As for the Introduction and Setup sections, they are quite verbose and should be read rather than written up.
I’m currently using Kali on VMware Workstation, and a crash-test distro for lab deployment (very rarely used) on ESXi. Obsidian serves as a knowledge base, note-taking tool and for write-ups. OpenVPN is mentioned to connect to HTB environments for practicing on machines.
A shell takes input from the user via the keyboard and passes these commands to the operating system. The most common shell programs are sh (the original Unix shell program), Bash, ZSH…
Getting a shell, on the other hand, is having shell-level access to the machine we compromised. See the shells notes for this topic.
What is a Port?
Virtual connection points that can be opened or closed and linked to another machine’s port. Ports are tied to a protocol category such as TCP (Transmission Control Protocol). The other category is UDP (User Datagram Protocol). Some ports are assigned to specific protocols to facilitate connections, such as:
Port(s)            Protocol
20/21 (TCP)        FTP
22 (TCP)           SSH
23 (TCP)           Telnet
25 (TCP)           SMTP
80 (TCP)           HTTP
161 (TCP/UDP)      SNMP
389 (TCP/UDP)      LDAP
443 (TCP)          SSL/TLS (HTTPS)
445 (TCP)          SMB
3389 (TCP)         RDP
What is a Web Server
Well. That is a huge question in the end, and they simplified it as “application that runs the back-end server, which handles all of the HTTP traffic from the client-side browser, routes it to the request destination pages and finally responds to the client-side browser”. I think they did a pretty good job at summarizing, so I’ll leave it at that, since practice is better in this case.
The OWASP Top Ten is mentioned as well (and will be updated in November 2025); it goes without saying that anyone working in offensive security should take the time to read their publications.
Check the Nmap notes for the first part of scanning. The version results might already be enough to detect vulnerabilities in old versions. An example is given with an nmap result such as:
nmap -sV -sC -p- 10.129.42.253
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-25 16:18 EST
Nmap scan report for 10.129.42.253
Host is up (0.11s latency).
Not shown: 65530 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 ftp      ftp          4096 Feb 25 19:25 pub
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.10.14.2
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: PHP 7.4.3 - phpinfo()
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: GS-SVCSCAN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-02-25T21:21:51
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 233.68 seconds
Which leads us to look up the service on each port, checking its version and up-to-date status for easy vulnerabilities (including the PHP 7.4.3 version).
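Added example (mine, not from the HTB module or this page): a small shell/awk helper that turns nmap's normal output into the "what do I need to look up" list, one line per open port with its service and version, plus the NSE script lines that leak a version (like the PHP one in the page title). The sample below is a trimmed, constructed copy of the scan above with a version-less open port and a filtered port added to show how those are handled; the function names are my own.

```shell
# Constructed sample: a trimmed copy of the scan output above, with an open port
# that -sV could not fingerprint and a filtered port added. Not a live scan.
NMAP_SAMPLE='PORT     STATE    SERVICE     VERSION
21/tcp   open     ftp         vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open     ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http        Apache httpd 2.4.41 ((Ubuntu))
|_http-title: PHP 7.4.3 - phpinfo()
139/tcp  open     netbios-ssn Samba smbd 4.6.2
445/tcp  open     netbios-ssn Samba smbd 4.6.2
3306/tcp open     mysql
8080/tcp filtered http-proxy
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel'

# open_services: read nmap "normal" output on stdin and print one line per open
# port as "<port>/<proto> <service> <version>", or "unknown" when -sV found none.
# Filtered/closed ports and NSE script lines (starting with "|") are skipped.
open_services() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
        version = ""
        for (i = 4; i <= NF; i++) version = version (i > 4 ? " " : "") $i
        if (version == "") version = "unknown"
        print $1, $3, version
    }'
}

# version_of: the version string recorded for one port spec, e.g. "22/tcp".
# Prints nothing if that port is not open in the sample.
version_of() {
    printf '%s\n' "$NMAP_SAMPLE" | open_services |
        awk -v p="$1" '$1 == p {
            out = ""
            for (i = 3; i <= NF; i++) out = out (i > 3 ? " " : "") $i
            print out
        }'
}

# script_hints: NSE script lines that carry a dotted version number, such as the
# PHP version leaked by the phpinfo() page title; these belong on the lookup list too.
script_hints() {
    grep -E '^\|_?.*[0-9]+\.[0-9]+'
}

# service_count: how many open ports the sample contains.
service_count() {
    printf '%s\n' "$NMAP_SAMPLE" | open_services | wc -l | tr -d ' '
}

# Stand-alone run: print the lookup list for the sample.
printf '%s\n' "$NMAP_SAMPLE" | open_services
printf '%s\n' "$NMAP_SAMPLE" | script_hints
```

To use it on a real scan, save the output with `-oN scan.txt` and run `open_services < scan.txt`; the "unknown" entries are the ones that need a manual banner grab or a targeted NSE script.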
Nmap scripts
Though -sC covers many general scripts, we should leverage the nmap script folder when a specific technology is used. The Citrix example given is quite relevant to highlight the idea:
The nmap scan should return enough information for us to start working with the respective SMB, SNMP, and FTP notes. Many more common services exist, but these are the most basic ones to cover.
Most checks can be automated with the classic LinEnum, LinPEAS, WinPEAS, etc… It is important though to consider the active security measures that could be triggered by running these noisy scripts.
Kernel Exploits
Checking the OS version is particularly useful to leverage potential kernel exploits. Here DirtyCow was mentioned, but many others are available and might be flagged when running enumeration scripts.
Vulnerable Software
This is pretty much self-explanatory. It also happens to be something you can see in HTB machines with insecure software configurations.
User Privileges
This is mentioned directly in the privilege escalation notes. If we can take control of a user possessing specific privileges, we might be able to take advantage of that to escalate to Administrator/root level.
Scheduled Tasks
Look for cron jobs and recurring scripts. If these are writable and executed with privileges, they might be exploitable.
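Added example (mine, not from HTB or this page) of the check behind that sentence, written as the audit a sysadmin would run to catch the misconfiguration: parse a system-style crontab, resolve each job's script and flag the ones any local user could modify. It runs against a constructed crontab and two scripts in a temp directory, so nothing here comes from a real host; the function names are my own.

```shell
# Constructed lab fixture: a stand-in for /etc/crontab plus two job scripts in a
# temp directory. Nothing here is taken from a real host.
LAB=$(mktemp -d)
cat > "$LAB/crontab" <<EOF
# m h dom mon dow user command
SHELL=/bin/sh
*/5 * * * * root $LAB/backup.sh
0 3 * * * root $LAB/rotate.sh --quiet
EOF
printf '#!/bin/sh\necho backup\n' > "$LAB/backup.sh"
printf '#!/bin/sh\necho rotate\n' > "$LAB/rotate.sh"
chmod 0777 "$LAB/backup.sh"   # the misconfiguration: any local user can edit it
chmod 0755 "$LAB/rotate.sh"   # correct: only the owner can write

# cron_commands: print "<user> <script>" for every job in a system-style crontab
# (five time fields, a user, then the command). Comment and VAR=value lines are
# skipped; only the first word of the command (the script path) is kept.
# Per-user crontabs (crontab -e) have no user field and are not handled here.
cron_commands() {
    awk '/^[[:space:]]*#/ || /^[A-Za-z_]+=/ || NF < 7 { next } { print $6, $7 }' "$1"
}

# writable_by_others: true if the "other" write bit (mode 002) is set on a file.
writable_by_others() {
    [ -n "$(find "$1" -perm -002 2>/dev/null)" ]
}

# audit_crontab: report jobs whose script anyone on the box could modify, i.e.
# code that runs with the job owner's privileges but is not protected from
# tampering. Prints nothing when the crontab is clean.
audit_crontab() {
    cron_commands "$1" | while read -r user script; do
        if [ -f "$script" ] && writable_by_others "$script"; then
            printf 'WORLD-WRITABLE: %s (runs as %s)\n' "$script" "$user"
        fi
    done
}

# Stand-alone run against the fixture.
audit_crontab "$LAB/crontab"
```

On a real system you would point `audit_crontab` at /etc/crontab and the files under /etc/cron.d; a group-writable script (mode 020) owned by a broad group deserves the same scrutiny, so extend the `find -perm` test if your hosts use that pattern.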
Exposed Credentials
Checking history can prove very useful, as seen in Cypher. The same methods apply to logs, configuration files, etc… These are usually covered by enumeration scripts.
SSH Keys
Write access to the .ssh directory allows for persistence by generating an SSH key pair and adding the public key to the remote machine. HTB gives a simple example:
On our session:
ssh-keygen -f key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): *******
Enter same passphrase again: *******
Your identification has been saved in key
Your public key has been saved in key.pub
The key fingerprint is:
SHA256:...SNIP... user@parrot
The key's randomart image is:
+---[RSA 3072]----+
|  ..o.++.+       |
...SNIP...
|  . ..oo+.       |
+----[SHA256]-----+
This is a quick recap before publishing File Transfers module.
Using wget
Useful to send a payload after an initial compromise. Set up a Python server on the attacking machine and wget or cURL the served files from the remote host.
Using SCP
Leverage SSH access to transfer files through it.
scp linenum.sh user@remotehost:/tmp/linenum.sh
Verify parameter positions
For scp you specify the local file first, then the SSH target followed by : and the directory plus file name if you want to rename it.
Using Base64
If no other transfer is possible, base64 encoding can be used to copy and paste. Every machine has built-in base64 encoding and decoding tools.
Example of base64 encoding from a shell terminal:
base64 {your file} -w 0
<output>
Piping the base64 string to decode and storing it in a file:
echo {previous base64 output} | base64 -d > shell
Validating File Transfers
Just compare the file hashes to make sure the sent and received files match and integrity was preserved.
Compare the md5sum output from each side (remote and local).
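Added example (mine, not from HTB or this page) putting the base64 transfer and the md5sum check together as one scripted round trip, so you can see why the hash comparison matters: it also simulates the classic failure where the pasted string lost its tail in the terminal and shows the checksums disagreeing. The "linenum.sh" below is a constructed two-line stand-in written to a temp directory, not the real tool; the function names are my own.

```shell
# Constructed fixture: a temp directory and a small stand-in for the script
# being transferred (plain text, not a real tool).
WORK=$(mktemp -d)
printf '#!/bin/sh\necho "constructed sample file"\n' > "$WORK/linenum.sh"

# encode_file: print a file as one unbroken base64 line, the form you copy out
# of the source terminal. `tr -d '\n'` gives the same result as GNU `base64 -w 0`
# but also works where -w is unsupported.
encode_file() {
    base64 "$1" | tr -d '\n'
}

# decode_to: rebuild a file from the pasted base64 string on the other side.
decode_to() {
    printf '%s' "$1" | base64 -d > "$2"
}

# md5_of: the checksum compared on both ends (hash only, without the filename).
md5_of() {
    md5sum "$1" | awk '{ print $1 }'
}

# transfer_ok: full round trip. Succeeds only when the decoded copy hashes the
# same as the original, which is exactly the md5sum check done by hand.
transfer_ok() {
    b64=$(encode_file "$1")
    decode_to "$b64" "$2"
    [ "$(md5_of "$1")" = "$(md5_of "$2")" ]
}

# truncated_copy: simulate a paste that lost its tail (a common terminal copy
# error) and report whether the checksum comparison catches it.
truncated_copy() {
    b64=$(encode_file "$1" | cut -c1-20)
    decode_to "$b64" "$2" 2>/dev/null || true
    if [ "$(md5_of "$1")" = "$(md5_of "$2")" ]; then echo match; else echo mismatch; fi
}

# Stand-alone run.
transfer_ok "$WORK/linenum.sh" "$WORK/received.sh" && echo "transfer verified"
echo "truncated paste: $(truncated_copy "$WORK/linenum.sh" "$WORK/truncated.sh")"
```

Note that a truncated base64 string often still decodes without any error from `base64 -d` (it just yields a shorter file), which is why the hash comparison, not the absence of a decode error, is the actual integrity check.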
Not going too much into the verbose stuff, here’s the most important content:
Resources
Deploying an OWASP Juice Shop homelab can be very interesting if you want to practice outside of the Web Security Academy courses. DVWA is also a good option to consider.
Metasploitable VMs can be a good shot if you want more practice, though I’ve never tried them.
IppSec is absolutely great for covering HTB boxes and includes a solid methodology. It should be used to review validated boxes, and has a dedicated list of machines to practice on for CPTS. Some recommendations are not up to date (the STOK channel is no longer active, similarly for VbScrub, and LiveOverflow lost its frequency).
If write-ups are more your vibe than videos, 0xdf is an incredible box walkthrough website. On the other hand, HTB recommends the UnderTheWire and OverTheWire websites. These are particularly suited for privilege escalation and getting used to working with OS terminals.
They also recommend doing the following machines:
I will skip over challenges. They mention the Dante Pro Lab, which I intend to do only once I’m finished with every module, before passing the CPTS.
I started using FoxyProxy, but PwnFox adds the container option that can be used in conjunction with Burp Suite, visually separating sessions, etc… I recommend using the latter.