Liam Smydo

Cybersecurity Enthusiast

Hi, I’m Liam. This site contains my various cybersecurity projects, CTF write-ups, and labs, including detailed technical write-ups and different resources I find useful. Below, you’ll find some of my recent projects and CTF write-ups.

Recent

TryHackMe: Internal

1560 words · 8 mins
A hard TryHackMe box that chains WordPress brute-forcing, PHP webshell injection, credential harvesting from a plaintext file, and a Ligolo-ng pivot to an internal Jenkins instance — ultimately escalating to root via a plaintext password left in a Docker container.

TryHackMe: Enterprise

1821 words · 9 mins
A hard TryHackMe Active Directory box that chains anonymous SMB/LDAP enumeration, OSINT credential recovery from a public Git repository, Kerberoasting, and PrintNightmare (CVE-2021-1675) local privilege escalation to fully compromise the domain.

TryHackMe: Daily Bugle

1633 words · 8 mins
A hard TryHackMe box exploiting a known Joomla 3.7 SQL injection vulnerability to extract and crack admin credentials, followed by a PHP webshell for initial access and a yum sudo misconfiguration for privilege escalation to root.

HackSmarter Web App Pentesting Capstone

6504 words · 31 mins
Comprehensive web application penetration test of the Hack Smarter e-commerce platform. 30 vulnerabilities identified — SQL injection, RCE, XSS, SSRF, CSRF, IDOR, and session management weaknesses — with a full attack chain from unauthenticated visitor to remote code execution.