My HackTheBox CTF Methodology - From fresh box to root!

For nmap, I usually use the -sV (service scan) instead of -sS and, if need be, I run a FIN scan (-sF), but that is unreliable because of the nature of how the packets are sent and received. Of course there are also the Xmas and NULL scans. I think that -sV is the same as -sS packet-wise, but whatever.

I should note that MOST CTFs that I have seen aren’t that realistic, especially when we are talking about the real-world threats that are actually problematic.

That’s a great resource, thanks pry! The links you’ve shared are as invaluable as the rest of your content. This post boosted my motivation to boot up my Linux machine and work on some HTB machines.


I really have no idea what you’re talking about.

There are some really realistic boxes on HTB. Even ctfy boxes teach you a lot about enumeration.

Boxes like Querier & Access are hella realistic. But then again, I guess it’s never going to be as easy as “hacking” a printer that’s completely open with a web GUI :stuck_out_tongue:

With regard to realistic threats, the actual realistic threats are unpatched EternalBlue and open FTP shares. It’s the stupid stuff that causes stuff like Mirai, not some 1337 0day.

I’m glad man! I cannot wait for you to get back into HTB! It’s so much fun and getting that root is the best feeling ever.

Don’t put too much pressure on yourself, go slow and enjoy the ride. Get lost in the rabbit holes and don’t be too hard on yourself. It’s like a muscle, you gotta go easy when you’ve not flexed it for a while.

I disagree, but I doubt you and I both have the experience to back our claims up. Mirai for one thing infected IoT devices and last I checked, IoT devices are now being secured via a key encryption thing… EternalBlue was a joke in my opinion. The only reason why it was effective was because it was easy to re-arm. My suspicions are more toward HVAC and SCADA as the next ‘disaster in the making’. The ICS devices in general are vulnerable as far as I can tell and also control the infrastructure of a country, which is a necessity for a country to function.

I do suggest you take a couple of hours or so and read Hacker’s Playbook Volume 3. There is a lot of stuff in there that I feel can better explain what I am trying to well… explain.

I’d agree with @pry0cc on this one. While HVAC and SCADA hacking does happen, there is a reason why MITRE ATT&CK and the OWASP Top 10 exist - these things are far more common, and those vulnerabilities appear on many HTB boxes.


The Hacker’s Playbook 3 shows you how to re-create real attacks for red teaming. It was written with that objective in mind, so it goes into far more detail than a post like this to enable you to explain to your client what you are doing and how they can improve their defenses.


Thanks for this amazing guide, I’m keeping this pinned for later. I haven’t pwn’d any boxes yet, but I’ve been making work of it by reading writeups, watching walkthroughs, and trying it myself and failing.

However I think there might be a little error in your guide:

The “this” shows up as if it was a link but it’s unclickable.
I’d love to know where it leads to so therefore the little remark :stuck_out_tongue:


Gobuster is excellent and is my go-to tool for HTTP enumeration as well. It’s important to keep in mind that it is not recursive though, and that adding 401 to the list of status codes to report is useful. And bump the threads, -t 50 has worked nicely on HTB so far.

As you’ve said, enumerating is a crucial step. The “enumerate, enumerate, enumerate” mantra that gets thrown around can’t be overstated: comprehensive information gathering can save many headaches.

Good shout about extracting subdomains from the certificate, too.


Hey man! I’m glad you got some value from this.

I completely agree, enumeration is the name of the game. If you can’t pop it, you’ve not enumerated enough - generally.


Nice one. More of these texts please.
Really informative!

Could you please tell me where the clickable “this” leads to? It doesn’t open any page when I click on it and I’m curious as to what it leads to.

Ugh! I thought I fixed it. I will fix this when I get a reliable internet connection.

It’s the DNS and web enumeration reference on


Thanks for letting me know, and if there are no clicks on a link that probably means it’s broken somehow :stuck_out_tongue:

Great guide! A really good base on how to tackle these boxes. This approach might not suit everyone but I think it’s good to understand how others tackle various situations.


Pretty awesome man, thanks for this. Hadn’t considered trying SSL cert domain enum for virtual hosts on HTB.



Cheeky bump - does anybody have any questions regarding HTB and their methodology? Any suggestions? Now is the time to ask!

Not a question per se, but I think it would be cool if we put together guides on different “in roads”,

i.e. after you get admin access to the web app, what are the common things to look for (e.g. file upload and filter evasion, LFI, RFI, template editing etc.)

or the different things you can do if you have access to smb shares or anon ftp… there’s a lot more to do than the usual CTF “collect the files and follow the clues” type stuff.

(after all, this is where it gets interesting imho :smiley:)
