Aspiring Penetration Tester

Waqqas Hejazi

CTF competitor and security researcher specializing in web exploitation, Active Directory pentesting, and digital forensics. Team leader with proven track record in competitive cybersecurity challenges.

Best CTF Placement: Rank 4
Hack The Box Status: Elite
Peak Typing Speed: 159 WPM
CTF Career Start: Oct 2024

About

Based in Mangaluru, India, I focus on competitive CTF challenges and security research. My expertise spans web application security, enterprise Active Directory environments, digital forensics, and reverse engineering. I lead an active CTF team and have participated in a lot of competitions online.

Technical Skills

Core Security Domains

  • Web Application Security (LFI, RCE, SQLi, SSTI)
  • Authentication Bypass & Service Misconfiguration
  • Active Directory & Enterprise Security
  • Kerberos, AD CS, BloodHound, GPO Abuse
  • Digital Forensics & Incident Response
  • Cryptography & Applied Cryptanalysis
  • Reverse Engineering (Static & Dynamic)

Analysis & CTF Tools

  • CyberChef, Wireshark
  • Autopsy, Volatility
  • Radare2, Ghidra
  • BloodHound, Impacket Suite
  • Custom Tooling Development

Penetration Testing

  • Burp Suite Professional
  • Nmap, Gobuster, FFUF
  • Metasploit Framework
  • Exploit Development
  • Network Enumeration

Competitive Achievements

Track record of strong placements in national and international CTF competitions since October 2024.

Rank <30

HackTheBox India

All India Ranking on HTB Labs

Rank 4

IIT Bhubaneswar CTF

Best overall team placement to date

Rank 11

FooBar CTF 2025

NIT Durgapur · 64 competing teams

Rank 24

Pragyan CTF 2025

NIT Trichy · 440+ competing teams

Rank 58

Hack The Box Season 9

Global ranking among 9,500+ players

Elite

Hack The Box Status

Top tier ranking achieved

Publications & CTF Writeups

Selected writeups and technical posts where I break down CTF challenges, methodologies, and mitigations.

RSTCON 2024 — Escalator
Privilege escalation writeup: found SUID binaries on the host and abused `/usr/bin/find` with `-exec` to spawn a root shell and read `/flag.txt`.
2024
PrivEsc Linux
Pearl CTF 2025 — oxmagic
Stego + media repair: extracted a Base64 string from image metadata, used it as a steghide passphrase, repaired a damaged WAV header, decoded Morse audio to recover the flag.
2025
Stego Forensics
ACECTF 2025 — Insanity Check
Logic & OSINT: used Discord role metadata and the Discord API to locate a PasteBin entry that contained the flag — a practical example of following breadcrumbs across services.
2025
OSINT API
PatriotCTF 2024 — Really Only Echo
Constrained shell challenge: leveraged `/bin/base64` inside an echo-only terminal to retrieve a base64-encoded flag and decode it to recover the final flag string.
2024
Pwn/Chal Linux
PatriotCTF 2024 — Give me four words, Vasily
Image analysis + geolocation: matched a satellite image online, extracted class name and coordinates, then used what3words to produce the three-word location included in the flag.
2024
OSINT Geolocation
H7CTF International — No Paste
Client-side bypass: deobfuscated page JS, discovered a hardcoded submission value that was blocked by paste/input handlers, then set the field and triggered the submit function to retrieve the flag.
2024
Web Client-side Exp
IRON CTF 2024 — b64SiteViewer
App logic & host checks: audited a Flask app that was intended to restrict `/admin` to localhost; bypassed the naive IP check using `127.1` to execute commands and reveal environment variables containing the flag.
2024
Web RCE
HackMD profile — Collection of notes
A hub for all my CTF writeups and technical notes — visit the profile to browse the full set of posts and linked repositories.
Index Writeups

Education & Career Goals

St Aloysius (Deemed To Be University)

2025 – 2029

Currently pursuing a bachelor's degree with a focus on cybersecurity and information security.

International Junior College, Hyderabad

2022 – 2024

Completed senior secondary education with Physics, Chemistry, and Mathematics.

Oasis School, Hyderabad

Up to 2022

Completed secondary education with CBSE.

Develop comprehensive penetration testing and network security expertise through hands-on practice and continued competitive participation.
Pursue a long-term career in cybersecurity and vulnerability research, contributing to enterprise security and open-source security tools.

Languages

English: Fluent
Hindi: Native
Urdu: Native
Telugu: Basic

Get in Touch

Open to collaboration, research opportunities, and professional networking.