Kelvin Security Labs

https://kelvin-0110.github.io/Kelvin Security LabsHands-on cybersecurity labs, TryHackMe writeups, and penetration testing notes covering web exploitation, privilege escalation, and real-world attack techniques. # UPDATED 2026-06-09T20:32:09+05:30 Kelvin https://kelvin-0110.github.io/ Jekyll © 2026 Kelvin /assets/img/favicons/favicon.ico /assets/img/favicons/favicon-96x96.png Unrestricted File Upload Leads to Remote Code Execution | Calliope Gallery2026-06-09T19:00:00+05:30 2026-06-09T20:28:55+05:30 https://kelvin-0110.github.io/posts/calliope-gallery-unrestricted-file-upload/ Shivansh Sharma

Lab Link Lab: Calliope Gallery Overview Calliope Gallery allows artists to upload portfolio images through their account dashboard. A forgotten configuration change introduced for an image thumbnailing integration caused uploaded files to be processed by PHP within the upload directory. By uploading a specially crafted JPEG containing PHP code, it was possible to achieve Remote Code Executi...

XXE Injection via Envelope Import Leads to Arbitrary File Read | Foldmark2026-06-09T18:00:00+05:30 2026-06-09T20:28:55+05:30 https://kelvin-0110.github.io/posts/foldmark-xxe-injection/ Shivansh Sharma

Lab Link Lab: Foldmark Overview Foldmark is a document envelope platform that allows organizations to import XML envelopes from competing e-signature providers. The importer parses user-supplied XML files and renders a preview containing the signer, document title, timestamp, and organization. Because external entity processing was enabled, the XML parser was vulnerable to XML External Enti...

Local File Inclusion via Template Router | CostThis2026-06-09T10:30:00+05:30 2026-06-09T20:28:55+05:30 https://kelvin-0110.github.io/posts/costthis-local-file-inclusion/ Shivansh Sharma

Lab Link Lab: CostThis Overview CostThis uses a simple page router that dynamically loads content from files stored on disk. The page being rendered is controlled through a URL parameter, making the application susceptible to Local File Inclusion (LFI). By abusing directory traversal sequences, it was possible to force the application to include arbitrary files from the server filesystem an...

IDOR in Password Reset API Leads to Administrator Account Takeover | TheForms2026-06-08T23:00:00+05:30 2026-06-09T20:28:55+05:30 https://kelvin-0110.github.io/posts/theforms-idor-account-takeover/ Shivansh Sharma

Lab Link Lab: TheForms Overview TheForms is a community platform featuring chat functionality, user profiles, and administrative controls. During testing, the password reset functionality was found to rely solely on a user UUID embedded within the request path. Because the endpoint failed to verify ownership of the target account, any authenticated user could reset the password of another u...

JWT Algorithm Confusion Leads to Privilege Escalation | Halftone Studio2026-06-08T20:00:00+05:30 2026-06-09T20:28:55+05:30 https://kelvin-0110.github.io/posts/halftone-studio-jwt-algorithm-confusion/ Shivansh Sharma

Lab Link Lab: Halftone Studio Overview Halftone Studio recently migrated from API keys to JWT-based authentication. During the migration, support was temporarily expanded to accommodate multiple token formats. The application exposes its public verification key and JWT metadata, creating the conditions for a JWT Algorithm Confusion vulnerability. By abusing the verifier’s trust in the token...