More than 10 years inside adversary footprints. Red-team operator, exploit author, field researcher — designing intrusions across infrastructure, web, mobile, API and cloud surface. Stealth, discipline, precision.
proceed ↓Architecting intrusions across infrastructure, web, API, mobile, and cloud.
Red Team — full-scope adversary emulation against hardened enterprise and government estates. Author of Velocity, a fully-interactive TUI C2, alongside EDR evasion primitives, Active Directory abuse chains, and phishing infrastructure built to move quietly.
Bug Bounty — over 150 critical vulnerabilities disclosed across Synack and public programs. Remote code execution, authentication bypass, API takeover, cloud misconfiguration, and the occasional zero-day — surfaced through custom exploits and purpose-built recon automation.
CTF — capturing flags since 2011, currently with DeadSec and Friendly Maltese Citizens.
⟦V⟧──▶──◉ │ C2 │ ◉──▶──⟦0⟧
The first fully-interactive TUI C2 framework — Python orchestration, Zig-powered implants. Fully customizable malleable profiles, multi-agent fleet handling, and entire operations driven from a single terminal window. Lightweight, blazing fast, with an optional web console. Opsec engineered from the socket up.
release · tbd ◴ ╱╲_╱╲
( -.-)
o_(")(")
★ 400+
Passive subdomain discovery aggregating dozens of sources. 400+ stars. v1.3 ships advanced tech detection, filtering, and reverse-lookup mode for deeper subdomain intelligence.
view repository →┌─[SQLi] │ 0x27 └─▶ drop
Blind and time-based SQL injection automation with payload fuzzing and extraction routines tuned for latency-delicate targets.
view profile →┬┴┬┴┐ ┤◎└── ┬┴┬┴┘
A deliberately tiny Windows reverse shell — minimal footprint, fast deploy, built for constrained egress and small staging windows.
view repository → ╭────╮
│ 🗝 │
╰─┬──╯
▼ SYSTEM
Local Privilege Escalation from Windows service accounts to NT AUTHORITY\SYSTEM — SeBackupPrivilege token abuse, a pocket variant of the potato family for opportunistic ops.
Unsafe eval() inside a dynamic backend router turned a benign frontend breadcrumb into arbitrary PHP execution. A walkthrough of how a routing primitive — hidden behind minified client code — escalated to full remote code execution.
Fingerprinting gRPC-Web traffic via HTTP headers, decoding base64 payloads, and rebuilding Protocol Buffer schemas from minified JavaScript. Practical techniques for operators hitting modern RPC surfaces.
Walkthrough of the HackTheBox Luke machine — REST API enumeration, JWT authentication abuse, PHP source leakage, and Ajenti-based foothold to shell.
Walkthrough of the NekoCat web challenge from CSAW CTF 2018 Finals — chaining stored XSS against an admin bot to leak a secret, forging cookies, and landing Python pickle RCE on a Flask backend.
$ whoami marouane belabbassi · senior offensive security specialist $ locate --available engagements · red-team · appsec · research · mentoring $ cat contact.yaml
$ echo "end-of-transmission" > /dev/stdout