Certified Penetration Testing Specialist

Number Title Module My notes Machines Lab resolution
01 Penetration Testing Process and Getting Started Penetration Testing Process 6 hours Getting started
02 Network Enumeration with Nmap (Almost) all about nmap Machines
Lame E
Legacy E
Devel E
Popcorn M
Beep E
Optimum E
Bastard M
Tenten M
Arctic E
Cronos M
Grandpa E
Granny E
October M
Brainfuck I
Network Enumeration with nmap
03 Footprinting Introduction to footprinting
Infrastructure and web enumeration
Some services: FTP, SMB, NFS, DNS, SMTP, IMAP/POP3, SNMP, MySQL, Oracle TNS, IPMI, SSH, RSYNC, R Services, RDP, WinRM, WMI
2 days Footprinting
04 Information Gathering - Web Edition Information Gathering - Web Edition. With tools such as Gobuster, ffuf, Burp Suite, Wfuzz, feroxbuster, OWASP WSTG-INFO-02, Google Dorks. More tools for recon: finalrecon 7 hours Information Gathering
05 Vulnerability Assessment Vulnerability Assessment:
Nessus, Openvas
2 hours Vulnerability assessment
06 File Transfer techniques File Transfer Techniques:
Linux, Windows, Code: netcat, python, php and others, Bypassing file upload restrictions, File encryption, Evading techniques when transferring files, LOLBAS (Living Off The Land Binaries and Scripts)
3 hours File Transfers
07 Shells & Payloads Bind shells, Reverse shells, Spawn a shell, Web shells (Laudanum and nishang), Windows footprinting 2 days Shell & Payloads
08 Using the Metasploit Framework Metasploit, Msfvenom 5 hours Using the Metasploit Framework
09 Password Attacks Password attacks
Linux
Lateral movements in Active Directory from Linux
Crack sensitive files: Linux
8 hours Password attacks
10 Attacking Common Services Common services: FTP
SMB (tools: smbclient, smbmap, rpcclient, Samba Suite, CrackMapExec, impacket-smbexec, impacket-psexec), Databases (MySQL and Attacking MySQL, MSSQL and Attacking MSSQL), log4j, RDP, DNS, SMTP, IMAP/POP protocols, postfix, swaks
Exploitation & Lateral Movement.
Machines:
- Rabbit
- SneakyMailer
- Reel
Attacking Common Services
11 Pivoting, Tunneling, and Port Forwarding Pivoting, Tunneling, and Port Forwarding Exploitation & Lateral Movement.
Machines:
- Enterprise IppSec Walkthrough
- Inception IppSec Walkthrough
- Reddish IppSec Walkthrough
Pivoting, Tunneling, and Port Forwarding
12 Active Directory Enumeration & Attacks Active Directory
From Linux:
- Enumeration,
- Attacks,
- Lateral Movements,
- Privilege Escalation.
From Windows:
- Enumeration,
- Attacks,
- Privilege Escalation.
Tools:
- PowerShell
- Active Directory PowerShell module
- Enumeration with LDAP queries
- PowerView.ps1 from the PowerSploit project (PowerShell)
- The ActiveDirectory PowerShell module (PowerShell)
- BloodHound (C# and PowerShell collectors)
- SharpView (C#)
- kerbrute
- CrackMapExec
- enum4linux
Machines
Mantis H
Fulcrum I
Rabbit I
Reel H
Active E
Sizzle I
Luke M
Heist E
Forest E
Resolute M
Monteverde M
Sauna E
Multimaster I
Cascade M
ServMon E
Blackfield H
Fuse M
Worker M
Reel2 H
APT I
Tentacle H
PivotAPI I
Intelligence M
Bolt M
Return E
Active Directory Enumeration & Attacks
13 Using Web Proxies Proxies: burpsuite, zap-proxy, proxychains 8 hours Using Web proxies
14 Attacking Web Applications with Ffuf ffuf 5 hours Attacking Web Applications with Ffuf
15 Login Brute Forcing Brute forcing
Hydra
Medusa
Username-anarchy
CUPP
6 hours Login Brute Forcing
16 SQL Injection Fundamentals SQL injection:
- Detailed SQLi cheat sheet for manual attacks
- SQL injection
- NoSQL injection
- SQLite injections
8 hours SQL Injection Fundamentals
17 SQLMap Essentials 8 hours SQLMap Essentials
18 Cross-Site Scripting (XSS) XSS 6 hours Cross-Site Scripting (XSS)
19 File Inclusion File inclusion:
- Local File Inclusion
- Remote File Inclusion
- Log poisoning
8 hours File Inclusion
20 File Upload Attacks Arbitrary File uploads 8 hours File Upload Attacks
21 Command Injections Command injections 6 hours Command injections
22 Web Attacks Web exploitation:
- HTTP Verb Tampering
- IDOR
- XXE (XML External Entity) attacks
2 days Web attacks
23 Attacking Common Applications Common applications:
- WordPress
- Joomla
4 days Web Exploitation
24 Linux Privilege Escalation 8 hours Post-Exploitation
25 Windows Privilege Escalation 4 days Post-Exploitation
26 Documentation & Reporting 2 days Reporting & Capstone
27 Attacking Enterprise Networks 2 days Reporting & Capstone

Practicing Steps

Starting point:

  • 3x Retired Machines: we recommend choosing two easy and one medium machines. At the end of each module, you will find recommended retired machines to consider that will help you practice the specific tools and topics covered in the module. These hosts will share one or more attack vectors tied to the module.
  • 5x Active Machines: After building a good foundation with the modules and the retired machines, we can venture to two easy, two medium, and one hard active machine. We can also take these from the corresponding module recommendations at the end of each module in Academy.
  • 1x Pro Lab / Endgame: These labs are large multi-host environments that often simulate enterprise networks of varying sizes similar to those we could run into during actual penetration tests for our clients.

After finishing all of the above, there are still many other checkboxes that we need to complete to keep learning, and Hack The Box is full of learning opportunities. Here are some ideas:

  • Root a Retired Easy Box
  • Root a Retired Medium Box

Once we have completed 5-10 Easy/Medium retired boxes, we should be able to complete our first Easy box without following a full walkthrough.

  • Root an Active Box
  • Complete an Easy Challenge
  • Share a Walkthrough of a Retired Box
  • Complete Offensive Academy Modules
  • Root Live Medium/Hard Boxes
  • Complete a Track
  • Win a Hack The Box Battlegrounds Battle
  • Complete a Pro Lab

Last update: 2025-02-02
Created: November 27, 2023 14:56:56