Who is Wathsala Dewmina?

Wathsala Dewmina, also known as PwnedCake, is an Offensive Security Researcher, Red Teamer, and Penetration Tester from Sri Lanka. He is a Top 3 CTF player in Sri Lanka on HackTheBox and TryHackMe, and holds certifications including CPTS, CRTA, and EJPT.

PwnedCake is the online alias of Wathsala Dewmina, an Offensive Security Researcher specializing in Active Directory exploitation, web application security, and CTF challenges. He shares HackTheBox writeups and security research on his blog.

What certifications does PwnedCake have?

PwnedCake (Wathsala Dewmina) holds multiple security certifications including CPTS (Certified Penetration Testing Specialist), CRTA (Certified Red Team Analyst), eJPT (eLearnSecurity Junior Penetration Tester), and AD-RTS (Active Directory Red Team Specialist).

HackTheBox - RustyKey Writeup

A detailed walkthrough of the RustyKey machine from HackTheBox, featuring Timeroasting, DACL abuse, DLL hijacking via 7-Zip shell extensions, and Resource-Based Constrained Delegation for complete domain compromise.

Nov 11, 2025 HackTheBox, Hard

HackTheBox CodePartTwo Machine Writeup by PwnedCake

HackTheBox CodePartTwo Writeup - Easy Linux Machine

Complete walkthrough of HackTheBox CodePartTwo machine by Wathsala Dewmina (PwnedCake). An Easy Linux machine exploiting CVE-2024-28397 js2py sandbox escape vulnerability for RCE and abusing npbackup-cli for privilege escalation to root.

Nov 4, 2025 HackTheBox, Easy

HackTheBox WhiteRabbit Machine Writeup by PwnedCake

HackTheBox WhiteRabbit Writeup - Insane Linux Machine

Complete walkthrough of HackTheBox WhiteRabbit machine by Wathsala Dewmina (PwnedCake). An Insane-level Linux machine featuring Uptime Kuma enumeration, HMAC-signed SQL injection bypass, Restic backup abuse for privilege escalation, and password generator reverse engineering.

Jun 3, 2025 HackTheBox, Insane

HackTheBox - Code Writeup

A detailed walkthrough of the Code machine from HackTheBox, featuring Server-Side Template Injection (SSTI) exploitation and privilege escalation via backup script manipulation.

Mar 29, 2025 HackTheBox, Easy

HackTheBox Infiltrator Machine Writeup by PwnedCake

HackTheBox Infiltrator Writeup - Insane Active Directory Machine

Complete walkthrough of HackTheBox Infiltrator machine by Wathsala Dewmina (PwnedCake). An Insane-level Active Directory machine featuring Kerberos AS-REP roasting, BloodHound DACL exploitation, Output Messenger abuse, GMSA password reading, and ADCS ESC4 privilege escalation to Domain Admin.

Jan 19, 2025 HackTheBox, Insane

HackTheBox Challenge - ProxyAsAService

Exploiting URL parsing inconsistencies and SSRF to bypass localhost restrictions and extract environment variables from a Flask debug endpoint.

Jan 15, 2025 HackTheBox, Web Challenges