Security Researcher

PRANTO KUMAR SHIL

My focus is offensive security — breaking systems down methodically, mapping attack surfaces, and chaining vulnerabilities into real impact. Not running tools. Understanding what's underneath them.

Pranto Kumar Shil
pran0x // available
Available for engagements
PGP: 0xDEADBEEF
TZ: UTC+6 (Dhaka)

01 // Hall of Fame

Responsible Disclosures

Vulnerabilities responsibly disclosed to organizations worldwide. All details withheld per coordinated disclosure agreements.


// Details withheld per responsible disclosure policy

02 // About

Who I Am

My work centers on web application security and penetration testing — rooted in deep enumeration, trust boundary analysis, and adversary simulation. I don't stop at finding a vulnerability. I follow the chain until the full impact is clear.

I'm driven by one question: how would an attacker get in? That mindset shapes how I approach every target, every assessment, and every system I touch.

2+ CVEs Reported
12+ Pentest Engagements
$5K+ Bug Bounty Earned
Top 1% HackTheBox Rank

03 // Skills

Capabilities

Web Security

  • OWASP Top 10 & Beyond
  • SQL / NoSQL Injection
  • XSS, CSRF, SSRF
  • OAuth & JWT Attacks
  • API Security Testing
  • GraphQL Exploitation
  • Business Logic Flaws
  • Burp Suite Pro

Network Security

  • Network Reconnaissance
  • Protocol Analysis
  • Man-in-the-Middle Attacks
  • Firewall / IDS Evasion
  • Active Directory Attacks
  • Lateral Movement
  • Wireshark / tcpdump
  • Nmap / Masscan

Penetration Testing

  • Red Team Operations
  • Physical Security
  • Social Engineering
  • Post-Exploitation
  • Privilege Escalation
  • Metasploit Framework
  • Custom Exploit Dev
  • Full Kill-Chain Attacks

Programming

  • Python (exploit scripts)
  • Bash / PowerShell
  • JavaScript / Node.js
  • C / C++ (low-level)
  • Go (tooling)
  • PHP (source review)
  • Assembly (x86/x64)

Vulnerability Research

  • CVE Research & Reporting
  • 0-day Discovery
  • Reverse Engineering
  • Binary Analysis
  • Fuzzing Techniques
  • IDA Pro / Ghidra
  • Responsible Disclosure

Cloud & Infrastructure

  • AWS / Azure Pentest
  • Container Escapes
  • Kubernetes Attacks
  • IAM Misconfiguration
  • Serverless Security
  • S3 / Blob Exposure
  • CI/CD Pipeline Attacks

Proficiency

Web Application Penetration Testing: 95%
Network Security & Recon: 90%
Vulnerability Research: 85%
Python / Exploit Development: 88%
Cloud Security: 75%
Reverse Engineering: 70%

04 // Work

Research & Findings

Bug Bounty HIGH — CVSS 8.1

SSRF to Internal AWS Metadata

Chained an open redirect with an SSRF vulnerability to exfiltrate AWS EC2 instance metadata including IAM credentials, leading to full cloud account compromise.

SSRF AWS Open Redirect Cloud
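The finding above hinges on a common implementation mistake: the application validated the user-supplied URL against an allow-list once, then let its HTTP client follow a redirect to wherever the allow-listed host pointed. The block below is an added example, not code from this page or its author. It shows the vulnerable fetch pattern beside a hardened one that re-validates every hop (scheme, allow-listed host, and the address the host resolves to) before requesting it. The HTTP transport, the DNS table, and the host names, paths and addresses are constructed so the example runs offline; none of them come from the engagement described above.

```python
"""Added example (not the page's or its author's code): an SSRF allow-list that
is checked only on the initial URL is defeated by an open redirect on the
allow-listed host, and a hardened fetcher that re-validates every hop.
The HTTP transport and DNS table are constructed so this runs offline; the
host names, paths and addresses are assumptions for illustration only."""
import ipaddress
from urllib.parse import parse_qs, urljoin, urlparse

# Assumed allow-list. "files.example" stands for an internal name that was
# allow-listed by mistake; the resolver check below catches that case.
ALLOWED_HOSTS = {"trusted.example", "files.example"}
DNS = {"trusted.example": "203.0.113.10", "files.example": "10.20.30.40"}  # constructed

# Ranges a fetcher should never connect to. 169.254.0.0/16 covers the EC2
# IMDS address 169.254.169.254; fc00::/7 covers its IPv6 address fd00:ec2::254.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]

IMDS_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials/app-role"
# The attacker's input: an allow-listed host whose /go endpoint is an open redirect.
ATTACKER_URL = "https://trusted.example/go?to=" + IMDS_URL


class SSRFBlocked(Exception):
    pass


def transport(url: str):
    """Constructed stand-in for an HTTP client. Returns (status, headers, body)."""
    p = urlparse(url)
    if p.hostname == "trusted.example" and p.path == "/go":
        # Open redirect: reflects ?to= into Location without validation.
        return 302, {"Location": parse_qs(p.query).get("to", [""])[0]}, b""
    if p.hostname == "169.254.169.254":
        return 200, {}, b'{"AccessKeyId": "ASIA-CONSTRUCTED", "SecretAccessKey": "..."}'
    if p.hostname == "trusted.example":
        return 200, {}, b"ok"
    return 404, {}, b""


def naive_fetch(url: str, max_redirects: int = 5) -> bytes:
    """Vulnerable pattern: allow-list checked once, then redirects followed blindly."""
    if urlparse(url).hostname not in ALLOWED_HOSTS:
        raise SSRFBlocked(url)
    for _ in range(max_redirects + 1):
        status, headers, body = transport(url)
        if status in (301, 302, 303, 307, 308):
            url = urljoin(url, headers["Location"])   # never re-checked: the bug
            continue
        return body
    raise RuntimeError("too many redirects")


def check_hop(url: str) -> None:
    """Reject a hop unless scheme, host and resolved address are all acceptable."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        raise SSRFBlocked(f"scheme not allowed: {url}")
    host = p.hostname or ""
    if host not in ALLOWED_HOSTS:
        raise SSRFBlocked(f"host not in allow-list: {url}")
    try:
        addr = ipaddress.ip_address(host)          # literal IP in the URL
    except ValueError:
        addr = ipaddress.ip_address(DNS[host])     # constructed resolver lookup
    if any(addr in net for net in BLOCKED_NETS):
        raise SSRFBlocked(f"{host} resolves to blocked address {addr}")
    # Production code should also connect to this resolved address rather than
    # resolving again at connect time, otherwise DNS rebinding reopens the hole.


def hardened_fetch(url: str, max_redirects: int = 5) -> bytes:
    """Hardened pattern: every hop, including each redirect target, is re-validated."""
    for _ in range(max_redirects + 1):
        check_hop(url)
        status, headers, body = transport(url)
        if status in (301, 302, 303, 307, 308):
            url = urljoin(url, headers["Location"])
            continue
        return body
    raise RuntimeError("too many redirects")


def is_blocked(url: str) -> bool:
    """True if the hardened fetcher refuses the URL or any hop it leads to."""
    try:
        hardened_fetch(url)
    except SSRFBlocked:
        return True
    return False


if __name__ == "__main__":
    print("naive   :", naive_fetch(ATTACKER_URL))            # leaks the fake IMDS credentials
    print("hardened:", is_blocked(ATTACKER_URL))             # True: redirect hop rejected
    print("internal:", is_blocked("https://files.example/x"))  # True: resolves into 10/8
```

Two caveats a reviewer would add: the allow-list check alone would not have stopped a literal-IP redirect target if the allow-list had ever contained an IP, which is why the resolved-address check runs on every hop regardless; and on AWS the stronger fix is on the instance side, enforcing IMDSv2 (a session token obtained with a PUT request, which a plain redirect-driven GET cannot supply) so that even a missed SSRF cannot read credentials.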
Network Pentest CRITICAL

AD Domain Takeover via Kerberoasting

Full Active Directory domain compromise achieved during a red team engagement by chaining Kerberoasting, password spraying, and a DCSync attack to gain Domain Admin.

Active Directory Kerberoasting DCSync Red Team
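The first link in that chain, Kerberoasting, has a well-understood footprint on the domain controller: one principal requests service tickets (Windows Security event 4769) for many SPN-bearing accounts in a short span, usually asking for RC4-HMAC (TicketEncryptionType 0x17) because RC4 tickets are far cheaper to crack offline than AES ones. The block below is an added example, not code from this page or its author, showing that detection logic run over constructed log lines. The one-line-per-event format is a constructed rendering of a few 4769 fields, not real EVTX or XML output, and the account names, service names, addresses and thresholds are assumptions.

```python
"""Added example (not the page's or its author's code): a detection for the
Kerberoasting stage of the chain above, run over constructed log lines.
Kerberoasting requests service tickets (Windows Security event 4769) for many
SPN-bearing accounts, typically asking for RC4-HMAC (encryption type 0x17) so
the ticket is cheaper to crack offline. The log format below is a constructed
one-line-per-event rendering of a few 4769 fields; the account names,
service names, addresses and thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

RC4_HMAC = 0x17          # TicketEncryptionType value for RC4-HMAC

# Constructed sample: routine AES (0x12) requests, one stray RC4 request from an
# old client, and a burst of RC4 requests from "jdoe" against six service accounts.
SAMPLE_4769 = """\
2024-05-01T09:00:01 requester=alice@CORP.LOCAL service=svc_sql etype=0x12 ip=10.1.1.5
2024-05-01T09:00:05 requester=bob@CORP.LOCAL service=svc_sql etype=0x17 ip=10.1.1.9
2024-05-01T09:03:40 requester=alice@CORP.LOCAL service=svc_http etype=0x12 ip=10.1.1.5
2024-05-01T09:12:00 requester=jdoe@CORP.LOCAL service=svc_sql etype=0x17 ip=10.1.1.42
2024-05-01T09:12:02 requester=jdoe@CORP.LOCAL service=svc_http etype=0x17 ip=10.1.1.42
2024-05-01T09:12:04 requester=jdoe@CORP.LOCAL service=svc_backup etype=0x17 ip=10.1.1.42
2024-05-01T09:12:07 requester=jdoe@CORP.LOCAL service=svc_sharepoint etype=0x17 ip=10.1.1.42
2024-05-01T09:12:09 requester=jdoe@CORP.LOCAL service=svc_exchange etype=0x17 ip=10.1.1.42
2024-05-01T09:12:15 requester=jdoe@CORP.LOCAL service=svc_reporting etype=0x17 ip=10.1.1.42
2024-05-01T09:30:12 requester=carol@CORP.LOCAL service=svc_http etype=0x12 ip=10.1.2.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) requester=(?P<requester>\S+) service=(?P<service>\S+) "
    r"etype=(?P<etype>0x[0-9a-fA-F]+) ip=(?P<ip>\S+)$"
)


def parse_events(text: str) -> list:
    """Parse the constructed log into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable line: {line!r}")
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "requester": d["requester"],
            "service": d["service"],
            "etype": int(d["etype"], 16),
            "ip": d["ip"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_kerberoasting(events, window=timedelta(minutes=5), min_distinct=5):
    """Alert when one requester obtains RC4 service tickets for at least
    `min_distinct` different service accounts inside a sliding `window`.
    Machine accounts (names ending in '$') are skipped: they legitimately
    request many tickets and would otherwise dominate the output."""
    recent = defaultdict(deque)        # requester -> deque of (ts, service)
    alerts = {}                        # requester -> alert, updated while the burst continues
    for e in events:
        if e["etype"] != RC4_HMAC or e["requester"].split("@")[0].endswith("$"):
            continue
        q = recent[e["requester"]]
        q.append((e["ts"], e["service"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()                # drop events that fell out of the window
        distinct = {s for _, s in q}
        if len(distinct) < min_distinct:
            continue
        a = alerts.setdefault(e["requester"], {
            "requester": e["requester"], "ip": e["ip"], "first_seen": q[0][0]})
        a["last_seen"] = e["ts"]
        a["services"] = sorted(distinct)
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_kerberoasting(parse_events(SAMPLE_4769)):
        print(f"{a['requester']} from {a['ip']}: {len(a['services'])} RC4 service "
              f"tickets between {a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}")
```

Three practical notes. Event 4769 is only logged when the "Audit Kerberos Service Ticket Operations" subcategory is enabled on the domain controllers. Service accounts that still have only RC4 keys produce 0x17 tickets for every legitimate client, so those accounts need to be tuned out or, better, migrated to AES. And the RC4 signal disappears when the attacker's tooling requests AES tickets for AES-enabled accounts, so the distinct-SPN-per-requester count should be kept as an independent rule rather than gated on the encryption type alone.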
Open Source Tool PUBLIC

AutoRecon-Web — Automated Web Recon

Built an open-source automated web reconnaissance framework integrating 30+ tools into a unified pipeline. 2,000+ GitHub stars. Used by CTF players and pentesters worldwide.

Python OSS Automation 2K+ Stars
CTF 1ST PLACE

CTF Champion — NationalCyberSec BD 2024

Captured first place in the National Cybersecurity CTF Bangladesh 2024, solving 47 of 50 challenges across web, forensics, cryptography, and binary exploitation.

CTF Web Crypto Pwn

05 // Contact

Get In Touch

Available for penetration testing engagements, bug bounty collaborations, security consulting, and responsible disclosure conversations. Response time typically within 24 hours.

// PGP Public Key

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBF...REPLACE WITH YOUR ACTUAL PGP KEY...ABAAKCRAm
7gK3xQRpAJ9...XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Key ID: 0xDEADBEEF
Fingerprint: XXXX XXXX XXXX XXXX XXXX
            XXXX XXXX XXXX XXXX XXXX

-----END PGP PUBLIC KEY BLOCK-----