Academy Modules Layout | Hack The Box Academy
Hack The Box was initially created to give technical professionals a safe place to practice and develop hacking skills and was not ideally suited for beginners starting their IT/Security journeys. Hack The Box began as solely a competitive CTF platform with a mix of machines and challenges, each awarding varying amounts of points depending on the difficulty, to be solved from a "black box" approach, with no walkthrough, guidance, or even hints. As the platform evolved, we saw the need for more beginner-friendly content and a guided learning approach to supplement the competitive side of the platform. With that goal in mind, HTB Academy was born. We aim to provide beginner-friendly content while helping mid-level and advanced practitioners upskill in various areas. We also offer Starting Point on the main HTB platform, which aims to help users become more comfortable attacking individual targets using a guided approach and eventually transitioning to solving boxes independently and even playing the competitive boxes. Each person likely has their personal opinion of HTB, and it may not be for everyone. However, we would like to take the time to explain our point of view as experienced IT specialists from various fields, with many years of combined experience and different journeys from beginners to where we are today.
IT (Information Technology) is a major business function of most organizations that focuses on building, administering, and supporting the computer technology used by organizations to achieve their mission. IT is a term often used to encompass many specialized sub-disciplines like Cybersecurity, Information Security, Software Development, Database Administration, Network Administration, and more. To become "good" in this field requires considerable practice and effort. Cybersecurity can be a very challenging discipline because it requires the basic knowledge necessary for a typical IT specialist and a much deeper understanding of all areas (networking, Linux and Windows systems administration, scripting, databases, etc.). We don't need to be experts in every single area of IT. However, the more experience and knowledge we have, the easier our job as an IT security specialist or penetration tester will become. We cannot work confidently as penetration testers if we don't have a deep understanding of the technologies we are assessing. For example, a web developer focuses only on developing web applications and websites. This generally requires knowledge of HTML, JavaScript, CSS, SQL, and server-side programming languages, such as PHP. Even if the developer has over ten years of experience in their field, it only takes one mistake for the entire web server to be unusable or for data to be stolen. As an attacker, the trick is to find a way to identify and exploit these errors.
With this in mind, we have laid a foundation for our students because, in our experience, it is hard to know where to start. We have structured and built our learning material so that it may seem difficult at first, but with time you will realize that this is the easiest and most efficient way to teach such complex material. We want to make the learning process as easy and efficient as possible while emphasizing the core fundamentals and returning to them repeatedly. For example, many of our tasks are set up to get you to think in a certain way. We do this to help you develop the essential analytical skills that are imperative to be successful in a field that can have so much uncertainty. We want to help craft professionals who see things differently and question everything, which ultimately can help deliver more value to clients if you're able to find nuanced issues that other testers miss. We can't teach analytical skills and the ability to dig deeper and "question everything" in one single module or path. This can be compared to playing a musical instrument. We can't learn to play the guitar well without considerable practice. We can learn everything about a guitar, the history of guitars, the name of every component, etc., but if we pick one up without practice, we will not be able to produce music that is equivalent to our knowledge of guitars. This is the same in the field of penetration testing. We may know everything about the history of computers and be able to describe every component, but without deep hands-on experience, we won't be able to perform penetration testing at a high level.
Additional context
This document presents a structured approach to cybersecurity education, specifically tailored for penetration testing. It builds upon established methodologies in cybersecurity training, which increasingly recognize the need for hands-on, practical experience to complement theoretical knowledge. The framework described aligns with the cyclical nature of the penetration testing lifecycle, commonly understood as encompassing reconnaissance, scanning, gaining access, maintaining access, and covering tracks. By emphasizing foundational IT skills in operating systems like Linux and Windows, it acknowledges prior work in IT education that highlights the critical importance of understanding target systems before attempting to exploit them. The pedagogical approach, focusing on analytical skills and iterative learning, reflects broader trends in educational psychology advocating for active learning and problem-based instruction to foster critical thinking.
The remainder of this section will explain how we have structured the modules in the way that we did to give you insight into our thought process and teaching philosophy. Our primary focus is creating engaging and empowering training resources that benefit individuals at all skill levels.
Definition
Penetration testing process: A systematic approach to identifying and exploiting security vulnerabilities in a system or network to evaluate its security posture.
The module listing shown corresponds to the sequence we recommend for beginners or advanced users who are 'stuck' to follow, in order to improve in specific areas at each stage of the penetration testing process.
Image summary: A process diagram illustrating the Penetration Testing Process. The workflow begins with Pre-Engagement, leading into a central cycle of Information Gathering, Vulnerability Assessment, Exploitation, and Post-Exploitation. These four core stages are interconnected by bidirectional arrows, indicating an iterative process. From this cycle, the process moves through Lateral Movement to a Proof-of-Concept, and concludes with Post-Engagement.
Pre-Engagement
The pre-engagement stage is where the main commitments, tasks, scope, limitations, and related agreements are documented in writing. During this stage, contractual documents are drawn up, and essential information is exchanged that is relevant for penetration testers and the client, depending on the type of assessment.
Image summary: A flow diagram illustrating the Penetration Testing Process. The process begins with Pre-Engagement, which leads to Information Gathering. From there, the workflow enters a cyclical core consisting of four interconnected stages: Vulnerability Assessment, Post-Exploitation, Lateral Movement, and Exploitation. These four stages have bidirectional arrows between them, indicating an iterative process. Finally, these core stages lead to Proof-of-Concept, which concludes with Post-Engagement.
There is only one path we can take from here:
Table summary: The Information Gathering path involves identifying target systems to get an overview of the target web application or network before proceeding with examination and attacks, especially when the customer provides limited information such as only a domain name or a list of in-scope IP addresses and network ranges.
At this stage in the process, we should have a strong foundation that can be built through the following fundamental modules:
1. Learning Process
Image summary: A conceptual diagram depicting a dark, circuit-board-like surface with six glowing green outlined tiles, each representing a cybersecurity or IT category: Cloud, Wireless, Active Directory/AD, Databases, DDoS Attacks, and Infosec 101.
Table summary: Learning Process. Tier 0 Fundamental General 12 Sections +10 3 hours. This module focuses on understanding the human brain's learning process to increase learning efficiency and avoid common stumbling blocks.
In addition, we need fundamental knowledge about the world's most widely used operating systems. This includes Linux and Windows operating systems. Before we attack these systems, we first need to know how they work, so we can then learn how to best exploit them.
2. Linux Fundamentals
Linux is one of the most stable operating systems today, and ubiquitous in corporate networks. Linux Fundamentals is essential so we learn its structure and can take the appropriate steps to achieve our goals.
Tier 0 Fundamental General 18 Sections +10 6 hours
3. Windows Fundamentals
On the other hand, Windows is one of the more user-friendly operating systems that most companies find in their IT infrastructure. It is essential to understand Windows Fundamentals to be able to handle the operating system in the best possible way and achieve the desired results.
Tier 0 Fundamental General 14 Sections +10 6 hours
All connected systems communicate via different networks, routes, and protocols on the Internet or internal network. To understand how interconnected systems function and communicate, we must work through some theoretical components to understand key functionality and specific terms.
4. Introduction to Networking
Most of the information world is interconnected, and understanding how hosts communicate and find each other on the Internet and within internal networks is another fundamental building block that we must master. Without deep understanding of Networking, we will not be effective in assessing interconnected systems.
Tier 0 Fundamental General 12 Sections +10 3 hours
Web applications represent a separate category. We are comfortable using a web browser and browsing websites. But what happens behind the scenes when we interact with a web application? Before attacking web applications, we must focus on how they function and the processes that occur on the backend when using a web application.
5. Introduction to Web Applications
Image summary: An isometric digital illustration depicting a stylized computer window displaying lines of code. The window is surrounded by floating 3D cubes in shades of green and blue, set against a dark background with faint circuit board patterns.
Table summary: Computer networking on the Internet is standardized across various layers and protocols, with Web Applications being the most common type.
Tier 0 Fundamental General 17 Sections +10 3 hours
6. Web Requests
Image summary: An isometric digital illustration depicting a laptop displaying code and a data graph on its screen, surrounded by floating glowing cubes and circuit-like patterns on a dark background.
Definition
Web Requests: A message sent from a client (like a web browser) to a server requesting a resource, such as a web page or data. These requests include methods (e.g., GET, POST) and headers that provide information about the client and the desired action.
The communication takes place through different types of Web Requests, which the web application processes with specific functions. We will cover various types of web requests and how web browsers use them in the background. Some web server misconfigurations may even grant us access to the system without having to exploit a web application directly.
Tier 0 Fundamental General 8 Sections +10 4 hours
7. JavaScript Deobfuscation
Image summary: A digital illustration of a white, featureless humanoid figure with two dark grey hands covering its eyes. The figure is set against a dark blue background featuring subtle geometric patterns resembling a circuit board.
Definition
Obfuscated: Intentionally made unclear or difficult to understand, often applied to code to obscure its original logic and intent, making reverse engineering or analysis more challenging.
Most web applications nowadays are dynamic and include JavaScript, which we must also be familiar with to handle the dynamics of the web page correctly. JavaScript is a very popular programming language and is often obfuscated to make it difficult for attackers (and defenders) to understand the exact functionality of the code.
Tier 0 Fundamental Defensive 11 Sections +10 4 hours
As we know, large IT networks need to be closely managed and secured. Most companies have a management structure, as managing hundreds or thousands of systems remotely or physically one by one would be unreasonable. For this reason, various technologies exist to facilitate and accelerate remote management of users, systems, and other resources.
8. Introduction to Active Directory
Image summary: A digital illustration featuring a dark book with the text HTB on the spine and HACK THE BOX on the cover, accompanied by a cube logo. A magnifying glass is positioned over the book, with green light streaks and digital particles emanating from the bottom of the book against a dark, circuit-patterned background.
Definition
Active Directory: A directory service developed by Microsoft for Windows domain networks that provides a centralized mechanism for managing network resources, users, and security policies.
Nowadays, most companies use a structured way of managing hundreds or thousands of computers and users. Active Directory is used to simplify and speed up management for administrators.
Tier 0 Fundamental General 16 Sections +10 7 hours
9. Getting Started
Image summary: A blue-toned digital illustration of an astronaut in a spacesuit, waving with one hand. A small, green 3D cube is positioned centrally over the astronaut's helmet visor.
What causes the most significant difficulty for most when starting out? The answer to this is much easier than most may imagine because all we have to do is Get Started. This module includes many tips and tricks for those just starting out, examples of what technologies we will see and what attack methods we will use, and a guided walkthrough of solving a vulnerable box, culminating in solving (for some of us) our first box without assistance.
Tier 0 Fundamental Offensive 23 Sections +10 8 hours
Information Gathering
Information gathering is an essential part of any assessment, because the knowledge we gain, the conclusions we draw, and the steps we take are all based on the information available.
This information must be obtained from somewhere, so it is critical to know how to retrieve it and how best to leverage it based on our assessment goals.
Image summary: A flow diagram outlining the Penetration Testing Process. The process begins with Pre-Engagement, which leads to Information Gathering. From there, the process enters a cyclical core consisting of Vulnerability Assessment, Exploitation, Post-Exploitation, and Lateral Movement, with arrows indicating multi-directional movement between these four stages. This core then leads to Proof-of-Concept, and concludes with Post-Engagement.
From this stage, the next part of our path is clear:
Table summary: Vulnerability Assessment involves using gathered information to identify potential weaknesses through both vulnerability scanners for known issues and manual analysis to discover hidden vulnerabilities.
The information we gather in advance will influence the results of the Exploitation stage. From those results, we can see whether we have collected enough or dug deep enough. Time, patience, and personal commitment all play a significant role in information gathering. This is the point at which many penetration testers are tempted to jump straight into exploiting a potential vulnerability.
This often fails and can lead, among other things, to a significant loss of time. Before attempting to exploit anything, we should have completed thorough information gathering, keeping detailed notes along the way, focusing on things to hone in on once we get to the exploitation stage. Most assessments are time-based, so we don't want to waste time bouncing around, which could lead to us missing something critical. Organization and patience are vital while being as thorough as possible.
10. Network Enumeration with Nmap
Image summary: A digital illustration of a glowing green eye centered against a dark background. The eye is composed of concentric circles of binary code and is surrounded by patterns of circuit board traces and floating strings of binary digits.
Definition
Network Enumeration: The process of actively querying a network to gather information about its hosts, services, and configurations, often as a precursor to identifying potential vulnerabilities.
Suppose we limit our scope to the corporate network infrastructure. In that case, we should know how to perform the Network Enumeration with Nmap, identify the potential targets, and bypass security measures like firewalls, intrusion prevention, and intrusion detection systems (IPS/IDS).
Tier I Easy Offensive 12 Sections +10 7 hours
11. Footprinting
Definition
Footprint: In a network context, a footprint refers to the unique characteristics or traces left by a network service or application that can be identified and analyzed to understand its function and potential weaknesses.
Once we have identified the potential targets, we need to know how the individual services of these hosts can be examined. It is essential to understand what these services are used for, how they can be misconfigured, and how we, as attackers, can exploit them for our purposes. Because every service that communicates via the network leaves its own Footprint that we have to discover, knowing these footprints will give us a more accurate picture of what steps we can take next as we head into the exploitation phase.
Tier II Medium Offensive 20 Sections +20 2 days
12. Information Gathering - Web Edition
Image summary: An isometric digital illustration depicting a data analysis concept. A magnifying glass focuses on a blue, translucent data sheet resting on a platform, with stylized server blocks and glowing green accents in the background against a dark, gridded backdrop.
In most cases, web servers and web applications contain a great deal of information that can be used against them. Since web is a vast technical area in its own right, it will be treated separately. A web server can run many web applications, and some of these applications may be only intended for the developers and administrators.
Therefore, finding these is an essential part of our Information Gathering – Web Edition. We also want to discover as many web applications as possible and gather detailed information on their structure and function which will help inform our attacks.
Tier II Easy Offensive 10 Sections +20 7 hours
Things can become quite complex when we want to find information about a target company on the Internet. After all, sifting through various sources and social media platforms is time-consuming and requires a great deal of attention and patience.
13. OSINT: Corporate Recon
Image summary: A digital illustration featuring a magnifying glass centered over a dark blue background with circuit-like patterns. Inside the lens of the magnifying glass, a futuristic cityscape with tall skyscrapers is visible, surrounded by scattered green glowing dots.
This type of research is called open-source intelligence (OSINT) and has many subcategories. In summary, this process involves gathering information from all publicly available sources. OSINT: Corporate Recon gives us a clear and structured approach that will allow us to work through many different types of data and information sources. A simple example would be finding a private SSH key that allows us to log into the corporate network as an administrator.
Tier IV Hard Offensive 23 Sections +200 2 days
Vulnerability Assessment
The vulnerability assessment stage is divided into two areas. On the one hand, it is an approach to scan for known vulnerabilities using automated tools. On the other hand, it is analyzing for potential vulnerabilities through the information found. Many companies conduct regular vulnerability assessment audits to check their infrastructure for new known vulnerabilities and compare them with the latest entries in these tools' databases.
An analysis is more about thinking outside the box. We try to discover gaps and opportunities to trick the systems and applications to our advantage and gain unintended access or privileges. This requires creativity and a deep technical understanding. We must connect the various information points we obtain and understand the processes behind them.
Image summary: A flow diagram titled Penetration Testing Process illustrating a non-linear workflow. The process begins with Pre-Engagement, leading to Information Gathering. From there, the flow moves to Vulnerability Assessment, which connects via bidirectional arrows to Information Gathering, Lateral Movement, and two vertical paths to Post-Exploitation and Exploitation. Lateral Movement then leads to Proof-of-Concept, which concludes with Post-Engagement.
Table summary: Four stages of a security assessment path and their descriptions. Exploitation occurs when no system access exists but a gap has been identified. Post-Exploitation involves escalating privileges once access to the target system is established. Lateral Movement occurs after initial exploitation, allowing movement through the network to attack other systems, sometimes requiring prior privilege escalation. Finally, Information Gathering is used to dig deeper and gain a more accurate view when current information is insufficient.
The ability to analyze comes with time and experience. However, it also needs to be trained because proper analysis makes connections between different points and information. Connecting this information about the target network or target system and our experience will often allow us to recognize specific patterns. We can compare this to reading. Once we have read certain words often enough, we will know that word at some point and understand what it means just by looking at the letters.
14. Vulnerability Assessment
15. File Transfers
Image summary: An isometric illustration depicting digital data transfer, showing green folder icons moving from a gray server block into a laptop computer against a dark blue background.
Table summary: An overview of the File Transfers module for Windows and Linux hosts. Tier 0 Medium Offensive 8 Sections 3 hours.
16. Shells & Payloads
Image summary: A digital illustration featuring a blue, wireframe 3D model of a Trojan horse enclosed within a green, spherical network of interconnected nodes and lines, set against a dark blue background with subtle geometric patterns.
We also need to know what files we need to transfer to gain initial or further access to the systems. For this, it is necessary to know what Shells & Payloads are. With the help of the transmitted payloads, we get access to the command line of the
Table summary: Adapting shells and payloads to the environment and the targeted system. Tier I Medium Offensive 17 Sections +10 2 days.
17. Using the Metasploit-Framework
In addition, there is a handy framework called Metasploit-Framework that covers many attacks, enumeration, and privilege escalation methods and makes it faster for us to configure and execute them. It can help us speed up our processes and get into the target systems in a semi-automated way. However, before we can do this, we need to understand what this tool is capable of and its limitations.
Tier 0 Easy Offensive 15 Sections +10 5 hours
Exploitation
Exploitation is the attack performed against a system or application based on the potential vulnerability discovered during our information gathering and enumeration. We use the information from the Information Gathering stage, analyze it in the Vulnerability Assessment stage, and prepare the potential attacks. Many companies and systems use the same applications but make different decisions about their configuration. This is because the same application can often be used for various purposes, and each organization will have different objectives.
Image summary: A flow diagram illustrating the Penetration Testing Process. The process begins with Pre-Engagement, leading to Information Gathering. From Information Gathering, the flow moves to Vulnerability Assessment, which then leads to Lateral Movement. Lateral Movement leads to Proof-of-Concept, which concludes with Post-Engagement. Additionally, the diagram shows cyclical and intersecting paths: Information Gathering can lead to Exploitation, which can lead back to Information Gathering, Vulnerability Assessment, or forward to Lateral Movement and Proof-of-Concept. Exploitation also leads to Post-Exploitation, which can loop back to Information Gathering, Vulnerability Assessment, or move forward to Proof-of-Concept.
Table summary: Two available paths following a specific stage. Information Gathering focuses on analyzing the local system to identify vulnerability assessments for privilege escalation, lateral movement, or data exfiltration. Post-Exploitation focuses on escalating privileges to the highest possible rights and encompasses internal stages of Information Gathering, Vulnerability Assessment, Exploitation, and Lateral Movement.
Table summary: Two potential paths for progression after initial access. Lateral Movement involves using a dual-homed system with highest privileges to enumerate previously unavailable hosts. The Proof-of-Concept path follows gaining highest privileges on an internal system, such as Domain Admin privileges in an Active Directory environment, to detail and automate network activities for the technical department.
This stage is so comprehensive that it has been divided into two distinct areas. The first category is general network protocols often used and present in almost every network. The actual exploitation of the potential and existing vulnerabilities is based on the adaptability and knowledge of the different network protocols we will be dealing with.
In addition, we need to be able to create an overview of the existing network to understand its individual components' purposes. In most cases, web servers and applications contain a great deal of information that can be used against them. As stated previously, since web is a vast technical area in its own right, it will be treated separately.
We are also interested in the remotely exposed services running on the target hosts, as these may have misconfigurations or known public vulnerabilities that we can leverage for initial access. Finally, existing users also play a significant role in the overall network.
18. Password Attacks
Image summary: A digital illustration depicting a large metal hammer poised to strike a small, futuristic, cube-shaped device. The device is white and lime green with mechanical components and wires, and it is encased within a translucent blue spherical energy field against a dark, circuit-patterned background.
Table summary: Password Attacks for Windows and Linux systems, using usernames and passwords found during information gathering to authenticate to systems and applications. Tier I Medium Offensive 18 Sections +10 8 hours.
19. Attacking Common Services
Image summary: A digital illustration depicting a glowing blue globe of Earth cradled between two large, translucent blue hands against a dark, grid-patterned background. The globe is surrounded by concentric circular lines and small red nodes, suggesting a network or global connectivity.
Due to the variety of attacks that can be carried out, attacks on specific network services and web applications differ. Therefore, these are separated into different modules, as many specific attacks can only be carried out against web applications. However, there are many essential network services that can almost always be found in any corporate network. Therefore, knowing how to Attack Common Services is another major concept that needs to be covered in detail.
Tier II Medium Offensive 19 Sections +20 8 hours
20. Pivoting, Tunneling & Port Forwarding
When Pivoting, the exploited system is used as a node between the external and internal networks or between different internal networks. This is used to communicate with the internal systems to which we can usually not establish a direct connection from the Internet or another host in the internal network. It does not matter whether these are hosted on-premise or in the cloud.
Network access and restrictions can be configured to and from specific hosts, even in the cloud. Tunnels must also be created to be able to transfer data securely. Port forwarding is often used to forward a local port to the port of an exploited system.
21. Active Directory Enumeration & Attacks
Web Exploitation
Web exploitation is the second part of the exploitation stage. Many different technologies, improvements, features, and enhancements have been developed in this area over the last few years, and things are constantly evolving. As a result, many different components come into play when dealing with web applications.
This includes many kinds of databases that require differing command syntax to interact with. Due to the diversity of web applications available to companies and their prevalence worldwide, we must deal with this area separately and focus intently on it. Web applications present a vast attack surface and are often the main accessible targets during external penetration testing engagements, so strong web enumeration and exploitation skills are paramount.
22. Using Web Proxies
Image summary: A digital illustration of four isometric server racks arranged in a cluster, with three floating data panels above them, all set against a dark blue background with circuit-like patterns.
Web servers and web applications work based on the HTTP/HTTPS protocol. Like other protocols, this protocol has a fixed structure for requests and responses. We will focus on Using Web Proxies to analyze and manipulate these requests. The way these requests and their HTTP headers can be manipulated plays a significant role in the results we can get from them. Even the absence of specific HTTP headers, or too many allowed HTTP methods, can quickly and easily put the web server or web application at risk.
Tier II Easy Offensive 15 Sections +20 8 hours
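The points made about Web Requests (methods and headers) and about Using Web Proxies (missing headers, over-permissive methods) can be checked mechanically on a captured response. The script below is an added example, not code from HTB Academy or from any of its modules: it parses a raw HTTP/1.1 response of the kind a web proxy displays, reports hardening headers that are absent, flags version disclosure in the Server header, and lists risky methods advertised in Allow. The sample response is constructed, and the header list and the set of "risky" methods are assumptions drawn from common hardening guidance, not from the modules.

```python
"""Audit a raw HTTP response for weak header configuration.

Added example, not HTB Academy's own code. SAMPLE_RESPONSE is constructed;
EXPECTED_HEADERS and RISKY_METHODS are an assumed policy, not a module list.
"""
from typing import Dict, List, Tuple

# Constructed sample response, as a web proxy would display it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 13\r\n"
    "\r\n"
    "<html></html>"
)

# Response headers whose absence weakens browser-side protections (assumed policy).
EXPECTED_HEADERS = (
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "Content-Security-Policy",
    "X-Frame-Options",
)

# Methods that should rarely be enabled on a public web server (assumed policy).
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}


def parse_response(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw response into status line, headers (lower-cased names) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed header lines that have no colon
            headers[name.strip().lower()] = value.strip()
    return status_line, headers, body


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Report missing hardening headers and version disclosure."""
    findings: List[str] = []
    for name in EXPECTED_HEADERS:
        if name.lower() not in headers:
            findings.append(f"missing header: {name}")
    server = headers.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(f"version disclosure in Server header: {server}")
    return findings


def audit_methods(headers: Dict[str, str]) -> List[str]:
    """Return the risky methods advertised in the Allow header, sorted."""
    allow = headers.get("allow", "")
    methods = {m.strip().upper() for m in allow.split(",") if m.strip()}
    return sorted(methods & RISKY_METHODS)


def audit_response(raw: str) -> Dict[str, List[str]]:
    """Run both audits over one raw response."""
    _, headers, _ = parse_response(raw)
    return {"headers": audit_headers(headers), "risky_methods": audit_methods(headers)}


if __name__ == "__main__":
    for category, items in audit_response(SAMPLE_RESPONSE).items():
        print(category, items)
```

On the constructed response the audit reports all four expected headers missing, the version string in Server, and PUT, DELETE and TRACE in Allow. Header names are compared case-insensitively because HTTP header names are not case-sensitive; the values are left untouched.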
23. Attacking Web Applications with Ffuf
Image summary: A digital illustration of a laptop on a dark background with a maze-like pattern. A bright green, translucent, three-dimensional shape emerges from the screen and keyboard, creating a folded, geometric effect.
After learning which attack methods these web applications can be subject to, we can use many of these attack methods and start Attacking Web Applications with Ffuf. Since every web server and application works with many different parameters due to its link with the database, these parameters can be discovered manually and automatically. For this purpose, there are procedures and different possibilities that allow us to find these parameters to exploit further possible vulnerabilities.
Tier 0 Easy Offensive 13 Sections +10 5 hours
24. Login Brute Forcing
Authentication mechanisms are a vital target. Almost all web applications that offer any kind of user-specific functionality rely on some sort of authentication mechanism. Using these, we can gain access to different user accounts with the help of specific vulnerabilities. One of the most effective ways of gaining access is through Login Brute Forcing.
Tier II, Easy, Offensive, 11 Sections, +20, 6 hours
25. SQL Injection Fundamentals
Whether it manages products or users, almost every web application works with at least one database. This database is linked to the web application in some way and may open up another attack category called SQL Injection. With an understanding of SQL Injection Fundamentals, we can manipulate or exploit the database for our purposes by abusing functionality contained within the web application.
Tier 0, Medium, Offensive, 17 Sections, +10, 8 hours
26. sqlmap Essentials
Many of the attacks against web application databases are automated in a tool called sqlmap, which should therefore also be learned to speed up our process after manual inspection. sqlmap Essentials teaches how to apply the tool appropriately and adapt it to the web application.
Tier II, Easy, Offensive, 11 Sections, +20, 8 hours
27. Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) is another of the most common attack categories. These vulnerabilities can be leveraged to launch various attacks, such as phishing, session hijacking, and others. Among other things, we can also potentially take over the web sessions of other users or even administrators.
Tier II, Easy, Offensive, 10 Sections, +20, 6 hours
28. File Inclusion
Depending on the web server configuration and the web application, some vulnerabilities allow us some type of File Inclusion. For example, we may be able to read files on the target system or include our own files to execute code without being granted access by the developers or administrators.
Tier 0, Medium, Offensive, 11 Sections, +10, 8 hours
29. Command Injections
We do not always need to attack the database using SQL Injection or XSS. Often, direct Command Injections can be used to execute system commands. Some command injections are easier to spot than others, which may require advanced knowledge of identifying and bypassing the filters in place.
Tier II, Medium, Offensive, 12 Sections, +20, 6 hours
30. Web Attacks
Table summary: Other top-10 critical vulnerabilities, such as HTTP Verb Tampering, IDOR, and XXE, are covered as advanced Web Attacks that require bypassing security filters and encodings.
Tier II, Medium, Offensive, 18 Sections, 2 days
31. Attacking Common Applications
Common web applications might be customized by administrators but are nevertheless used worldwide. Therefore, it is also essential to know how to Attack Common Applications.
Tier II, Medium, Offensive, 22 Sections, +20, 2 days
Post-Exploitation
In most cases, when we exploit certain services for our purposes to gain access to the system, we usually do not obtain the highest possible privileges. Because services are typically configured in a certain way "isolated" to stop potential attackers, bypassing these restrictions is the next step we take in this stage. However, it is not always easy to escalate the privileges. After gaining in-depth knowledge about how these operating systems function, we must adapt our techniques to the particular operating system and carefully study how Linux Privilege Escalation and Windows Privilege Escalation work.
Image summary: A process diagram illustrating the Penetration Testing Process. The workflow begins with Pre-Engagement, leading to Information Gathering. From Information Gathering, the process can move to Vulnerability Assessment, which then leads to either Exploitation or Lateral Movement. Exploitation can lead to Post-Exploitation or Lateral Movement. Post-Exploitation can loop back to Information Gathering or move forward to Proof-of-Concept. Lateral Movement also leads to Proof-of-Concept. The final stage is Post-Engagement.
Table summary: Three potential paths for escalating privileges and moving through a system. The essential first step is Information Gathering / Pillaging, which provides an overview of the system and leads to vulnerability assessment. From there, one can move to Exploitation, using sensitive information to execute commands via higher-privilege applications or services, or skip directly to Lateral Movement, such as using a dual-homed system to enumerate previously unavailable hosts.
Table summary: The Proof-of-Concept path involves using notes to detail and potentially automate the activities and paths used to gain the highest privileges, such as Domain Admin privileges in an Active Directory environment, to make them available to the technical department.
After we have gained access to a system, we must be able to take further steps from within it. During a penetration test, customers often want to find out how far an attacker could go in their network. There are many different versions of operating systems. For example, we may run into Windows XP, Windows 7, 8, 10, 11, and Windows Server 2008, 2012, 2016, and 2019. There are also many distributions of Linux-based operating systems, such as Ubuntu, Debian, Parrot OS, Arch, Deepin, Red Hat, Pop!_OS, and others. No matter which of these systems we get into, we have to find our way around it and understand the individual weak points that a system can have from within.
32. Linux Privilege Escalation
The vast majority of web servers that make up the World Wide Web run Linux. In addition, we will find many Linux-based servers hosting critical infrastructure services that individuals and organizations use to be more productive and efficient in their daily work. Because of this widespread use of Linux, we must understand its fundamentals. There are many ways to misconfigure Linux systems. Discovering these flaws and taking advantage of them to escalate privileges is covered in Linux Privilege Escalation.
Tier II, Easy, Offensive, 28 Sections, +20, 8 hours
33. Windows Privilege Escalation
Lateral Movement
Lateral movement is one of the essential components for moving through a corporate network. We can use it to pivot to other internal hosts and further escalate our privileges within the current subnet or another part of the network. However, just like Pillaging, the Lateral Movement stage requires access to at least one of the systems in the corporate network. The privileges gained in the Exploitation stage do not play a critical role at first, since we can also move through the network without administrator rights.
Image summary: A flow diagram illustrating the Penetration Testing Process. The process begins with Pre-Engagement, leading to Information Gathering, which then feeds into Vulnerability Assessment. From Vulnerability Assessment, the path leads to Post-Exploitation, which can then lead to Lateral Movement. Lateral Movement can feed back into Post-Exploitation or move forward to Proof-of-Concept. Finally, Proof-of-Concept leads to Post-Engagement. Bi-directional arrows also exist between Information Gathering and Vulnerability Assessment, and between Vulnerability Assessment and Lateral Movement.
Image summary: A diagram showing a central circle labeled Exploitation, with several arrows pointing toward it from other elements above, and a dotted arrow pointing away from it toward the upper right.
Table summary: Three potential paths to take from the current stage of a penetration test. These include moving to Vulnerability Assessment to analyze obtained information for exploitable authentication mechanisms, returning to Information Gathering / Pillaging for local data collection on a newly accessed system after lateral movement, or proceeding to Proof-of-Concept to summarize findings and automate demonstrations of the vulnerabilities discovered.
Since both Lateral Movement and Pillaging require access to an already exploited system, these techniques and methods are covered in different modules, such as Getting Started, Linux Privilege Escalation, and Windows Privilege Escalation, and many others.
Proof-of-Concept
The Proof-of-Concept (PoC) is merely proof that a vulnerability found exists. As soon as the administrators receive our report, they will try to confirm the vulnerabilities found by reproducing them. After all, no administrator will change business-critical processes without confirming the existence of a given vulnerability.
A large network may have many interoperating systems and dependencies that must be checked after making a change, which can take a considerable amount of time and money. Just because a pentester found a given flaw, it doesn't mean that the organization can easily remediate it by just changing one system, as this could negatively affect the business. Administrators must carefully test fixes to ensure no other system is negatively impacted when a change is introduced. PoCs are sent along with the documentation as part of a high-quality penetration test, allowing administrators to use them to confirm the issues themselves.
Image summary: A flow diagram illustrating the Penetration Testing Process. The process begins with Pre-Engagement, leading to Information Gathering. From Information Gathering, the flow moves to Vulnerability Assessment. The process then enters a cyclical core consisting of Vulnerability Assessment, Post-Exploitation, Lateral Movement, and Exploitation, with bidirectional arrows connecting these four stages. Finally, the process flows from Post-Exploitation, Lateral Movement, and Exploitation toward Proof-of-Concept, which concludes with Post-Engagement.
Table summary: The Post-Engagement path involves optimizing and improving documentation through an intensive review before sending it to the customer.
When we already have all the information we have collected and have used the vulnerability to our advantage, it does not take much effort to automate the individual steps for this.
34. Introduction to Python 3
Table summary: Introduction to Python 3 is recommended for automation and vulnerability exploitation, since the language is powerful and easy to learn.
Tier I, Easy, General, 14 Sections, +10, 5 hours
Post-Engagement
The Post-Engagement stage also includes cleaning up the systems we exploit so that none of these systems can be exploited using our tools. For example, leaving a bind shell on a web server that does not require authentication and is easy to find will do the opposite of what we are trying to do. In this way, we endanger the network through our carelessness. Therefore, it is essential to remove all content that we have transferred to the systems during our penetration test so that the corporate network is left in the same state as before our penetration test. We also should note down any system changes, successful exploitation attempts, captured credentials, and uploaded files in the appendices of our report so our clients can cross-check this against any alerts they receive to prove that they were a result of our testing actions and not an actual attacker in the network.
In addition, we have to reconcile all our notes with the documentation we have written in the meantime to make sure we have not skipped any steps and can provide a comprehensive, well-formatted and neat report to our clients.
35. Documentation & Reporting
We need to understand proper Documentation and Reporting: how to stay organized and take detailed notes, and how to write effectively and deliver high-quality client deliverables. Practice in this area will simplify the preparation of our reports and save us considerable time. This module also helps us optimize our note-taking and organization, which we must adapt to our needs to work as efficiently as possible.
Tier II, Easy, General, 8 Sections, +20, 2 days
36. Attacking Enterprise Networks
It is essential to get and keep an overall view of all these stages, their contents, and possible challenges. Attacking Enterprise Networks can be a daunting task, and we can get lost in the diversity of our options and overlook some of the essentials. Instead, we need to familiarize ourselves with how to attack such large networks and what vulnerabilities may exist when a network contains a large number of systems.
Tier II, Medium, Offensive, 14 Sections, +20, 2 days
Now that we have covered the general layout of Academy modules with regard to the penetration testing process, we will briefly discuss how exercises and questions are presented in HTB Academy.