A comprehensive, exam-ready methodology suite for HackTheBox CPTS certification and general penetration testing engagements.
Version Sync
- Last structural review: 2026-04-25
- If phase numbers or section numbers change in any methodology file, update this README workflow map and decision tables in the same edit.
Known Constraints
- Commands are operator templates. Replace placeholders, validate target-specific assumptions, and check `--help` for tool/version-specific syntax when needed.
If you just landed on a fresh target or subnet, follow this exact order:
- Open enumeration-methodology.md and run Phase 0 for host discovery and DC identification.
- Run full TCP plus top UDP scans from enumeration-methodology.md Phase 1.
- If names, emails, or domains are in scope, build `users.txt` and target-specific wordlists from enumeration-methodology.md Phase 2.1, Phase 2.6, and Phase 2.7.
- Move to service-specific playbooks in enumeration-methodology.md Phase 3.
- Branch immediately based on findings:
- HTTP/HTTPS surface: web-methodology.md
- Kerberos/LDAP/DC indicators: active-directory-methodology.md
- Linux host or Linux shell: linux-methodology.md
- Windows host or Windows shell: windows-methodology.md
| File | Purpose | When to Use |
|---|---|---|
| enumeration-methodology.md | Master enumeration reference — host discovery, port scanning, service-specific enumeration per protocol | Always start here — first file you open on every engagement |
| pentest-process.md | End-to-end engagement workflow — scoping, rules of engagement, phase gates, deliverables | Read before kick-off; revisit at every phase boundary |
| vulnerability-assessment.md | Vulnerability scanning, triage, false-positive validation, CVSS prioritisation | After enumeration, before active exploitation — prioritise targets |
| linux-methodology.md | Linux foothold, local enum, privilege escalation, credential harvesting | After confirming the target is Linux |
| windows-methodology.md | Windows foothold, local privesc (token abuse, services, AMSI bypass), lateral movement | After confirming the target is Windows |
| active-directory-methodology.md | Full AD attack chain — unauthenticated to domain compromise, ADCS, delegation, trusts | When Kerberos (port 88) is found → AD environment |
| bloodhound-guide.md | BloodHound Cypher queries, path navigation, edge → action map | After importing BloodHound data — run alongside AD methodology |
| web-methodology.md | Web app testing — injection, file attacks, CMS exploits, API testing, NoSQL, race conditions | When HTTP/HTTPS services are found |
| shells-and-payloads.md | Reverse / bind / web shells, payload generation, encoding, staged vs stageless | When you need a shell or to generate a payload |
| metasploit-framework.md | Metasploit reference — modules, Meterpreter, post-exploitation, handlers, pivoting | When using msfconsole/msfvenom — module syntax + workflow |
| login-brute-forcing.md | Targeted brute-force / spraying — hydra, medusa, netexec, kerbrute, per-protocol templates | When you have a credential surface and need to spray/brute-force |
| av-evasion.md | AV/EDR evasion — AMSI/ETW bypass, in-memory loaders, signature break, encoder chains | When Defender/EDR is blocking your payload or PowerShell tooling |
| attacking-common-applications.md | App-specific attack chains — Tomcat, Jenkins, GitLab, Confluence, JBoss, Splunk, etc. | When you fingerprint a known web app and want a tailored playbook |
| tunneling-pivoting.md | SSH tunneling, Ligolo-ng, Chisel, socat, sshuttle, DNS tunneling, proxychains | When you need to reach internal networks through a pivot |
| password-cracking.md | Hash identification, hashcat/john usage, wordlist prep, per-hash cracking strategies | When you capture hashes and need to crack them offline |
| file-transfers.md | Download/upload methods for Linux and Windows, exfiltration techniques | When you need to transfer tools or data |
| reporting/ | CherryTree structure, screenshot guide, report template | Before you start + when writing the report |
```mermaid
flowchart TD
A[1. Network Discovery<br/>enumeration-methodology.md Phase 0] --> B[2. Full Port Scan<br/>enumeration-methodology.md Phase 1]
B --> C[3. Service Enumeration<br/>enumeration-methodology.md Phase 3]
C --> D{Branch by Findings}
D -->|HTTP/HTTPS| E[web-methodology.md]
D -->|AD Indicators 88/389/636/3268<br/>or 445 + domain artifacts| F[active-directory-methodology.md]
D -->|Linux indicators/shell| G[linux-methodology.md]
D -->|Windows indicators/shell| H[windows-methodology.md]
E --> I[Foothold Obtained]
F --> I
G --> I
H --> I
I --> J[Privilege Escalation<br/>linux/windows methodology]
J --> K[Post-Exploit Credential Reuse<br/>enumeration-methodology.md Phase 4.1-4.3]
K --> L{Domain-Joined Host?}
L -->|Yes| M[AD Attack Chain<br/>AD Phase 2.1 -> 3.x -> 4.x -> 5.x -> 6/7 -> 8 -> 9 -> 10 -> 11]
L -->|No| N[Continue Host Exploitation / Pivot]
M --> O[BloodHound Decision Engine<br/>bloodhound-guide.md]
O --> P[Domain Compromise / Reporting]
N --> Q[tunneling-pivoting.md]
Q --> A
```
Use these conditions to decide when to switch files:
| Condition | Primary File | Why |
|---|---|---|
| You only have IPs/subnets and no foothold | enumeration-methodology.md | Baseline discovery and service identification always comes first |
| Port 80/443/8080/8443 is exposed | web-methodology.md | Web attack surface needs dedicated testing beyond banner grabs |
| Port 88, 389, 636, or 3268 is present (or 445 plus clear domain artifacts) | active-directory-methodology.md | These signals strongly indicate domain infrastructure; AD attack paths diverge from standalone host privesc |
| You have a Linux shell or confirmed Linux host | linux-methodology.md | Linux privilege escalation and credential harvesting are host-specific |
| You have a Windows shell or confirmed Windows host | windows-methodology.md | Windows privesc, token abuse, and lateral movement are host-specific |
| You obtained domain credentials | bloodhound-guide.md and active-directory-methodology.md | BloodHound becomes the primary decision engine for escalation |
| You found dual-homed hosts or internal-only services | tunneling-pivoting.md | Pivoting becomes part of the core attack path |
| You captured hashes and need to crack them | password-cracking.md | Hash identification, wordlist prep, and per-hash cracking strategies |
| You need to move tooling, loot, or payloads | file-transfers.md | Transfer methods should be chosen deliberately based on target constraints |
| Port | → Do This First | → Then Reference |
|---|---|---|
| 21 | `ftp <IP>` (try anonymous) | enumeration-methodology.md Phase 3.1 |
| 22 | `nc -nv <IP> 22` (banner grab) + validate host role | enumeration-methodology.md Phase 3.2 → if Linux confirmed, linux-methodology.md Phase 1-2 |
| 25 | `smtp-user-enum` | enumeration-methodology.md Phase 3.3 |
| 53 | `dig axfr @<IP> <DOMAIN>` | enumeration-methodology.md Phase 3.4 |
| 80/443 | `whatweb` + `gobuster dir` + `ffuf` vhost | enumeration-methodology.md Phase 3.5 → web-methodology.md Phase 1 |
| 88 | `kerbrute userenum` → AD environment | enumeration-methodology.md Phase 3.6 → active-directory-methodology.md Phase 1 |
| 135 | `rpcclient -U "" -N` | enumeration-methodology.md Phase 3.9 |
| 139/445 | `netexec smb --shares` + `--rid-brute` | enumeration-methodology.md Phase 3.8 → windows-methodology.md Phase 1.3 |
| 389/636 | `ldapsearch -x` | enumeration-methodology.md Phase 3.10 → active-directory-methodology.md Phase 2 |
| 1433 | `netexec mssql` → try `xp_cmdshell` | enumeration-methodology.md Phase 3.13 → windows-methodology.md Phase 2.4 |
| 3306 | `mysql -h <IP> -u root` | enumeration-methodology.md Phase 3.14 → linux-methodology.md Phase 1.10 |
| 3389 | `xfreerdp /v:<IP>` | enumeration-methodology.md Phase 3.15 → windows-methodology.md Phase 1.13 |
| 5432 | `psql -h <IP> -U postgres` | enumeration-methodology.md Phase 3.22 |
| 5985 | `evil-winrm` | enumeration-methodology.md Phase 3.16 → windows-methodology.md Phase 1.7 |
| 6379 | `redis-cli -h <IP>` | enumeration-methodology.md Phase 3.17 → linux-methodology.md Phase 1.11 |
| 11211 | `echo "stats" \| nc <IP> 11211` | enumeration-methodology.md Phase 3.24 |
- Test against ALL services: `netexec smb/winrm/rdp/mssql/ssh <SUBNET>/24 -u '<USER>' -p '<PASS>'`
- Check for admin access: look for `(Pwn3d!)` in netexec output
- Run BloodHound: `bloodhound-python -c all --zip`, then see bloodhound-guide.md for path queries
- Check shares: `netexec smb <SUBNET>/24 --shares`
- Check password policy: `netexec smb <DC> --pass-pol` (before further spraying)
- Full checklist: enumeration-methodology.md → Phase 4.1-4.3
| OS | First Steps | Reference |
|---|---|---|
| Linux | `sudo -l` → GTFOBins, `find / -perm -4000`, `getcap -r /`, `cat /etc/crontab` | linux-methodology.md Phase 4 |
| Windows | `whoami /priv` → Token abuse, winPEAS, check services | windows-methodology.md Phase 4 |
| AD | BloodHound → Shortest path to DA, Kerberoast, ACL abuse | active-directory-methodology.md Phase 3-5 |
1. Stabilize shell (python3 pty, stty raw -echo)
2. whoami /all (Windows) or id (Linux)
3. Check OS: systeminfo or uname -a
4. Check network: ipconfig /all or ip a
└→ Multiple NICs? → PIVOT (tunneling-pivoting.md)
└→ Internal services on 127.0.0.1? → Port forward
5. Harvest creds from current host
└→ Linux: history, config files, SSH keys, /etc/shadow
└→ Windows: cmdkey /list, PowerShell history, SAM/SYSTEM, DPAPI
6. Test every found credential against every host
└→ enumeration-methodology.md → Phase 4.1-4.3
7. Escalate privileges
└→ linux-methodology.md Phase 4.1-4.15 or windows-methodology.md Phase 4.1-4.26
□ Re-run enumeration on ALL hosts (not just the one you're focused on)
□ Check UDP ports: sudo nmap -sU --top-ports 50 <IP>
□ Try harder password spraying (Season+Year!, Company+123)
□ Re-read gobuster/feroxbuster output — missed a directory?
□ Check for vhosts: ffuf -H "Host: FUZZ.<DOMAIN>"
□ Look at SNMP (UDP 161) — often leaks usernames and processes
□ Check NFS exports: showmount -e <IP>
□ Try default creds on every login panel
□ Re-read your notes — is there a credential you haven't reused?
□ Check for internal services (127.0.0.1) on compromised hosts
□ Run BloodHound again with new creds — new edges may appear
□ Check ADCS: certipy-ad find -vulnerable
□ Look at file shares again with new creds — new access?
Vulnerabilities discovered by the Qualys Threat Research Unit. Check these on every Linux target.
| CVE | Name | Affected | Check Command | Impact |
|---|---|---|---|---|
| CVE-2021-4034 | PwnKit | polkit pkexec (since 2009) | `ls -la /usr/bin/pkexec` | Instant root (SUID) |
| CVE-2021-3156 | Baron Samedit | sudo 1.8.2–1.9.5p1 | `sudo --version` | Root without password |
| CVE-2024-6387 | regreSSHion | OpenSSH 8.5p1–9.7p1 | `ssh -V` / `nc <IP> 22` | Remote RCE (complex) |
| CVE-2024-48990 | Needrestart | needrestart < 3.8 | `dpkg -l needrestart` | Root via PYTHONPATH |
| CVE-2025-6018/19 | PAM+udisks | SUSE/most distros | `dpkg -l udisks2` | Chained root |
| CVE-2026-23268 | CrackArmor | AppArmor (kernel 4.11+) | `aa-status` | Root + container escape |
| CVE-2026-3888 | Snap LPE | Ubuntu Desktop 24.04+ | `snap version` | Root (timing attack) |
Full exploitation details in linux-methodology.md → Section 4.7
Use these as the source of truth when topics overlap across files:
| Topic | Canonical File |
|---|---|
| Network discovery, port scanning, and protocol triage | enumeration-methodology.md |
| Engagement workflow, scoping, rules of engagement, phase gating | pentest-process.md |
| Vulnerability scanning, triage, CVSS prioritisation, FP validation | vulnerability-assessment.md |
| Web app attack chains, injection testing, and API testing | web-methodology.md |
| App-specific attack playbooks (Tomcat, Jenkins, GitLab, Confluence, …) | attacking-common-applications.md |
| Linux privilege escalation and post-foothold host work | linux-methodology.md |
| Windows privilege escalation, token abuse, and lateral movement | windows-methodology.md |
| AD attack chain from first creds to domain compromise | active-directory-methodology.md |
| BloodHound query logic and edge-to-action mapping | bloodhound-guide.md |
| Reverse / bind / web shells and payload generation | shells-and-payloads.md |
| Metasploit modules, Meterpreter, handlers, post-ex modules | metasploit-framework.md |
| Targeted brute-force and password spraying per protocol | login-brute-forcing.md |
| AV/EDR evasion, AMSI/ETW bypass, in-memory loaders | av-evasion.md |
| Tunnels, pivots, SOCKS, route-based access | tunneling-pivoting.md |
| Upload, download, exfiltration, and living-off-the-land transfer methods | file-transfers.md |
| Hash identification, cracking strategies, wordlist preparation | password-cracking.md |
- Enumerate everything before exploiting — Don't tunnel-vision on the first port you see
- Keep notes — Document every credential, hash, hostname, and access level
- Credential re-use is king — Test EVERY cred against EVERY service on EVERY host
- Check sudo -l first — It's the most common Linux privesc vector
- AMSI bypass before PowerShell tools — Always bypass AMSI before importing scripts on Windows
- BloodHound early — Run BloodHound collection as soon as you get domain creds
- Don't forget UDP — SNMP (161) often leaks usernames, processes, and credentials
- Pivot aggressively — Check `ipconfig /all` and `ip a` for dual-homed hosts
- Time management — You have 10 days. Spend Day 1-2 on enumeration, Day 3-7 on exploitation, Day 8-10 on report
- Transfer tools efficiently — Use file-transfers.md for quick reference
| Resource | URL | Use Case |
|---|---|---|
| RevShells | https://www.revshells.com | Generate reverse shells for any language/platform |
| GTFOBins | https://gtfobins.github.io | Unix binary exploitation, sudo/SUID shell escapes |
| LOLBAS | https://lolbas-project.github.io | Windows Living Off the Land binaries |
| HackTricks | https://book.hacktricks.wiki | Comprehensive pentesting reference |
| PayloadsAllTheThings | https://github.com/swisskyrepo/PayloadsAllTheThings | Payload lists for web attacks, injection, etc. |
| CyberChef | https://gchq.github.io/CyberChef | Encoding, decoding, crypto operations |
| CrackStation | https://crackstation.net | Online hash lookup (quick wins before cracking) |