4-day longest streak
███╗ ███╗██╗ ██╗██████╗ ███████╗ █████╗ ██╗ ██╗███╗ ██╗ ████╗ ████║██║ ██║██╔══██╗██╔════╝██╔══██╗██║ ██║████╗ ██║ ██╔████╔██║██║ ██║██████╔╝███████╗███████║██║ ██║██╔██╗ ██║ ██║╚██╔╝██║██║ ██║██╔══██╗╚════██║██╔══██║██║ ██║██║╚██╗██║ ██║ ╚═╝ ██║╚██████╔╝██║ ██║███████║██║ ██║███████╗██║██║ ╚████║ ╚═╝ ╚═╝ ╚═════╝ ╚═╝…
███╗ ███╗██╗ ██╗██████╗ ███████╗ █████╗ ██╗ ██╗███╗ ██╗
████╗ ████║██║ ██║██╔══██╗██╔════╝██╔══██╗██║ ██║████╗ ██║
██╔████╔██║██║ ██║██████╔╝███████╗███████║██║ ██║██╔██╗ ██║
██║╚██╔╝██║██║ ██║██╔══██╗╚════██║██╔══██║██║ ██║██║╚██╗██║
██║ ╚═╝ ██║╚██████╔╝██║ ██║███████║██║ ██║███████╗██║██║ ╚████║
╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝╚══════╝╚═╝╚═╝ ╚═══╝
███╗ ███╗ ██████╗ ██╗ ██╗ █████╗
████╗ ████║██╔═══██╗██║ ██║ ██╔══██╗
██╔████╔██║██║ ██║██║ ██║ ███████║
██║╚██╔╝██║██║ ██║██║ ██║ ██╔══██║
██║ ╚═╝ ██║╚██████╔╝███████╗███████╗██║ ██║
╚═╝ ╚═╝ ╚═════╝ ╚══════╝╚══════╝╚═╝ ╚═╝

bash
mursalin@kali:~$ cat whoami.txt
yaml
Name : Mursalin Molla
Alias : TheMursalin
Location : Kolkata, India
Degree : BCA @ IGNOU (2025 - 2027)
Role : Penetration Tester · Security Researcher · Bug Bounty Hunter
Experience : Security Analyst Intern @ Craw Cyber Security (6 months)
Cert : OSCP - In Progress
Open To : Junior Pentester · VAPT Analyst · Remote / International Roles
Motto : "Break things ethically. Fix things responsibly."
Current Ops
bash
mursalin@kali:~$ systemctl status current_ops
● WEBSCOUT.service
Status : active (running)
Desc : Web recon & CVE fingerprinting CLI
Detects : 30+ technologies · CVE cross-reference · header/cookie audits
● BAC_HUNTER_V3.service
Status : active (running)
Desc : Broken Access Control testing suite
Covers : 19+ test cases · IDOR · JWT bypass · verb tampering · mass assignment
● SSRF_KILLER.service
Status : active (running)
Desc : SSRF detection & exploitation framework
Covers : 300+ bypass payloads · 9 cloud metadata targets · OOB detection
● oscp_prep.service
Status : active (running)
Tasks : HTB machines · manual exploitation · reverse shell delivery · AD attacks
📁 WebScout · 📁 BAC Hunter V3 · 📁 SSRF Killer v2.0
Loadout
bash
mursalin@kali:~$ pacman -Q | grep skills
offensive-security [installed]
!Web App Pentesting
!Network Pentesting
!Active Directory Attacks
!VAPT
!OWASP Top 10
!Bug Bounty
pentesting-arsenal [installed]
!Burp Suite
!Nmap
!Metasploit
!SQLMap
!FFUF
!BloodHound
!Wireshark
!Hashcat
!Amass
!Nikto
languages-cloud-os [installed]

Writeups & CTF Notes
🐱 I publish HTB walkthroughs and CTF writeups right here on GitHub.
Star ⭐ this profile and follow @TheMursalin to get notified when a new one drops!
Machines covered so far:Antique · Usage · CozyHosting · Broker · Sau · Expressway · Cicada · UnderPass · Headless · Escape · Remote · Mailing · Active · Forest · Busqueda · *(more dropping regularly)*
| 🐱 GitHub Writeups | 📺 YouTube |
|:---:|:---:|
| github.com/TheMursalin — ⭐ Follow! | Root With Mursalin — HTB walkthroughs |
Open Source Tools
- 🔍 WebScout — Web recon & CVE detection CLI. Fingerprints 30+ technologies (CMS, JS frameworks, web servers, CDNs), cross-references a CVE database, and audits HTTP security headers with severity-tagged JSON/HTML reports.
- 🎯 BAC Hunter V3 — Broken Access Control testing suite automating 19+ test cases — IDOR, JWT bypass, HTTP verb tampering, mass assignment — with a differential response comparison engine, CVSS scoring, and dark-themed HTML reports.
- 🛰️ SSRF Killer v2.0 — SSRF detection and exploitation framework with 300+ bypass payloads, multi-protocol support, cloud metadata harvesting across 9 cloud providers, and out-of-band (OOB) detection.
Experience
bash
mursalin@kali:~$ cat experience.log
> ♦️ Security Analyst Intern — Craw Cyber Security · *Sep 2025 – Mar 2026*
> - Worked on real-world cybersecurity projects, delivering results within deadlines
> - Gained hands-on exposure to threat analysis, vulnerability assessment, and security monitoring
> - Assisted in identifying and mitigating risks across systems and networks
> - Collaborated with senior analysts to strengthen organizational security posture
Achievements
| 🥷 HTB Rank | 🌍 TryHackMe | 🚩 CTFs | 🐛 Disclosures | 🔒 Certification |
|:---:|:---:|:---:|:---:|:---:|
| #899 / 2M+ users | Top 8% Worldwide | 150+ Solved | Grammarly (HackerOne) | OSCP — In Progress |
GitHub Analytics


bash
mursalin@kali:~$ ssh-keyscan --social
bash
mursalin@kali:~$ echo $MOTTO
*"Break things ethically. Fix things responsibly."* — Mursalin 🎯
-
network-scanner ★ PINNED
A Network Security Scanner in Python that discovers hosts with Nmap, detects open ports/services, grabs banners, runs basic vulnerability checks, and generates HTML and JSON reports for analysis.
Python ★ 0 6mo agoExplain → -
phish-detect ★ PINNED
A machine learning project for phishing email detection using Python, scikit-learn, and feature engineering.
Python ★ 0 10mo agoExplain → -
webscout ★ PINNED
WebScout is an open-source reconnaissance and vulnerability assessment tool designed to fingerprint web technologies, audit HTTP security headers, and surface known CVEs for detected libraries and frameworks — all from a single Python script.
Python ★ 0 3mo agoExplain → -
bachunter ★ PINNED
BAC Hunter is a low-noise, bug-bounty-ready Python suite for detecting Broken Access Control vulnerabilities — the #1 vulnerability class in the OWASP Top 10 (A01:2021). It automates 19 targeted test cases covering everything from basic admin panel enumeration to JWT algorithm bypass, all with stealth controls designed for real-world engagements.
Python ★ 3 2mo agoExplain → -
Blackfield_Walkthrough
Blackfield was a beautiful Windows Activity directory box
★ 1 1mo agoExplain → -
Algernon
No description.
★ 0 3d agoExplain → -
Themursalin
No description.
★ 0 13d agoExplain → -
TheMursalin.github.io
No description.
HTML ★ 0 14d agoExplain → -
Twiggy
No description.
★ 0 22d agoExplain → -
demoss
No description.
★ 0 25d agoExplain → -
Atom
No description.
★ 0 25d agoExplain → -
Outdated
No description.
★ 0 29d agoExplain → -
Absolute
No description.
★ 0 1mo agoExplain → -
Mentor
No description.
★ 0 1mo agoExplain → -
Jeeves
No description.
★ 0 1mo agoExplain → -
Intelligence_Walkthrough
No description.
★ 0 1mo agoExplain → -
StreamIO_Walkthrough
No description.
★ 0 1mo agoExplain → -
Support_Walkthrough
No description.
★ 0 1mo agoExplain → -
ServMon_Walkthrough
No description.
★ 0 1mo agoExplain → -
Escape_Walkthrough
No description.
★ 0 1mo agoExplain → -
Pandora_Walkthrough
No description.
★ 0 1mo agoExplain → -
Magic_Walkthrough
No description.
★ 0 1mo agoExplain → -
CozyHosting_Walkthrough
No description.
★ 0 2mo agoExplain → -
SSRFKiller
Advanced SSRF detection and exploitation framework — bypass payloads, cloud metadata harvesting, internal port scanning, gopher/dict/ldap attacks, and JSON reporting.
Python ★ 0 2mo agoExplain → -
Networked_Walkthrough
No description.
★ 0 2mo agoExplain → -
Boardlight_Walkthrough
No description.
★ 0 2mo agoExplain → -
Soccer_Walkthrough
No description.
★ 0 2mo agoExplain → -
Intentions_Walkthrough
No description.
★ 0 2mo agoExplain → -
Broker_Walkthrough
No description.
★ 0 2mo agoExplain → -
Help_Walkthrough
No description.
★ 0 2mo agoExplain → -
CVE-2026-31431
No description.
Python ★ 0 2mo agoExplain → -
CVE-2025-32432
No description.
Python ★ 0 2mo agoExplain → -
Certified_Walkthrough
No description.
★ 0 2mo agoExplain → -
Titanic_Walkthrough
No description.
★ 0 2mo agoExplain → -
Administrator_Walkthrough
No description.
★ 0 2mo agoExplain → -
Dog_Walkthrough
No description.
★ 0 2mo agoExplain → -
Fluffy_Walkthrough
No description.
★ 0 2mo agoExplain → -
TheFrizz_Walkthrough
No description.
★ 0 2mo agoExplain → -
Backdrop_CMS_1.27.1_Exploit
No description.
Python ★ 0 2mo agoExplain → -
TombWatcher_Walkthrough
No description.
★ 0 2mo agoExplain → -
bushqueda_walkthrough
No description.
★ 0 2mo agoExplain → -
Active_Walkthrough_HTB
Active is one of those boxes that every person studying Active Directory security should do at least once. It is rated Easy, but the techniques it covers — GPP password decryption and Kerberoasting — are things you will encounter in real penetration tests. Not CTF tricks. Real attack paths that have compromised actual organizations
★ 0 3mo agoExplain → -
HTB-Mailing-A-Complete-Walkthrough
If you've been grinding through HackTheBox machines, Mailing is one of those boxes that genuinely teaches you something. It's rated Easy, runs on Windows, and chains together a few real-world vulnerabilities — a directory traversal, a credential leak, CVE-2024-21413, and a LibreOffice macro exploit. Let's walk through it step by step.
★ 0 3mo agoExplain → -
Editor_Walkthrough
No description.
★ 0 2mo agoExplain → -
Sau_Walkthrough-
No description.
★ 0 2mo agoExplain →
No repos match these filters.