✅CPTS - Completed

Overview

This folder contains comprehensive notes and resources for preparing for the CPTS (Certified Penetration Testing Professional) certification from HTB Academy. The materials are organized to follow the HTB Academy CPTS path structure.

Current Structure

CPTS-PREP/
├── README.md                           # This overview file
├── footprinting.md                     # Infrastructure Based Enumeration (Domain + Cloud + DNS)
├── firewall-evasion.md                 # Firewall and IDS/IPS Evasion techniques
├── vulnerability-assessment.md         # Nessus vulnerability scanning and credentialed assessment
├── web-enumeration/                    # Web application enumeration guides
│   ├── web-information-gathering.md    # Web application information gathering overview
│   ├── subdomain-enumeration.md        # DNS enumeration and subdomain discovery
│   └── web-application-enumeration.md  # Directory enumeration and virtual hosts
├── databases/                          # Database enumeration guides
│   ├── mysql-enumeration.md            # MySQL service enumeration
│   ├── mssql-enumeration.md            # Microsoft SQL Server enumeration
│   └── oracle-enumeration.md           # Oracle TNS enumeration
├── services/                           # Network service enumeration
│   ├── ftp-enumeration.md              # FTP service enumeration
│   ├── smb-enumeration.md              # SMB share and authentication testing
│   ├── nfs-enumeration.md              # Network File System enumeration
│   ├── smtp-enumeration.md             # SMTP enumeration and testing
│   ├── email-enumeration.md            # IMAP/POP3 enumeration
│   ├── snmp-enumeration.md             # SNMP network management testing
│   └── ipmi-enumeration.md             # Hardware management interface testing
├── passwords-attacks/                  # Password attacks and lateral movement
│   ├── pass-the-hash.md               # Pass the Hash (PtH) attacks
│   ├── pass-the-ticket.md             # Pass the Ticket (PtT) attacks
│   ├── pass-the-certificate.md        # Pass the Certificate (ESC8 & ADCS attacks)
│   ├── active-directory-ntds-attacks.md # NTDS.dit extraction and analysis
│   └── [other password attack techniques]
├── pivoting-tunneling-port-forwarding/ # Network pivoting and tunneling techniques
│   ├── pivoting-overview.md           # Module overview and network segmentation concepts
│   ├── dynamic-port-forwarding.md     # SSH SOCKS tunneling
│   ├── remote-port-forwarding.md      # Reverse shells and Meterpreter pivoting
│   ├── ssh-tunneling.md               # Complete SSH forwarding guide (Local, Remote, Dynamic)
│   ├── chisel-socks5-tunneling.md     # Modern HTTP/SOCKS5 tunneling with Chisel
│   ├── sshuttle-pivoting.md           # VPN-like tunneling over SSH
│   ├── meterpreter-tunneling.md       # Metasploit autoroute and pivoting modules
│   ├── socat-redirection.md           # Socat for port forwarding and redirection
│   ├── plink-windows-pivoting.md      # Windows SSH client for tunneling
│   ├── netsh-windows-portforward.md   # Native Windows port forwarding
│   ├── socksoverrdp-windows-pivoting.md # RDP-based SOCKS tunneling
│   ├── rpivot-web-pivoting.md         # HTTP/HTTPS tunneling with rpivot
│   ├── dnscat2-dns-tunneling.md       # DNS tunneling techniques
│   ├── ptunnel-ng-icmp-tunneling.md   # ICMP tunneling with ptunnel-ng
│   └── skills-assessment-complete-walkthrough.md # Complete HTB Academy skills assessment (All 7 questions)
├── attacking-common-services/          # Protocol exploitation techniques
│   ├── ftp-attacks.md                 # FTP exploitation and abuse
│   ├── smb-attacks.md                 # SMB protocol attacks and RCE
│   ├── sql-attacks.md                 # MySQL/MSSQL database exploitation
│   └── [other service exploitation]
├── attacking-common-applications/      # Application-specific exploitation
│   ├── README.md                      # Module overview and methodology
│   ├── wordpress-discovery-enumeration.md # WordPress scanning and enumeration
│   ├── wordpress-attacks.md           # WordPress exploitation techniques
│   ├── joomla-discovery-enumeration.md # Joomla scanning and enumeration
│   ├── joomla-attacks.md              # Joomla exploitation techniques
│   ├── drupal-discovery-enumeration.md # Drupal scanning and enumeration
│   ├── drupal-attacks.md              # Drupal exploitation techniques
│   ├── tomcat-discovery-enumeration.md # Tomcat enumeration and analysis
│   ├── tomcat-attacks.md              # Tomcat exploitation and privilege escalation
│   ├── jenkins-discovery-enumeration.md # Jenkins scanning and enumeration
│   ├── jenkins-attacks.md             # Jenkins exploitation and credential extraction
│   ├── splunk-discovery-enumeration.md # Splunk enumeration and analysis
│   ├── splunk-attacks.md              # Splunk exploitation and privilege escalation
│   └── [other application attacks]    # CGI, IIS, ColdFusion, LDAP, etc.
├── active-directory-enumeration-attacks/ # Active Directory penetration testing
│   ├── initial-enumeration-domain.md     # Initial domain enumeration
│   ├── llmnr-nbt-ns-poisoning-linux.md   # LLMNR/NBT-NS poisoning with Responder
│   └── [additional AD attack modules]    # More AD techniques to be added
├── linux-priv-esc/                    # Linux privilege escalation techniques
│   ├── README.md                      # Module overview and methodology
│   ├── environment-enumeration.md     # System reconnaissance and information gathering
│   ├── services-internals-enumeration.md # Deep system analysis and service enumeration
│   ├── credential-hunting.md          # Systematic credential discovery across file system
│   ├── path-abuse.md                  # PATH variable manipulation and command hijacking
│   ├── wildcard-abuse.md              # Wildcard character exploitation for privilege escalation
│   ├── escaping-restricted-shells.md  # Techniques for breaking out of restricted shells
│   ├── special-permissions.md         # SUID/SGID binary exploitation and GTFOBins
│   ├── sudo-rights-abuse.md           # Sudo privilege misconfigurations and GTFOBins exploitation
│   ├── privileged-groups.md           # LXD, Docker, Disk, ADM group privilege escalation
│   ├── capabilities.md                # Linux capabilities privilege escalation exploitation
│   ├── vulnerable-services.md         # Known service vulnerabilities and exploitation
│   ├── cron-job-abuse.md              # Cron job misconfiguration exploitation
│   ├── lxd-container-escape.md        # LXD container privilege escalation exploitation
│   ├── docker-container-escape.md     # Docker container privilege escalation exploitation
│   ├── logrotate-exploitation.md      # Logrotate vulnerability exploitation and race conditions
│   ├── miscellaneous-techniques.md    # Additional techniques (traffic capture, NFS, tmux hijacking)
│   ├── shared-libraries.md            # LD_PRELOAD shared library hijacking exploitation
│   ├── shared-object-hijacking.md     # Custom library RUNPATH hijacking exploitation
│   ├── python-library-hijacking.md    # Python module import hijacking exploitation
│   ├── sudo-cve-exploits.md           # Sudo CVE exploitation (Baron Samedit, Policy Bypass)
│   ├── polkit-pwnkit.md               # Polkit CVE-2021-4034 Pwnkit privilege escalation
│   ├── dirty-pipe.md                  # Dirty Pipe CVE-2022-0847 kernel vulnerability exploitation
│   ├── netfilter-kernel-exploits.md   # Netfilter kernel module CVE exploits (advanced)
│   ├── linux-hardening.md             # Defensive measures and system hardening practices
│   ├── permissions-based-privesc.md   # File permissions, SUID/SGID exploitation
│   ├── service-based-privesc.md      # Running services and process exploitation
│   ├── configuration-based-privesc.md # Misconfigurations and weak settings
│   ├── kernel-exploitation.md        # Operating system vulnerabilities
│   ├── application-specific-privesc.md # Vulnerable installed software
│   ├── automated-tools.md            # LinPEAS, LinEnum, and enumeration scripts
│   ├── persistence-techniques.md     # Maintaining elevated access
│   └── skills-assessment.md          # Practical exercises and challenges
└── remote-management/                  # Remote access protocols
    ├── remote-management.md            # Overview of remote management protocols
    ├── linux-remote-protocols.md      # SSH, Rsync, R-Services
    └── windows-remote-protocols.md    # RDP, WinRM, WMI

Study Materials

📋 Phase 1: Information Gathering

🔍 Host-Based Enumeration

Complete service enumeration methodology organized by categories

🗄️ Database Services:

MySQL Enumeration - MySQL service testing, authentication, and exploitation
MSSQL Enumeration - Microsoft SQL Server enumeration and attacks
Oracle TNS Enumeration - Oracle database service testing

📁 Network Services:

FTP Enumeration - File Transfer Protocol testing and exploitation
SMB Enumeration - SMB share enumeration, authentication testing, and CVE exploitation
NFS Enumeration - Network File System testing and security assessment
SMTP Enumeration - Mail server testing and user enumeration
Email Services - IMAP/POP3 enumeration and certificate analysis
SNMP Enumeration - Network management protocol testing and information gathering
IPMI Enumeration - Hardware management interface testing and hash extraction

⚔️ Attacking Common Services:

FTP Attacks - FTP exploitation techniques, brute forcing, bounce attacks, and file transfer abuse
SMB Attacks - SMB protocol exploitation, Pass-the-Hash, RCE, forced authentication, and NTLM relay
SQL Database Attacks - MySQL/MSSQL exploitation, command execution, hash stealing, privilege escalation, and lateral movement
DNS Attacks - DNS zone transfers, subdomain enumeration, domain takeover, and DNS-based attacks
RDP Attacks - RDP exploitation, password spraying, session hijacking, and Pass-the-Hash attacks
Email Services Attacks - SMTP/IMAP/POP3 exploitation, user enumeration, mail relay abuse, and credential harvesting
Skills Assessment - Complete attack chain scenarios (Easy/Medium/Hard) with HTB Academy solutions

🌐 Attacking Common Applications:

Module Overview - Comprehensive methodologies for attacking prevalent applications in penetration testing
CMS Attacks - WordPress, Joomla, Drupal discovery, enumeration, and exploitation
- WordPress Discovery & Enumeration - WPScan, plugin enumeration, and version detection
- WordPress Attacks & Exploitation - Theme manipulation, plugin vulnerabilities, Metasploit integration
- Joomla Discovery & Enumeration - JoomScan, version detection, component analysis
- Joomla Attacks & Exploitation - Template RCE, CVE-2019-10945 directory traversal, core vulnerabilities
- Drupal Discovery & Enumeration - DroopeScan, CHANGELOG analysis, module discovery
- Drupal Attacks & Exploitation - PHP Filter abuse, Drupalgeddon series, backdoored modules
Development Tools - Tomcat, Jenkins discovery and exploitation
- Tomcat Discovery & Enumeration - Servlet container fingerprinting, manager interface discovery
- Tomcat Attacks & Exploitation - Manager brute force, WAR uploads, JSP shells, CVE-2020-1938
- Jenkins Discovery & Enumeration - CI/CD automation server reconnaissance, plugin analysis
- Jenkins Attacks & Exploitation - Script Console abuse, Groovy RCE, pipeline manipulation
Infrastructure Monitoring - Splunk, PRTG, GitLab attacks
- Splunk Discovery & Enumeration - SIEM log analytics reconnaissance, license analysis
- Splunk Attacks & Exploitation - Custom app RCE, scripted inputs, Universal Forwarder compromise
- GitLab Discovery & Enumeration - Repository mining, user enumeration, CVE exploitation
- PRTG Network Monitor Attacks - Command injection via notification parameters
Specialized Applications - CGI, IIS, ColdFusion, LDAP, Binary Analysis
- CGI Shellshock Attacks - CVE-2014-6271 exploitation via HTTP headers
- IIS Tilde Enumeration - Short filename discovery using 8.3 format
- ColdFusion Discovery & Enumeration - CFML application testing, port 5500 protocols
- LDAP Injection Attacks - Authentication bypass via environment variables
- Binary Reverse Engineering - Connection string extraction from compiled applications
- osTicket System Exploitation - Support system credential harvesting
- Other Notable Applications - WebLogic, Axis2, WebSphere, Zabbix, Nagios

🔀 Pivoting, Tunneling & Port Forwarding:

Module Overview - Concepts, network segmentation, and methodology
SSH Tunneling Complete Guide - Local, Remote, and Dynamic port forwarding
Dynamic Port Forwarding - SSH SOCKS tunneling and proxychains
Remote Port Forwarding - Reverse shells and Meterpreter pivoting
Chisel SOCKS5 Tunneling - Modern HTTP/SOCKS5 tunneling
SSHuttle Pivoting - VPN-like tunneling over SSH
Meterpreter Tunneling - Metasploit autoroute and framework integration
Socat Redirection - Advanced port forwarding and redirection
Plink Windows Pivoting - Windows SSH client for tunneling
Netsh Port Forwarding - Native Windows port forwarding
SocksOverRDP - RDP-based SOCKS tunneling
Rpivot Web Pivoting - HTTP/HTTPS tunneling techniques
DNS Tunneling with dnscat2 - DNS-based covert channels
ICMP Tunneling with ptunnel-ng - ICMP-based tunneling

🏰 Active Directory Enumeration & Attacks:

Initial Domain Enumeration - Network discovery, service enumeration, and user enumeration with Kerbrute
LLMNR/NBT-NS Poisoning from Linux - Responder attacks, hash capture, and credential harvesting
LLMNR/NBT-NS Poisoning from Windows - Inveigh attacks, hash capture, and credential extraction
Password Policy Enumeration - Domain password policy discovery and analysis
Password Spraying User List Creation - Username enumeration for password spraying attacks
Password Spraying from Linux - rpcclient, Kerbrute, and CrackMapExec spraying techniques
Password Spraying from Windows - DomainPasswordSpray.ps1 and Windows-based credential discovery
Security Controls Enumeration - Windows Defender, AppLocker, LAPS, and Constrained Language Mode assessment
Credentialed Enumeration from Linux - CrackMapExec, SMBMap, rpcclient, Impacket, Windapsearch, and BloodHound.py
Credentialed Enumeration from Windows - ActiveDirectory PowerShell, PowerView, SharpView, Snaffler, and BloodHound
Living Off the Land - Native Windows tools, PowerShell techniques, WMI, net commands, and dsquery
Kerberoasting from Linux - Impacket GetUserSPNs.py, TGS ticket extraction, and offline cracking with Hashcat
Kerberoasting from Windows - setspn.exe, PowerShell, Mimikatz, PowerView, Rubeus, and encryption type analysis
ACL Enumeration - PowerView ACL analysis, attack path discovery, BloodHound visualization, and privilege escalation chains
ACL Abuse Tactics - Practical ACL attack execution, password manipulation, group membership abuse, targeted Kerberoasting, cleanup procedures, and detection evasion
DCSync Attack - Ultimate domain compromise technique using Directory Replication Service, secretsdump.py and Mimikatz execution, reversible encryption exploitation, and complete domain credential extraction
Privileged Access - Lateral movement and privilege expansion using BloodHound enumeration, WinRM/PSRemote exploitation, SQL Server administrative access, and multi-service attack chaining
Kerberos "Double Hop" Problem - Overcoming Kerberos authentication limitations in multi-hop scenarios, PSCredential object workarounds, PSSession configuration methods, and advanced lateral movement techniques
Bleeding Edge Vulnerabilities - Latest critical AD attack vectors including NoPac (SamAccountName Spoofing), PrintNightmare, and PetitPotam (MS-EFSRPC) for rapid domain compromise
Miscellaneous Misconfigurations - Diverse AD vulnerabilities including Exchange attacks, GPP passwords, ASREPRoasting, DNS enumeration, Printer Bug, and various administrative oversights
Domain Trusts Primer - Foundation of AD trust relationships, enumeration techniques (PowerView, netdom, BloodHound), and trust-based attack path identification
Child → Parent Trust Attacks - SID History exploitation, ExtraSids attacks with Mimikatz/Rubeus, Golden Ticket creation for forest privilege escalation
Child → Parent Trust Attacks - from Linux - Cross-platform ExtraSids attacks using Impacket toolkit (secretsdump, lookupsid, ticketer, psexec, raiseChild)
Cross-Forest Trust Abuse - from Windows - Cross-forest Kerberoasting, admin password reuse, foreign group membership enumeration, and SID History abuse across forest boundaries
Cross-Forest Trust Abuse - from Linux - Cross-platform cross-forest attacks using Impacket GetUserSPNs, bloodhound-python multi-domain collection, and foreign group membership discovery

🎯 Skills Assessment:

Skills Assessment Part I - Complete Walkthrough - Comprehensive 8-question practical assessment covering web shells, Kerberoasting, pivoting, credential dumping, DCSync attacks, and domain takeover with working commands and troubleshooting
Skills Assessment Part II - Advanced Professional Methodology - 12-question advanced assessment demonstrating superior SSH dynamic port forwarding + proxychains methodology, LLMNR poisoning, SQL exploitation, privilege escalation, and complete domain compromise with professional-grade techniques

🖥️ Remote Management:

Remote Management Overview - Overview of remote access protocols
Linux Remote Protocols - SSH, Rsync, R-Services enumeration
Windows Remote Protocols - RDP, WinRM, WMI testing

🪟 Windows Privilege Escalation:

Module Overview - Comprehensive Windows privilege escalation methodology
Situational Awareness - Network enumeration, security protections, system context assessment
Initial Enumeration - System information, processes, users, groups, and services enumeration
Communication with Processes - Network services and named pipes analysis for privilege escalation
SeImpersonate & SeAssignPrimaryToken - Token impersonation attacks using JuicyPotato, PrintSpoofer, and RoguePotato
SeDebugPrivilege - LSASS memory dumping, credential extraction, and SYSTEM privilege escalation
SeTakeOwnershipPrivilege - File ownership takeover, ACL manipulation, and sensitive data access
Windows Built-in Groups - Backup Operators exploitation, SeBackupPrivilege abuse, and Domain Controller NTDS.dit extraction
Event Log Readers - Event log analysis, process creation auditing, and credential extraction from command-line history
DnsAdmins - DNS service manipulation, custom DLL injection, and Domain Controller privilege escalation attacks
Hyper-V Administrators - Virtual machine cloning attacks and hard link exploitation techniques
Print Operators - SeLoadDriverPrivilege exploitation and malicious driver loading attacks
Server Operators - Service control, binary path modification, and Domain Controller compromise techniques
UAC Bypass - User Account Control bypass via DLL hijacking, auto-elevating binaries, and UACME techniques
Weak Permissions - File system ACLs, service permissions, unquoted service paths, registry ACLs, and autorun binary exploitation
Kernel Exploits - Historical and modern Windows kernel vulnerabilities including HiveNightmare, PrintNightmare, and legacy exploits
Vulnerable Services - Third-party application vulnerabilities, service enumeration, and exploitation techniques including Druva inSync command injection
Credential Hunting - File system credential discovery, PowerShell history analysis, browser dictionaries, unattended installation files, and DPAPI credential decryption
Other Files - Advanced credential hunting in StickyNotes databases, system backup files, network shares, and application-specific storage locations
Further Credential Theft - Browser credential extraction, password manager cracking, LaZagne automation, SessionGopher, registry-stored credentials, and WiFi password retrieval
Citrix Breakout - Escaping restricted virtualization environments using dialog boxes, UNC paths, alternate tools, and privilege escalation chains
Interacting with Users - Social engineering attacks including traffic capture, SCF/LNK file hash capture, process monitoring, and credential harvesting
Pillaging - Post-exploitation data extraction from applications, browsers, clipboard, backup systems, and configuration files
Miscellaneous Techniques - LOLBAS exploitation, AlwaysInstallElevated, CVE-2019-1388, scheduled tasks, and virtual disk mounting
Windows Server 2008 - Legacy system exploitation using Sherlock, missing patches, and Metasploit privilege escalation
Windows 7 Exploitation - End-of-life desktop exploitation using Windows-Exploit-Suggester and MS16-032 PowerShell attacks

📋 Documentation & Reporting:

Notetaking & Organization - Comprehensive notetaking structure, Tmux logging setup, evidence collection, and artifact tracking for professional penetration testing assessments
Types of Reports - Assessment methodologies, report categories, specialized testing types, and professional deliverable standards
Components of a Report - Executive summary best practices, attack chain documentation, findings structure, and appendix organization
How to Write Up a Finding - Professional finding structure, evidence presentation, remediation recommendations, and quality reference selection
Reporting Tips and Tricks - Professional workflow, MS Word techniques, automation strategies, client communication, and quality assurance processes
HTB Academy Example - Practical Obsidian notetaking structure demonstrating professional penetration test documentation for INLANEFREIGHT.LOCAL assessment

🌐 Attacking Enterprise Networks:

External Information Gathering - Systematic reconnaissance, Nmap enumeration, DNS zone transfers, vhost discovery, and attack surface mapping for enterprise network penetration testing
Service Enumeration & Exploitation - FTP, SSH, SMTP, email services testing, user enumeration, anonymous access validation, and vulnerability research
Web Enumeration & Exploitation - EyeWitness automation, HTTP verb tampering, file upload bypasses, WordPress exploitation, SQL injection, XSS, SSRF, XXE, and command injection with 11 comprehensive lab solutions
Initial Access - Socat reverse shell establishment, TTY upgrade techniques, audit log credential mining, privilege escalation, and DMZ to internal network pivot preparation
Post-Exploitation Persistence - SSH key extraction via GTFOBins, root privilege escalation, stable access establishment, and internal network pivot preparation
Internal Information Gathering - SSH/Metasploit pivoting setup, internal host discovery, NFS share exploitation, DotNetNuke credential harvesting, and Active Directory infrastructure mapping
Exploitation & Privilege Escalation - DotNetNuke administrative exploitation, xp_cmdshell enablement, PrintSpoofer SeImpersonate attacks, SAM database extraction, and domain credential discovery
Lateral Movement - BloodHound enumeration, ForceChangePassword privilege abuse, file share credential hunting, Kerberoasting attacks, password spraying, and Sysax Automation privilege escalation
Active Directory Compromise - GenericWrite ACL abuse, targeted Kerberoasting attacks, Server Admins group escalation, DCSync privilege exploitation, and complete domain administrator access
Post-Exploitation - Domain password analysis, double pivoting techniques, protected network access, DirtyPipe kernel exploitation, and comprehensive enterprise impact demonstration

🐧 Linux Privilege Escalation:

Module Overview - Comprehensive Linux privilege escalation methodology
Environment Enumeration - System reconnaissance and information gathering techniques
- System Information Gathering - OS version, kernel, hardware details and security controls
- User and Group Analysis - Account enumeration, permission mapping, and group membership
- Network Configuration - Interface analysis, routing tables, and internal network discovery
- File System Analysis - Mounted drives, hidden files, temporary directories, and block devices
- Manual Enumeration Checklist - Systematic approach to Linux system reconnaissance
Services & Internals Enumeration - Deep system analysis for privilege escalation vectors
- Running Services Analysis - Process enumeration, service identification, and root process targeting
- User Activity Investigation - Login history, active sessions, and command history analysis
- Scheduled Tasks Discovery - Cron jobs, systemd timers, and automation script analysis
- Configuration Discovery - System configs, application settings, and credential harvesting
Credential Hunting - Systematic credential discovery and extraction techniques
- File System Credential Search - Configuration files, scripts, backups containing stored secrets
- SSH Key Discovery - Private key enumeration, known_hosts analysis, lateral movement prep
- Database Credential Extraction - WordPress, MySQL, PostgreSQL, application database passwords
- Advanced Discovery Methods - Memory analysis, environment variables, process inspection
PATH Abuse - PATH variable manipulation for privilege escalation
- PATH Variable Exploitation - Directory precedence manipulation and command execution hijacking
- Writable Directory Detection - PATH enumeration and write permission identification
- Script Hijacking Attacks - Sudo scripts, cron jobs, and relative command exploitation
- Binary Substitution Techniques - Malicious script creation and execution interception
Wildcard Abuse - Shell wildcard exploitation for argument injection
- Filename Expansion Attacks - Wildcard character abuse for command argument injection
- tar Command Exploitation - checkpoint-action parameter injection for code execution
- Cron Job Wildcard Targeting - Automated script exploitation through file creation
Escaping Restricted Shells - Breaking out of rbash, rksh, rzsh limitations
- SSH Bypass Techniques - Remote connection restriction circumvention
- Command Substitution Escapes - Backtick and variable expansion exploitation
- Built-in Command Abuse - Vi, less, man page escape sequences for shell access
Special Permissions - SUID/SGID binary exploitation for privilege escalation
- SUID/SGID Binary Discovery - Finding and enumerating special permission files
- GTFOBins Exploitation - Leveraging known privilege escalation binaries and techniques
- Common Binary Abuse - Text editors, interpreters, file utilities with elevated permissions
Sudo Rights Abuse - Sudo misconfiguration exploitation
- Sudo Permission Enumeration - sudo -l analysis and configuration file review
- GTFOBins Sudo Exploitation - Text editors, system tools, interpreter abuse via sudo
Privileged Groups - Dangerous group membership exploitation
- Container Group Abuse - LXD/LXC and Docker group privilege escalation techniques
- System Group Exploitation - Disk, ADM, shadow group access for privilege vectors
Capabilities - Linux capabilities privilege escalation
- Capability Enumeration - Finding binaries with dangerous capability assignments
- File Permission Bypass - cap_dac_override exploitation for system file modification
Vulnerable Services - Service vulnerability exploitation
- Service Version Enumeration - Identifying outdated software with known CVEs
- Screen 4.5.0 Exploitation - CVE-2017-5618 ld.so.preload overwrite privilege escalation
Cron Job Abuse - Scheduled task misconfiguration exploitation
- Cron Job Discovery - Finding writable scripts in scheduled tasks
- Process Monitoring - pspy usage for automated task pattern detection
LXD Container Escape - Container manager privilege escalation
- LXD Group Exploitation - Privileged container creation and host filesystem mounting
- Container Image Management - Importing, configuring, and exploiting container images
Docker Container Escape - Docker runtime privilege escalation
- Docker Group Exploitation - Container runtime privilege escalation via host mounting
- Privileged Container Execution - Bypassing isolation through privileged containers
Logrotate Exploitation - Log management vulnerability exploitation
- Logrotate Vulnerability Assessment - Version identification and vulnerable configuration detection
- Logrotten Race Condition Exploit - Race condition exploitation via log rotation hijacking
Miscellaneous Techniques - Additional privilege escalation vectors
- Passive Traffic Capture - Network sniffing for credential extraction using tcpdump
- Weak NFS Privileges - no_root_squash exploitation for SUID binary upload and system access
Shared Libraries - LD_PRELOAD exploitation for privilege escalation
- LD_PRELOAD Environment Abuse - Shared library injection through environment variable manipulation
- Malicious Library Deployment - Custom shared object creation and sudo command hijacking
Shared Object Hijacking - RUNPATH library hijacking exploitation
- RUNPATH Directory Exploitation - Writable library path abuse in SUID binaries
- Custom Library Injection - Missing function implementation for privilege escalation
Python Library Hijacking - Python module import system exploitation
- Python Module Import Hijacking - sys.path manipulation and module precedence abuse
- PYTHONPATH Environment Manipulation - Environment variable abuse for import redirection
Sudo CVE Exploits - Critical sudo vulnerability exploitation
- CVE-2021-3156 Baron Samedit - Heap buffer overflow for immediate root shell access
- CVE-2019-14287 Policy Bypass - Negative user ID exploitation for privilege escalation
Polkit/Pwnkit - Universal privilege escalation via polkit vulnerability
- CVE-2021-4034 Pwnkit Exploitation - Memory corruption in pkexec for universal root access
- Zero-Prerequisite Escalation - Any local user exploitation without authentication
Dirty Pipe - Kernel vulnerability exploitation for file modification
- CVE-2022-0847 Kernel Exploitation - Pipe mechanism abuse for arbitrary root file writes
- File Modification Attacks - /etc/passwd modification and SUID binary hijacking via kernel exploit
Netfilter Kernel Exploits - ⚠️ Advanced kernel exploits (high risk)
- Multiple Kernel CVEs - CVE-2021-22555, CVE-2022-25636, CVE-2023-32233 targeting kernels 2.6-6.3.1
- High-Risk Kernel Exploitation - Direct kernel attacks with significant system stability risks
Linux Hardening - Defensive security measures and system hardening
- Update Management - Kernel and package update strategies for vulnerability mitigation
- Configuration Hardening - File system, service, and user management security practices

🕷️ Web Enumeration:

Web Information Gathering - Overview and quick start guide for web reconnaissance
Subdomain Enumeration - DNS enumeration and subdomain discovery techniques
Web Application Enumeration - Directory enumeration, virtual hosts, and web application testing

🌐 Web Application Attacks:

Cross-Site Scripting (XSS) - Complete XSS guide covering Stored, Reflected, and DOM-based XSS with HTB Academy techniques
File Inclusion - Comprehensive LFI/RFI module with 9 specialized guides covering Basic Techniques, Advanced Bypasses, PHP Wrappers RCE, Remote File Inclusion, File Upload + LFI, Log Poisoning, Automated Scanning, Prevention & Hardening, and complete HTB Academy Skills Assessment
File Upload Attacks - Complete file upload exploitation guide covering web shells, reverse shells, bypass techniques, and HTB Academy lab solutions
Command Injection Attacks - 🏆 COMPLETE MODULE (10 comprehensive sections: Detection + Exploitation + Filter Bypasses + Advanced Obfuscation + Skills Assessment) - OS Command Execution with direct and blind injection techniques, filter bypass methods, advanced evasion and automated tools, complete methodology with HTB Academy lab solutions

🔐 Password Attacks & Lateral Movement:

Skills Assessment Workflow - Complete password attacks methodology from foothold to domain compromise
Pass the Hash Attacks - NTLM hash relay and authentication bypass
Pass the Ticket Attacks - Kerberos ticket manipulation and Golden Ticket attacks
Pass the Certificate Attacks - ESC8 ADCS attacks and PKINIT exploitation
NTDS.dit Attacks - Domain controller credential extraction

🌐 Infrastructure Enumeration

Domain and cloud infrastructure reconnaissance

Topics Covered:

Domain Information Gathering
DNS Enumeration and Zone Transfers
Cloud Service Identification
Certificate Transparency Analysis
Subdomain Discovery

🛡️ Firewall Evasion

Techniques for bypassing security controls

Techniques Covered:

Firewall Detection and Fingerprinting
IDS/IPS Evasion Methods
Port Scanning Evasion
Protocol Manipulation

Practical Application:

Complete Skills Assessment - All 7 HTB Academy questions with full solutions and troubleshooting
Skills Assessment - Hands-on lab scenarios and HTB Academy exercises

Key Features

🎯 Comprehensive Coverage

30+ Service Types - Complete enumeration guides for all major services
Complete Attack Modules - Full HTB Academy "Attacking Common Services" (4,262 lines) + "Attacking Common Applications" (22 documents)
Web Application Attacks - XSS (Cross-Site Scripting), File Inclusion module (9 specialized guides), File Upload Attacks (9 comprehensive sections), Command Injection (10 comprehensive sections), and Web Attacks (HTTP Verb Tampering, IDOR, XXE)
Application-Specific Exploitation - WordPress, Joomla, Drupal, Tomcat, Jenkins, Splunk, and specialized applications
Windows Privilege Escalation - Comprehensive module covering situational awareness, initial enumeration, privilege exploitation (SeImpersonate, SeDebugPrivilege, SeTakeOwnershipPrivilege), Windows Built-in Groups abuse (Backup Operators, Event Log Readers, DnsAdmins, Hyper-V Administrators, Print Operators, Server Operators), UAC bypass techniques, weak permissions exploitation, kernel exploits (HiveNightmare, PrintNightmare, legacy vulnerabilities), vulnerable third-party services, credential hunting techniques, advanced file system searches, further credential theft (browsers, password managers, automated tools), and systematic escalation techniques
Linux Privilege Escalation - Complete module with 24 techniques covering environment enumeration, permissions-based attacks, service exploitation, container escapes, kernel exploits, and defensive hardening
Skills Assessment Coverage - Multiple complete walkthroughs for different difficulty levels
Web Application Focus - Dedicated web reconnaissance and enumeration
CVE References - Known vulnerabilities with exploitation examples
HTB Academy Style - Lab questions and practical examples
Real-World Scenarios - Practical penetration testing methodologies

📚 Practical Focus

Step-by-step Commands - Copy-paste ready enumeration commands
Tool Comparisons - Multiple tools for each enumeration task
Security Assessment - Vulnerability identification and exploitation
Defensive Measures - Hardening and protection recommendations

Study Resources

📖 Essential Reading

HTB Academy CPTS Path - Official certification curriculum
PTES Standard - Penetration Testing Execution Standard
NIST Guidelines - Cybersecurity framework references
OWASP Top 10 - Web application security fundamentals

🛠️ Required Tools

Nmap - Network discovery and security auditing
Burp Suite - Web application security testing
Metasploit - Penetration testing framework
Bloodhound - Active Directory environment analysis
Custom Scripts - Automation and efficiency tools

🏆 Certification Path

Study Phase - Review all enumeration guides systematically
Lab Practice - Complete HTB Academy lab exercises
Exam Preparation - Review methodologies and checklists
Certification Exam - Apply knowledge in simulated environment

This CPTS preparation guide is designed to provide comprehensive coverage of penetration testing methodologies while maintaining practical applicability for real-world security assessments.

Previous/home/kabaneridev/.pt-notes NextInfrastructure Enumeration

Last updated 5 months ago

hashtagOverview

hashtagCurrent Structure

hashtagStudy Materials

hashtag📋 Phase 1: Information Gathering

hashtag🔍 Host-Based Enumeration

hashtag🌐 Infrastructure Enumeration

hashtag🛡️ Firewall Evasion

hashtagKey Features

hashtag🎯 Comprehensive Coverage

hashtag📚 Practical Focus

hashtagStudy Resources

hashtag📖 Essential Reading

hashtag🛠️ Required Tools

hashtag🏆 Certification Path