Cracking Time-Based Tokens: A Glimpse from a Workshop During leHACK 2025-Singularity

· 9 min read

On the night of June 28th, 2025 (technically June 29th, because the workshop was at 3AM — yes, 3 in the morning), I attended a hands-on workshop at leHACK 2025 Singularity, titled:

“Insecure time-based secret in web applications and Sandwich attack exploitation”
by Tom Chambaretaud — Technical Lead @YesWeHack & Bug Bounty Hunter

This blog post covers only a small part of the workshop: the exploitation of password reset tokens based on PHP's uniqid() function.
For more advanced scenarios and techniques (MongoDB ObjectIDs, rainbow tables, etc.), I highly recommend checking out Tom’s blog:
👉 https://www.aeth.cc

Deploying a Cybersecurity Lab on VirtualBox

· 4 min read

This post is a work in progress — updates coming soon!

This article kicks off a comprehensive series on building a modular cybersecurity lab on VirtualBox — at zero cost. Every component is based on well-maintained, open-source software, with no proprietary licenses required.

💡 Want to go straight into the build process? Jump to:
Building the Cybersecurity Homelab

Network Diagram
