Aspiring Penetration Tester

Waqqas Hejazi

CTF competitor and security researcher specializing in web exploitation, Active Directory pentesting, and digital forensics. Team leader with a proven track record in competitive cybersecurity challenges.

Rank 4
Best CTF Placement
Elite
Hack The Box Status
Oct 2024
CTF Career Start

About

Based in Mangaluru, India, I focus on competitive CTF challenges and security research. My expertise spans web application security, enterprise Active Directory environments, digital forensics, and reverse engineering. I lead an active CTF team and have participated in a lot of competitions online.

Technical Skills

Core Security Domains

  • Web Application Security (LFI, RCE, SQLi, SSTI)
  • Authentication Bypass & Service Misconfiguration
  • Active Directory & Enterprise Security
  • Kerberos, AD CS, BloodHound, GPO Abuse
  • Digital Forensics & Incident Response
  • Cryptography & Applied Cryptanalysis
  • Reverse Engineering (Static & Dynamic)

Analysis & CTF Tools

  • CyberChef, Wireshark
  • Autopsy, Volatility
  • Radare2, Ghidra
  • BloodHound, Impacket Suite
  • Custom Tooling Development

Penetration Testing

  • Burp Suite Professional
  • Nmap, Gobuster, FFUF
  • Metasploit Framework
  • Exploit Development
  • Network Enumeration

Projects

Selected projects spanning browser-based tooling, technical publishing, and CLI automation for repeatable security workflows.

Live
Browser Diagramming Tool
ArcFlow
Browser-based diagramming tool for building clean node-and-edge flow diagrams with custom styling, smart snapping, JSON save/load, and SVG, PNG, or JPG export. Runs entirely in the browser with no backend, no dependencies, and no build step.
Featured build
Diagramming Web SVG Export JSON
Active
Publishing Platform
WaqqasSec Writeup Platform
A dedicated home for long-form CTF writeups and technical breakdowns, giving challenge analysis a cleaner reading surface than a simple profile feed.
Ongoing
Writeups Web Knowledge Base
Active and Upgrading
CLI Toolkit
Waqqas Toolset
Opinionated CLI toolkit for CTF, Hack The Box, lab, and repeatable Linux setup workflows, with commands for project scaffolding, notes, recon wrappers, archive handling, and workflow management.
Open source
CLI CTF HTB Linux

Competitive Achievements

Track record of strong placements in national and international CTF competitions since October 2024.

Rank <30

HackTheBox India

All India Ranking on HTB Labs

Rank 4

IIT Bhubaneswar CTF

Best overall team placement to date

Rank 11

FooBar CTF 2025

NIT Durgapur · 64 competing teams

Rank 24

Pragyan CTF 2025

NIT Trichy · 440+ competing teams

Rank 58

Hack The Box Season 9

Global ranking among 9,500+ players

Elite

Hack The Box Status

Top tier ranking achieved

Publications & CTF Writeups

Selected writeups and technical posts where I break down CTF challenges, methodologies, and mitigations.

RSTCON 2024 — Escalator
Privilege escalation writeup: found SUID binaries on the host and abused `/usr/bin/find` with `-exec` to spawn a root shell and read `/flag.txt`.
2024
PrivEsc Linux
Pearl CTF 2025 — oxmagic
Stego + media repair: extracted a Base64 string from image metadata, used it as a steghide passphrase, repaired a damaged WAV header, decoded Morse audio to recover the flag.
2025
Stego Forensics
ACECTF 2025 — Insanity Check
Logic & OSINT: used Discord role metadata and the Discord API to locate a PasteBin entry that contained the flag — a practical example of following breadcrumbs across services.
2025
OSINT API
PatriotCTF 2024 — Really Only Echo
Constrained shell challenge: leveraged `/bin/base64` inside an echo-only terminal to retrieve a base64-encoded flag and decode it to recover the final flag string.
2024
Pwn/Chal Linux
PatriotCTF 2024 — Give me four words, Vasily
Image analysis + geolocation: matched a satellite image online, extracted class name and coordinates, then used what3words to produce the three-word location included in the flag.
2024
OSINT Geolocation
H7CTF International — No Paste
Client-side bypass: deobfuscated page JS, discovered a hardcoded submission value that was blocked by paste/input handlers, then set the field and triggered the submit function to retrieve the flag.
2024
Web Client-side Exp
HackTheBox — Editor
XWiki RCE → Foothold → SSH access → SUID privilege escalation via Netdata. Leveraged XWiki exploit chain (CVE-2025-24893) to achieve remote code execution, identified credentials for user access, and exploited a SUID Netdata component (CVE-2024-32019) to obtain root shell.
2026
Web RCE Privesc
HackMD profile — Collection of notes
A hub for all my CTF writeups and technical notes — visit the profile to browse the full set of posts and linked repositories.
Index Writeups

Education & Career Goals

St Aloysius (Deemed To Be University)

2025 – 2029

Currently pursuing a bachelor's degree with a focus on cybersecurity and information security.

International Junior College, Hyderabad

2022 – 2024

Completed senior secondary education with Physics, Chemistry, and Mathematics.

Oasis School, Hyderabad

Up to 2022

Completed secondary education with CBSE.

Develop comprehensive penetration testing and network security expertise through hands-on practice and continued competitive participation.
Pursue a long-term career in cybersecurity and vulnerability research, contributing to enterprise security and open-source security tools.

Languages

English
Fluent
Hindi
Native
Urdu
Native
Telugu
Basic

Get in Touch

Open to collaboration, research opportunities, and professional networking.