Build a pentest machine from Pi/Arduino/ESP32, master Flipper/Proxmark/HackRF/JTAG, learn 0-day research + responsible disclosure, and graduate CTF mastery — culminating in red-team field operations.
This is the advanced track for builders who want to operate at the edge: hardware-class attacks, original vulnerability research, and competition-grade CTF skill. The course walks the full stack: build the pentest machine (Pi/Arduino/ESP32 selection, form factor, power, LTE exfil, custom Kali); operate dropboxes (LUKS + kill switches, Sliver/Mythic C2, pivoting); attack wireless (Wi-Fi handshakes/PMKID, Pineapple, BLE, Zigbee, LoRa); deliver HID payloads (Rubber Ducky v3, Bash Bunny, O.MG cable, Digispark, P4wnP1); play with RF (Flipper Zero, sub-GHz, NFC/RFID, Proxmark3, HackRF/RTL-SDR); hardware-hack (UART, JTAG/SWD, SPI flash dump, I2C, ChipWhisperer + DPA/CPA + glitching); analyse firmware (binwalk, Ghidra, QEMU + FirmAE, bootloader/U-Boot escape, IoT bug hunting); do 0-day research (vuln classes, AFL++/libFuzzer/syzkaller, exploit primitives + ROP, mitigation bypasses, responsible disclosure + Pwn2Own/ZDI); master CTFs (categories + beginner ladder + HTB + THM + PortSwigger Academy + pwn.college + live CTFs + your own methodology); and put it together as red-team field operations. Anchored in real devices (Pi 5, Flipper Zero, HackRF One, Proxmark3 RDV4, ChipWhisperer-Nano), real frameworks (Sliver, Mythic, AFL++, syzkaller, Ghidra), real CTF platforms (HackTheBox, TryHackMe, pwn.college, CTFtime, PortSwigger Web Security Academy), and real disclosure venues (Project Zero, ZDI, Pwn2Own). Five capstones (you pick one): Pi dropbox + LTE C2, custom HID payload + detection rule, end-to-end RF attack chain, firmware-to-CVE on a $30 device, 10 medium-difficulty CTF writeups across categories.
Built by Lakshya Kumar
Paste this into any AI chat. Fill in the bracketed parts with your context — you'll get back a straight answer on whether this belongs on your plate.
We grant free access case-by-case — students, career-switchers, builders on a tight budget.
Complete all modules, then submit the required number of capstone projects. Each must earn a passing rating from an admin reviewer.
Build a complete Pi dropbox: LUKS-encrypted root, GPIO tamper-triggered LUKS-header nuke, 72-hour dead-man timer, Sliver implant with mTLS to a redirector VPS, autossh fallback, LTE/4G out-of-band exfil. Stand it up on a hostile-network sim, verify C2 beacons + each kill-switch path. Submit config bundle + logs + photos.
Pick one HID platform (Rubber Ducky / Bash Bunny / Digispark / Flipper / P4wnP1). Build a payload that detects OS, opens a reverse shell to your lab C2, and self-cleans. Then write the defensive side: a Sysmon/auditd rule that detects the payload's behaviour. Submit payload source, video, detection rule, and detection logs.
I am learning advanced hardware-class pentesting + 0-day research + competition-grade CTFs — building a pentest machine from Raspberry Pi / Arduino / ESP32, choosing form factor (workstation / drop box / implant), running custom Kali (Pi-Tail, NetHunter, Sticky Fingers), persistence with LUKS + kill switches, C2 with Sliver / Mythic / Havoc, pivoting via ligolo-ng / chisel, wireless attacks (PMKID, WPS, evil twin, EAPHammer, BLE with Sniffle, Zigbee with Killerbee, LoRa), HID/USB attacks (Rubber Ducky DuckyScript v3, Bash Bunny, O.MG Cable, Digispark, P4wnP1), RF/NFC (Flipper Zero, Proxmark3 RDV4, HackRF One + GNU Radio, RTL-SDR, IR, iButton), hardware hacking (UART, JTAG/SWD with OpenOCD, SPI flash with flashrom, I2C with Saleae, ChipWhisperer + DPA/CPA + voltage glitching), firmware analysis (binwalk, Ghidra, QEMU + FirmAE + firmadyne, U-Boot escape, Mirai-class IoT bugs), 0-day vulnerability research (AFL++, libFuzzer, syzkaller, triage, exploit primitives + ROP/JOP, ASLR/KASLR/SMEP/SMAP/CFI bypass, responsible disclosure via Project Zero / ZDI / Pwn2Own), and CTF mastery (HackTheBox + Pro Labs, TryHackMe, picoCTF, OverTheWire, PortSwigger Academy, pwn.college, DEF CON CTF, Google CTF). Help me work through the actual mechanics with reference to real devices, real CVEs, real CTF platforms, and real disclosure paths — always on equipment I own or have written authorisation to test.
Pick one authorised RF scenario in your own lab (Faraday-shielded): 125 kHz LF fob clone with Flipper + Proxmark, 433 MHz fixed-code capture+replay with HackRF + GNU Radio, or IR remote replay. Document equipment, frequencies, captures, legal basis, and a defensive recommendation. Submit photos, recordings, writeup.
Buy a $30-50 IoT device. Extract firmware (UART/JTAG/SPI). Reverse-engineer in Ghidra. Find one CVE-class bug (cmd injection / hardcoded cred / overflow / auth bypass). Reproduce on the real device. Write a full security advisory with CVSS. Optionally responsibly disclose to the vendor with a 90-day embargo. Submit advisory + PoC + reproduction logs.
Solve 10 medium-difficulty challenges across 3+ categories from HTB / TryHackMe / picoCTF / PortSwigger Academy. For each, write a complete walkthrough on a public blog or GitHub: enumeration, hypothesis-elimination, exploitation, takeaway. The walkthroughs are the deliverable — they prove how you think, not just what you solved.