HTB Cheat Sheet

Key resources

Enumeration

Nmap scans

  • nmap -A <target> -oN scan.initial (quick service & version scan)
  • nmap -p- -A <target> -T4 -oN scan.full (full-port TCP)
  • nmap -p- -sU --top-ports 200 <target> -oN scan.udp (top UDP)

Service fingerprinting

  • nc -nv <target> 80 (then type HEAD / HTTP/1.0)
  • curl -sv http://<target>/ -o /dev/null
  • openssl s_client -connect <target>:443 -servername <target> | head

Searchsploit / Google versions

  • searchsploit "Apache Tomcat 7.0.88"
  • searchsploit --nmap scan.initial
  • Google-fu – "<service> <version> exploit"

Web recon

Web stack & technologies

  • whatweb -a 3 http://<target>
  • httpx -tech-detect -title -status -ip -o tech.txt
  • Browser add-on: Wappalyzer

Sub-domains

  • ffuf -u http://<target> -H "Host: FUZZ.<target>" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs 4242
  • feroxbuster --vhost -u http://<target> -w subdomains.txt

Endpoints / directories

  • ffuf -u http://<target>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -mc 200,204,301,302,307,401,403
  • dirsearch -u http://<target> -e php,txt,bak

Parameters

  • arjun -u http://<target>/search.php
  • paramspider -d <target-domain>

Injection points

  • Manual probe in Burp Repeater: test' "$IFS$(id) etc.
  • wfuzz -u http://<target>/page.php?id=FUZZ -w /usr/share/wordlists/others/sql.txt --hc 404

Framework / CMS versions

  • WordPress: wpscan --url http://<target> --enumerate ap,at,tt,u --api-token <token>
  • Drupal: droopescan scan drupal -u http://<target>
  • Joomla: joomscan --url http://<target>

Search for known exploits

  • searchsploit -m 49283 (download exploit)
  • msfconsole -q
    search CVE-2021-41773
    use exploit/multi/http/apache_path_traversal

Credential attacks

  • Password reuse / spray: crackmapexec smb <target> -u users.txt -p "Summer2024"
  • Brute-force: hydra -L users.txt -P /usr/share/wordlists/rockyou.txt ssh://<target>
  • Hash-crack: john --wordlist=rockyou.txt hash.txt

Privilege Escalation

Quick recon

whoami          # Windows: whoami /all
id              # Linux
sudo -l         # Linux
systeminfo      # Windows OS & patch level
uname -a        # Linux kernel

Users / groups / env

  • cat /etc/passwd (Linux) | net user /domain (Windows)
  • groups (Linux) | whoami /groups (Windows)
  • env / printenv (Linux) | set (Windows)

Files & directories (pick & mix)

find / -perm -4000 -type f 2>/dev/null      # SUIDs
grep -Ri "password" /home /opt 2>/dev/null  # creds
ls -la /root /home/*/.*_history            # histories
  • SSH keys → cat ~/.ssh/id_rsa
  • SAM & SYSTEM → reg save HKLM\SAM sam + reg save HKLM\SYSTEM system

Automated enum

  • ./linpeas.sh -a | winpeas.exe cmd > winpeas.txt
  • ./pspy64 (watch cron / processes)

Suspicious services

  • systemctl list-units --type=service (Linux)
  • sc queryex type=service / wmic service get name,pathname,startmode (Windows)

Kernel exploits

  • uname -r → if < 4.8 consider DirtyCow (searchsploit dirtycow)
  • windows-exploit-suggester.py --systeminfo systeminfo.txt (classic)

If you spot sudo NOPASSWD, consult GTFOBins.

If you find SeImpersonatePrivilege, drop PrintSpoofer/Incognito/JuicyPotato.

Just copied from: https://www.notion.so/HackTheBox-Beginner-Cheat-Sheet-1f4463c9990c80f58aa0f00dfbff0b16