This template is for:
- Beginners looking to start HackTheBox
- Players looking to solve easy boxes
- Players who want to have a more organised methodology
How to use this template:
- Make a copy
- Delete the sections you don't need (like this one)
- As you learn more techniques, checks and tools, add them to your version of the list
- For each box you do, check items off as you go
- If you want to follow me or contribute, you can find me here https://linktr.ee/appsecexplained
- Good luck!
Simple Methodology Checklist
Below are all of the basic steps and checks that we should work through as a minimum when looking at a target. A lot of the time, one of these checks will reveal the information you need to complete the step you're currently stuck on.
Enumeration
- [ ] Nmap scans
  - [ ] Service fingerprinting
  - [ ] Banner-grab
  - [ ] Searchsploit and Google the versions found
- [ ] Web recon
  - [ ] Web stack & technologies
  - [ ] Subdomains
  - [ ] Endpoints
  - [ ] Parameters
  - [ ] Injection points
  - [ ] Framework/CMS versions
- [ ] Additional enumeration
  - [ ] SNMP
  - [ ] NFS shares
  - [ ] SMB
  - [ ] FTP
  - [ ] DNS zone transfer
  - [ ] SMTP
  - [ ] LDAP
Foothold
- [ ] Low-hanging fruit
  - [ ] Anonymous FTP
  - [ ] SMB shares
  - [ ] Default logins
  - [ ] Search for known exploits
- [ ] Credential attacks
  - [ ] Password reuse across different services
  - [ ] Brute force
- [ ] Web attacks
  - [ ] Command injection
  - [ ] File uploads
  - [ ] SQLi
- [ ] Other common attacks
  - [ ] Known exploit against framework/CMS
PrivEsc
- [ ] `whoami`
- [ ] `sudo -l`
- [ ] Host system and version
- [ ] What users exist
- [ ] Groups and privileges
- [ ] Environment variables
- [ ] Files and directories
  - [ ] SSH keys
  - [ ] Creds in logs
  - [ ] Suspicious binaries
  - [ ] Backups
  - [ ] History
  - [ ] Home drives
  - [ ] `/opt`
  - [ ] DB creds in config files
  - [ ] World-readable or writeable sensitive files
  - [ ] SAM & SYSTEM
- [ ] LinPEAS & WinPEAS
- [ ] Suspicious or unusual services
- [ ] pspy
- [ ] Kernel exploits
Key resources