TeamTonTac

Sign in Subscribe

Evilginx 104: Outlook's Deception - Bypass the External Email Warning

Evilginx 104: Outlook's Deception - Bypass the External Email Warning

After outsmarting Google in our last post, it’s time to turn our attention to the next giant - Microsoft Outlook. Introduction Welcome back to our Evilginx phishing series. In previous installments, we explored modern phishing techniques, infrastructure design, and evasion strategies like bypassing Google Safe Browsing. Today, we'

OSCE3: Ton Tac's Adventure

OSCE3: Ton Tac's Adventure

Back when I first started learning about cybersecurity, I never imagined I’d one day earn the OSCE3 certification. In those early days, I was just using tools without really understanding how they worked under the hood. Everything felt overwhelming, and the deeper concepts seemed out of reach. OSCP: The

Evilginx 103: Google’s Defenses - A Deep Dive into Safe Browsing

Paid-members only

Google Safe Browsing

Evilginx 103: Google’s Defenses - A Deep Dive into Safe Browsing

In the Evilginx series, we’ve explored the power of adversary-in-the-middle (AiTM) phishing and how attackers can leverage Evilginx2 to bypass traditional authentication mechanisms. In Evilginx 101, we broke down the fundamentals of modern phishing, explaining how AiTM techniques allow attackers to intercept and steal session cookies. Then, in Evilginx

Whitebox pentesting: A week, a challenge, and a goal

Whitebox pentesting: A week, a challenge, and a goal

Most of my day-to-day work revolves around graybox and blackbox testing, but I felt the urge to push my limits with whitebox testing. So I gave myself a week — one focused, intense week — to dive in. What came out of it were some surprising (and satisfying) results. I had previously

BSCP Exam Survival Guide: What You Need to Know Before the 'Battle'

BSCP Exam Survival Guide: What You Need to Know Before the 'Battle'

Introduction Hello everyone, It's been a while since I last wrote a blog post. Today, I want to share my journey of obtaining the certificate considered as an "entry-level" in web security, as well as tips and tricks for the exam. Burp Suite Certified Practitioner (BSCP)

Double CVE Apache VCL (CVE 2024-53678 & CVE 2024-53679)

First of all, I would like to thank you for being here to listen to me share. Have a great day! Product Overview VCL stands for Virtual Computing Lab. It is a free and open-source cloud computing platform that aims to deliver dedicated, custom computing environments to users. The compute

Android Pentest Series: Double encrypt Mobile API (Not only AES but also RSA)

Android Pentest Series: Double encrypt Mobile API (Not only AES but also RSA)

Breaking encrypted traffic with RSA and AES in Android application

Evilginx 102: Hacker’s Blueprint - Building the Ultimate Phishing Infra

Evilginx 102: Hacker’s Blueprint - Building the Ultimate Phishing Infra

In our previous post, Evilginx 101: Introduction to Modern Phishing & Adversary-in-the-Middle Attacks, we explored how Evilginx works as a powerful Adversary-in-the-middle (AitM) framework for phishing attacks. Now, let’s dive deeper into the attacker’s perspective and understand how to build an effective phishing infrastructure that can bypass multi-factor

Trigrep - Automated Security Scanning for Source Code with the Power of Semgrep and Trivy Integration

Trigrep - Automated Security Scanning for Source Code with the Power of Semgrep and Trivy Integration

Understanding SAST and SCA * SAST (Static Application Security Testing): This technique analyzes source code, bytecode, or binary code for vulnerabilities without executing the application. It is useful for detecting security issues such as injection flaws, insecure coding practices, and hardcoded credentials. * SCA (Software Composition Analysis): SCA scans third-party dependencies and

Build your Phishing-as-a-Service

Paid-members only

Phishing Infrastructure Featured

Build your Phishing-as-a-Service

Evilginx 101: Introduction to Modern Phishing & Adversary-in-the-Middle Attacks

Evilginx Featured

Evilginx 101: Introduction to Modern Phishing & Adversary-in-the-Middle Attacks

What is an Adversary-in-the-Middle (AiTM) Attack? An Adversary-in-the-Middle (AiTM) attack is a sophisticated phishing technique where an attacker intercepts and manipulates communication between a victim and a legitimate service. Unlike traditional phishing, which relies on tricking users into entering their credentials on a fake login page, AiTM attacks go a

Android Pentest: How I Decrypted Mobile API

Mobile Pentest Featured

Android Pentest: How I Decrypted Mobile API

First of all, I would like to thank you for being here to listen to me share my story. Have a great day! Overview I am writing this blog to share my recent experience when I pentested an android application. It was easy to capture the application request but the

How to become a Pro Penetration Testing Intern

How to become a Pro Penetration Testing Intern

Introduction In a world filled with cybersecurity threats, understanding and performing penetration testing (pentest) is not only a skill but also a crucial tool for protecting systems. Pentesting helps security experts discover vulnerabilities, assess risks, and suggest solutions before attackers can exploit them. If you’re a beginner wanting to

Who is the Hunter, Who is the Prey ??? (CVE-2024-51735)

Who is the Hunter, Who is the Prey ??? (CVE-2024-51735)

Product Overview Osmedeus is a Workflow Engine for Offensive Security that allows you to build and run a reconnaissance system on a wide range of targets, including domains, URLs, CIDRs, and GitHub repositories. It was designed to establish a strong foundation and has the ability to adapt and function automatically

My first CVE story (CVE-2025-24372)

Introduction Today is a special day for me, a CVE was released where I am the discoverer: CVE-2025-24372. I have my first CVE! How to find A while back, I discovered the XSS vulnerability of a website while doing the company's pentest project. Let’s call it redacted.

Insecure Deserialization in Python

Insecure Deserialization in Python

Introduction to Object Serialization Imagine playing a game where you've invested significant effort into progressing your character. However, for some reason, you need to stop playing and don’t want to lose your progress. Have you ever wondered how the game saves your character’s state? Let'

OSWE Journey

First of all, I would like to thank you for being here to listen to me share my journey. Have a great day! Overview 1. The starting point 2. The preparation 3. The exam 4. Some advice I. The starting point I am not a professional CTF player or someone

How I passed OSCP with "2 times"

How I passed OSCP with "2 times"

In this blog, I will share my journey of overcoming OSCP. I will be documenting my experience to prepare for the OSCP as well as my exam day experience with the experience of a newbie and 2 times 😵 (so expensive with anyone failed). I can only sum it up in

How to pass OSEP for the first time

How to pass OSEP for the first time

How I passed OSEP on the first attempt