Share
## https://sploitus.com/exploit?id=7F4E6EDA-022A-52A1-8737-C5673F0AECB6
# HackTheBox Penetration Testing Methodology

**by 9mmpterodactyl**

How I approach compromising HTB machines. Enumerate, exploit, escalate.

**Current Stats:**
- Global Rank: #707 (Top 0.03%)
- Season 9 Rank: Ruby #1681
- Machines Solved: 21 (55 flags captured)

---

## The Process

### Reconnaissance

Scan everything, find what's running, identify versions.

```bash
nmap -sV -sC -p- -Pn --min-rate 5000 
```

Full port scan, service enumeration, default scripts. No rate limiting concerns here - HTB machines can handle it.

**Subdomain enumeration** if there's DNS involved. **Directory enumeration** on any web services - ffuf or gobuster.

Find version numbers. Check for known CVEs. Look for anything unusual.

### Initial Access

Figure out the entry point and exploit it.

Common vectors: web vulnerabilities (SQLi, command injection, file upload, LFI/RFI, template injection), service exploits for specific versions, default credentials, misconfigurations.

Get a reverse shell, stabilize it:
```bash
python -c 'import pty; pty.spawn("/bin/bash")'
```

### Privilege Escalation

Once in as low-privilege user, enumerate the system.

**Linux:**
- LinPEAS for automated enumeration
- Check SUID binaries, sudo privileges, cron jobs
- Search for credentials in config files, bash history, databases

**Windows:**
- WinPEAS for enumeration
- Token impersonation (very common)
- Service misconfigurations, scheduled tasks
- Credential hunting in registry and config files

**Active Directory:**
- BloodHound for attack path mapping
- Kerberoasting, AS-REP roasting
- Credential dumping with Mimikatz
- Look for weak ACLs, delegation issues
- Pass-the-hash when needed

### When Stuck

Go back and enumerate more. Check what you missed. Try the simple things - default credentials, obvious misconfigurations, checking sudo -l right after getting a shell.

Most solutions are simpler than they seem at first.

---

## Tools

**Scanning & Enumeration:**
Nmap, Gobuster, ffuf, Nuclei, various subdomain/DNS tools

**Web Testing:**
Burp Suite, SQLmap, custom Python scripts

**Exploitation:**
Metasploit, Searchsploit/ExploitDB, custom exploits from GitHub, Netcat

**Post-Exploitation:**
LinPEAS, WinPEAS, BloodHound, Mimikatz, enumeration scripts

**Credential Attacks:**
Hashcat, John the Ripper, Hydra, Kerbrute

**Custom Tools:**
Python scripts for specific vulnerabilities, automation, niche exploits that don't have existing tools. Built or modified as needed.

---

## Difficulty Breakdown

**Easy:** Straightforward vulnerabilities, clear exploitation paths

**Medium:** Chain multiple vulnerabilities, deeper enumeration required

**Hard:** Obscure techniques, multiple privilege escalation steps, sometimes custom exploits

**Insane:** All of the above plus additional complexity, deep understanding of specific technologies

---

## What I've Learned

Enumeration is everything. When stuck, enumerate more.

Version numbers matter - specific versions have known exploits.

Check the simple stuff first - default credentials, sudo -l immediately after shell access, obvious misconfigurations.

Take notes. Easy to forget what you already tried.

Stabilize shells immediately.

---

## Resources

- HackTricks (comprehensive techniques)
- PayloadsAllTheThings (exploit payloads)
- RevShells (reverse shell generator)
- ExploitDB (public exploits)

---

Detailed machine writeups with problem-solving process: My-HTB-Writeups

---

**Note:** For authorized testing only. HTB and similar platforms where you have explicit permission.