HTB Methodology

Easy | Jul 15, 2025
#scanning-hosts #persistence

Disclaimer: much of the current information is straight from HackTricks, as I'm building my personal network of methodologies.

0 - Provided Credentials/Information

Sometimes the first step is given to you in HTB CTF machines, labs and fortresses: credentials, a hostname or a description of the target may be handed over before you touch anything.

Don't waste even a minute on something you already have: organize, prioritize and absorb, in that order.


1 - Port Scan

On Machines and Fortresses, everything begins with a basic port scan with service detection.

I organize every new machine or fortress into its own named folder, so my initial nmap command is as follows:

nmap -Pn -sC -sV -oA nmap/$(basename $PWD) $(basename $PWD).htb

Note that $(basename $PWD).htb only resolves once you add the matching /etc/hosts entry; otherwise use the provided IP. -Pn skips host discovery (HTB boxes frequently drop ICMP), -sC runs the default script set, -sV probes service versions, and -oA writes normal, greppable and XML output into nmap/, which has to exist before nmap runs. Without -p this covers only nmap's default top 1000 TCP ports, so follow up with a full -p- scan (and a UDP scan of the common ports) before concluding that nothing else is listening.

Additional Resources

HackTricks - Scanning Hosts


2 - Version Checking

The first step when you obtain new service names and versions is an extensive search for known vulnerabilities. Perhaps there's an existing CVE, a public exploit, or a GitHub repo or issue thread discussing whatever you're finding. Search the exact version string nmap reports, but treat a match as a lead rather than a confirmation: distributions backport fixes without bumping the banner, and banners can be changed by hand.
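The following bash script is an added example rather than the post's own workflow; it ties sections 1 and 2 together: a fast full-port discovery scan, a -sC -sV scan restricted to the ports found, and extraction of the service/version strings from nmap's greppable (-oG) output into searchsploit queries. Only scan_target needs nmap and network access; the parsers run offline on the constructed .gnmap sample in sample_gnmap (the 10.10.10.5 host, its ports and its banners are made up for illustration).

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Two-phase nmap scan plus
# extraction of "port service version" triples for the version-checking step.
# scan_target needs nmap on the attacker box; everything else runs offline.

# Exit 0 if NAME appears as a hostname in HOSTS_FILE (default /etc/hosts).
# $(basename $PWD).htb only resolves once this entry exists.
check_hosts_entry() {
  local name="$1" hosts_file="${2:-/etc/hosts}"
  grep -qE '^[^#]*[[:space:]]'"$name"'([[:space:]]|$)' "$hosts_file"
}

# Emit one "port/state/proto/owner/service/rpc/version/" record per line
# from a .gnmap file (the fields nmap packs into its "Ports:" column).
gnmap_port_records() {
  sed -n 's/.*Ports: //p' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# Comma-separated list of open TCP ports, e.g. "22,80,8080", ready for -p.
open_ports_from_gnmap() {
  gnmap_port_records "$1" \
    | awk -F/ '$2 == "open" && $3 == "tcp" { print $1 }' \
    | sort -n | uniq | paste -sd, -
}

# "port service version" for open TCP ports whose version nmap identified.
# Simplification: a version string containing "/" would be truncated.
service_versions_from_gnmap() {
  gnmap_port_records "$1" \
    | awk -F/ '$2 == "open" && $3 == "tcp" && $7 != "" { print $1, $5, $7 }'
}

# Turn the triples into searchsploit commands, keeping the product name up
# to and including the first token that carries a digit ("Apache httpd 2.4.41")
# so distro suffixes do not drown the search. A hit is a lead, not proof.
searchsploit_queries() {
  local port service version word query
  while read -r port service version; do
    query=""
    for word in $version; do
      query="$query${query:+ }$word"
      case $word in *[0-9]*) break ;; esac
    done
    printf 'searchsploit "%s"\n' "$query"
  done
}

# Fast full-port discovery first, then scripts and version probes only on
# the ports that are actually open. -Pn because HTB boxes often drop ICMP.
scan_target() {
  local target="$1" outdir="${2:-nmap}" ports
  mkdir -p "$outdir"
  nmap -Pn -p- --min-rate 1000 -oA "$outdir/allports" "$target" >/dev/null || return 1
  ports=$(open_ports_from_gnmap "$outdir/allports.gnmap")
  [ -n "$ports" ] || { echo "no open TCP ports on $target" >&2; return 1; }
  nmap -Pn -sC -sV -p "$ports" -oA "$outdir/services" "$target" >/dev/null || return 1
  service_versions_from_gnmap "$outdir/services.gnmap" | searchsploit_queries
}

# Constructed .gnmap sample used for the checks below; not real scan output.
sample_gnmap() {
  cat > "$1" <<'EOF'
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.10.10.5 ()  Status: Up
Host: 10.10.10.5 ()  Ports: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.41 ((Ubuntu))/, 8080/open/tcp//http-proxy///, 3306/filtered/tcp//mysql///  Ignored State: closed (996)
# Nmap done -- 1 IP address (1 host up) scanned
EOF
}
```

searchsploit --nmap services.xml does a similar lookup straight from nmap's XML output; the hand-built queries are useful when you want to trim noisy banner suffixes yourself before searching.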


3 - Pentesting Services

If there is no ready-made exploit for any running service, look for common misconfigurations in each service that is running.

A special mention goes to Pentesting Web: it's easily the most extensive methodology currently. Also, a small guide on how to find known vulnerabilities in software can be found here.

If Google turns up nothing, do your own blind testing: connect to the service, fuzz it and read the responses (if any).


4 - Brute-Forcing Services

In some scenarios a brute-force attack could be useful to compromise a service. Find here a cheat sheet for brute forcing different services. On HTB this is usually safe to try; on a real engagement check the account lockout policy first, since a handful of wrong attempts can lock out every account you test.


5 - Phishing

If at this point you haven't found any interesting vulnerability, you may need to try some phishing in order to get inside the network. You can read the HackTricks Phishing Methodology.


6 - Getting Shell

By now you should have found some way to execute code on the victim. A list of the tools present on the system that can give you a reverse shell (bash, python, perl, nc, PowerShell and so on) is very useful at this point.

Especially on Windows you may need help evading antivirus: check this page.


7 - Inside

If you have trouble with the shell, you can find here a small compilation of the most useful commands for pentesters:


8 - Exfiltration

You will probably need to extract some data from the victim or upload something to it (like privilege escalation scripts). Here you have a post about common tools you can use for these purposes.


9 - Privilege Escalation

9.1 - Local Privesc

If you are not root/Administrator inside the box, you should find a way to escalate privileges.
Here you can find a guide to escalating privileges locally on Linux and on Windows.
You should also check these pages about how Windows works:

Don't forget to check out the best tools to enumerate Windows and Linux local privilege escalation paths: Suite PEAS
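Before reading a linPEAS report end to end, a few manual checks cover the most common Linux privesc paths. The bash below is an added example (not from the post, and not PEAS output): SUID binaries outside the routine set, writable directories in PATH, and system cron entries whose target script is writable. Each function takes a root directory so it can be tried on a constructed tree; on a target pass / to find_suid and "" to writable_cron_targets. The known_suid list is my own shortlist, not a complete distro manifest.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Three quick manual checks to
# run before (or while) reading a linPEAS report. Each takes a root
# directory so it can be exercised on a constructed tree; on a target use
# "/" for find_suid and "" for writable_cron_targets (paths are "$root$path").

# SUID/SGID files under ROOT. Anything outside the usual distro set is a
# candidate: look it up on GTFOBins, or check whether it runs binaries by
# bare name (PATH hijack) or reads attacker-writable files.
find_suid() {
  find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Filter find_suid output down to names not in the routine set.
# known_suid is a hand-picked shortlist, not a full manifest.
known_suid="sudo su passwd chsh chfn gpasswd newgrp mount umount pkexec ping fusermount3 ssh-keysign"
unusual_suid() {
  local path name
  while read -r path; do
    name=${path##*/}
    case " $known_suid " in *" $name "*) ;; *) printf '%s\n' "$path" ;; esac
  done
  return 0
}

# Directories in PATH (or in the colon-separated list given as $1) that the
# current user can write to. If a root cron job or sudo rule runs a command
# by bare name, a writable PATH entry that sorts earlier wins.
writable_path_dirs() {
  local dir
  printf '%s\n' "${1:-$PATH}" | tr ':' '\n' | while read -r dir; do
    [ -n "$dir" ] && [ -d "$dir" ] && [ -w "$dir" ] && printf '%s\n' "$dir"
  done
  return 0
}

# System crontab entries whose absolute command path is writable by us:
# edit the script, wait for the tick, run as the entry's user (usually root).
# Field layout of /etc/crontab and /etc/cron.d/*: m h dom mon dow user cmd...
writable_cron_targets() {
  local root="$1" f cmd
  for f in "$root"/etc/crontab "$root"/etc/cron.d/*; do
    [ -f "$f" ] || continue
    awk '!/^[[:space:]]*(#|$)/ && !/^[A-Za-z_]+=/ { print $7 }' "$f" \
      | while read -r cmd; do
          case $cmd in
            /*) [ -w "$root$cmd" ] && printf '%s -> %s\n' "$f" "$root$cmd" ;;
          esac
        done
  done
  return 0
}

# Not scriptable offline but always worth running on the box itself:
#   sudo -l                       (NOPASSWD entries, env_keep, wildcards)
#   getcap -r / 2>/dev/null       (file capabilities such as cap_setuid)
#   ls -la /etc/cron* /var/spool/cron 2>/dev/null
```

The cron check only follows absolute paths; a bare command name in a cron line is exactly the case where writable_path_dirs matters instead.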

9.2 - Domain Privesc

Here you can find a methodology explaining the most common actions to enumerate, escalate privileges and persist in an Active Directory domain. Even though this is just a subsection of a section, the process can be extremely delicate on a pentesting/red team assignment.


10 - POST

10.1 - Looting

Check whether you can find more passwords inside the host, or whether you have access to other machines with the privileges of your user.
Find here different ways to dump passwords on Windows.

10.2 - Persistence

Use 2 or 3 different types of persistence mechanism so you won't need to exploit the system again.
Here you can find some persistence tricks for Active Directory.

TODO: Complete persistence Post in Windows & Linux


11 - Pivoting

With the gathered credentials you could have access to other machines, or maybe you need to discover and scan new hosts (start the pentesting methodology again) inside the new networks your victim is connected to.
In this case tunnelling could be necessary. Here you can find a post about tunnelling.
You should also check the post about the Active Directory pentesting methodology; there you will find tricks to move laterally, escalate privileges and dump credentials.
Check also the page about NTLM, which can be very useful for pivoting in Windows environments.