0xdf

@0xdf.bsky.social

Principal Training Architect @ HackTheBox CTF Addict "Potentially a legit researcher" he/him Website: https://0xdf.gitlab.io/ YouTube: https://www.youtube.com/c/0xdf0xdf Twitter: 0xdf_ Discord: 0xdf Mastodon: 0xdf@infosec.exchange

983 Followers  |  254 Following  |  345 Posts  |  Joined: 15.07.2023  |  1.5821

Latest posts by 0xdf.bsky.social on Bluesky

HTB: Slonik
Slonik showcases some interesting Linux techniques around NFS and PostgreSQL. I’ll start with an insecurely configured NFS mount where I can list and read files from anywhere on the filesystem as any user except root. I’ll find hashes for a service account in the shadow file and in a postgres history file, and crack either. The service account doesn’t have a shell set, so I can’t get a shell over SSH. I can port forward to a UNIX socket, which provides access to PostgreSQL. I’ll use that to get a shell as the postgres user. To escalate to root, I’ll abuse a cron running a PostgreSQL backup utility. In Beyond Root, I’ll talk about a bug I found and fixed in Netexec and its neat NFS tools.

Slonik from HackTheBox features NFS root filesystem escape to read sensitive files, UNIX socket SSH tunneling to PostgreSQL, RCE through PostgreSQL for a shell, and poisoning a pg_basebackup cron job with a SetUID binary for root.

12.02.2026 13:15 — 👍 3    🔁 0    💬 0    📌 0
Finding and Fixing a Bug in Netexec NFS
Netexec has some awesome NFS capabilities. While playing Slonik from VulnLab / HackTheBox, I found an issue I couldn't understand. I'll walk through how Nete...

Netexec has some really nice NFS capabilities. I found some weird behavior in one of them, which turned out to be a bug that just got patched. Let's walk through it.

11.02.2026 13:47 — 👍 0    🔁 0    💬 0    📌 0
HTB: Breach
Breach is a Windows domain controller box. I’ll start by using guest access to a writable SMB share to drop ntlm_theft lure files, capturing a NetNTLMv2 hash for a domain user with Responder. After cracking that hash, I’ll use BloodHound to find a Kerberoastable MSSQL service account and crack its hash as well. Both accounts map to guest on MSSQL, but I’ll forge a silver ticket as Administrator to get sysadmin access, enable xp_cmdshell, and use GodPotato to escalate to SYSTEM.

Breach from HackTheBox and VulnLab is an AD box with a writable SMB share, ntlm_theft for hash capture, Kerberoasting, a silver ticket to get sysadmin on MSSQL, and GodPotato for SYSTEM.

10.02.2026 10:30 — 👍 2    🔁 0    💬 0    📌 0

I legit still don't understand why this worked. It only gets the groups if you specifically specify the user id in the ticket, and it can only be that account.

I would think if it were doing delegation I would think it could impersonate more.

08.02.2026 09:12 — 👍 0    🔁 0    💬 1    📌 0
HTB: Signed
Signed is an assume breach Windows box where I’m given credentials for a local MSSQL account. I’ll enumerate the database, coerce authentication from the MSSQL service account using xp_dirtree, and crack the NetNTLMv2 hash. With the service account password, I’ll forge a silver ticket with the IT group’s RID to gain sysadmin privileges on the database and get command execution. For root, I’ll show three paths: using OPENROWSET BULK impersonation with silver tickets to read files as Domain Admins and find the Administrator’s password in PowerShell history, relaying NTLM authentication from the DC using a crafted DNS record, and recovering SeImpersonatePrivilege from the original logon token to escalate with GodPotato.

Signed from HackTheBox is an assume breach MSSQL box featuring silver ticket forging with group injection, OPENROWSET BULK for privileged file reads, NTLM relay via crafted DNS records, and SeImpersonate recovery from a restricted service token.

07.02.2026 15:00 — 👍 3    🔁 0    💬 1    📌 0
HTB: Bamboo
Bamboo offers a Squid HTTP proxy through which I’ll access a PaperCut NG instance. I’ll use Spose to scan through the proxy and discover the print management application. I’ll exploit an authentication bypass vulnerability in PaperCut and use application access to enable print scripting to get code execution. For privilege escalation, I’ll abuse a root process that runs a script from the papercut user’s home directory.

Bamboo from HackTheBox and VulnLab features Squid proxy enumeration, CVE-2023-27350 authentication bypass to RCE in PaperCut NG, and binary hijacking of a root-executed script for privilege escalation.

03.02.2026 10:18 — 👍 2    🔁 1    💬 0    📌 0
HTB: CodeTwo
CodeTwo is a Linux box hosting a developer sandbox where users can execute JavaScript code. The site uses js2py, which I’ll exploit via CVE-2024-28397 to escape the sandbox and get remote code execution. From there, I’ll find MD5 password hashes in the SQLite database and crack one to pivot to marco. Marco can run npbackup-cli with sudo, and I’ll abuse this to read files from root’s backup, including the SSH private key, which I’ll use to get a shell as root.

CodeTwo from HackTheBox features a js2py sandbox escape via CVE-2024-28397, MD5 hash cracking from SQLite, and abusing npbackup-cli sudo permissions to read root's SSH key from backups.

31.01.2026 15:01 — 👍 4    🔁 0    💬 0    📌 0
Barbhack 2025 CTF
Welcome to the NetExec Active Directory Lab! This lab is designed to teach you how to exploit Active Directory (AD) environments using the powerful tool NetExec. Originally featured in the Barbhack 2025 CTF, this lab is now available for free to everyone! In this lab, you’ll explore how to use the powerful tool NetExec to efficiently compromise an Active Directory domain during an internal pentest. The ultimate goal? Become Domain Administrator by following various attack paths! Ahoy, matey! Time to conquer the Seven Seas and claim the PIRATES.BRB domain!

I had the chance last weekend to play the Barbhack 2025 CTF from the NetExec team. Pirates features GPP creds, NTLMv1 relay to RBCD, DPAPI, GMSA recovery, MSSQL impersonation + SeImpersonate, constrained delegation, and NTDS forensics.

29.01.2026 16:42 — 👍 1    🔁 1    💬 0    📌 0
State of 0xdf (2026)
YouTube video by 0xdf

Released a bit of a different video today. The State of 0xdf (2026). We'll look at the last year for my website and YT channel, go over some numbers. Definitely looking for feedback on if people like this kind of insight.

www.youtube.com/watch?v=KCo6...

28.01.2026 14:04 — 👍 0    🔁 0    💬 0    📌 0
Thank you so much @hackthebox.bsky.social for recognizing me as an MVP for 2025 with this sweet swag package.

I owe a lot to HTB. Without HTB, my life would be on a completely different track. Through the platform, I've built skills and made friends. Here's to many more years of hacking.

28.01.2026 02:28 — 👍 7    🔁 0    💬 0    📌 0
HTB: JobTwo
JobTwo is the sequel to Job, another Windows box from VulnLab released on HackTheBox. I’ll send a malicious Word document with VBA macros to the HR email address via SMTP. From the initial shell as Julian, I’ll find hMailServer and decrypt its database password using a known Blowfish key. After dumping password hashes from the mail database, I’ll crack Ferdinand’s password and pivot via WinRM. Ferdinand has access to Veeam Backup & Replication, which I’ll exploit via CVE-2023-27532 to get a shell as SYSTEM.

JobTwo from VulnLab now on HackTheBox is the sequel to Job from VulnLab. Phishing with Word macros, hMailServer database decryption with a known Blowfish key, password cracking, and CVE-2023-27532 in Veeam Backup & Replication for SYSTEM.

27.01.2026 13:11 — 👍 3    🔁 1    💬 0    📌 0
HTB: Job
Job is a Windows box with a website saying that they are looking for resumes in Libre Office format. The box is listening on SMTP, so I’ll create a document with a malicious macro and get a shell on mailing it to the careers email address. For root, I’ll drop a webshell into the web directory, and abuse SeImpersonatePrivilege with GodPotato to get system.

Job from HackTheBox features phishing with a LibreOffice macro sent via SMTP, dropping a webshell into IIS, and abusing SeImpersonatePrivilege with GodPotato for SYSTEM.

26.01.2026 13:02 — 👍 3    🔁 1    💬 0    📌 0
Check it out now:

25.01.2026 02:00 — 👍 1    🔁 0    💬 1    📌 0
HTB: Imagery
Imagery hosts a Flask-based image gallery application. I’ll exploit a stored XSS vulnerability in the bug report feature to steal an admin cookie. From the admin panel, I’ll use directory traversal to read the application source code, finding a command injection vulnerability in the image crop feature that requires access as a test user. After reading the database and cracking the test user’s password hash, I’ll exploit the command injection to get a shell. I’ll find an encrypted backup file and brute-force the pyAesCrypt password, getting access to an older backup with additional hashes. After cracking another user’s hash, I’ll pivot to a user that can run a custom backup utility as root via sudo. I’ll show two ways to abuse this. In Beyond Root, I’ll show why SSH is broken and how to get around it.

Imagery from HackTheBox features XSS to steal cookies, directory traversal for source code access, and command injection for rce. Pivots include pyAesCrypt brute-forcing and abusing a sudo backup utility exploited multiple ways.

24.01.2026 15:41 — 👍 2    🔁 1    💬 0    📌 0
Spent an hour in Claude Code last night and made the tables at the top of my @hackthebox.bsky.social blog posts on 0xdf.gitlab.io a bit nicer :) Feedback welcome.

21.01.2026 17:44 — 👍 6    🔁 0    💬 1    📌 0
HTB: HackNet
HackNet hosts a social media site for hackers built with Django. I’ll find an HTML injection in the username field that, combined with how the likes page renders usernames, leads to server-side template injection. While Django templates are restrictive, I’ll use the SSTI to dump user data including plaintext passwords, finding one user whose email reveals their Linux username. After SSHing in, I’ll discover Django’s FileBasedCache uses pickle serialization with a world-writable cache directory. By replacing cache files with a malicious pickle payload, I’ll get a shell as the web user. From there, I’ll crack a GPG key password to decrypt database backups, finding a password shared in messages that works for root.

HackNet from HackTheBox features SSTI in Django templates to leak user credentials, pickle deserialization via FileBasedCache with world-writable directory, and GPG key cracking to recover database backups containing the root password.

17.01.2026 15:06 — 👍 3    🔁 2    💬 0    📌 0
HTB: Previous
Previous starts with a NextJS application for a fictional JavaScript framework. I’ll exploit the infamous NextJS middleware vulnerability to access the authenticated portion of the site. From there, I’ll find a directory traversal vulnerability in a download API that allows reading files from the server, including the NextAuth config with hard-coded credentials. Those creds work for SSH, and I’ll pivot to root by abusing a misconfigured sudo rule that runs Terraform multiple ways.

Previous from HackTheBox features CVE-2025-29927 (NextJS middleware auth bypass), directory traversal for file read, and three ways to abuse a Terraform sudo rule with !env_reset to get root.

10.01.2026 15:00 — 👍 7    🔁 1    💬 0    📌 0
SANS Holiday Hack Challenge 2025: Revenge of the Gnome(s)
The 2025 SANS Holiday Hack Challenge: Revenge of the Gnome(s) takes place over three acts in the Dosis neighborhood, where gnome dolls have come to life and are scurrying around furthering a plot by Frosty the Snowman to freeze the world so that it’s always winter and he never melts. I’ll work through 27 challenges ranging from beginner-friendly to expert-level, covering web exploitation, reverse engineering, cloud security, AI prompt injection, cryptography, and signal analysis to help stop Frosty and save the neighborhood. I’ll also write a hack the game itself, writing a TamperMonkey plugin to do NPC / terminal / door / item locations, teleportation, and allow walking through walls. I’ll find a bunch of hidden gnomes hanging out in a patch of snow and uncover how the game developers made the running gnomes, and a bunch of Easter Eggs as well.

In the 2025 Holiday Hack Frosty tries to freeze the neighborhood. I exploited SSTI, IDOR, prompt injection, cloud misconfigs, and reversed a SkiFree clone. Wrote a TamperMonkey plugin to teleport, walk through walls, and find hidden gnomes. KringleCon

06.01.2026 11:49 — 👍 1    🔁 1    💬 0    📌 0
Flagvent 2025 - Easy FV25.01

Had a ton of fun with Flagvent this year, and finished all 25 challenges! So many quirky interesting things. My favorite challenge was the hardware leet challenge. And I got to author two easy challenges as well.

0xdf.gitlab.io/flagvent2025...

Happy New Year!

01.01.2026 01:04 — 👍 0    🔁 1    💬 0    📌 0
HTB: WhiteRabbit
WhiteRabbit is a pentesting company. I’ll exploit their Uptime Kuma instance to find the domain for their WikiJS wiki. On that I’ll find documentation for a n8n pipeline, and find an SQL injection vulnerability in how it processes email, as well as the key for crafting signatures. I’ll make a proxy to add signatures using mitmproxy and then use sqlmap to dump the database. In the DB I’ll find restic commands, which I’ll use to get a backup with SSH keys. I’ll abuse restic command injection to get root on a container, and find SSH keys for a user on the host. From there I’ll find a custom password generator, and using logs from the DB that leak the time the command was run, generate the right password for the next user. That user can run any command as root.

WhiteRabbit from HackTheBox targets a pentester's infra with Uptime Kuma enumeration, n8n webhook SQL injection via HMAC-signed requests, restic backup recovery, and reversing a time-seeded password generator for privilege escalation.

13.12.2025 15:00 — 👍 3    🔁 1    💬 0    📌 0
Christmas Tree Farm [AOC2025 Day 12]
Advent of Code 2025 Day 12 provides a challenge that on its face I think is nearly impossible, figuring out if I can place a lot of specific shapes into a sp...

#AdventOfCode Day 12 involves fitting presents in space under a tree. The problem for all solutions is either hard or impossible. I'll find a shortcut looking at the data and the space required for each tree. Claude gets the answer without recognizing it.

12.12.2025 14:39 — 👍 0    🔁 0    💬 0    📌 0
Reactor [AOC2025 Day 11]
Advent of Code 2025 Day 11 provides a list of nodes and the nodes that come after each one. I'll use recursion to build a function that can count the number ...

#AdventOfCode Day 11 involves nodes that connect to others. I'll use recursion to count paths through the nodes. functools cache is critical here.

11.12.2025 23:23 — 👍 2    🔁 0    💬 0    📌 0
Factory [AOC2025 Day 10]
Advent of Code 2025 Day 10 has some buttons that each control one or more outputs. In part 1, they toggle on and off a light, and I'll have to find the minim...

#AdventOfCode Day 10 involves binary xor and linear equations. Claude tries an infeasible long solution first when he thinks he can't use packages. When I tell him how to use packages, he uses scipy to solve quickly.

11.12.2025 21:50 — 👍 1    🔁 0    💬 0    📌 0
Movie Theater [AOC2025 Day 9]
Advent of Code 2025 Day 9 processing the vertices of a polygon. First I'll loop over each pair of corners and find the largest possible square that can be m...

#AdventOfCode Day9 is a beast. I'll have to find squares inside a large polygon defined by almost 500 points. I'll use ray finding and edge crossing to solve it. Claude tries an infeasible long solution first, then gets it.

09.12.2025 12:54 — 👍 1    🔁 0    💬 0    📌 0
Playground [AOC2025 Day 8]
Advent of Code 2025 Day 8 involves connecting points in order of their distances apart. In part 1, I'll connect the closest 1000 points, and find the size of...

#AdventOfCode Day8 showcases a union find technique to track and merge sets of points in 3D space. Claude does basically the exact same thing I did :)

08.12.2025 12:40 — 👍 0    🔁 0    💬 0    📌 0
Laboratories [AOC2025 Day 7]
Advent of Code 2025 Day 7 visualizes a beam as it moves down the space hitting splitters. In part 1, I need to count the number of splits that happen. In par...

#AdventOfCode Day7 is about tracking a beam down a space as it hits things that split it into two. In part 1 I'll count the number of splits for a beam, and in part two the number of paths a particle could take choosing left or right at each split.

07.12.2025 12:40 — 👍 0    🔁 0    💬 0    📌 0
HTB: Editor
Editor is a Linux box hosting a code editor website, with documentation on an XWiki instance. I’ll exploit a vulnerability in XWiki’s Solr search that allows unauthenticated Groovy script injection to get remote code execution and a shell. From there, I’ll find database credentials in the XWiki Hibernate config and pivot to a user who reuses the password. Enumerating localhost services, I’ll find NetData running an older version that installs a vulnerable ndsudo SetUID binary that is vulnerable to PATH injection, which I’ll abuse to get root.

Editor from HackTheBox features unauthenticated Groovy script injection in XWiki's Solr search for RCE, password reuse from the Hibernate config, and PATH injection in NetData's ndsudo SetUID binary for root.

06.12.2025 15:00 — 👍 1    🔁 0    💬 0    📌 0
Trash Compactor [AOC2025 Day 6]
Advent of Code 2025 Day 6 is all about parsing columns of text. In part 1, I'll parse lines of integers and operators as columns, calculating their products ...

#AdventOfCode Day6 is all about handling columns of data. In part 1, I'll combine columns of ints. In part 2, I'll build the ints from columns of characters. Claude nails it quickly, but with some verbose ugly code.

06.12.2025 12:42 — 👍 1    🔁 0    💬 0    📌 0
Cafeteria [AOC2025 Day 5]
Advent of Code 2025 Day 5 plays with overlapping ranges. I get a long list of ranges for ids of fresh ingredients. In part 1, I work through another list of ...

#AdventOfCode Day5 is all about handling overlapping ranges. First I'll count from a list, then find the size of all the overlapping ranges.

05.12.2025 12:04 — 👍 0    🔁 0    💬 0    📌 0
Printing Department [AOC2025 Day 4]
Advent of Code 2025 Day 4 is the first grid challenge of the year. I'm given spaces in a warehouse that have pallets of paper on them. A forklift can only ac...

#AdventOfCode Day4 is the first grid challenge of the year. I'll count spaces with no more than 3 filled neighbors. In part 2, I'll iterate to remove those spaces and check again until I've removed all that can be removed.

04.12.2025 11:24 — 👍 0    🔁 0    💬 0    📌 0