Expressway from HackTheBox features IKE Aggressive Mode identity leaking and PSK cracking for SSH access. Privesc is CVEs in sudo. I'll show both hostname spoofing to bypass host-based sudoers rules, and chroot abuse via a malicious NSS library.

Barrier from VulnLab now on HackTheBox features a SAML signature bypass to get GitLab admin, Authentik API abuse via a CI/CD token, SSH key extraction from Guacamole's MariaDB, and a password in bash history for root.

Guardian from HackTheBox features chat IDOR, XSS via PhpSpreadsheet CVE-2025-22131, CSRF to create an admin account, PHP filter chain LFI-to-RCE, password cracking, Python script injection, and bypassing a custom Apache config validator many ways.

Bruno from VulnLab (now on HackTheBox) features .NET reverse engineering, ZipSlip archive path traversal into a DLL hijack for foothold, then Kerberos relay via KrbRelayUp abusing missing LDAP signing for RBCD and Administrator access.

Giveback from HackTheBox is a Kubernetes box with GiveWP PHP object injection for RCE, PHP-CGI argument injection via Best-Fit characters on a legacy internal app, K8s API secret dumping, and a container escape through runc two ways.

Soulmate from HackTheBox features a PHP dating site and CrushFTP with two auth bypass CVEs (race condition and AWS4-HMAC abuse) for admin access, PHP webshell upload for foothold, and hardcoded credentials in an Erlang SSH server for root.

Slonik from HackTheBox features NFS root filesystem escape to read sensitive files, UNIX socket SSH tunneling to PostgreSQL, RCE through PostgreSQL for a shell, and poisoning a pg_basebackup cron job with a SetUID binary for root.

Netexec has some really nice NFS capabilities. I found a some weird behavior in one of them, which turned out to be a bug that just got patched. Let's walk through it.

Breach from HackTheBox and VulnLab is an AD box with a writable SMB share, ntlm_theft for hash capture, Kerberoasting, a silver ticket to get sysadmin on MSSQL, and GodPotato for SYSTEM.

Signed from HackTheBox is an assume breach MSSQL box featuring silver ticket forging with group injection, OPENROWSET BULK for privileged file reads, NTLM relay via crafted DNS records, and SeImpersonate recovery from a restricted service token.

Bamboo from HackTheBox and VulnLab features Squid proxy enumeration, CVE-2023-27350 authentication bypass to RCE in PaperCut NG, and binary hijacking of a root-executed script for privilege escalation.

CodeTwo from HackTheBox features a js2py sandbox escape via CVE-2024-28397, MD5 hash cracking from SQLite, and abusing npbackup-cli sudo permissions to read root's SSH key from backups.

I had the chance last weekend to play the Barbhack 2025 CTF from the NetExec team. Pirates features GPP creds, NTLMv1 relay to RBCD, DPAPI, GMSA recovery, MSSQL impersonation + SeImpersonate, constrained delegation, and NTDS forensics.

Released a bit of a different video today. The State of 0xdf (2026). We'll look at the last year for my website and YT channel, go over some numbers. Definitely looking for feedback on if people like this kind of insight. www.youtube.com/watch?v=KCo6...

Thank you so much @hackthebox.bsky.social for recognizing me as an MVP for 2025 with this sweet swag package. I owe a lot to HTB. Without HTB, my life would be on a completely different track. Through the platform, I've built skills and made friends. Here's to many more years of hacking.

JobTwo from VulnLab now on HackTheBox is the sequel to Job from VulnLab. Phishing with Word macros, hMailServer database decryption with a known Blowfish key, password cracking, and CVE-2023-27532 in Veeam Backup & Replication for SYSTEM.

Job from HackTheBox features phishing with a LibreOffice macro sent via SMTP, dropping a webshell into IIS, and abusing SeImpersonatePrivilege with GodPotato for SYSTEM.

Imagery from HackTheBox features XSS to steal cookies, directory traversal for source code access, and command injection for rce. Pivots include pyAesCrypt brute-forcing and abusing a sudo backup utility exploited multiple ways.

Spent an hour in Claude Code last night and made the tables at the top of my @hackthebox.bsky.social blog posts on 0xdf.gitlab.io a bit nicer :) Feedback welcome.

HackNet from HackTheBox features SSTI in Django templates to leak user credentials, pickle deserialization via FileBasedCache with world-writable directory, and GPG key cracking to recover database backups containing the root password.

Previous from HackTheBox features CVE-2025-29927 (NextJS middleware auth bypass), directory traversal for file read, and three ways to abuse a Terraform sudo rule with !env_reset to get root.

In the 2025 Holiday Hack Frosty tries to freeze the neighborhood. I exploited SSTI, IDOR, prompt injection, cloud misconfigs, and reversed a SkiFree clone. Wrote a TamperMonkey plugin to teleport, walk through walls, and find hidden gnomes. KringleCon

Had a ton of fun with Flagvent this year, and finished all 25 challenges! So many quirky interesting things. My favorite challenge was the hardware leet challenge. And I got to author two easy challenges as well. 0xdf.gitlab.io/flagvent2025... Happy New Year!

WhiteRabbit from HackTheBox targets a pentester's infra with Uptime Kuma enumeration, n8n webhook SQL injection via HMAC-signed requests, restic backup recovery, and reversing a time-seeded password generator for privilege escalation.

#AdventOfCode Day 12 involves fitting presents in space under a tree. The problem for all solutions is either hard or impossible. I'll find a shortcut looking at the data and the space required for each tree. Claude gets the answer without recognizing it.

#AdventOfCode Day 11 involves nodes that connect to others. I'll use recursion to count paths through the nodes. functools cache is critical here.

#AdventOfCode Day 10 involves binary xor and linear equations. Claude tries an unfiesable long solution first when he thinks he can't use packages. When I tell him how to use packages, he uses scipy to solve quickly.

#AdventOfCode Day9 is a beast. I'll have to find squares inside a large polygon defined by almost 500 points. I'll use ray finding and edge crossing to solve it. Claude tries an unfiesable long solution first, then gets it.

#AdventOfCode Day8 showcases a union find technique to track and merge sets of points in 3D space. Claude does basically the exactly same thing I did :)

#AdventOfCode Day7 is about tracking a beam down a space as it hits things that split it into two. In part 1 I'll count the number of splits for a beam, and in part two the number of paths a particle could take choosing left or right at each split.

Editor from HackTheBox features unauthenticated Groovy script injection in XWiki's Solr search for RCE, password reuse from the Hibernate config, and PATH injection in NetData's ndsudo SetUID binary for root.

#AdventOfCode Day6 is all about handling columns of data. In part 1, I'll combine columns of ints. In part 2, I'll build the ints from columns of characters. Claude nails it quickly, but with some verbose ugly code.

#AdventOfCode Day5 is all about handling overlapping ranges. First I'll count from a list, then find the size of all the overlapping ranges.

#AdventOfCode Day4 is the first grid challenge of the year. I'll count spaces with no more than 3 filled neighbors. In part 2, I'll iterate to remove those spaces and check again until I've removed all that can be removed.

#AdventOfCode Day3 is all about finding the largest int possible from a string by selecting n digits without changing the order. Claude went for a super long running solution today, but after I told it to find a better one, it solved quickly.

One of the challenges I wrote just went live on flagvent.org

#AdventOfCode Day2 video is up! I'll compare using string operations and regex for part 1, and then regex makes part 2 trivial. Claude solves it just using string comparisons.

#AdventOfCode Day1 video released yesterday! Part 1 is pretty straight forward using modulo to track a dial as it spins around 0-99. Part 2 is a bit trickier, with some edge cases to take into account.

Holiday CTFs are here! Intro video about Advent of Code and my approach this year. (And check out https://flagvent.org/ and the Sans Holiday Hack as well).

Era from HackTheBox has multiple IDOR vulnerabilities followed by a PHP injection invoking the PHP SSH module to run commands on the host. Then there's a signed Linux binary to negotiate for root.

Mirage from HackTheBox is an Active Directory box with NATS, NFS, Kerberoasting, cross-session relay, account enabling and fixing logonHours, and ESC10.

I had a lot of fun with Outbound from HackTheBox. I'll abuse a CVE in RoundCube, then extract passwords from the database and abuse below for root. Three beyond root sections in this one :)

RustyKey from HackTheBox is an assume breach AD box. I'll Timeroast to get a better foothold, and after some AD privilege chaining with BloodHound, perform a CLSID hijack, and then abuse AddAllowedToAct to RBCD to escalate to administrator.

If you're using writeups to learn how to hack on HackTheBox (or other CTFs), use AI as a tutor. In this video I'll show a free prompt to use, as well as a Claude Skill I developed.

Dump from VulnLab released on HackTheBox last week. It has some very trick injections and a sudo rule puzzle to work out - I'll show two ways.

Voleur is an assume breach active directory box from HackTheBox. It has lots of passwords, deleted user recovery, DPAPI, targeted kerberoasting, and hashes from registry hives.

Store from VulnLab released on HackTheBox yesterday. It's got a web decryption known plaintext attack, directory traversal, node inspect, and Chrome debug.

Artificial from HackTheBox is starts with uploading a malicious TensorFlow model to get a foothold through deserialization. I'll abuse Backrest in three different ways for root.

DarkCorp from HackTheBox lived up to it's insane rating. Pivots from Linux to Windows and back, abuse of cross-OS Kerberos, and lots more. Several new techniques in this one.

TombWatcher from HackTheBox is an assume breach Windows AD box. BloodHound shows a path abusing targeted Kerberoasting, GMSA, password change, and shadow creds. Then there's AD Recycle Bin and ESC15.