0xdf

@0xdf_

Followers
22,582
Following
440
Media
390
Statuses
2,547

Training Architect @ HackTheBox "Potentially a legit security researcher" he/him 0xdf on discord

Joined January 2015
@0xdf_
0xdf
2 years
I got a really convincing phish today from @PayPal. And when I say "from PayPal", the from address is service@paypal.com. I knew right away that I didn't have a PayPal account for this email, so I was sure it was fake. It took me a minute to figure out what I was looking at. 🧵
142
9K
17K
@0xdf_
0xdf
2 years
The important thing I always tell people: Never call a phone number you get from an email / text / phone call that could be suspicious. If you think your account may be hacked, go get the number from the official website and call that. Same goes for links to login pages.
6
518
3K
@0xdf_
0xdf
2 years
It's not immediately clear to me how they got their email to show as billing.dprt@paypal.com. That said, given the rest of this, I'm sure it's some trick in settings somewhere of company accounts that can send invoices like this. Probably something @PayPal should look at.
16
105
2K
@0xdf_
0xdf
2 years
The clever / evil part is that they managed to register the account "Billing Department of PayPal", and then to use an invoice (which is designed to say "hello, I'm requesting $1000") as an email from the security team saying "hello, you've already been charged $1000"
1
110
2K
@0xdf_
0xdf
2 years
This is a real PayPal site. It just happens to be an invoice from someone to me, asking for $1000. I doubt anyone reads this text and clicks the "Pay $1,000" button. Rather, the intent is to scare you with official-looking emails with large $$$ in them into making that call.
1
84
2K
@0xdf_
0xdf
2 years
The email looked like things I've got from PayPal before. The colors and templating were good. And the email address was from the legit PayPal domain.
Tweet media one
9
136
2K
@0xdf_
0xdf
2 years
Make sure you talk to the less computer savvy people in your life about this kind of stuff.
4
83
2K
@0xdf_
0xdf
2 years
Scrolling down, here's the clever part. I'm presented with urgency and large but not too large dollar amounts. Who wouldn't act now to prevent being charged $1000?
Tweet media one
13
67
1K
@0xdf_
0xdf
2 years
This is relatively convincing, and I suspect a lot of people call this phone number in a panic ready to make sure they aren't charged $1000.
1
31
1K
@0xdf_
0xdf
2 years
I don't know what they do once you call. I would guess that they ask for your username and password, and then try to get into your account and drain it that way. Or ask for your credit card number etc to "issue a refund".
13
41
1K
@0xdf_
0xdf
2 years
Clicking on the link makes it a bit clearer what's going on, if you take the time to look at it:
Tweet media one
10
62
1K
@0xdf_
0xdf
2 years
Thanks to @atjontv for showing exactly how this was done.
@0xdf_
0xdf
2 years
I don't have access to a @PayPal business account, but @atjontv does, and was able to recreate this exact attack, explaining the one part I was unsure on, and confirming the rest. (Screenshots in thread, shared with permission) 🧵
6
595
1K
5
120
1K
@0xdf_
0xdf
2 years
This of course is harder when you get a scam phone call from "Microsoft". You can't just look up a number for them and call back, since MS doesn't offer that. Still, be skeptical of people who reach out to you, and where you can, ensure you are talking to who you think you are.
11
47
1K
@0xdf_
0xdf
2 years
I don't have access to a @PayPal business account, but @atjontv does, and was able to recreate this exact attack, explaining the one part I was unsure on, and confirming the rest. (Screenshots in thread, shared with permission) 🧵
@0xdf_
0xdf
2 years
I got a really convincing phish today from @PayPal. And when I say "from PayPal", the from address is service@paypal.com. I knew right away that I didn't have a PayPal account for this email, so I was sure it was fake. It took me a minute to figure out what I was looking at. 🧵
142
9K
17K
6
595
1K
@0xdf_
0xdf
2 years
@akrembasha @PayPal It's not. They went into PayPal and generated an invoice to send me, and PayPal did. They just used the custom text space to make it look like a security alert.
5
19
611
@0xdf_
0xdf
9 months
Building a new Windows FlareVM today. Most difficult part is disabling Defender (the instructions in the README don't work anymore). In case it helps anyone in the future, the instructions in this post do:
9
117
437
@0xdf_
0xdf
5 years
RE just retired from @hackthebox_eu. As the creator of the box, I tried to bring phishing/macro obfuscation concepts to the initial access. The intended privescs were the WinRAR ACE file exploit, and XXE in Ghidra. I'll show two unintended privescs too.
9
103
432
@0xdf_
0xdf
3 years
Blog from @ippsec and me on the @hackthebox_eu blog - Finding that balance between not giving up too early and being pointlessly stuck is important. But the answer isn't "never seek help". Trying harder isn't always the answer when you're trying to learn.
10
107
396
@0xdf_
0xdf
2 years
So they generate an invoice to a bogus "@paypal" email, and CC me (and probably lots of other people), and hope my eye skips over the fact that "billing.dprt@paypal.com" is the "bill to" and focus on the scary language with urgency and call the number.
1
26
370
@0xdf_
0xdf
2 years
If you play CTFs with a fake TLD (like *.htb), you're probably used to typing siteisup.htb into Firefox and getting a Google search. Just learned you can add this key in about:config, and now it will stop searching! I'm overly excited about this.
Tweet media one
19
79
359
@0xdf_
0xdf
5 months
I learned so much about Kerberos solving Rebound. It was very difficult, but such a great experience. There's Kerberoasting without auth, cross session with RemotePotato0, and abusing delegation, both constrained and RBCD!
6
66
330
@0xdf_
0xdf
2 years
Earlier today, I pushed a blog post for the 2017 HackTheBox machine Jail. With that, has a blog post for every retired @hackthebox_eu machine. To celebrate, a thread about my blog, including some stats, goals, and a thank you. 🧵 1/13
17
46
298
@0xdf_
0xdf
3 years
Just discovered faketime, and it's super useful when you need to sync with another host but don't want to muck with your system time. Will change the time for just the command that follows (which can be bash if you want to do a bunch of stuff).
Tweet media one
7
63
298
@0xdf_
0xdf
5 years
Hackback just retired from @hackthebox_eu. This is the hardest HTB box. Web exploitation, socks proxy over aspx, named pipe injection, and root via arbitrary write and DiagHub. In Beyond Root, I'll show an unintended root, look at the aspx shell, and RDP.
7
74
285
@0xdf_
0xdf
3 years
A thread about box reviews on HackTheBox. I (and many others) read every review submitted for machines on HackTheBox. I get genuine joy from every 5 star review. It means someone learned something, and probably had fun at the same time! And that's the point of HackTheBox. 1/8
8
27
265
@0xdf_
0xdf
5 years
Until recently, Ethereal was the hardest box I'd completed on @hackthebox_eu. I'm a huge fan, great work by @egre55 and @MinatoTW_. It took me three blog posts to write it all up. Start here: . Then check out posts on brute forcing pbox and writing a shell
5
99
260
@0xdf_
0xdf
2 years
@atjontv went into PayPal and generated an invoice, a feature in PayPal business accounts. The invoice was to "a@thismymail.com", and "b@thismymail.com" is put in the "CC" field. With the real phish, a -> billing.dprt@paypal.com, and b -> me.
Tweet media one
1
15
240
@0xdf_
0xdf
2 years
Response was a truly insane box from @hackthebox_eu. I'll decrypt Meterpreter traffic from a PCAP, directory traverse via a TLS certificate, read FTP over a POST request, write an HTTP proxy to exploit an HMAC oracle/SSRF, and rebuild a partial SSH key.
2
38
241
@0xdf_
0xdf
1 year
nmap scanning is a foundational skill for hacking. UDP scanning can be slow and/or unreliable. A quick video with some tips and tricks for scanning UDP with nmap in a reasonable time frame, as well as some exploration of unexpected data.
2
49
240
@0xdf_
0xdf
3 years
I first solved Kotarak while watching @ippsec when I had no idea how to solve this stuff. Now, almost three years later, I had a lot of fun going back and solving it again toward my goal of having a writeup for every retired machine from @hackthebox_eu.
6
25
232
@0xdf_
0xdf
5 years
Sizzle was one of my favorites on @hackthebox_eu. SCF + Responder to catch NetNTLMs, WinRM with Certificate, Kerberoasting, and DCSync. So much fun! In Beyond Root, I'll show two unintended paths for the box, and explore why Burp breaks NTLM HTTP auth.
6
83
222
@0xdf_
0xdf
4 years
I was surprised last week that @hackthebox_eu retired its first Endgame lab, P.O.O. I cobbled together my notes from 1.5 years ago into a writeup. Some really neat MSSQL and IIS exploitation, with a little sprinkle of AD thrown in at the end.
11
65
215
@0xdf_
0xdf
2 years
The invoice is sent to a (which in the real scenario is some probably not real email at , so it bounces). The email b gets looks like this:
Tweet media one
1
6
205
@0xdf_
0xdf
4 years
RopeTwo was the hardest box yet on @hackthebox_eu. Only three steps, all binary exploitation: JavaScript v8 engine, heap pwn, kernel module. In Beyond root, I'll show the unintended route (since patched) that led to first blood.
6
44
203
@0xdf_
0xdf
2 years
It says "Hello, a@thismymail.com". If a is a contact in the sender's email account, they can also give them a name. In the real phish, this was "PayPal User", hence why it says "Hello, PayPal User".
1
4
202
@0xdf_
0xdf
4 years
EndGame Xen writeup posted: A neat lab with phishing, Citrix virtual desktops, Active Directory, packet capture, kerberoasting, etc, from @hackthebox_eu. I tried to show the commands I used a year ago, and highlight what I might do differently today.
5
65
203
@0xdf_
0xdf
4 years
One of my favorite things about @hackthebox_eu is that they were one of the first to make hacking Active Directory accessible to all. Sauna is another in that line, where I'll get access via AS-REP Roast, escalate via autologon creds, and perform a DCSync.
4
40
197
@0xdf_
0xdf
3 years
In Forge from @hackthebox_eu, I'll chain a redirect and two SSRFs together to read files from a private FTP server. Then I'll abuse pdb in a Python script to get root. In Beyond Root, I'll bypass the filter on the website, and look at the webserver config.
4
40
189
@0xdf_
0xdf
2 years
👀
Tweet media one
12
1
192
@0xdf_
0xdf
2 years
The link leads to the invoice, which shows the "a@thismymail.com" email as the bill to. In the real phish, this said "PayPal User", and then on the next line, "billing.dprt@paypal.com".
Tweet media one
1
6
189
@0xdf_
0xdf
2 years
Inspired by the page growing so huge, some work on another project, and some conversations with @ippsec about his site (), I've added a live updating as you type filter to the tags page on my blog. Feedback welcome! Check it out at:
Tweet media one
8
26
188
@0xdf_
0xdf
3 years
Explore is the first Android box on @hackthebox_eu. There's a simple unauthenticated read in ES File Explorer that leaks information to enable SSH, and then a port forward to the debug port. The most interesting part was the filesystem.
2
41
186
@0xdf_
0xdf
3 years
Attended was another monster insane box from @hackthebox_eu. Phishing with a vim exploit and most outbound blocked, exploiting malicious SSH config, and a relatively contrived yet fun and challenging buffer overflow using SSH keys on a remote host.
4
37
179
@0xdf_
0xdf
1 year
Absolute is a very difficult Windows box from @hackthebox_eu that is all about Kerberos exploitation. There's user enumeration, as-rep-roasting, LDAP enum, dynamic binary analysis, shadow credentials, and krbrelay.
3
45
174
@0xdf_
0xdf
2 years
Docker is a technology I use sometimes, but my knowledge is very basic. I learned a ton from this video on the different docker networks. Thanks, @NetworkChuck
0
37
179
@0xdf_
0xdf
5 years
Every time someone tells me they found some value in something I've written, it absolutely makes my day. I'm not a New Year's resolution person, but I am resolving to try to tell people when I find something they did useful. 30 seconds can really make someone else feel great.
14
8
175
@0xdf_
0xdf
3 years
Earlier this week @_JohnHammond's analysis of a phishing email identified a malicious domain. I take the analysis a couple steps further using @PassiveTotal and @MaltegoHQ. PS - There's a YouTube video in this one. Let me know if you find that useful.
4
44
172
@0xdf_
0xdf
2 years
Strive to be the person chatgpt thinks you already are...
Tweet media one
11
7
172
@0xdf_
0xdf
3 years
Just reached 1000 subscribers on YouTube. 🥳🎉🍾 Still humbles me that so many are interested in what I have to share. I'm having a lot of fun practicing talking and presenting. And of course, having a lot of fun solving the challenges 😊
10
7
168
@0xdf_
0xdf
3 years
APT didn't have that many steps, but all of them relied on deep understanding of Windows, and the ability to modify tools to get what was needed. Leaking IPv6 over RPC, brute force NTLM hashes over Kerberos, and forcing crackable Net-NTLMv1.
4
34
171
@0xdf_
0xdf
2 years
Spent a bunch of time this weekend finishing up a video explaining what happens when you do a "shell upgrade". It's a breakdown of TTYs, why you want one, how you start one, raw vs cooked modes. Hopefully can wrap it up tonight and get it out by tomorrow! Excited about this one!
8
11
171
@0xdf_
0xdf
2 years
Search is a really nice AD box from @hackthebox_eu. There's Kerberoasting, password reuse/sprays, GMSA, PowerShell Web Access, and client-certificates. I'll use Bloodhound and LDAP throughout as a guide. Oh, and a short YouTube video on using jq!
2
42
170
@0xdf_
0xdf
2 years
I've run into a lot of JavaScript obfuscation in CTFs and in life in general. Came across this video which is a brilliant walkthrough of how one such method works.
2
36
165
@0xdf_
0xdf
1 year
Cerberus from @hackthebox_eu involves exploiting several CVEs. I'll get into an Ubuntu VM by exploiting Icinga, then escalate via Firejail. I'll get creds from SSSD, and pivot to the Windows host, escalating again via ADSelfService Plus.
3
50
161
@0xdf_
0xdf
2 years
Scrambled from @hackthebox_eu disabled NTLM auth, breaking how I typically interact with a Windows host. .NET RE, Silver Tickets, Kerberoasting. I'll show attacking from both Windows and Linux. And JuicyPotatoNG in Beyond Root.
4
32
165
@0xdf_
0xdf
5 years
Json just retired from @hackthebox_eu. There's a .NET deserialization vulnerability, and three paths to privesc, including abusing FileZilla, reversing a custom binary to get creds, and Juicy Potato.
2
42
161
@0xdf_
0xdf
4 years
I just learned that Chisel updated to include a socks option (I know I'm way behind here...). Updated version of my chisel post, now with a cheat sheet at the top: If there are other common scenarios that should be in the cheat sheet, leave a comment.
1
52
160
@0xdf_
0xdf
3 years
A Windows VM is something that's really useful for CTFs, even if used only a small percentage of the time. @ippsec showed off networking his Win and Parrot VMs so that he didn't have to take his VPN down and up to switch in @hackthebox_eu. I did the same.
2
58
158
@0xdf_
0xdf
4 years
This week it's Bankrobber from @hackthebox_eu. I'll use the XSS first to get the admin's cookie, then to do an XSRF to get code execution. The privesc is a buffer overflow without RE. In Beyond Root, I'll examine the automation for the XSS and the binary.
1
45
156
@0xdf_
0xdf
4 years
Knocked out the Offshore Prolab from @hackthebox_eu over the last few weeks. Really a lot of fun. Provided a good way to learn a lot of active directory concepts, and a chance to work on pivoting and tunnels. Thanks to @mrb3n813 and everyone else at HTB for the neat lab.
Tweet media one
10
6
154
@0xdf_
0xdf
1 year
I've been unhappy with how terminals look on my site for a while now. I've tried to change it before, but got overwhelmed in Jekyll / Rouge. This weekend, I figured it out! New CSS terminal look! I checked a few hundred posts, but let me know if you find something broken.
Tweet media one
Tweet media two
10
7
152
@0xdf_
0xdf
5 years
Alamot's writeup of LaCasaDePapel introduced me to a new tool - Chankro. It is a way to bypass php disable_functions and get execution on Linux. I wanted to try it myself:
3
45
154
@0xdf_
0xdf
4 years
Patents was a crazy box, involving XXE in a word doc, LFI, log poisoning, and then pivoting out of a docker container exploiting a custom binary with ROP. Should have been rated insane, not hard. It's retired from @hackthebox_eu, so here's my write-up:
4
27
151
@0xdf_
0xdf
3 years
For anyone doing lots of RE (like #flareon8 ), this is a lifesaver when debugging:
2
42
153
@0xdf_
0xdf
2 years
Support will be the fourth box I've had the honor to have go live on @hackthebox_eu! It's based on a real life PenTest story, and I had a lot of fun building it. I hope you all enjoy it!
@hackthebox_eu
Hack The Box
2 years
Have you tried turning it off and on again? 🤔 Support #Easy #Windows Machine created by @0xdf_ will go live 30 July 2022 at 19:00:00 UTC. Late will be retired! Join now and start #hacking : #HackTheBox #CyberSecurity #InfoSec #NewRelease
Tweet media one
3
25
119
2
18
151
@0xdf_
0xdf
7 months
Bookworm from @hackthebox_eu has a crazy interesting insane foothold where I exploit a directory traversal to read files through an exploit combining file upload, XSS, and IDOR. After that, there's symlink abuse and SQL injection to postscript injection.
0
25
149
@0xdf_
0xdf
3 years
Anubis from @hackthebox_eu was an insane Windows box. The root step is all about abusing certificates based on a blog post from @elkement. Before that, there's Windows dockers, ASP injection, and Jamovi exploitation.
1
32
146
@0xdf_
0xdf
5 years
My second submission on htb. Really hope people enjoy this one!
@hackthebox_eu
Hack The Box
5 years
Don't trust everything you see! RE will go live 20 July 2019 at 19:00:00 UTC. CTF will be retired! You still have time to hack your way in at:
Tweet media one
3
39
134
7
15
144
@0xdf_
0xdf
3 years
My 4th challenge going to release on @hackthebox_eu. Without spoiling anything else, unlike the other three, this one isn't a phishing document 🙃
Tweet media one
1
15
148
@0xdf_
0xdf
4 years
Resolute sent me into a rabbit hole. I'll look at why cme reports Pwn3d! for ryan, and at an unintended PSExec exploit that gives a system shell, and try to show why.
6
35
146
@0xdf_
0xdf
2 years
Fingerprint was truly an insane machine from @hackthebox_eu. Lots of combining exploits to make progress. EAR, XSS, directory traversal, custom Java serialization, browser fingerprints, AES padding attacks, and more.
3
32
143
@0xdf_
0xdf
4 years
Quick cheat-sheet on modifying Jar files. More examples to come when the challenge is no longer active.
3
44
141
@0xdf_
0xdf
2 years
ChatGPT is getting a bit preachy, IMHO
Tweet media one
20
6
140
@0xdf_
0xdf
4 years
PlayerTwo just retired from @hackthebox_eu. This box had so many steps, and pushed enumeration, fuzzing, and binary exploitation to the limits. To get root, heap exploitation! Plus, lots of Beyond Root, with a couple unintended paths and digging deeper.
7
38
140
@0xdf_
0xdf
5 years
The exploit for initial access to Smasher2 involves identifying an error in reference counting in a custom Python library written in C. This is probably the hardest step I've done on @hackthebox_eu. For root, I'll exploit a kernel driver to get a shell.
1
35
138
@0xdf_
0xdf
5 years
Helpline just retired from @hackthebox_eu. This box found a way to have a ton of paths, all of which were quite hard. I'll show as many as I can, broken across three posts. Start here: After enumeration, you can choose to continue on Windows or Kali.
1
40
138
@0xdf_
0xdf
4 years
Took a look at the PwnBox VIP feature from @hackthebox_eu. They did some amazing stuff providing a Parrot VM in a browser, with really cool features for persisting files between sessions. Probably won't be my daily VM, but it has a place in my toolbox.
5
44
133
@0xdf_
0xdf
4 years
Postman writeup is live. Easy Linux box, but the Metasploit Redis exploit doesn't work. I'll use Redis to write an SSH key, and look at why the Metasploit exploit failed in Beyond Root: @hackthebox_eu
1
38
138
@0xdf_
0xdf
5 years
First challenge I've submitted to @hackthebox_eu is going to be released Friday. Good luck to all! I hope you enjoy it.
Tweet media one
3
12
135
@0xdf_
0xdf
4 years
"Pros are just amateurs who know how to gracefully recover from their mistakes". Heard this today and thought of @ippsec. I learn the most in his videos when something goes wrong and I get to watch him recover.
3
17
137
@0xdf_
0xdf
6 months
In Visual from @hackthebox_eu I'll exploit a Visual Studio build service. The most interesting part is recovering SeImpersonate for the local service account using FullPower so that I can run a Potato exploit.
0
22
138
@0xdf_
0xdf
4 years
There's a reason Travel from @hackthebox_eu has a rating of 4.9/5. It was just a great box from @ATeamJKR and @xct_de. The best of the several stages was sending an SSRF to use Gopher to poison memcache with a serialized PHP payload to write a webshell.
2
33
135
@0xdf_
0xdf
3 years
I'm doing a thing. Don't have a good camera set up, so you don't have to look at my face, and you get to learn about my love for reversing phishing documents.
@hackthebox_eu
Hack The Box
3 years
Don't miss on May 26th, 2 pm ET our amazing talk by @0xdf_! 😎 Learn all about Analyzing #Phishing Documents! Tools, best practices & LIVE #hacking demo. Where will you be? 🎣 Book your spot here: #CyberSecurity #InfoSec #HTB #HackTheBox #SZCon2021
0
26
85
5
14
129
@0xdf_
0xdf
3 years
Delivery from @hackthebox_eu was an easy-rated box from @ippsec. It did a nice job of requiring some creative thinking without being technically complex. I'll use a helpdesk ticket to register and confirm a Mattermost account, and hashcat rules for root.
1
16
136
@0xdf_
0xdf
2 years
The best part of Catch from @hackthebox_eu is poisoning a config such that the server uses my VM for Redis, and serving a serialized PHP object to get RCE. There are several paths, and lots of interesting exploitation.
2
34
134
@0xdf_
0xdf
3 years
Developer provided a chance to hack a CTF website. The reverse tab-nabbing exploit is one that was once reported on @hackthebox_eu's website. Then there's a serialization attack, some RE, and of course the mini challenges from the site. Very fun box!
4
28
135
@0xdf_
0xdf
2 years
There's a new(ish) technique for exploiting PHP LFI to get RCE without uploading a webshell. I showed it in Beyond Root on UpDown, but wanted to go into more detail. We'll look at LFI2RCE and how it uses PHP filters to generate executed PHP from nothing.
2
46
131
@0xdf_
0xdf
3 years
In the Ready post this weekend I used a POC that abused cgroups to escape a privileged docker container. I wanted to understand more, and it led to this post:
2
47
130
@0xdf_
0xdf
3 years
Took me 7 Flare-Ons, but finally completed one. Thanks for the challenges, @FireEye. I had a lot of fun, and a fair amount of misery. #flareon8
Tweet media one
9
3
131