> whoami_

Hadariel Heilige (not real name)

My name is Sergey and I'm a pentester and SEO specialist. I actually work at SEO now, but in my spare time I do pentesting, both to order and on my own initiative. At first, it was just a hobby, but going through various lessons, I liked it more and more, especially since a few years ago I saw that cyber security will take an important part in IT in the future.
At first I took free courses and courses downloaded illegally, but then I made some money (with my new skills) and started buying them (I also bought what I downloaded illegally - I respect other people's work). Then I started communicating with other pentesters and white hat hackers, and started solving tasks on Hack-The-Box, HackThisSite and other sites where you can legally practice your skills while looking for new orders to look for vulnerabilities and bug bounties.
My next goal is to obtain OSCP and CEH certificates.

free simple website templates

Some of my projects

Below you can see some of the projects I worked with. Usually I work with web applications and sites, but I can also test your software (server access), API and other things connected to the Internet in one way or another


Dangerous Vulnerabilities

Interested in a quality check of your site ? Then you should contact me 😊 
In the footer of the site you can see buttons to my social network. Feel free to communicate with me!


Poor filtration -> RCE -> Got Root!

Poor filtration in uploading files, which subsequently led to the RCE and accordingly it was possible to upload web-shell, which allowed me to get root access to all sites located on the same server. (System administrators, please, set up access correctly)


XSS vulnerability

It's much more interesting here. Xss was found in a GET request after the "play" button in the uploaded video was pressed. The problem was that any user could watch the video from the link and xss would trigger.



The easiest thing in my memory. Looks like a serious site, but vulnerability is like in the training labs.
SQLi - just add a quote


XSS vulnerability

Found xss in GET request on search page.
Through the WAF like a piece of cake



Not that it was hard, but I had to run Burp Suite 😁.
The vulnerability was on the product page. We should have generated a special request.


WordPress flaws

Not only is WP itself leaky, but also the presence of vulnerable versions of plug-ins allows you to conduct Stored XSS and DoS-attack. In order to close these holes, you just had to upgrade to the current versions.