Solving HTB machines isn’t really about knowing one magic command or having hundreds of tricks memorized. Beginners often assume that fast solvers are just “better at hacking.” They’re not. Most of them follow a repeatable mindset: observe, form a hypothesis, test it, avoid rabbit holes, and connect small clues together.
A CTF box is designed as a path. Your job is to find it, piece by piece.
Stop Asking “What Tool Should I Use?” Start Asking “What Do I Need to Know?”
The biggest beginner mistake is tool-first thinking.
You see a target and immediately think:
- nmap
- gobuster
- nikto
- sqlmap
- linpeas
Tools are essential, but if you don’t understand why you’re running them, the output becomes noise. The better approach is question-first thinking.
Instead of: Which command should I run? Ask: What do I need to know about this machine?
| Question | Tool/Technique |
|---|---|
| What ports are open? | Nmap |
| What services are running? | Service enumeration |
| Is there a website? | Browser, curl, whatweb |
| Are there hidden directories? | Gobuster, ffuf |
| Is there a login page? | Manual testing, default creds, SQLi |
| Can I upload files? | File upload testing |
| Can I execute commands? | RCE testing |
| Can I reuse credentials? | SSH, SMB, FTP, database login |
| How do I become root/admin? | Privilege escalation enumeration |
Tools answer questions. Don’t reverse that order.
Understand the Basic Flow of Most HTB Machines
Most beginner and intermediate HTB boxes follow a broad structure:
Reconnaissance → Enumeration → Foothold → User Access → Privilege Escalation → Root/Admin
Not every box is easy or linear, but the logic usually holds.
Reconnaissance
You figure out what’s exposed.
nmap -sC -sV -oN nmap.txt <target-ip>
Look for open ports, service versions, hostnames, web servers, SMB shares, FTP access, SSH, databases, or anything unusual.
Enumeration
You dig into what you found.
Port 80 open? Browse the site. SMB open? List shares. FTP open? Check anonymous login. Domain name shows up? Add it to /etc/hosts. Web app has login functionality? Poke at how it behaves.
Enumeration is where most boxes actually get solved.
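As an added example (not code from the original post), here is a small Python script that turns the output of the `nmap -sC -sV -oN nmap.txt` step into the question-first enumeration checklist described above; the scan text, the IP 10.10.10.5 and the hostname example.htb are constructed for the demonstration.

```python
import re

# Constructed sample of `nmap -sC -sV -oN nmap.txt` normal output (not a real scan).
SAMPLE_NMAP = """\
# Nmap 7.94 scan initiated as: nmap -sC -sV -oN nmap.txt 10.10.10.5
Nmap scan report for 10.10.10.5
PORT    STATE SERVICE VERSION
21/tcp  open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http    nginx 1.18.0
|_http-title: Did not follow redirect to http://example.htb/
445/tcp open  netbios-ssn Samba smbd 4.6.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# One "PORT/proto STATE SERVICE VERSION" row of the scan.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# Hostnames leaked in script output (redirects, titles); they belong in /etc/hosts.
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

# Service name -> the enumeration question the post asks for that service.
NEXT_STEP = {
    "http": "Browse the site; look for hidden directories",
    "ftp": "Check anonymous login",
    "netbios-ssn": "List shares",
    "ssh": "Hold for credential reuse later",
}

def parse_nmap(text):
    """Return (open_ports, hostnames) extracted from nmap normal output."""
    ports, hostnames = [], set()
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            ports.append({"port": int(m.group(1)), "service": m.group(4),
                          "version": m.group(5).strip()})
        hostnames.update(HOST_RE.findall(line))
    return ports, sorted(hostnames)

def enumeration_plan(text):
    """Turn the scan into a question-first checklist, one item per open port."""
    ports, hostnames = parse_nmap(text)
    plan = [f"{p['port']}/{p['service']} ({p['version'] or 'unknown version'}): "
            f"{NEXT_STEP.get(p['service'], 'Identify the service and enumerate it manually')}"
            for p in ports]
    plan += [f"Hostname {h}: add it to /etc/hosts before browsing" for h in hostnames]
    return plan
```

Calling `enumeration_plan(SAMPLE_NMAP)` returns one checklist line per open port plus a hosts-file reminder for every hostname the scan revealed.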
Foothold
You find a way in — execute code, steal credentials, upload a shell, abuse a misconfiguration, or log in as a low-privileged user.
Common footholds:
- Weak credentials
- SQL injection
- File upload vulnerability
- Command injection
- LFI/RFI
- Public exploit
- Exposed backup file
- Leaked SSH key
- Misconfigured service
- CMS vulnerability
- Default credentials
User Access
Once you have a shell or credentials, stabilize and understand your context.
Ask:
- Who am I?
- What groups am I in?
- What files can I read?
- What services are running locally?
- Are there credentials in config files?
- Is there another user?
Privilege Escalation
This is where you move from low-privileged user to root or administrator.
Common Linux paths:
- sudo misconfiguration
- SUID binaries
- writable scripts
- cron jobs
- PATH hijacking
- capabilities
- kernel exploits
- Docker/LXD group abuse
- password reuse
- SSH keys
- backup files
- misconfigured services
Common Windows paths:
- Service misconfiguration
- AlwaysInstallElevated
- Unquoted service paths
- Weak permissions
- Stored credentials
- SeImpersonatePrivilege
- Scheduled tasks
- Registry secrets
- Credential reuse
- AD misconfiguration
Treat privilege escalation as another enumeration problem, not a guessing game.
Box: Pilgrimage (Easy Linux) — The foothold comes from a hidden .git directory exposed on port 80. Dumping the repo leaks the full PHP source, which shows ImageMagick is called directly on user uploads with no version pin. Running identify --version confirms 7.1.0-49, vulnerable to CVE-2022-44268. Crafting a PNG with a malicious tEXt chunk set to /etc/passwd causes the resized output to embed the file contents as raw hex in the EXIF data. Decode it, grab the emily hash, crack it offline with rockyou in under 90 seconds, SSH in as emily. Privesc from there involves a root-owned Bash script in /usr/sbin/malwarescan.sh calling binwalk on every file in the uploads folder — and binwalk 2.3.2 is exploitable via CVE-2022-4510. Drop a crafted PFS file into uploads, wait for the cron, get a root shell back on your listener…
The rest of this post is for members.