João Vítor Bonin

Product Security Engineer at SAP Office of the CSO. 8 years at SAP across support, enterprise architecture, and security governance. Currently focused on product security assessments and vulnerability management, while building offensive security skills toward OSCP.

Post-grad Red Team Operations (FIAP 2025), CRTA (CyberWarfare Labs 2026), OSCP in progress (OffSec), eJPTv2 (INE 2023). 2x National Champion at SAP CTF Brazil (2018, 2024).

Writing about red team operations, Active Directory attacks, cloud pentest, and C2 infrastructure. Learning out loud.

HTB: Nibbles - OSCP Prep Write-up

Another one down from the Lain Kusanagi list - this time it’s Nibbles, an Easy Linux box. Classic web enumeration into authenticated RCE, with a clean sudo privesc to wrap it up.

Machine info
Name: Nibbles
Platform: HackTheBox
OS: Linux
Difficulty: Easy

TL;DR
- Nibbleblog v4.0.3 with default credentials (admin:nibbles)
- Authenticated file upload RCE (CVE-2015-6967) for initial shell as nibbler
- sudo -l reveals monitor.sh can be run as root with NOPASSWD
- Overwrite monitor.sh with SUID payload on /bin/bash to get root

Recon
RustScan + Nmap
rustscan -a 10.129.20.162 -- -sV -sC -Pn -A ...

April 17, 2026 · 3 min · João Vítor Bonin

HTB: Sea - OSCP Prep Write-up

Why this post exists
This is the first in a series of write-ups I’m publishing as part of my OSCP preparation. The strategy is to follow the Lain Kusanagi curated list (a fork/evolution of the classic TJNull list), which selects HackTheBox machines with attack vectors and exploitation patterns similar to those found in the exam. The goal of these posts is not just to document the solution, but to consolidate what I’ve learned: each write-up is structured as a condensed pentest report - recon, enumeration, foothold, privesc and takeaways - in the same format OffSec expects in the exam. ...

April 16, 2026 · 6 min · João Vítor Bonin