ØxOPOSɆC
2026 Events
Jan 27, 2026
[0x3433312D6C333374] - The Meet
Hello 2026!
The new year is here, and we’re kicking it off with our first meetup of the year, ready to push limits, explore the unknown, and dive straight into hack mode. Calendars may roll over, but our appetite for learning, sharing knowledge, and challenging ourselves is still fully armed and running hot.
To kick things off, João Marono (@r0n0) will explore how modern tooling and infrastructure, while powerful and convenient, can sometimes hide surprising trust assumptions beneath the surface. You’ll see how internal DNS, certificate trust, and Git integrations interact in complex ways, and how attackers can exploit them. The session closes with practical takeaways on reducing risk and on why thinking beyond the “intended” use of technology is so important, so you will not want to miss it.
And if you still need more, Rafael Castilho (@castilho) will guide us through the unexpected ways systems behave when pushed to their limits. You’ll see how seemingly “small” or harmless quirks can snowball into real-world security issues. Rafael will showcase research revealing how server size limits or unexpected error behavior can turn a simple XSS flaw into something far more serious. To close, you’ll understand the underlying web mechanisms and how different components interact to create real edge-case behaviors.
Just a friendly reminder, this is an in-person event. Before RSVPing, please double-check that you can attend and be there in person. Good logistics rely on it!
In the meantime, you can join our Slack chat (https://bit.ly/3XbyGQu) to discuss all kinds of hackish stuff and, of course, interact with other members.
Don’t miss out. Your FOMO will be justified if you are looking to level up your security game.
[Goals]
Learn something new, get to know other g33ks, and, the most important thing, have fun.
[Agenda]
- “Stealing the keys from the octopus: Exfiltrate Git Credentials in Argocd” (PT/EN) by João Marono (@r0n0)
- “Scream at It Until It Escalates” (PT/EN) by Rafael Castilho (@castilho)
[Challenge]
What goes around comes around!
URL: https://crimson.0x90.zone/
Have fun and drop the flag to (@)darkcookie
Feb 26, 2026
[0x526F756E64313021] - The Meet
After a vigorous start, it’s time to celebrate 10 years of 0xOPOSEC, a full decade of knowledge sharing and community building. What began as a small group of security enthusiasts has grown into a space where ideas are challenged, experiences are exchanged, and skills are sharpened together. Let’s celebrate the people, the conversations, and the collective effort that kept the community alive and thriving over the past ten years.
As usual, we’ve lined up a strong set of talks to kick things off. First up is Afonso Vitório (@g4uss), who will take us through the origins of the CVE program, from its early days to its current state, and where it’s likely headed next. He’ll also showcase a platform he’s been developing to improve CVE education, aggregate vulnerability information, and support validation workflows. Whether you’re on the red, blue, or any shade in between, this talk offers valuable insights for any security practitioner.
But wait, if you’re looking to sharpen your offensive skills, Gustavo Pinto (@ArmySick) is back. Mostly known for his epic paths all the way to Domain Admin, Gustavo will this time shed light on a fundamental building block of modern offensive engagements. This talk will dive into Beacon Object Files (BOFs), what they are, why they’ve become state-of-the-art in C2 operations, and how to build, debug, and deploy your own. You’ll also learn how to integrate BOFs with your favorite C2 framework or agent. If red team tooling and tradecraft are your thing, this is a session you won’t want to miss.
Just a friendly reminder, this is an in-person event. Before RSVPing, please double-check that you can attend and be there in person. Good logistics rely on it!
In the meantime, you can join our Slack chat to discuss all kinds of hackish stuff and, of course, interact with other members.
Don’t miss out. Your FOMO will be justified if you are looking to level up your security game.
[Goals]
Learn something new, get to know other g33ks, and, the most important thing, have fun.
[Agenda]
- “Celebrating 10 years of sharing!” (PT/EN) by Renato Rodrigues (@SiMpS0N)
- “CVEs: Past and Present and the future of CVE learning” (PT/EN) by Afonso Vitório (@g4uss)
- “regaBOF - Developing your stealthy Red Team tradecraft” (PT/EN) by Gustavo Pinto (@ArmySick)
[Challenge]
On my latest adventures, I’ve started learning C, so naturally I decided to build a better Nginx! To prove how fast and secure it is, I’ve hidden a secret value inside the server that no one should ever be able to uncover… or so I claim 😈 For the extra cautious, there’s also a hardened version waiting for you.
You can test both versions here:
- Safe → https://0xoposec-http.challenges.apl3b.com/
- Extra Safe → https://0xoposec-http-hardened.challenges.apl3b.com/
Find the flag, ping @apl3b, and most importantly, have fun hacking!
Mar 24, 2026
[0x6D6F76206561782C20] - The Meet
The last meetup was a fantastic celebration! A decade of community is something memorable, and once again, the spirit and energy in the room made it clear why this journey has lasted so long. Thank you all for being part of it. But the story continues with new chapters to be written. With the spring mood in the air, we’re bringing a fresh selection of great content.
To kick things off, Gustavo Silva (@gsilvapt), a familiar face among us, will take us into the world of Detection Engineering. After a year working on a next-gen SIEM writing detections and collaborating with customers, he’ll share practical insights on what detection engineering really means in the field, how to reduce alert fatigue, and how AI can help blue teams scale their defensive capabilities. Whether you’re in the field or just curious, these practical lessons are a must, and you won’t want to miss them!
And if that’s not enough, a community veteran is back on the main stage. Ricardo Almeida (@vibrio) will guide us through an epic Red Team adventure. From a clever local privilege escalation involving LAPS to a BYOVD technique that keeps Defender ATP, Sysmon, and Tanium out of your way, the journey continues all the way to domain compromise through an AD CS ESC1 misconfiguration. And if you think the story ends there, it doesn’t. The adventure continues with credential harvesting, deeper explorations, and unexpected turns that open new paths to pwnage. To wrap it all up, Ricardo will show that sometimes the simplest tools are the most effective for “finishing the job” or for successfully exfiltrating data. Whether you want to level up your game or just sit back and enjoy a proper security engagement story, you’ll want to be there for this comeback.
Just a friendly reminder, this is an in-person event. Before RSVPing, please double-check that you can attend and be there in person. Good logistics rely on it!
In the meantime, you can join our Slack chat to discuss all kinds of hackish stuff and, of course, interact with other members.
Don’t miss out. Your FOMO will be justified if you are looking to level up your security game.
[Goals]
Learn something new, get to know other g33ks, and, the most important thing, have fun.
[Agenda]
- “Detection Engineering in the AI Era” (PT/EN) by Gustavo Silva (@gsilvapt)
- “A Red Team Tale” (PT/EN) by Ricardo Almeida (@vibrio)
[Challenge]
A classic is back… and no one will catch me!
URL: madlabs.pw:1337
Have Fun!