Pentest Learning Roadmap

Started 19 Mar 2026
Target 17 May 2026
Pace 4 days / unit
Units 12

After every box — fill in Box-Template.md including "what took me longest"

Stuck 45+ mins — write down everything tried, then take one hint

Watch IppSec walkthrough after solving, never before

If the rotation opens up — drop HTB, do the real work, come back in the gaps

Overall progress 0 / 12 units

Already complete

✓ Getting Started
✓ Pen Test Process
✓ Starting Point Tier 0
✓ Starting Point Tier 1
✓ Starting Point Tier 2
✓ Box — CCTV
✓ Box — Facts

Phase 1 — Units 1–3: Enumeration and web basics
Goal: foothold on Easy box without hints

Unit 1 — 19–22 Mar — same
Module: Network Enumeration with Nmap
  The module you hit the paywall on — now unlocked. All-port scanning, version detection, script scanning, OS detection.
Box: Lame (Linux)
  nmap reveals Samba version → searchsploit → exploit. Cleanest possible test of that loop with no web complexity.

Unit 2 — 23–26 Mar — same
Module: Web Requests + Intro to Web Applications
  HTTP methods, headers, cookies. Reading source code and a web app as an attacker.
Box: Nibbles (Linux)
  Web enum → login → file upload foothold → sudo privesc. No pre-built exploit — find the upload vector yourself.

Unit 3 — 27–30 Mar — same
Module: Using Web Proxies (Burp Suite)
  Intercept, Repeater, Decoder — deliberate Burp use. Re-document your Facts password reset step by step in your own words.
Box: Shocker (Linux)
  Shellshock via CGI. Read HTTP headers carefully and craft a manual payload — forces you to understand what you're sending.

Milestone 1: Can enumerate fully and get a foothold on an Easy box without hints

Phase 2 — Units 4–6: Foothold depth + AD foundations in parallel
Goal: exploit manually before reaching for a script

Unit 4 — 31 Mar–3 Apr — same
Module: File Inclusion + Command Injections
  LFI/RFI and command injection. Vulnerability classes that often have no CVE number.
Box: Beep (Linux)
  Multiple foothold paths — deliberately take the LFI path to reinforce the module.

Unit 5 — 4–7 Apr — AD early
Module: Intro to Active Directory + SQLi Fundamentals
  Read AD conceptually now so it's not foreign if the rotation opens up. SQLi alongside — you've used sqlmap, now understand what it's actually doing.
Box: Jerry (Windows)
  First real Windows box. Default creds → WAR file upload → shell. WAR deployment appears constantly in enterprise Java environments.

Unit 6 — 8–11 Apr — same
Module: Password Attacks + Metasploit Framework
  Hashcat modes in depth. Metasploit as a deliberate tool, not a crutch.
Box: Blue (Windows) → Legacy (Windows)
  Blue with Metasploit. Legacy without. Same vuln family — second box shows what Metasploit was hiding.

Milestone 2: Can exploit a web vulnerability manually before reaching for a script. Comfortable on Windows.

Phase 3 — Units 7–9: Privilege escalation
Goal: root/SYSTEM unassisted on Linux or Windows

Unit 7 — 12–15 Apr — same
Module: Linux Privilege Escalation
  sudo, SUID, cron, writable PATH, capabilities. Map to your Facts and CCTV notes.
Box: Bashed (Linux)
  Enumerate manually before LinPEAS. The privesc is subtle — sudo scriptmanager abuse.

Unit 8 — 16–19 Apr — same
Module: Windows Fundamentals + Windows PrivEsc
  Filesystem, registry, services, token impersonation, UAC bypass.
Box: Devel (Windows)
  FTP write → IIS shell → token impersonation. Appears on almost every Windows engagement.

Unit 9 — 20–23 Apr — same
Module: Shells and Payloads + Pivoting
  msfvenom, bind vs reverse, shell stabilisation, port forwarding properly.
Box: Optimum (Windows) + Valentine (Linux)
  Optimum: craft payload manually. Valentine: tmux session hijack — high value for enterprise work.

Milestone 3: Can get root/SYSTEM on an Easy box unassisted, Linux or Windows, without automated tools as a crutch

Phase 4 — Units 10–12: Active Directory
Goal: chain to Domain Admin — associate level

Unit 10 — 24–27 Apr — AD early
Module: AD Enumeration and Attacks (start)
  Kerberoasting, AS-REP roasting, BloodHound. You already read the conceptual module in Unit 5 so this lands faster.
Box: Forest (Easy AD)
  Best introductory AD box on the platform. Teaches BloodHound — a tool you'll use on every AD engagement for the rest of your career.

Unit 11 — 28 Apr–1 May — same
Module: AD Enumeration and Attacks (finish)
  Pass-the-Ticket, ACL abuse, DCSync, lateral movement.
Box: Active (Easy AD)
  GPP creds → Kerberoast Administrator. Still appears in legacy enterprise environments. Two-stage chain.

Unit 12 — 2–5 May — same
Module: Documentation and Reporting
  Enterprise report structure, evidence capture, severity ratings, executive summaries. Formalises what you're already doing well.
Box: Sauna (Easy AD)
  Full AD chain end to end. Then write a professional report for Forest or Sauna — this is portfolio material for interviews.

Milestone 4: Can enumerate an AD environment, use BloodHound, and chain to Domain Admin — associate level

Key references

Claude-Pentest-Guide folder