisis de dos vulnerabilidades críticas (IDOR y XSS) en H6Web, resultando en mis primeros CVEs asignados.

Pentesting Web IDOR Insecure Direct Object Reference Reflected XSS CVE H6Web

2024

Vulnerabilidad XSS Reflejada Encontrada en el Sitio Web de la Agencia Tributaria

September 04, 2024

Informe de Vulnerabilidad XSS en la Web de la Agencia Tributaria

Pentesting Web Reflected XSS

Review[ES] - eCPPTv3

July 04, 2024

Información, tips, cosas negativas y positivas sobre el eCPPTv3

Pivoting Linux Windows Active Directory Manual Explotation Information Gathering Reconnaissance Exploit Development Pentesting Web

Review[EN] - eCPPTv3

July 04, 2024

Information, tips, negative and positive things about eCPPTv3

Pivoting Linux Windows Active Directory Manual Explotation Information Gathering Reconnaissance Exploit Development Pentesting Web

Builder HTB - WriteUp

April 23, 2024

WriteUp de la máquina Builder de HTB.

ctf Linux Jenkins CVE Web

2023

GoodGames HTB - WriteUp

March 26, 2023

WriteUp de la máquina GoodGames de HTB.

ctf Linux Writeup Web-Enum SQLI SSTI Docker Privesc

Teacher HTB - WriteUp

March 17, 2023

WriteUp de la máquina Teacher de HTB.

ctf Linux Writeup Web-Enum Moodle Python-Script CVE

TheNoteBook HTB - WriteUp

March 16, 2023

WriteUp de la máquina TheNoteBook de HTB.

ctf Linux Writeup Web JWT WebShell Docker

NodeBlog HTB - WriteUp

March 15, 2023

WriteUp de la máquina NodeBlog de HTB.

ctf Linux Writeup Web NoSQL XXE Deserialization Data-Exposure Mongo

Canape HTB - WriteUp

March 14, 2023

WriteUp de la máquina Canape de HTB.

ctf Linux Writeup Web Git Deserialization CouchDB

Nunchucks HTB - WriteUp

March 13, 2023

WriteUp de la máquina Nunchucks de HTB.

ctf Linux Writeup Web-Enumeration SSTI Capabilities AppArmor

Sizzle HTB - WriteUp

March 12, 2023

WriteUp de la máquina Sizzle de HTB.

ctf Windows Writeup SMB-Enumeration SCF-File Web-Enumeration CA-Certificate Kerberoasting DCSync

Backend HTB - WriteUp

March 09, 2023

WriteUp de la máquina Backend de HTB.

ctf Linux Writeup Web-Enumeration Web-Fuzzing API Read-Logs

Celestial HTB - WriteUp

March 08, 2023

WriteUp de la máquina Celestial de HTB.

ctf Linux Writeup Web-Enumeration Deserialization-Attack Crontab

Cap HTB - WriteUp

March 07, 2023

WriteUp de la máquina Cap de HTB.

ctf Linux Writeup Web-Enumeration PCAP Capabilities

WebHackingPlayground - WriteUp

March 06, 2023

WriteUp de WebHackingPlayground creado por Takito.

ctf Web Writeup JWT XSS Open-Redirect OTP SSTI SMTP

Secret HTB - WriteUp

March 05, 2023

WriteUp de la máquina Secret de HTB.

ctf Linux Writeup Web-Enumeration API JWT GIT RCE SUID

Mango HTB - WriteUp

March 04, 2023

WriteUp de la máquina Mango de HTB.

ctf Linux Writeup Web-Enumeration NoSQLI Password-Reuse SUID

Squashed HTB - WriteUp

March 03, 2023

WriteUp de la máquina Squashed de HTB.

ctf Linux Writeup NFS Web-Shell Magic-Cookies X11

Carrier HTB - WriteUp

March 03, 2023

WriteUp de la máquina Carrier de HTB.

ctf Linux Writeup Web-Enumeration RCE BGP-Hijack

Joker HTB - WriteUp

March 02, 2023

WriteUp de la máquina Joker de HTB.

ctf Linux Writeup SQUID TFPT Web-Enumeration Suedoedit Tar

Blackfield HTB - WriteUp

March 01, 2023

WriteUp de la máquina Blackfield de HTB.

ctf Windows Writeup SMB-Enumeration ASREPRoast ForceChangePassword LSASS-DUMP Backup-Operators

Ambassador HTB - WriteUp

March 01, 2023

WriteUp de la máquina Ambassador de HTB.

ctf Linux Writeup Grafana Direcctory-Traversal Consul-Exploit MySQL SQLITE3

Knife HTB - WriteUp

February 28, 2023

WriteUp de la máquina Knife de HTB.

ctf Linux Writeup Web CVE Sudo-Abuse

Bart HTB - WriteUp

February 28, 2023

WriteUp de la máquina Bart de HTB.

ctf Windows Writeup Web Username-Enumeration BruteForce LogPoison SeImpersonatePrivilege

LocalPotato-CVE-2023-21746

February 27, 2023

Explotando el PoC de LocalPotato-CVE-2023-21746.

PoC Windows CVE DLL Potato

AI HTB - WriteUp

February 27, 2023

WriteUp de la máquina AI de HTB.

ctf Linux Writeup AI SQLI JDWP

Monteverde HTB - WriteUp

February 26, 2023

WriteUp de la máquina Monteverde de HTB.

ctf Windows Writeup RPC-Enum Null-Session BruteForce Azure Group-Abuse

Querier HTB - WriteUp

February 23, 2023

WriteUp de la máquina Querier de HTB.

ctf Windows Writeup MSSQL NTLMv2 xp_cmdshell Cached GPP Files

Tentacle HTB - WriteUp

February 22, 2023

WriteUp de la máquina Tentacle de HTB.

ctf Linux Writeup SQUID CVE Kerberos

Mantis HTB - WriteUp

February 22, 2023

WriteUp de la máquina Mantis de HTB.

ctf Windows Writeup Web_Enumeration MSSQL Kerberos

Frank & Herby THM - WriteUp

February 22, 2023

WriteUp de la máquina Frank & Herby de THM.

ctf BadPod Writeup git-leak MicroK8s Kubernetes

Forest HTB - WriteUp

February 20, 2023

WriteUp de la máquina Forest de HTB.

ctf Windows Writeup RPC-Enum Null-Session ASREPRoast Account Operators WriteDacl

Validation HTB - WriteUp

February 20, 2023

WriteUp de la máquina Validation de HTB.

ctf Linux Writeup SQLI Scripting PasswordLeaked

Oz HTB - WriteUp

February 20, 2023

WriteUp de la máquina Oz de HTB.

ctf Linux Writeup Docker SSTI PIVOTING SQLI

Europa HTB - WriteUp

February 19, 2023

WriteUp de la máquina Europa de HTB.

ctf Linux Writeup Virtual_Hosting SQLI Pre_Replace Crontab

DevOops HTB - WriteUp

February 19, 2023

WriteUp de la máquina DevOops de HTB.

ctf Linux Writeup Web-Fuzzing XXE Git

Active HTB - WriteUp

February 18, 2023

WriteUp de la máquina Active de HTB.

ctf Windows Writeup AD SMB

SteamCloud HTB - WriteUp

February 16, 2023

WriteUp de la máquina SteamCloud de HTB.

ctf BadPod Writeup API Kubernetes

DarkHole:2 - WriteUp

January 24, 2023

WriteUp de la máquina DarkHole:2 de Vulnhub.

ctf WriteUp SQLI Data Exfiltration

eWPT - Review

January 12, 2023

Esto es una review de la certificación de Elearn Security, donde os cuento mi experiencia.

ctf certificates