
Posts by 0xdf

HTB: AirTouch
AirTouch simulates a wireless network environment. I’ll start by pulling a default password from SNMP to SSH as a consultant user inside a container with virtual wireless interfaces. From there, I’ll capture and crack a WPA2-PSK handshake to join the tablet network, then decrypt the captured traffic in Wireshark to recover session cookies for a router management site. A client-side role cookie gates an admin upload feature, where I’ll bypass the PHP extension filter with a phtml file to get RCE. Hardcoded credentials in the source give me the next user, and sudo gets me root, where I find the CA and server certs for the corporate wireless network. I’ll use those with eaphammer to stand up an evil twin of AirTouch-Office and capture a PEAP-MSCHAPv2 challenge, which cracks to reveal a user’s password. That gets me onto the corporate network, where a hostapd eap_user file leaks an admin password, and sudo gets me to root.

AirTouch from HackTheBox is a wireless box featuring SNMP enumeration, WPA2-PSK capture and crack, Wireshark traffic decryption, client-side cookie role bypass with a phtml upload, and an evil twin via eaphammer to capture a crackable challenge.

3 days ago
HTB: Eighteen
Eighteen is a Windows Server 2025 assume-breach box starting with MSSQL credentials. I’ll use MSSQL login impersonation to access the financial planner database and recover a Werkzeug PBKDF2 hash for the web admin. After cracking the hash and spraying the password against domain users, I’ll get a WinRM shell. From there, I’ll identify that the domain is running at the Windows 2025 functional level and exploit Bad Successor, abusing the dMSA migration feature to create a delegated managed service account that inherits the Administrator’s group memberships, giving full domain admin access.

Eighteen from HackTheBox is an assume breach Windows Server 2025 box featuring MSSQL impersonation, Werkzeug hash cracking, password spraying, and Bad Successor (CVE-2025-53779) to abuse dMSA migration for domain admin.

1 week ago
HTB: DarkZero
DarkZero is an assume breach Windows box with two forests connected by a bidirectional cross-forest trust. Starting with given credentials, I’ll enumerate MSSQL on DC01 and find a linked server to DC02 in the other forest where the mapped account is sysadmin. I’ll enable xp_cmdshell on DC02 to get a shell as the SQL service account. To escalate to SYSTEM on DC02, I’ll show four paths: recovering SeImpersonatePrivilege from the original logon token via named pipe impersonation, using ADCS certificate enrollment to get an NT hash and change the password for a service logon with RunAsCS, NTLM authentication reflection using the CMTI DNS record trick to relay the machine account back to its own LDAPS, and CVE-2024-30088. As SYSTEM on DC02, I’ll abuse the cross-forest TGT delegation to capture DC01’s machine account TGT and use it to dump all domain hashes from DC01.

DarkZero from HackTheBox features cross-forest MSSQL linked servers, four privesc paths (token theft, ADCS/RunAsCS, NTLM reflection via CMTI, CVE-2024-30088), and cross-forest TGT delegation for domain takeover.

2 weeks ago
HTB: Snapped
Snapped is a Linux box hosting a static site behind nginx, with an Nginx UI admin panel. I’ll exploit CVE-2026-27944 to decrypt a backup download from the Nginx UI to find bcrypt password hashes in a SQLite database. I’ll crack one to get SSH access. To escalate to root, I’ll exploit CVE-2026-3888, a recent vulnerability in snapd where systemd-tmpfiles deletes snap-confine’s private temp directory, allowing me to win a race condition and replace the dynamic linker with a malicious payload that runs as root.

Snapped from HackTheBox features CVE-2026-27944 to download and decrypt Nginx UI backups without auth, bcrypt cracking for a shell, and CVE-2026-3888 to exploit a snapd race condition for root.

2 weeks ago
HTB: Principal
Principal is a Linux box with a Java web application using pac4j for JWT authentication. I’ll exploit a vulnerability in pac4j-jwt that allows forging encrypted JWTs using only the server’s public RSA key, bypassing signature verification to access the admin dashboard. From there, I’ll find credentials in the settings and spray them against SSH to get a shell as svc-deploy. For root, I’ll abuse access to an SSH certificate authority private key to sign a certificate for the root principal and SSH in.

Principal from HackTheBox features a pac4j JWT authentication bypass (CVE-2026-29000) to forge admin tokens using just the public key, password reuse to SSH, and abusing an SSH CA private key to sign a root certificate.

3 weeks ago
HTB: Browsed
Browsed is a Linux box hosting a browser extension repository where uploaded extensions are tested in a headless Chrome instance. I’ll analyze the Chrome debug logs to discover an internal Gitea instance and a Python Flask app running on localhost. By crafting a malicious Chrome extension with a background service worker, I’ll perform SSRF to reach the internal Flask app and exploit a Bash arithmetic evaluation injection in a shell script to get remote code execution. For root, I’ll abuse a world-writable pycache directory to poison a Python bytecode file imported by a sudo-allowed script, getting code execution as root.

Browsed from HackTheBox features Chrome extension analysis and SSRF via a malicious extension, Bash arithmetic injection through -eq evaluation for RCE, and Python pycache bytecode poisoning for root.

3 weeks ago
HTB: Conversor
Conversor is a Linux box hosting a Flask web application that converts nmap XML output to HTML using XSLT. I’ll find the source code and exploit insecure use of os.path.join to write a Python reverse shell into a cron-executed scripts directory, or alternatively abuse XSLT’s exslt:document extension to write files to the server. From there, I’ll find an MD5-hashed password in the SQLite database and crack it to pivot to the next user. For root, I’ll exploit CVE-2024-48990 in needrestart by poisoning the PYTHONPATH environment variable, or abuse needrestart’s Perl config file to get direct code execution.

Conversor from HackTheBox features XSLT injection and os.path.join abuse for file write, and CVE-2024-48990 in needrestart (plus a config GTFObin) for root.

1 month ago
HTB: Gavel
Gavel is a Linux box hosting a PHP auction website with an exposed .git directory. I’ll recover the source code with git-dumper and exploit a novel SQL injection technique that bypasses PDO’s backtick-quoted prepared statements to dump the database. After cracking a bcrypt hash, I’ll access the admin panel and exploit PHP’s runkit extension to inject arbitrary code into auction rules, getting RCE. I’ll pivot to the next user via password reuse, then reverse engineer a custom daemon that validates submitted PHP rules against a restrictive php.ini. Since file_put_contents isn’t disabled, I’ll overwrite the php.ini to remove all restrictions, then use a second submission to get a root shell.

Gavel from HackTheBox features a novel PDO prepared statement SQLi bypass, PHP runkit code injection for RCE, and overwriting a sandbox php.ini to escalate from restricted PHP execution to root.

1 month ago
HTB: Expressway
Expressway is a Linux box with only SSH and an IKE VPN service on UDP. I’ll use ike-scan in aggressive mode to leak the VPN identity and capture a pre-shared key hash, which cracks quickly with hashcat. Connecting to the IPSEC VPN doesn’t provide any additional attack surface, but the PSK works for SSH access. For privilege escalation, I’ll show exploitation of two different CVEs in sudo. In Beyond Root, I’ll look at the sudo config that allowed one of the exploits and show how to connect to the IPSec VPN with strongSwan.

Expressway from HackTheBox features IKE Aggressive Mode identity leaking and PSK cracking for SSH access. Privesc is CVEs in sudo. I'll show both hostname spoofing to bypass host-based sudoers rules, and chroot abuse via a malicious NSS library.

1 month ago
HTB: Barrier
Barrier is a Linux box with GitLab, Authentik, and Apache Guacamole. I’ll exploit a SAML signature bypass vulnerability in GitLab’s Ruby SAML library to forge a SAML assertion and log in as admin. From GitLab’s CI/CD variables, I’ll recover an Authentik API token and use it to create an admin account. With Authentik admin access, I’ll impersonate a user in Guacamole to get an SSH shell. From there, I’ll find database credentials for Guacamole’s MariaDB backend and extract an SSH private key and passphrase for another user. That user’s bash history contains a password that works with sudo to get root.

Barrier from VulnLab now on HackTheBox features a SAML signature bypass to get GitLab admin, Authentik API abuse via a CI/CD token, SSH key extraction from Guacamole's MariaDB, and a password in bash history for root.

1 month ago
HTB: Guardian
Guardian is a Linux box hosting a university portal built with PHP. I’ll exploit an IDOR in the chat feature to find Gitea credentials, then use the source code to identify a vulnerability in PhpSpreadsheet that allows XSS through a malicious XLSX file to steal a lecturer’s session cookie. From the lecturer account, I’ll combine a CSRF vulnerability with a weak CSRF token implementation to create an admin account. As admin, I’ll abuse a local file include with PHP filter chain injection to get RCE. After cracking a database password hash, I’ll pivot through users by modifying a writable Python script. I’ll escalate to root by abusing a silly binary wrapper around apache2ctl in many ways.

Guardian from HackTheBox features chat IDOR, XSS via PhpSpreadsheet CVE-2025-22131, CSRF to create an admin account, PHP filter chain LFI-to-RCE, password cracking, Python script injection, and bypassing a custom Apache config validator in many ways.

1 month ago

I forgot to say thanks for this! Updated the post with a shout-out to you!

1 month ago
HTB: Bruno
Bruno is a Windows Active Directory box. I’ll start by finding a .NET sample scanning application on FTP, and after reverse engineering it, discover a ZipSlip vulnerability in how it handles zip archives. Combining that with a DLL hijack, I’ll get a shell as the service account that runs the scanner. For privilege escalation, I’ll exploit the lack of LDAP signing by performing a Kerberos relay attack, setting up resource-based constrained delegation to impersonate the Administrator.

Bruno from VulnLab (now on HackTheBox) features .NET reverse engineering, ZipSlip archive path traversal into a DLL hijack for foothold, then Kerberos relay via KrbRelayUp abusing missing LDAP signing for RBCD and Administrator access.

1 month ago
HTB: Giveback
Giveback starts with a WordPress website with a donation plugin that’s vulnerable to a RCE exploit. I’ll get a shell in a Kubernetes pod, and use it to scan an internal legacy app running PHP-CGI. I’ll abuse a vulnerability in that application to get to the next pod, where I’ll find a Kubernetes secret to interact with the API and dump secrets. I’ll use an SSH password to get on the host. For root I’ll abuse a custom wrapper around runc two different ways.

Giveback from HackTheBox is a Kubernetes box with GiveWP PHP object injection for RCE, PHP-CGI argument injection via Best-Fit characters on a legacy internal app, K8s API secret dumping, and a container escape through runc two ways.

2 months ago
HTB: Soulmate
Soulmate has a PHP-based dating website, as well as an instance of CrushFTP. I’ll showcase two different authentication bypass CVEs to get admin access to CrushFTP. From there I can upload a PHP webshell and get a foothold on the box. I’ll find hardcoded credentials in an Erlang SSH server, and use them to get to the next user. I’ll also use them to connect to this SSH server and navigate the Erlang console as root to solve the challenge.

Soulmate from HackTheBox features a PHP dating site and CrushFTP with two auth bypass CVEs (race condition and AWS4-HMAC abuse) for admin access, PHP webshell upload for foothold, and hardcoded credentials in an Erlang SSH server for root.

2 months ago
HTB: Slonik
Slonik showcases some interesting Linux techniques around NFS and PostgreSQL. I’ll start with an insecurely configured NFS mount where I can list and read files from anywhere on the filesystem as any user except root. I’ll find hashes for a service account in the shadow file and in a postgres history file, and crack either. The service account doesn’t have a shell set, so I can’t get a shell over SSH. I can port forward to a UNIX socket, which provides access to PostgreSQL. I’ll use that to get a shell as the postgres user. To escalate to root, I’ll abuse a cron running a PostgreSQL backup utility. In Beyond Root, I’ll talk about a bug I found and fixed in Netexec and its neat NFS tools.

Slonik from HackTheBox features NFS root filesystem escape to read sensitive files, UNIX socket SSH tunneling to PostgreSQL, RCE through PostgreSQL for a shell, and poisoning a pg_basebackup cron job with a SetUID binary for root.

2 months ago
Finding and Fixing a Bug in Netexec NFS
Netexec has some awesome NFS capabilities. While playing Slonik from VulnLab / HackTheBox, I found an issue I couldn't understand. I'll walk through how Nete...

Netexec has some really nice NFS capabilities. I found some weird behavior in one of them, which turned out to be a bug that just got patched. Let's walk through it.

2 months ago
HTB: Breach
Breach is a Windows domain controller box. I’ll start by using guest access to a writable SMB share to drop ntlm_theft lure files, capturing a NetNTLMv2 hash for a domain user with Responder. After cracking that hash, I’ll use BloodHound to find a Kerberoastable MSSQL service account and crack its hash as well. Both accounts map to guest on MSSQL, but I’ll forge a silver ticket as Administrator to get sysadmin access, enable xp_cmdshell, and use GodPotato to escalate to SYSTEM.

Breach from HackTheBox and VulnLab is an AD box with a writable SMB share, ntlm_theft for hash capture, Kerberoasting, a silver ticket to get sysadmin on MSSQL, and GodPotato for SYSTEM.

2 months ago

I legit still don't understand why this worked. It only gets the groups if you specifically specify the user id in the ticket, and it can only be that account.

I would think if it were doing delegation it could impersonate more.

2 months ago
HTB: Signed
Signed is an assume breach Windows box where I’m given credentials for a local MSSQL account. I’ll enumerate the database, coerce authentication from the MSSQL service account using xp_dirtree, and crack the NetNTLMv2 hash. With the service account password, I’ll forge a silver ticket with the IT group’s RID to gain sysadmin privileges on the database and get command execution. For root, I’ll show three paths: using OPENROWSET BULK impersonation with silver tickets to read files as Domain Admins and find the Administrator’s password in PowerShell history, relaying NTLM authentication from the DC using a crafted DNS record, and recovering SeImpersonatePrivilege from the original logon token to escalate with GodPotato.

Signed from HackTheBox is an assume breach MSSQL box featuring silver ticket forging with group injection, OPENROWSET BULK for privileged file reads, NTLM relay via crafted DNS records, and SeImpersonate recovery from a restricted service token.

2 months ago
HTB: Bamboo
Bamboo offers a Squid HTTP proxy through which I’ll access a PaperCut NG instance. I’ll use Spose to scan through the proxy and discover the print management application. I’ll exploit an authentication bypass vulnerability in PaperCut and use application access to enable print scripting to get code execution. For privilege escalation, I’ll abuse a root process that runs a script from the papercut user’s home directory.

Bamboo from HackTheBox and VulnLab features Squid proxy enumeration, CVE-2023-27350 authentication bypass to RCE in PaperCut NG, and binary hijacking of a root-executed script for privilege escalation.

2 months ago
HTB: CodeTwo
CodeTwo is a Linux box hosting a developer sandbox where users can execute JavaScript code. The site uses js2py, which I’ll exploit via CVE-2024-28397 to escape the sandbox and get remote code execution. From there, I’ll find MD5 password hashes in the SQLite database and crack one to pivot to marco. Marco can run npbackup-cli with sudo, and I’ll abuse this to read files from root’s backup, including the SSH private key, which I’ll use to get a shell as root.

CodeTwo from HackTheBox features a js2py sandbox escape via CVE-2024-28397, MD5 hash cracking from SQLite, and abusing npbackup-cli sudo permissions to read root's SSH key from backups.

2 months ago
Barbhack 2025 CTF
Welcome to the NetExec Active Directory Lab! This lab is designed to teach you how to exploit Active Directory (AD) environments using the powerful tool NetExec. Originally featured in the Barbhack 2025 CTF, this lab is now available for free to everyone! In this lab, you’ll explore how to use the powerful tool NetExec to efficiently compromise an Active Directory domain during an internal pentest. The ultimate goal? Become Domain Administrator by following various attack paths! Ahoy, matey! Time to conquer the Seven Seas and claim the PIRATES.BRB domain!

I had the chance last weekend to play the Barbhack 2025 CTF from the NetExec team. Pirates features GPP creds, NTLMv1 relay to RBCD, DPAPI, GMSA recovery, MSSQL impersonation + SeImpersonate, constrained delegation, and NTDS forensics.

2 months ago
State of 0xdf (2026)
YouTube video by 0xdf

Released a bit of a different video today. The State of 0xdf (2026). We'll look at the last year for my website and YT channel, go over some numbers. Definitely looking for feedback on if people like this kind of insight.

www.youtube.com/watch?v=KCo6...

2 months ago

Thank you so much @hackthebox.bsky.social
for recognizing me as an MVP for 2025 with this sweet swag package.

I owe a lot to HTB. Without HTB, my life would be on a completely different track. Through the platform, I've built skills and made friends. Here's to many more years of hacking.

2 months ago
HTB: JobTwo
JobTwo is the sequel to Job, another Windows box from VulnLab released on HackTheBox. I’ll send a malicious Word document with VBA macros to the HR email address via SMTP. From the initial shell as Julian, I’ll find hMailServer and decrypt its database password using a known Blowfish key. After dumping password hashes from the mail database, I’ll crack Ferdinand’s password and pivot via WinRM. Ferdinand has access to Veeam Backup & Replication, which I’ll exploit via CVE-2023-27532 to get a shell as SYSTEM.

JobTwo from VulnLab now on HackTheBox is the sequel to Job from VulnLab. Phishing with Word macros, hMailServer database decryption with a known Blowfish key, password cracking, and CVE-2023-27532 in Veeam Backup & Replication for SYSTEM.

2 months ago
HTB: Job
Job is a Windows box with a website saying that they are looking for resumes in Libre Office format. The box is listening on SMTP, so I’ll create a document with a malicious macro and get a shell by mailing it to the careers email address. For root, I’ll drop a webshell into the web directory, and abuse SeImpersonatePrivilege with GodPotato to get SYSTEM.

Job from HackTheBox features phishing with a LibreOffice macro sent via SMTP, dropping a webshell into IIS, and abusing SeImpersonatePrivilege with GodPotato for SYSTEM.

2 months ago

Check it out now:

2 months ago
HTB: Imagery
Imagery hosts a Flask-based image gallery application. I’ll exploit a stored XSS vulnerability in the bug report feature to steal an admin cookie. From the admin panel, I’ll use directory traversal to read the application source code, finding a command injection vulnerability in the image crop feature that requires access as a test user. After reading the database and cracking the test user’s password hash, I’ll exploit the command injection to get a shell. I’ll find an encrypted backup file and brute-force the pyAesCrypt password, getting access to an older backup with additional hashes. After cracking another user’s hash, I’ll pivot to a user that can run a custom backup utility as root via sudo. I’ll show two ways to abuse this. In Beyond Root, I’ll show why SSH is broken and how to get around it.

Imagery from HackTheBox features XSS to steal cookies, directory traversal for source code access, and command injection for RCE. Pivots include pyAesCrypt brute-forcing and abusing a sudo backup utility exploited multiple ways.

2 months ago

Spent an hour in Claude Code last night and made the tables at the top of my @hackthebox.bsky.social blog posts on 0xdf.gitlab.io a bit nicer :) Feedback welcome.

3 months ago