Training Architect @ HackTheBox
CTF Addict
"Potentially a legit researcher"
he/him
Website: https://0xdf.gitlab.io/about
YouTube: https://www.youtube.com/c/0xdf0xdf
Twitter: 0xdf_

Pterodactyl from HackTheBox features unauth directory traversal in Pterodactyl Panel, pearcmd trick for RCE, and a Polkit + udisks chain mounting a SetUID XFS image for root. Beyond Root: two recent Linux kernel page-cache LPEs.

https://0xdf.gitlab.io/2026/05/16/htb-pterodactyl.html

HTB: Pterodactyl

Pterodactyl hosts a Minecraft community site alongside an instance of the Pterodactyl game-server management panel. I’ll exploit an unauthenticated directory traversal in the panel’s locale endpoint that gets PHP to include arbitrary files on disk, and chain it with the classic PEAR pearcmd technique to write and execute a webshell. From there I’ll read database credentials, crack a bcrypt hash, and pivot to a user who reuses that password. The box runs openSUSE, where I’ll abuse a PAM environment-variable flaw to convince Polkit I’m a local console session, then exploit a libblockdev/udisks vulnerability to mount a crafted XFS image carrying a SetUID-root shell and escalate to root. In Beyond Root, I’ll get CopyFail and DirtyFrag (two recent Linux kernel page-cache privilege-escalation exploits) working on the host.

0xdf hacks stuff

Diving into Dirty Frag, the second Linux page-cache local privesc in two weeks. CVE-2026-43284 + CVE-2026-43500 provide full distro coverage.

I walk through both variants, the broken disclosure, and demo both versions on the HTB Snapped machine.

https://www.youtube.com/watch?v=B5eUI_e7iwE

Dirty Frag Explained

YouTube

Overwatch from HackTheBox features anonymous SMB, .NET reverse engineering, MSSQL linked server abuse with AD-integrated DNS to capture cleartext credentials via Responder, and a PowerShell command injection in a WCF service for SYSTEM.

https://0xdf.gitlab.io/2026/05/09/htb-overwatch.html

HTB: Overwatch

Overwatch starts with anonymous SMB access to a software share that hosts a custom .NET monitoring binary. I’ll reverse engineer it to recover SQL Server credentials and identify a WCF service with a PowerShell command injection sink. With the SQL creds, I’ll find a linked server pointing to a non-resolving host and abuse CREATE_CHILD on the AD-integrated DNS zone to add a record pointing the hostname at my host, capturing cleartext SQL authentication with Responder when the linked server connects out. Those credentials provide WinRM as a user in Remote Management Users. From there, I’ll exploit the WCF KillProcess command injection on a localhost SOAP endpoint to get code execution as SYSTEM, demonstrating four different ways to interact with the WCF service. In Beyond Root, I’ll look at a log that captured the Windows Administrator password from an HTB pre-release cleanup script.

0xdf hacks stuff

Diving into the latest Linux exploit, Copy Fail. I'll show how it works, deobfuscate the author's POC, and run it on a HackTheBox machine (and show how to clean up).

https://www.youtube.com/watch?v=wQ914geKOcw

Copy Fail Explained [CVE-2026-31431]

YouTube

Sorcery from HackTheBox has Cypher injection, passkey XSS on a headless Chrome bot, Kafka wire protocol SSRF, Xvfb framebuffer reads, .NET reversing for Docker Registry OTPs, and FreeIPA role abuse for root.

https://0xdf.gitlab.io/2026/04/25/htb-sorcery.html

HTB: Sorcery

Sorcery is a Linux box with a Rust Rocket web app backed by Neo4j, Gitea, and a Kafka message bus. I’ll exploit Cypher injection in a derive-macro-generated query to leak the seller registration key, then use XSS in a product description to register a passkey on the admin account through a headless Chrome bot. I’ll also show a shortcut to change the admin’s password using Cypher injection. As admin, a port-debug tool becomes an SSRF I can use to send Kafka wire protocol messages, which I’ll use to get RCE in the DNS container. From there, I’ll recover a CA keypair from FTP, phish the next user with mitmproxy proxying their own Gitea login page, read a password out of an Xvfb framebuffer, and reverse a .NET binary to generate OTPs for Docker Registry auth. Pulling layers out of a pushed image leaks another password, and the final pivots abuse FreeIPA roles to change one user’s password over LDAP and bootstrap sudo rights to root. I’ll show a couple of unintended paths using pspy to capture creds as well.

0xdf hacks stuff

AirTouch from HackTheBox is a wireless box featuring SNMP enumeration, WPA2-PSK capture and crack, Wireshark traffic decryption, client-side cookie role bypass with a phtml upload, and an evil twin via eaphammer to capture a crackable challenge.

https://0xdf.gitlab.io/2026/04/18/htb-airtouch.html

HTB: AirTouch

AirTouch simulates a wireless network environment. I’ll start by pulling a default password from SNMP to SSH as a consultant user inside a container with virtual wireless interfaces. From there, I’ll capture and crack a WPA2-PSK handshake to join the tablet network, then decrypt the captured traffic in Wireshark to recover session cookies for a router management site. A client-side role cookie gates an admin upload feature, where I’ll bypass the PHP extension filter with a phtml file to get RCE. Hardcoded credentials in the source give me the next user, and sudo gets me root, where I find the CA and server certs for the corporate wireless network. I’ll use those with eaphammer to stand up an evil twin of AirTouch-Office and capture a PEAP-MSCHAPv2 challenge, which cracks to reveal a user’s password. That gets me onto the corporate network, where a hostapd eap_user file leaks an admin password, and sudo gets me to root.

0xdf hacks stuff

Eighteen from HackTheBox is an assume-breach Windows Server 2025 box featuring MSSQL impersonation, Werkzeug hash cracking, password spraying, and Bad Successor (CVE-2025-53779) to abuse dMSA migration for domain admin.

https://0xdf.gitlab.io/2026/04/11/htb-eighteen.html

HTB: Eighteen

Eighteen is a Windows Server 2025 assume-breach box starting with MSSQL credentials. I’ll use MSSQL login impersonation to access the financial planner database and recover a Werkzeug PBKDF2 hash for the web admin. After cracking the hash and spraying the password against domain users, I’ll get a WinRM shell. From there, I’ll identify that the domain is running at the Windows 2025 functional level and exploit Bad Successor, abusing the dMSA migration feature to create a delegated managed service account that inherits the Administrator’s group memberships, giving full domain admin access.

0xdf hacks stuff

DarkZero from HackTheBox features cross-forest MSSQL linked servers, four privesc paths (token theft, ADCS/RunAsCS, NTLM reflection via CMTI, CVE-2024-30088), and cross-forest TGT delegation for domain takeover.

https://0xdf.gitlab.io/2026/04/04/htb-darkzero.html

HTB: DarkZero

DarkZero is an assume-breach Windows box with two forests connected by a bidirectional cross-forest trust. Starting with given credentials, I’ll enumerate MSSQL on DC01 and find a linked server to DC02 in the other forest where the mapped account is sysadmin. I’ll enable xp_cmdshell on DC02 to get a shell as the SQL service account. To escalate to SYSTEM on DC02, I’ll show four paths: recovering SeImpersonatePrivilege from the original logon token via named pipe impersonation, using ADCS certificate enrollment to get an NT hash and change the password for a service logon with RunAsCS, NTLM authentication reflection using the CMTI DNS record trick to relay the machine account back to its own LDAPS, and CVE-2024-30088. As SYSTEM on DC02, I’ll abuse the cross-forest TGT delegation to capture DC01’s machine account TGT and use it to dump all domain hashes from DC01.

0xdf hacks stuff

Snapped from HackTheBox features CVE-2026-27944 to download and decrypt Nginx UI backups without auth, bcrypt cracking for a shell, and CVE-2026-3888 to exploit a snapd race condition for root.

https://0xdf.gitlab.io/2026/04/01/htb-snapped.html

HTB: Snapped

Snapped is a Linux box hosting a static site behind nginx, with an Nginx UI admin panel. I’ll exploit CVE-2026-27944 to decrypt a backup download from the Nginx UI to find bcrypt password hashes in a SQLite database. I’ll crack one to get SSH access. To escalate to root, I’ll exploit CVE-2026-3888, a recent vulnerability in snapd where systemd-tmpfiles deletes snap-confine’s private temp directory, allowing me to win a race condition and replace the dynamic linker with a malicious payload that runs as root.

0xdf hacks stuff

Principal from HackTheBox features a pac4j JWT authentication bypass (CVE-2026-29000) to forge admin tokens using just the public key, password reuse to SSH, and abusing an SSH CA private key to sign a root certificate.

https://0xdf.gitlab.io/2026/03/30/htb-principal.html

HTB: Principal

Principal is a Linux box with a Java web application using pac4j for JWT authentication. I’ll exploit a vulnerability in pac4j-jwt that allows forging encrypted JWTs using only the server’s public RSA key, bypassing signature verification to access the admin dashboard. From there, I’ll find credentials in the settings and spray them against SSH to get a shell as svc-deploy. For root, I’ll abuse access to an SSH certificate authority private key to sign a certificate for the root principal and SSH in.

0xdf hacks stuff