924 Followers
27 Following
396 Posts
Training Architect @ HackTheBox
CTF Addict
"Potentially a legit researcher"
he/him
Website: https://0xdf.gitlab.io/about
YouTube: https://www.youtube.com/c/0xdf0xdf
Twitter: 0xdf_

Conversor from HackTheBox features XSLT injection and os.path.join abuse for file write, and CVE-2024-48990 in needrestart (plus a config GTFObin) for root.

https://0xdf.gitlab.io/2026/03/21/htb-conversor.html

HTB: Conversor

Conversor is a Linux box hosting a Flask web application that converts nmap XML output to HTML using XSLT. I’ll find the source code and exploit insecure use of os.path.join to write a Python reverse shell into a cron-executed scripts directory, or alternatively abuse XSLT’s exslt:document extension to write files to the server. From there, I’ll find an MD5-hashed password in the SQLite database and crack it to pivot to the next user. For root, I’ll exploit CVE-2024-48990 in needrestart by poisoning the PYTHONPATH environment variable, or abuse needrestart’s Perl config file to get direct code execution.

0xdf hacks stuff

Gavel from HackTheBox features a novel PDO prepared statement SQLi bypass, PHP runkit code injection for RCE, and overwriting a sandbox php.ini to escalate from restricted PHP execution to root.

https://0xdf.gitlab.io/2026/03/14/htb-gavel.html

HTB: Gavel

Gavel is a Linux box hosting a PHP auction website with an exposed .git directory. I’ll recover the source code with git-dumper and exploit a novel SQL injection technique that bypasses PDO’s backtick-quoted prepared statements to dump the database. After cracking a bcrypt hash, I’ll access the admin panel and exploit PHP’s runkit extension to inject arbitrary code into auction rules, getting RCE. I’ll pivot to the next user via password reuse, then reverse engineer a custom daemon that validates submitted PHP rules against a restrictive php.ini. Since file_put_contents isn’t disabled, I’ll overwrite the php.ini to remove all restrictions, then use a second submission to get a root shell.

0xdf hacks stuff

Expressway from HackTheBox features IKE Aggressive Mode identity leaking and PSK cracking for SSH access. Privesc is CVEs in sudo. I'll show both hostname spoofing to bypass host-based sudoers rules, and chroot abuse via a malicious NSS library.

https://0xdf.gitlab.io/2026/03/07/htb-expressway.html

HTB: Expressway

Expressway is a Linux box with only SSH and an IKE VPN service on UDP. I’ll use ike-scan in aggressive mode to leak the VPN identity and capture a pre-shared key hash, which cracks quickly with hashcat. Connecting to the IPSEC VPN doesn’t provide any additional attack surface, but the PSK works for SSH access. For privilege escalation, I’ll show exploitation of two different CVEs in sudo. In Beyond Root, I’ll look at the sudo config that allowed one of the exploits and show how to connect to the IPSec VPN with strongSwan.

0xdf hacks stuff

Barrier from VulnLab now on HackTheBox features a SAML signature bypass to get GitLab admin, Authentik API abuse via a CI/CD token, SSH key extraction from Guacamole's MariaDB, and a password in bash history for root.

https://0xdf.gitlab.io/2026/03/03/htb-barrier.html

HTB: Barrier

Barrier is a Linux box with GitLab, Authentik, and Apache Guacamole. I’ll exploit a SAML signature bypass vulnerability in GitLab’s Ruby SAML library to forge a SAML assertion and log in as admin. From GitLab’s CI/CD variables, I’ll recover an Authentik API token and use it to create an admin account. With Authentik admin access, I’ll impersonate a user in Guacamole to get an SSH shell. From there, I’ll find database credentials for Guacamole’s MariaDB backend and extract an SSH private key and passphrase for another user. That user’s bash history contains a password that works with sudo to get root.

0xdf hacks stuff

Guardian from HackTheBox features chat IDOR, XSS via PhpSpreadsheet CVE-2025-22131, CSRF to create an admin account, PHP filter chain LFI-to-RCE, password cracking, Python script injection, and bypassing a custom Apache config validator many ways.

https://0xdf.gitlab.io/2026/02/28/htb-guardian.html

HTB: Guardian

Guardian is a Linux box hosting a university portal built with PHP. I’ll exploit an IDOR in the chat feature to find Gitea credentials, then use the source code to identify a vulnerability in PhpSpreadsheet that allows XSS through a malicious XLSX file to steal a lecturer’s session cookie. From the lecturer account, I’ll combine a CSRF vulnerability with a weak CSRF token implementation to create an admin account. As admin, I’ll abuse a local file include with PHP filter chain injection to get RCE. After cracking a database password hash, I’ll pivot through users by modifying a writable Python script. I’ll escalate to root abusing a silly binary wrapper around apache2ctl many ways.

0xdf hacks stuff

Bruno from VulnLab (now on HackTheBox) features .NET reverse engineering, ZipSlip archive path traversal into a DLL hijack for foothold, then Kerberos relay via KrbRelayUp abusing missing LDAP signing for RBCD and Administrator access.

https://0xdf.gitlab.io/2026/02/24/htb-bruno.html

HTB: Bruno

Bruno is a Windows Active Directory box. I’ll start by finding a .NET sample scanning application on FTP, and after reverse engineering it, discover a ZipSlip vulnerability in how it handles zip archives. Combining that with a DLL hijack, I’ll get a shell as the service account that runs the scanner. For privilege escalation, I’ll exploit the lack of LDAP signing by performing a Kerberos relay attack, setting up resource-based constrained delegation to impersonate the Administrator.

0xdf hacks stuff

Giveback from HackTheBox is a Kubernetes box with GiveWP PHP object injection for RCE, PHP-CGI argument injection via Best-Fit characters on a legacy internal app, K8s API secret dumping, and a container escape through runc two ways.

https://0xdf.gitlab.io/2026/02/21/htb-giveback.html

HTB: Giveback

Giveback starts with a WordPress website with a donation plugin that’s vulnerable to an RCE exploit. I’ll get a shell in a Kubernetes pod, and use it to scan an internal legacy app running PHP-CGI. I’ll abuse a vulnerability in that application to get to the next pod, where I’ll find a Kubernetes secret to interact with the API and dump secrets. I’ll use an SSH password to get on the host. For root I’ll abuse a custom wrapper around runc two different ways.

0xdf hacks stuff

Soulmate from HackTheBox features a PHP dating site and CrushFTP with two auth bypass CVEs (race condition and AWS4-HMAC abuse) for admin access, PHP webshell upload for foothold, and hardcoded credentials in an Erlang SSH server for root.

https://0xdf.gitlab.io/2026/02/14/htb-soulmate.html

HTB: Soulmate

Soulmate has a PHP-based dating website, as well as an instance of CrushFTP. I’ll showcase two different authentication bypass CVEs to get admin access to CrushFTP. From there I can upload a PHP webshell and get a foothold on the box. I’ll find hardcoded credentials in an Erlang SSH server, and use them to get to the next user. I’ll also use them to connect to this SSH server and navigate the Erlang console as root to solve the challenge.

0xdf hacks stuff

Slonik from HackTheBox features NFS root filesystem escape to read sensitive files, UNIX socket SSH tunneling to PostgreSQL, RCE through PostgreSQL for a shell, and poisoning a pg_basebackup cron job with a SetUID binary for root.

https://0xdf.gitlab.io/2026/02/12/htb-slonik.html

HTB: Slonik

Slonik showcases some interesting Linux techniques around NFS and PostgreSQL. I’ll start with an insecurely configured NFS mount where I can list and read files from anywhere on the filesystem as any user except root. I’ll find hashes for a service account in the shadow file and in a postgres history file, and crack either. The service account doesn’t have a shell set, so I can’t get a shell over SSH. I can port forward to a UNIX socket, which provides access to PostgreSQL. I’ll use that to get a shell as the postgres user. To escalate to root, I’ll abuse a cron running a PostgreSQL backup utility. In Beyond Root, I’ll talk about a bug I found and fixed in Netexec and its neat NFS tools.

0xdf hacks stuff

Netexec has some really nice NFS capabilities. I found some weird behavior in one of them, which turned out to be a bug that just got patched. Let's walk through it.

https://www.youtube.com/watch?v=WVWPgOjIpoI

Finding and Fixing a Bug in Netexec NFS

YouTube