r/offensive_security

▲ 36 r/offensive_security+5 crossposts

Got an AI agent past a Cloudflare WAF by giving it a RAG over past bypass research

Sharing a workflow that worked for me. The retrieval layer involved is my own project, so mentioning that upfront.

Setup: I was testing an XSS on a target behind Cloudflare, and every payload I tried was getting blocked by the WAF.

This time, instead of manually digging through old writeups, I gave my agent access to a retrieval layer built on top of a corpus of web security research (Preview RAG). The agent queries it in plain language, gets back actual writeups with sources attached, and uses that context to generate and test payload variants. One of those variants eventually got through and the XSS fired.

I'm not claiming the bypass itself is novel. It may already exist in a public writeup somewhere. What mattered to me was the workflow: the agent wasn't limited to whatever happened to be inside its training data. It could pull in relevant prior research and iterate from there.

That's the main reason I built this in the first place. Models have a training cutoff, but WAF evasion evolves quickly. Public bypasses get patched, new techniques appear, and the most useful information is usually the newest information. A retrieval layer helps bridge that gap.

The corpus is updated regularly and exposed over MCP, so it can be connected to any model with minimal setup, including smaller open-weight models.

Current limitations: it's strongest on client-side topics right now—XSS, WAF evasion, CSP, CORS, SSRF, request smuggling, and similar areas. Server-side coverage is improving, but still thinner, and it definitely won't have an answer for every problem.

Happy to share more about the setup. I'm honestly more interested in where this approach fails than where it succeeds. If you've experimented with agent-driven WAF bypassing and ran into hard limits, I'd love to hear about them.

Where to learn?

Hey, fellow people I assume theres hundreds of people asking the same question - where can you even start for completely free, in my case it's about eJPT, i wanted to try INE but i seen the prices and as a broke 20 year-old i decided to give it up and search youtube.

I learned some stuff from TCM Heath Adams that helped me go on THM and just do some basic rooms but whenever i find eJPT-like rooms i can sit and scratch my head for hours and come up with nothing.

Are there any alternative places i should be lurking in? I'm not asking for a professional 200+ hours course that will teach me A-Z how to pentest but something that i can get started with and eventually from there be able to know what should be next.

I have a background and cert as sysadmin and so networks, AD, etc. are really nothing new even on the advanced level.

I appreciate all the answers.

reddit.com
u/povk668 — 1 day ago
▲ 167 r/offensive_security+7 crossposts

A searchable knowledge base of web security research, for you or your AI agent

Built a small tool web security research.

You query it in plain English and it returns actual writeups with the source URL and the exact section that matches your question. No AI summaries or made-up answers.

Right now it's focused on XSS, WAF bypasses, CSP, CORS, SSRF, request smuggling, XS-Leaks, cache poisoning, prototype pollution, JWT/auth stuff, etc. Server-side coverage is next.

I mainly built it because when I'm stuck, somebody has usually already written about a similar problem. Finding that writeup is the hard part, especially for newer techniques that general models often miss.

Would genuinely appreciate feedback on where it fails. If you try it, let me know what you searched for and whether the results were actually useful.

u/Substantial_Kick4689 — 5 days ago

OSCP/CPTS and GPEN/SEC560 Complement Each Other

I'd like to share my thoughts based on my experience. I hope this helps others understand the differences between these certifications and what each one is really good at.

OSCP/CTPS (There was no CPTS when I came in this industry) will teach you how to perform different types of enumeration and show you how to leverage publicly known vulnerabilities associated with services and protocol versions.

Those skills helped me break into the penetration testing industry over 10 years ago as OSCP and OSCE holder , so I'm still so grateful for that. However, they didn't teach me how to conduct a professional penetration test in a corporate environment. I did ... Like many OSCP holders. But these won't make you a good or decent penetration tester that's why CREST CRT cert comes in for regulation and compliance perspe.

GPEN/SEC560 will provide you with a methodology to follow/ a structured penetration testing methodology—from rules of engagement and scoping to execution, documentation, handling out-of-scope stuffs , and understanding legal and contractual constraints. Those are essential aspects of professional consulting that are often overlooked when focusing only on technical exploitation.

In my opinion, OSCP and SEC560 complement each other well. OSCP builds strong technical foundations, while SEC560 helps bridge the gap between technical skills and performing high-quality penetration tests in real-world corporate environments.This is exactly what CREST says as well.

reddit.com
u/Dumblydore2026 — 6 days ago
▲ 129 r/offensive_security+7 crossposts

Credentials Hunting

Built a small credential-hunting tool for authorized post-exploitation enumeration on Windows and Linux.

https://github.com/NeCr00/Credential-Hunting

The idea is simple: after gaining access to a host, the tool helps identify hardcoded reusable credentials that may support privilege escalation or lateral movement. It focuses on passwords and host-access credentials, not generic API tokens.

It runs in phases:

  1. OS-specific checks
  2. Credential databases and known credential files
  3. Suspicious filename discovery
  4. Broad filetype content scanning

The goal is to make credential discovery faster, cleaner, and less noisy during HTB-style labs, CTFs, and real-world authorized pentests.

Would love feedback from other pentesters on detection logic, false-positive reduction, and useful locations/filetypes to include.

u/Necrowtf — 9 days ago

Question about EJPT difficulty + Advice

Hello, I'm a 16 yr old learning pentesting. I've been learning through TryHackMe for about 6 months and I am comfortable with most tools and pentesting methodologies, scanning, enumeration, exploit identification, exploitation, and privelege escalation. I can do most of the Medium difficulty rooms with little assistence, and some hard rooms. I recently got EJPT course and I haven't looked at most of the material as I think that I already have a basic knowledge on the topics. Instead, I have mostly completed the CTF challenges that INE provides for the course and I think that they are quite easier compared to most THM rooms.

What else should I do to prepare and what difficulty should I expect, and what certs should I go after next? After this, i'm planning to do the Tryhackme courses and rooms on AD (I have THM premium) and then do PJPT and the PNPT/OSCP.

Any advice would be appreciated.

Thanks

reddit.com
u/Old_Refrigerator5167 — 7 days ago

Failed OSCP exam on my second attempt, looking for advice

As the title says, I failed my 2nd exam attempt which I had yesterday. I ended up on 50 points with the AD root and one standalone. This is a better result compared to my first attempt in April where I only got 10 points. This exam felt harder than the first one and I feel that I'd have passed if I got my first set.

I intend to resit the exam at some point this year as I still have my LearnOne till December.

I am thinking of maybe enrolling to the TCM academy and redoing all of the Lainkusanagi by myself as I have been using hints to maximise time as I work full time as a software dev which can be mentally tasking at times and also have a family that I want to spend time with.

Anything else that people would suggest?

Though I'm gutted by the result, I should remember that I have responsibilities such as work and family and the I only started fully trying in cyber security last October when I enrolled for the eJPT (which I liked) and started with Offsec in December.

Looking forward to hearing what people say

reddit.com
u/SpeedPositive1224 — 9 days ago

Failed my OSCP attempt. Completely brick-walled by the AD pivot. Any Advice?

Hey everyone,
Just finished my OSCP exam attempt and unfortunately failed. I'm trying to treat this as a learning experience and prepare for the retake immediately.
My biggest bottleneck was the Active Directory set. I managed to get an initial foothold and eventually escalated privileges on the first machine.
The problem? I couldn't for the life of me find a way to pivot or authenticate to Machine 2.
I **honestly feel like I tried absolutely everything humanly possible, threw the entire book at it, and completely ran out of ideas. Everythings was empty and I could not dump any hashes or Kerberoasting tickets. I found one user creds but it was useless, I also did pass-sprying but without any resultats**

**Also, is it possible that I just got hit with one of those infamous "nightmare sets" that people occasionally whisper about?**

**After submitong the report the offsec will gave me full walktrougu how to solve my set?**

Obviously, I'm not asking for exam spoilers due to NDA, but conceptually speaking... what am I missing here?

reddit.com
u/Normal_Price3049 — 10 days ago

Got banned by offsec poor escalation team which they call investigation

Hello I just gave my exam in 22nd april after waiting for certificate 10 days got a mail for getting escalation for investigation of acc as they said irregularities find with your accounts wtf offsec within 1week how the hell ill share my notes I didnt even solved your labs cause I was prepared from real life AD environment just spent my fucking 2yrs in AD so youre not accepting that someone can solve the exam soon with great attacks I have my logs with me legit not faking due the issue occurred in my system I was not able to copy paste the commands result from my VM to chrome by God's grace I have the fucking proof that im a legit student I think you havent even rechecked my exam logs if you did you might have seen 15 fucking active terminal with results of my manual nmap result evil-winrm and active reverse shell in AD which I was doing on my own and your AI Proctor gave me msg to run the commands I have proof and ill be giving a court notice to youre company for scaming legitimate students and failing them knowing he is legit you cant digest this very much offsec is doing that Indian and foreign wala thing giving certificate to other orgin people on the next day when a Indian tries you do this scrutiny to hell that even a wink of eyes you say cheating shame on your offsec if you really value the integrity the how the fuck everything is available on telegram even your OSED NOTES I have proof of everything as being a forensic Investigator its my habit to collect evidence of everything to safe myself from this kind of bullshit behavior i can proof myself I was giving my exam legit and soon going to receiving a notice from US court with all the proof of my exam even I have my vm ware logs #offsec

reddit.com
u/Budget_Hovercraft436 — 7 days ago

Failed my OSCP attempt. Completely brick-walled by the AD pivot. Is it a nightmare set?

Hey everyone,
Just finished my OSCP exam attempt and unfortunately failed. I'm trying to treat this as a learning experience and prepare for the retake immediately.
My biggest bottleneck was the Active Directory set. I managed to get an initial foothold and eventually escalated privileges on the first machine.
The problem? I couldn't for the life of me find a way to pivot or authenticate to Machine 2.
I honestly feel like I tried absolutely everything humanly possible, threw the entire book at it, and completely ran out of ideas. Everythings was empty and I could not dump any hashes or Kerberoasting tickets. I found one user creds but it was useless, I also did pass-sprying but without any resultats

Also, is it possible that I just got hit with one of those infamous "nightmare sets" that people occasionally whisper about?

After submitong the report the offsec will gave me full walktrougu how to solve my set?

Obviously, I'm not asking for exam spoilers due to NDA, but conceptually speaking... what am I missing here?

reddit.com
u/Normal_Price3049 — 10 days ago

need advices

I don't have a development background & I'm thinking about getting into (AppSec). I have learned some Java & Kotlin & to be honest, I haven't even started studying the OWASP Top 10 yet. Even so I can sometimes spot vulnerabilities and suggest possible remediations.

My main concern isn't coding. What confuses me is that many redditors say that if you want to work in AppSec, you should first spend two years as a software developer and then move into AppSec. If I do that, I feel like it will be too late.

What should I do? I'm worried that if I spend the next 6–7 months learning AppSec seriously, I might later discover that companies only hire AppSec engineers who have a software development background.

Could you please give me serious advice?

reddit.com
u/Agreeable_Print_4116 — 10 days ago
▲ 4 r/offensive_security+7 crossposts

Google Cybersecurity Certificate or Redfox Cybersecurity Academy?

One gives you the basics.
The other pushes you into real labs, real tools, and real attack chains.

This blog breaks down the honest difference between beginner-friendly security awareness and hands-on technical skill-building for pentesting, red teaming, and AppSec careers.

Read now: https://www.redfoxsec.com/blog/google-cybersecurity-certification-vs-redfox-cybersecurity-academy-an-honest-comparison

u/redfoxsecurity — 12 days ago

Free OSCP Active Directory Set: Full Attack Chain (Available for 24 hours!)

Hey all!

Something I keep noticing is just how thin the prep material is for full Active Directory chains. Tons of resources walk you through techniques one at a time, but hardly any tie them together into a realistic chain you can run from beginning to end. The flow from first foothold to domain control is exactly what OSCP test you on, so I build each lab as one complete scenario instead of a bunch of isolated tricks.

The previous chain pulled in a huge number of downloads, so we went ahead and built a fresh one with an entirely new attack path... AD Chain 10: Replicant (Become the controller), free for the next 24 hours!

What you get:

  • 3 downloadable VMs that run locally inside a single Active Directory domain, just like the real OSCP exam
  • Realistic, exam-style AD scenarios
  • A complete step by step tutorial covering setup, topology, and the full attack chain
  • A complete guided walkthrough for the whole chain
  • A fast setup guide for both VirtualBox and VMware so you can get going quickly

Requirements:

  • A laptop with 8GB of RAM or more (watch the setup video if you're short on RAM)
  • 16GB or more will run it smoothly with no trouble at all
  • The ability to install VirtualBox or VMware
  • Heads up: MacOS (M1/M2/M3) ARM64 won't work with these labs. Anything else should run fine.

The chains are structured so you get to rehearse the same discovery, exploitation, post exploitation, lateral movement, and privilege escalation steps that show up in exam-style AD challenges. The whole thing is designed around learning by doing rather than just reading along.

More chains are on the way since folks have been finding them so useful. Always glad to hear feedback or suggestions for what you'd like next!

Happy hacking everyone! 💙

https://preview.redd.it/lvrfxqq7f29h1.png?width=1200&format=png&auto=webp&s=456cff647ed40028d4c156071174944545c03ba3

https://preview.redd.it/gw9noph8f29h1.png?width=1200&format=png&auto=webp&s=988472b4eb4826c043d85317f094769d840f7534

reddit.com
u/HackerBlueprint — 13 days ago
▲ 6 r/offensive_security+1 crossposts

Offenso Academy or RedTeam Hacker Academy for Cybersecurity in Kerala? Need Honest Reviews & Advice

Hi everyone,
I'm planning to build a career in cybersecurity and I'm currently confused between Offenso Academy and RedTeam Hacker Academy in Kerala. Both seem to have good marketing, hands-on training, and placement claims, but I want to hear from people who have actually studied there or know someone who has.
I'm looking for honest opinions on:
Quality of teaching and trainers
Hands-on labs and practical learning
Course curriculum (beginner to advanced)
Placement assistance and internship opportunities
Industry-recognized certifications
Learning environment and student support
Whether the course is worth the money
Hidden pros and cons that aren't mentioned in advertisements
If you're an alumnus of either academy, could you please share:
Which course you took
Your overall experience
Whether you got placed or found a job after completing the course
What you liked and what you didn't
I'm investing a significant amount of money, so I want to make the right decision instead of relying on promotional content.
Any genuine reviews or suggestions would be greatly appreciated.

reddit.com
u/Ill-Teaching9662 — 11 days ago