Penetration Testing Notes

This page groups my penetration testing notes into one route: reconnaissance, enumeration, exploitation, privilege escalation, Active Directory, tunneling, and attack-chain development.

The goal is not to define penetration testing in abstract terms.
The goal is to connect the notes and labs that I actually use while studying and practicing offensive security.

Penetration Testing Workflow

My notes follow a simple sequence:

1. Reconnaissance and service discovery.
2. Enumeration and attack surface validation.
3. Exploitation and foothold.
4. Privilege escalation.
5. Pivoting, tunneling, and post-exploitation.
6. Active Directory and multi-host attack chains.

Core Study Notes

The main body of my penetration testing notes is the OSCP PEN-200 series:

• OSCP PEN-200 Part 1 for recon, enumeration, vulnerability scanning, web attacks, and client-side exploits.
• OSCP PEN-200 Part 2 for exploit development, antivirus evasion, password attacks, and NTLM abuse.
• OSCP PEN-200 Part 3 for Windows privilege escalation and credential attacks.
• OSCP PEN-200 Part 4 for Linux privilege escalation, port redirection, and tunneling.
• OSCP PEN-200 Part 5 for SSH tunneling, DNS/HTTP tunneling, and Metasploit usage.
• OSCP PEN-200 Part 6 for Active Directory enumeration, PowerView, object permissions, and NTLM/Kerberos attacks.
• OSCP PEN-200 Part 7 for lateral movement, PtH/PtT/PtK, AD persistence, and AWS reconnaissance.
• OSCP PEN-200 Part 8 for cloud infrastructure attacks, Gitea, Jenkins, and simulated penetration testing flow.

If you want a compact operational reference, use the OSCP PEN-200 Cheat Sheet.

Lab Writeups That Support the Method

Practical penetration testing requires more than note-taking. These lab writeups show how the workflow looks on real targets:

• HackTheBox: Sau
• HackTheBox: Heal
• HackTheBox: Titanic
• HackTheBox: UnderPass
• HackTheBox: Pilgrimage
• HackTheBox: LinkVortex
• HackTheBox: Dog
• HackTheBox: Code
• HackTheBox: Codify

Each writeup captures a slightly different penetration testing pattern: web entry, service abuse, local privilege escalation, or a longer attack chain.

Active Directory and Multi-Host Work

For AD-focused penetration testing, these are the most relevant pages:

• OSCP PEN-200 Part 6
• OSCP PEN-200 Part 7
• HackTheBox: EscapeTwo [Active Directory]
• HackTheBox: Puppy [Active Directory]
• HackTheBox: TheFrizz [Active Directory]

This is where the site starts moving away from basic single-host exploitation and into more realistic operator workflow.

Web Security Inside Penetration Testing

A large part of penetration testing is still web application work.
For that branch, continue with Web Security Notes: Web Recon, XSS, SSTI, SSRF, IDOR, and Exploitation Cases.

Binary and Supporting Notes

Some supporting articles are not pure pentest methodology pages, but they are still useful during study and exploitation work:

• GDB & Binary Exploitation
• Git 介紹 & 常用操作
• LNMP (Linux + Nginx + MySQL + PHP) 架設伺服器

Recommended Reading Path

If you want the shortest useful path through these penetration testing notes:

1. OSCP PEN-200 Part 1
2. OSCP PEN-200 Part 3
3. OSCP PEN-200 Part 4
4. OSCP PEN-200 Part 6
5. OSCP PEN-200 Cheat Sheet

Author Context

These penetration testing notes are maintained by CHW, with offensive security study spanning OSWA, OSCP+, lab work, CTFs, and security engineering experience.
For profile details, see About.

If you want the operator-focused subset of this material, continue with Red Team Notes: OPSEC, Lateral Movement, AD Persistence, and Operator Workflow.