// term

Advanced

Chaining SSRF and IDOR to Achieve Cross-Tenant Data Access

How we chained a blind SSRF vulnerability with an IDOR in a SaaS platform's internal API to read files belonging to arbitrary tenants — and collected a $25,000 bug bounty.

Infrastructure Pentestingadvanced

Active Directory Takeover: From Domain User to Domain Admin in 4 Hours

Full walkthrough of a real internal engagement — LLMNR poisoning for initial creds, Kerberoasting for a service account, and DCSync for the keys to the kingdom.