
0xdf

@0xdf

Principal Training Architect @ HackTheBox
CTF Addict
"Potentially a legit researcher"
he/him
Website: https://0xdf.gitlab.io/
YouTube: https://www.youtube.com/c/0xdf0xdf
Twitter: 0xdf_
Discord: 0xdf
Mastodon: 0xdf@infosec.exchange

996 Followers
254 Following
352 Posts
Joined 15.07.2023

Latest posts by 0xdf @0xdf

HTB: Expressway
Expressway is a Linux box with only SSH and an IKE VPN service on UDP. I’ll use ike-scan in aggressive mode to leak the VPN identity and capture a pre-shared key hash, which cracks quickly with hashcat. Connecting to the IPSEC VPN doesn’t provide any additional attack surface, but the PSK works for SSH access. For privilege escalation, I’ll show exploitation of two different CVEs in sudo. In Beyond Root, I’ll look at the sudo config that allowed one of the exploits and show how to connect to the IPSec VPN with strongSwan.

Expressway from HackTheBox features IKE Aggressive Mode identity leaking and PSK cracking for SSH access. Privesc is CVEs in sudo. I'll show both hostname spoofing to bypass host-based sudoers rules, and chroot abuse via a malicious NSS library.

07.03.2026 17:56 👍 2 🔁 0 💬 0 📌 0
HTB: Barrier
Barrier is a Linux box with GitLab, Authentik, and Apache Guacamole. I’ll exploit a SAML signature bypass vulnerability in GitLab’s Ruby SAML library to forge a SAML assertion and log in as admin. From GitLab’s CI/CD variables, I’ll recover an Authentik API token and use it to create an admin account. With Authentik admin access, I’ll impersonate a user in Guacamole to get an SSH shell. From there, I’ll find database credentials for Guacamole’s MariaDB backend and extract an SSH private key and passphrase for another user. That user’s bash history contains a password that works with sudo to get root.

Barrier from VulnLab now on HackTheBox features a SAML signature bypass to get GitLab admin, Authentik API abuse via a CI/CD token, SSH key extraction from Guacamole's MariaDB, and a password in bash history for root.

03.03.2026 10:14 👍 4 🔁 1 💬 0 📌 0
HTB: Guardian
Guardian is a Linux box hosting a university portal built with PHP. I’ll exploit an IDOR in the chat feature to find Gitea credentials, then use the source code to identify a vulnerability in PhpSpreadsheet that allows XSS through a malicious XLSX file to steal a lecturer’s session cookie. From the lecturer account, I’ll combine a CSRF vulnerability with a weak CSRF token implementation to create an admin account. As admin, I’ll abuse a local file include with PHP filter chain injection to get RCE. After cracking a database password hash, I’ll pivot through users by modifying a writable Python script. I’ll escalate to root abusing a silly binary wrapper around apache2ctl many ways.

Guardian from HackTheBox features chat IDOR, XSS via PhpSpreadsheet CVE-2025-22131, CSRF to create an admin account, PHP filter chain LFI-to-RCE, password cracking, Python script injection, and bypassing a custom Apache config validator many ways.

28.02.2026 15:00 👍 3 🔁 1 💬 0 📌 0

I forgot to say thanks for this! Updated the post with a shout-out to you!

25.02.2026 10:22 👍 1 🔁 0 💬 0 📌 0
HTB: Bruno
Bruno is a Windows Active Directory box. I’ll start by finding a .NET sample scanning application on FTP, and after reverse engineering it, discover a ZipSlip vulnerability in how it handles zip archives. Combining that with a DLL hijack, I’ll get a shell as the service account that runs the scanner. For privilege escalation, I’ll exploit the lack of LDAP signing by performing a Kerberos relay attack, setting up resource-based constrained delegation to impersonate the Administrator.

Bruno from VulnLab (now on HackTheBox) features .NET reverse engineering, ZipSlip archive path traversal into a DLL hijack for foothold, then Kerberos relay via KrbRelayUp abusing missing LDAP signing for RBCD and Administrator access.

24.02.2026 10:15 👍 3 🔁 1 💬 0 📌 0
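The ZipSlip class named in the Bruno post is simple enough to show end to end. The following is an added example, not code from the post or from the box's .NET scanner: it builds a constructed in-memory archive whose member name is "../../evil.dll" (a hypothetical file name), extracts it with the naive "join dest and member name" pattern that ZipSlip abuses, and then with a containment check that resolves the target path and verifies it stays under the extraction directory. Both extractors run in a scratch directory so the escape is observable without touching anything real.

```python
import io
import os
import tempfile
import zipfile


def build_zipslip_archive() -> bytes:
    """Constructed in-memory archive: one benign entry and one traversal
    entry. zipfile stores member names verbatim, so the archive really
    carries '../../evil.dll' (hypothetical name, not from the box)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scan.txt", "benign sample scan")
        zf.writestr("../../evil.dll", b"MZ-not-really-a-dll")
    return buf.getvalue()


def extract_naive(data: bytes, dest: str) -> list:
    """The vulnerable pattern: trust the member name and join it onto dest.
    '../' components walk out of dest, so the archive author picks the path."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)  # no normalisation at all
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def is_safe_member(dest: str, name: str) -> bool:
    """Accept a member only if its resolved path stays under dest.
    realpath handles '..', absolute names such as '/etc/passwd', and a
    symlinked dest; commonpath is the containment check."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    return os.path.commonpath([dest_real, target]) == dest_real


def extract_safe(data: bytes, dest: str) -> tuple:
    """Hardened extractor: skip every member that would escape dest and
    report it, rather than silently dropping it."""
    dest_real = os.path.realpath(dest)
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if not is_safe_member(dest_real, info.filename):
                rejected.append(info.filename)
                continue
            target = os.path.join(dest_real, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written, rejected


def demo() -> dict:
    """Run both extractors on the constructed archive inside a scratch tree
    and report, relative to that tree, where the files ended up."""
    archive = build_zipslip_archive()
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        naive_dest = os.path.join(root, "naive", "scans")
        safe_dest = os.path.join(root, "safe", "scans")
        os.makedirs(naive_dest)
        os.makedirs(safe_dest)

        naive_written = extract_naive(archive, naive_dest)
        # Anything whose common prefix with dest is not dest itself escaped.
        escaped = [p for p in naive_written
                   if os.path.commonpath([naive_dest, p]) != naive_dest]
        safe_written, rejected = extract_safe(archive, safe_dest)

        return {
            "naive_escaped": [os.path.relpath(p, root) for p in escaped],
            "safe_written": [os.path.relpath(p, root) for p in safe_written],
            "safe_rejected": rejected,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The naive extractor drops evil.dll two directories above its destination, which is exactly the primitive that turns into a DLL hijack when the destination sits inside an application's search path. Note that Python's own `ZipFile.extract` strips `..` components, so the vulnerable behaviour only appears when code writes members by hand, as the snippet above does.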
HTB: Giveback
Giveback starts with a WordPress website with a donation plugin that’s vulnerable to a RCE exploit. I’ll get a shell in a Kubernetes pod, and use it to scan an internal legacy app running PHP-CGI. I’ll abuse a vulnerability in that application to get to the next pod, where I’ll find a Kubernetes secret to interact with the API and dump secrets. I’ll use an SSH password to get on the host. For root I’ll abuse a custom wrapper around runc two different ways.

Giveback from HackTheBox is a Kubernetes box with GiveWP PHP object injection for RCE, PHP-CGI argument injection via Best-Fit characters on a legacy internal app, K8s API secret dumping, and a container escape through runc two ways.

21.02.2026 15:00 👍 1 🔁 0 💬 0 📌 0
HTB: Soulmate
Soulmate has a PHP-based dating website, as well as an instance of CrushFTP. I’ll showcase two different authentication bypass CVEs to get admin access to CrushFTP. From there I can upload a PHP webshell and get a foothold on the box. I’ll find hardcoded credentials in an Erlang SSH server, and use them to get to the next user. I’ll also use them to connect to this SSH server and navigate the Erlang console as root to solve the challenge.

Soulmate from HackTheBox features a PHP dating site and CrushFTP with two auth bypass CVEs (race condition and AWS4-HMAC abuse) for admin access, PHP webshell upload for foothold, and hardcoded credentials in an Erlang SSH server for root.

14.02.2026 15:00 👍 1 🔁 0 💬 0 📌 0
HTB: Slonik
Slonik showcases some interesting Linux techniques around NFS and PostgreSQL. I’ll start with an insecurely configured NFS mount where I can list and read files from anywhere on the filesystem as any user except root. I’ll find hashes for a service account in the shadow file and in a postgres history file, and crack either. The service account doesn’t have a shell set, so I can’t get a shell over SSH. I can port forward to a UNIX socket, which provides access to PostgreSQL. I’ll use that to get a shell as the postgres user. To escalate to root, I’ll abuse a cron running a PostgreSQL backup utility. In Beyond Root, I’ll talk about a bug I found and fixed in Netexec and its neat NFS tools.

Slonik from HackTheBox features NFS root filesystem escape to read sensitive files, UNIX socket SSH tunneling to PostgreSQL, RCE through PostgreSQL for a shell, and poisoning a pg_basebackup cron job with a SetUID binary for root.

12.02.2026 13:15 👍 3 🔁 0 💬 0 📌 0
Finding and Fixing a Bug in Netexec NFS
Netexec has some awesome NFS capabilities. While playing Slonik from VulnLab / HackTheBox, I found an issue I couldn't understand. I'll walk through how Nete...

Netexec has some really nice NFS capabilities. I found a some weird behavior in one of them, which turned out to be a bug that just got patched. Let's walk through it.

11.02.2026 13:47 👍 0 🔁 0 💬 0 📌 0
HTB: Breach
Breach is a Windows domain controller box. I’ll start by using guest access to a writable SMB share to drop ntlm_theft lure files, capturing a NetNTLMv2 hash for a domain user with Responder. After cracking that hash, I’ll use BloodHound to find a Kerberoastable MSSQL service account and crack its hash as well. Both accounts map to guest on MSSQL, but I’ll forge a silver ticket as Administrator to get sysadmin access, enable xp_cmdshell, and use GodPotato to escalate to SYSTEM.

Breach from HackTheBox and VulnLab is an AD box with a writable SMB share, ntlm_theft for hash capture, Kerberoasting, a silver ticket to get sysadmin on MSSQL, and GodPotato for SYSTEM.

10.02.2026 10:30 👍 2 🔁 0 💬 0 📌 0

I legit still don't understand why this worked. It only gets the groups if you specifically specify the user id in the ticket, and it can only be that account.

I would think if it were doing delegation it could impersonate more.

08.02.2026 09:12 👍 0 🔁 0 💬 1 📌 0
HTB: Signed
Signed is an assume breach Windows box where I’m given credentials for a local MSSQL account. I’ll enumerate the database, coerce authentication from the MSSQL service account using xp_dirtree, and crack the NetNTLMv2 hash. With the service account password, I’ll forge a silver ticket with the IT group’s RID to gain sysadmin privileges on the database and get command execution. For root, I’ll show three paths: using OPENROWSET BULK impersonation with silver tickets to read files as Domain Admins and find the Administrator’s password in PowerShell history, relaying NTLM authentication from the DC using a crafted DNS record, and recovering SeImpersonatePrivilege from the original logon token to escalate with GodPotato.

Signed from HackTheBox is an assume breach MSSQL box featuring silver ticket forging with group injection, OPENROWSET BULK for privileged file reads, NTLM relay via crafted DNS records, and SeImpersonate recovery from a restricted service token.

07.02.2026 15:00 👍 3 🔁 0 💬 1 📌 0
HTB: Bamboo
Bamboo offers a Squid HTTP proxy through which I’ll access a PaperCut NG instance. I’ll use Spose to scan through the proxy and discover the print management application. I’ll exploit an authentication bypass vulnerability in PaperCut and use application access to enable print scripting to get code execution. For privilege escalation, I’ll abuse a root process that runs a script from the papercut user’s home directory.

Bamboo from HackTheBox and VulnLab features Squid proxy enumeration, CVE-2023-27350 authentication bypass to RCE in PaperCut NG, and binary hijacking of a root-executed script for privilege escalation.

03.02.2026 10:18 👍 2 🔁 1 💬 0 📌 0
HTB: CodeTwo
CodeTwo is a Linux box hosting a developer sandbox where users can execute JavaScript code. The site uses js2py, which I’ll exploit via CVE-2024-28397 to escape the sandbox and get remote code execution. From there, I’ll find MD5 password hashes in the SQLite database and crack one to pivot to marco. Marco can run npbackup-cli with sudo, and I’ll abuse this to read files from root’s backup, including the SSH private key, which I’ll use to get a shell as root.

CodeTwo from HackTheBox features a js2py sandbox escape via CVE-2024-28397, MD5 hash cracking from SQLite, and abusing npbackup-cli sudo permissions to read root's SSH key from backups.

31.01.2026 15:01 👍 4 🔁 0 💬 0 📌 0
Barbhack 2025 CTF
Welcome to the NetExec Active Directory Lab! This lab is designed to teach you how to exploit Active Directory (AD) environments using the powerful tool NetExec. Originally featured in the Barbhack 2025 CTF, this lab is now available for free to everyone! In this lab, you’ll explore how to use the powerful tool NetExec to efficiently compromise an Active Directory domain during an internal pentest. The ultimate goal? Become Domain Administrator by following various attack paths! Ahoy, matey! Time to conquer the Seven Seas and claim the PIRATES.BRB domain!

I had the chance last weekend to play the Barbhack 2025 CTF from the NetExec team. Pirates features GPP creds, NTLMv1 relay to RBCD, DPAPI, GMSA recovery, MSSQL impersonation + SeImpersonate, constrained delegation, and NTDS forensics.

29.01.2026 16:42 👍 1 🔁 1 💬 0 📌 0
State of 0xdf (2026)
YouTube video by 0xdf

Released a bit of a different video today. The State of 0xdf (2026). We'll look at the last year for my website and YT channel, go over some numbers. Definitely looking for feedback on if people like this kind of insight.

www.youtube.com/watch?v=KCo6...

28.01.2026 14:04 👍 0 🔁 0 💬 0 📌 0

Thank you so much @hackthebox.bsky.social for recognizing me as an MVP for 2025 with this sweet swag package.

I owe a lot to HTB. Without HTB, my life would be on a completely different track. Through the platform, I've built skills and made friends. Here's to many more years of hacking.

28.01.2026 02:28 👍 7 🔁 0 💬 0 📌 0
HTB: JobTwo
JobTwo is the sequel to Job, another Windows box from VulnLab released on HackTheBox. I’ll send a malicious Word document with VBA macros to the HR email address via SMTP. From the initial shell as Julian, I’ll find hMailServer and decrypt its database password using a known Blowfish key. After dumping password hashes from the mail database, I’ll crack Ferdinand’s password and pivot via WinRM. Ferdinand has access to Veeam Backup & Replication, which I’ll exploit via CVE-2023-27532 to get a shell as SYSTEM.

JobTwo from VulnLab now on HackTheBox is the sequel to Job from VulnLab. Phishing with Word macros, hMailServer database decryption with a known Blowfish key, password cracking, and CVE-2023-27532 in Veeam Backup & Replication for SYSTEM.

27.01.2026 13:11 👍 3 🔁 1 💬 0 📌 0
HTB: Job
Job is a Windows box with a website saying that they are looking for resumes in Libre Office format. The box is listening on SMTP, so I’ll create a document with a malicious macro and get a shell on mailing it to the careers email address. For root, I’ll drop a webshell into the web directory, and abuse SeImpersonatePrivilege with GodPotato to get system.

Job from HackTheBox features phishing with a LibreOffice macro sent via SMTP, dropping a webshell into IIS, and abusing SeImpersonatePrivilege with GodPotato for SYSTEM.

26.01.2026 13:02 👍 3 🔁 1 💬 0 📌 0

Check it out now:

25.01.2026 02:00 👍 1 🔁 0 💬 1 📌 0
HTB: Imagery
Imagery hosts a Flask-based image gallery application. I’ll exploit a stored XSS vulnerability in the bug report feature to steal an admin cookie. From the admin panel, I’ll use directory traversal to read the application source code, finding a command injection vulnerability in the image crop feature that requires access as a test user. After reading the database and cracking the test user’s password hash, I’ll exploit the command injection to get a shell. I’ll find an encrypted backup file and brute-force the pyAesCrypt password, getting access to an older backup with additional hashes. After cracking another user’s hash, I’ll pivot to a user that can run a custom backup utility as root via sudo. I’ll show two ways to abuse this. In Beyond Root, I’ll show why SSH is broken and how to get around it.

Imagery from HackTheBox features XSS to steal cookies, directory traversal for source code access, and command injection for RCE. Pivots include pyAesCrypt brute-forcing and abusing a sudo backup utility exploited multiple ways.

24.01.2026 15:41 👍 2 🔁 1 💬 0 📌 0

Spent an hour in Claude Code last night and made the tables at the top of my @hackthebox.bsky.social blog posts on 0xdf.gitlab.io a bit nicer :) Feedback welcome.

21.01.2026 17:44 👍 6 🔁 0 💬 1 📌 0
HTB: HackNet
HackNet hosts a social media site for hackers built with Django. I’ll find an HTML injection in the username field that, combined with how the likes page renders usernames, leads to server-side template injection. While Django templates are restrictive, I’ll use the SSTI to dump user data including plaintext passwords, finding one user whose email reveals their Linux username. After SSHing in, I’ll discover Django’s FileBasedCache uses pickle serialization with a world-writable cache directory. By replacing cache files with a malicious pickle payload, I’ll get a shell as the web user. From there, I’ll crack a GPG key password to decrypt database backups, finding a password shared in messages that works for root.

HackNet from HackTheBox features SSTI in Django templates to leak user credentials, pickle deserialization via FileBasedCache with world-writable directory, and GPG key cracking to recover database backups containing the root password.

17.01.2026 15:06 👍 3 🔁 2 💬 0 📌 0
HTB: Previous
Previous starts with a NextJS application for a fictional JavaScript framework. I’ll exploit the infamous NextJS middleware vulnerability to access the authenticated portion of the site. From there, I’ll find a directory traversal vulnerability in a download API that allows reading files from the server, including the NextAuth config with hard-coded credentials. Those creds work for SSH, and I’ll pivot to root by abusing a misconfigured sudo rule that runs Terraform multiple ways.

Previous from HackTheBox features CVE-2025-29927 (NextJS middleware auth bypass), directory traversal for file read, and three ways to abuse a Terraform sudo rule with !env_reset to get root.

10.01.2026 15:00 👍 7 🔁 1 💬 0 📌 0
SANS Holiday Hack Challenge 2025: Revenge of the Gnome(s)
The 2025 SANS Holiday Hack Challenge: Revenge of the Gnome(s) takes place over three acts in the Dosis neighborhood, where gnome dolls have come to life and are scurrying around furthering a plot by Frosty the Snowman to freeze the world so that it’s always winter and he never melts. I’ll work through 27 challenges ranging from beginner-friendly to expert-level, covering web exploitation, reverse engineering, cloud security, AI prompt injection, cryptography, and signal analysis to help stop Frosty and save the neighborhood. I’ll also hack the game itself, writing a TamperMonkey plugin to reveal NPC / terminal / door / item locations, teleport, and walk through walls. I’ll find a bunch of hidden gnomes hanging out in a patch of snow and uncover how the game developers made the running gnomes, and a bunch of Easter Eggs as well.

In the 2025 Holiday Hack Frosty tries to freeze the neighborhood. I exploited SSTI, IDOR, prompt injection, cloud misconfigs, and reversed a SkiFree clone. Wrote a TamperMonkey plugin to teleport, walk through walls, and find hidden gnomes. KringleCon

06.01.2026 11:49 👍 1 🔁 1 💬 0 📌 0
Flagvent 2025 - Easy FV25.01

Had a ton of fun with Flagvent this year, and finished all 25 challenges! So many quirky interesting things. My favorite challenge was the hardware leet challenge. And I got to author two easy challenges as well.

0xdf.gitlab.io/flagvent2025...

Happy New Year!

01.01.2026 01:04 👍 0 🔁 1 💬 0 📌 0
HTB: WhiteRabbit
WhiteRabbit is a pentesting company. I’ll exploit their Uptime Kuma instance to find the domain for their WikiJS wiki. On that I’ll find documentation for a n8n pipeline, and find an SQL injection vulnerability in how it processes email, as well as the key for crafting signatures. I’ll make a proxy to add signatures using mitmproxy and then use sqlmap to dump the database. In the DB I’ll find restic commands, which I’ll use to get a backup with SSH keys. I’ll abuse restic command injection to get root on a container, and find SSH keys for a user on the host. From there I’ll find a custom password generator, and using logs from the DB that leak the time the command was run, generate the right password for the next user. That user can run any command as root.

WhiteRabbit from HackTheBox targets a pentester's infra with Uptime Kuma enumeration, n8n webhook SQL injection via HMAC-signed requests, restic backup recovery, and reversing a time-seeded password generator for privilege escalation.

13.12.2025 15:00 👍 3 🔁 1 💬 0 📌 0
Christmas Tree Farm [AOC2025 Day 12]
Advent of Code 2025 Day 12 provides a challenge that on its face I think is nearly impossible, figuring out if I can place a lot of specific shapes into a sp...

#AdventOfCode Day 12 involves fitting presents in space under a tree. The problem for all solutions is either hard or impossible. I'll find a shortcut looking at the data and the space required for each tree. Claude gets the answer without recognizing it.

12.12.2025 14:39 👍 0 🔁 0 💬 0 📌 0
Reactor [AOC2025 Day 11]
Advent of Code 2025 Day 11 provides a list of nodes and the nodes that come after each one. I'll use recursion to build a function that can count the number ...

#AdventOfCode Day 11 involves nodes that connect to others. I'll use recursion to count paths through the nodes. functools cache is critical here.

11.12.2025 23:23 👍 2 🔁 0 💬 0 📌 0
Factory [AOC2025 Day 10]
Advent of Code 2025 Day 10 has some buttons that each control one or more outputs. In part 1, they toggle on and off a light, and I'll have to find the minim...

#AdventOfCode Day 10 involves binary xor and linear equations. Claude tries an infeasibly long solution first when he thinks he can't use packages. When I tell him how to use packages, he uses scipy to solve quickly.

11.12.2025 21:50 👍 1 🔁 0 💬 0 📌 0