> For the complete documentation index, see [llms.txt](https://h3ll-ka1ser.gitbook.io/boot2root/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://h3ll-ka1ser.gitbook.io/boot2root/readme.md).

# B00t2R00t

> A comprehensive offensive security knowledge base — from initial foothold to full domain compromise.

**B00t2R00t** is a curated encyclopedia of penetration testing and red teaming techniques, methodologies, tools, and ready-to-use scripts. Spanning **Active Directory, Cloud, Web, Network, Wireless, and Red Team operations**, it's organized around the real attacker kill chain: **Enumerate → Exploit → Escalate → Persist.**

> ⚠️ **Disclaimer:** This material is provided strictly for **authorized security testing, research, and education**. Only use these techniques on systems you own or have **explicit written permission** to test. The author assumes no liability for misuse. Unauthorized access to computer systems is illegal.

<div align="center"><img src="https://img.shields.io/badge/Focus-Offensive%20Security-red" alt="Focus"> <img src="https://img.shields.io/badge/Files-1800%2B-blue" alt="Files"> <img src="https://img.shields.io/badge/Topics-AD%20%7C%20Cloud%20%7C%20Web%20%7C%20Red%20Team-purple" alt="Topics"> <img src="https://img.shields.io/badge/PRs-Welcome-brightgreen" alt="PRs"></div>

***

## 🧭 How to Use This Repo

* **New to a target type?** Start in [`Methodology/`](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Methodology/README.md) — it's the high-level playbook for *what to do and in what order*.
* **Need a specific technique?** Jump straight to the relevant domain folder below.
* **Looking for a tool's syntax?** Head to [`Tools/`](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Tools/README.md) — usage docs are separated from techniques on purpose.
* **On an engagement?** Use the methodology as your checklist, then drill into the technique pages as needed.

***

## 📚 Table of Contents

| Section                                                       | What's Inside                                                  |
| ------------------------------------------------------------- | -------------------------------------------------------------- |
| 🗺️ [Methodology](#️-methodology)                             | Step-by-step playbooks for each target type                    |
| 🏰 [Active Directory](#-active-directory-penetration-testing) | Enumeration, exploitation, Kerberos, ADCS, trusts, persistence |
| ☁️ [Cloud](#️-cloud-penetration-testing)                      | AWS, Azure, GCP, Kubernetes                                    |
| 🌐 [Web Applications](#-web-application-penetration-testing)  | OWASP-style attacks, injection, auth bypasses, WAF evasion     |
| 🔌 [Network Services](#-network-penetration-testing)          | Protocol-by-protocol attack references                         |
| 📡 [Wireless](#-wireless-penetration-testing)                 | WEP/WPA/WPS attacks, sniffing, MITM                            |
| 🎭 [Red Teaming](#-red-teaming)                               | Evasion, C2, payloads, phishing, exfiltration                  |
| ⬆️ [Privilege Escalation](#️-privilege-escalation)            | Linux, Windows, and Docker escapes                             |
| 🔀 [Pivoting](#-pivoting)                                     | Tunneling, port forwarding, lateral movement                   |
| 🐛 [CVEs](#-cves)                                             | Notable exploits and write-ups                                 |
| 🤖 [Other Domains](#-other-domains)                           | AI pentesting, exploit development, data lake, bug bounty      |
| 🛠️ [Tools](#️-tools)                                         | Usage docs for the offensive toolkit                           |
| 🧩 [Miscellaneous](#-miscellaneous)                           | File transfers, shells, wordlists, neat tricks                 |

***

## 🗺️ Methodology

The **playbook layer** — start here to understand the *flow* of an engagement before diving into specific techniques.

* [**Reconnaissance**](/boot2root/methodology/reconnaissance.md) · [**Enumeration**](/boot2root/methodology/enumeration.md) · [**Public Exploit Search**](/boot2root/methodology/public-exploit-search.md)
* [**Active Directory**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Methodology/Active%20Directory/README.md) — No Creds / One Credential / Valid Credentials paths
* [**Cloud**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Methodology/Cloud/README.md) — AWS, Azure, GCP, Containers
* [**Privilege Escalation**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Methodology/Privilege%20Escalation/README.md) — Linux & Windows
* [**Web Applications**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Methodology/Web%20Applications/README.md) — full web attack workflow
* [**Protocols**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Methodology/Protocols/README.md) — per-service approach (DNS, SMB, SSH, SQL, etc.)
* [**Lateral Movement**](/boot2root/methodology/lateral-movement.md) · [**Network Pivoting**](/boot2root/methodology/network-pivoting.md) · [**Password Cracking**](/boot2root/methodology/password-cracking.md)

***

## 🏰 Active Directory Penetration Testing

The most extensive section — a complete AD attack lifecycle.

| Phase                    | Topics                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Enumeration**          | [No Credentials](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Active%20Directory%20Penetration%20Testing/Enumeration/No%20Credentials/README.md) · [Valid Credentials](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Active%20Directory%20Penetration%20Testing/Enumeration/Valid%20Credentials/README.md) · [Username Only](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Active%20Directory%20Penetration%20Testing/Enumeration/Valid%20Username%20Only/README.md)                                                                                               |
| **Exploitation**         | [Kerberos](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Active%20Directory%20Penetration%20Testing/Exploitation/Kerberos/README.md) · [GPO](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Active%20Directory%20Penetration%20Testing/Exploitation/GPO/README.md) · [Known Vulns](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Active%20Directory%20Penetration%20Testing/Exploitation/Known%20Vulnerabilities/README.md) · [ACL/ACE](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Active%20Directory%20Penetration%20Testing/Exploitation/ACL/ACE/README.md) |
| **ADCS**                 | [Certificate Services attacks](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Active%20Directory%20Penetration%20Testing/Active%20Directory%20Certificate%20Services%20\(ADCS\)/README.md) — ESC1–ESC10, theft, persistence, [mindmaps](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Active%20Directory%20Penetration%20Testing/Active%20Directory%20Certificate%20Services%20\(ADCS\)/Mindmaps/README.md)                                                                                                                                                              |
| **Kerberos Delegation**  | [Unconstrained / Constrained / RBCD](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Active%20Directory%20Penetration%20Testing/Kerberos%20Delegation/README.md)                                                                                                                                                                                                                                                                                                                                                                                                              |
| **Lateral Movement**     | [PtH, PtT, Pass-the-Cert, WinRM, WMI, more](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Active%20Directory%20Penetration%20Testing/Lateral%20Movement/README.md)                                                                                                                                                                                                                                                                                                                                                                                                          |
| **MITM & Relay**         | [NTLM Relay, Responder, coercion attacks](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Active%20Directory%20Penetration%20Testing/MITM%20Listen%20and%20Relay/README.md)                                                                                                                                                                                                                                                                                                                                                                                                   |
| **Privilege Escalation** | [DACL attacks, dangerous groups, LAPS, more](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Active%20Directory%20Penetration%20Testing/Privilege%20Escalation/README.md)                                                                                                                                                                                                                                                                                                                                                                                                     |
| **Persistence**          | [Golden/Silver/Diamond tickets, DCShadow, Skeleton Key, more](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Active%20Directory%20Penetration%20Testing/Persistence/README.md)                                                                                                                                                                                                                                                                                                                                                                                               |
| **Trust Relationships**  | [Cross-domain & cross-forest compromise](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Active%20Directory%20Penetration%20Testing/Trust%20Relationship/README.md)                                                                                                                                                                                                                                                                                                                                                                                                           |
| **Domain Admin Access**  | [NTDS dumping, DPAPI backup keys](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Active%20Directory%20Penetration%20Testing/Domain%20Admin%20Access/README.md)                                                                                                                                                                                                                                                                                                                                                                                                               |
| **Mitigations**          | [Defensive guidance & Event IDs](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Active%20Directory%20Penetration%20Testing/Mitigations/README.md)                                                                                                                                                                                                                                                                                                                                                                                                                            |

***

## ☁️ Cloud Penetration Testing

Provider-by-provider attack references, each following enum → exploit → privesc → persistence.

* [**AWS**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Cloud%20Penetration%20Testing/AWS%20\(Amazon%20Web%20Services\)/README.md) — IAM, EC2, S3, Lambda, EKS, RDS, Secrets Manager, and more
* [**Azure**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Cloud%20Penetration%20Testing/Microsoft%20%20Azure/README.md) — Entra ID, managed identities, Key Vaults, app services, abuse paths
* [**Google Cloud (GCP)**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Cloud%20Penetration%20Testing/Google%20Cloud%20Platform%20\(GCP\)/README.md) — IAM fuzzing, metadata SSRF, privilege escalation
* [**Kubernetes**](/boot2root/cloud-penetration-testing/kubernetes.md) — cluster recon, node escapes, secrets
* [**Cross-Platform**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Cloud%20Penetration%20Testing/Cross-Platform/README.md) — Cloudfox, Trufflehog, and multi-cloud tooling

***

## 🌐 Web Application Penetration Testing

Comprehensive coverage of [web attacks](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Web%20Application%20Penetration%20Testing/README.md):

* **Injection:** [SQLi](/boot2root/web-application-penetration-testing/sql-injection-sqli.md) · [Command Injection](/boot2root/web-application-penetration-testing/command-injection.md) · [SSTI](/boot2root/web-application-penetration-testing/server-side-template-injection-ssti.md) · [XXE](/boot2root/web-application-penetration-testing/xml-external-entity-xxe-injection.md) · NoSQL/LDAP/XPath/ORM
* **Client-side:** [XSS](/boot2root/web-application-penetration-testing/cross-site-scripting-xss.md) · [CSRF](/boot2root/web-application-penetration-testing/cross-site-request-forgery-csrf.md) · [Prototype Pollution](/boot2root/web-application-penetration-testing/prototype-pollution.md)
* **Server-side:** [SSRF](/boot2root/web-application-penetration-testing/server-side-request-forgery-ssrf.md) · [LFI/RFI](/boot2root/web-application-penetration-testing/local-file-inclusion-lfi.md) · [RCE](/boot2root/web-application-penetration-testing/remote-code-execution-rce.md) · [Deserialization](/boot2root/web-application-penetration-testing/insecure-deserialization.md)
* **Auth & Tokens:** [JWT](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Web%20Application%20Penetration%20Testing/Authentication%20Tokens/README.md) · OAuth · MFA bypass
* **Bypasses:** [WAF evasion](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Web%20Application%20Penetration%20Testing/Bypass%20Techniques/WAF/README.md) · filter bypasses · [403 bypass](/boot2root/web-application-penetration-testing/http-code-403-forbidden-bypass.md)
* **Modern:** [HTTP Request Smuggling](/boot2root/web-application-penetration-testing/http-2-request-tunneling.md) · [GraphQL](/boot2root/web-application-penetration-testing/graphql-pentesting.md) · [Browser Desync](/boot2root/web-application-penetration-testing/browser-desync.md)

***

## 🔌 Network Penetration Testing

A [protocol-by-protocol attack library](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Network%20Penetration%20Testing/README.md) covering: **SMB, LDAP, SSH, FTP, RDP, SNMP, SMTP, MSSQL, MySQL, PostgreSQL, MongoDB, Redis, NFS, RPC, IPMI, VNC, VoIP, Java RMI/JDWP, gRPC, WebDAV**, and more — plus [CI/CD tooling](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Network%20Penetration%20Testing/CI/CD%20Tools/README.md) and [database navigation](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Network%20Penetration%20Testing/Databases/README.md).

***

## 📡 Wireless Penetration Testing

[Full wireless attack coverage](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Wireless%20Penetration%20Testing/README.md): WEP cracking, WPA2-PSK, PMKID, WPS PIN/Pixie Dust, deauth & fake-auth, packet injection/sniffing, MITM, DNS spoofing, and traffic decryption.

***

## 🎭 Red Teaming

End-to-end [adversary simulation tradecraft](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Red%20Teaming/README.md):

* [**Evasion Techniques**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Red%20Teaming/Evasion%20Techniques/README.md) — AMSI bypass, AV/EDR evasion, and a deep [AV/EDR Architecture](/boot2root/red-teaming/evasion-techniques/av-edr-architecture.md) breakdown
* [**Command & Control**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Red%20Teaming/Command%20And%20Control/README.md) · [**Data Exfiltration**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Red%20Teaming/Data%20Exfiltration/README.md) (DNS / ICMP / HTTPS / TCP)
* [**Advanced Techniques**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Red%20Teaming/Advanced%20Techniques/README.md) — process injection, hollowing, HTA/JScript
* [**Payloads**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Red%20Teaming/Payloads/README.md) · [**Stagers**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Red%20Teaming/Stagers/README.md) · [**Shellcode Runners**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Red%20Teaming/Shellcode%20Runners/README.md)
* [**Spearphishing**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Red%20Teaming/Spearfishing%20Attacks/README.md) — macros, OLE/LNK, XLL, device-code phishing
* [**LOLBins**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Red%20Teaming/Living%20of%20the%20Land%20Binaries%20\(LOLBINs\)/README.md) · [**Offensive PowerShell**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Red%20Teaming/Offensive%20Powershell/README.md) · [**Password Attacks**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Red%20Teaming/Password%20Attacks/README.md)

***

## ⬆️ Privilege Escalation

* [**Linux**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Privilege%20Escalation/Linux/README.md) — SUID, capabilities, cron, kernel exploits, sudo abuse, and dozens more
* [**Windows**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Privilege%20Escalation/Windows/README.md) — service misconfigs, potato exploits, DLL hijacking, token abuse, UAC bypass
* [**Docker Escapes**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Privilege%20Escalation/Docker%20Escapes/README.md) — privileged containers, exposed daemons, namespace abuse

***

## 🔀 Pivoting

[Tunneling and lateral movement](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Pivoting/README.md): Chisel, Ligolo-ng, SSH tunneling, Proxychains, DNS/HTTP/ICMP tunneling, double pivots, and [ready-to-go scripts](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Pivoting/Scripts%20on%20the%20Go/README.md).

***

## 🐛 CVEs

[Curated exploit write-ups](https://github.com/H3llKa1ser/B00t2R00t/blob/main/CVE/README.md): Zerologon, noPAC, PrintNightmare, ProxyShell, Certifried, PetitPotam, Log4j, and more.

***

## 🤖 Other Domains

* [**AI Penetration Testing**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Artificial%20Intelligence%20\(AI\)%20Penetration%20Testing/README.md) — prompt injection, jailbreaking, model inversion, guardrail bypass
* [**Exploit Development**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Exploit%20Development/README.md) — buffer overflows, race conditions, reverse engineering
* [**Data Lake Pentesting**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Data%20Lake%20Penetration%20Testing/README.md) — Hadoop, HDFS, Kerberos keytabs
* [**Bug Bounty Hunting**](/boot2root/bug-bounty-hunting.md) — recon automation & workflow

***

## 🛠️ Tools

Usage references for the offensive toolkit, grouped by purpose:

* [**Active Directory**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Tools/Active%20Directory/README.md) — Impacket, NetExec, BloodHound, Mimikatz, Rubeus, Responder, Certipy, and more
* [**C2 Frameworks**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Tools/C2%20Frameworks/README.md) — Cobalt Strike (in depth), Sliver, PowerShell Empire
* [**Enumeration**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Tools/Enumeration/README.md) · [**Network Scanners**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Tools/Network%20Scanners/README.md) · [**Fuzzers**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Tools/Fuzzers/README.md)
* [**Password Crackers**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Tools/Password%20Crackers/README.md) — Hashcat, John, Hydra, Medusa
* [**Phishing Campaigns**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Tools/Phishing%20Campaigns/README.md) — Evilginx + phishlets
* [**Web Applications**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Tools/Web%20Applications/README.md) · [**Exploitation Frameworks**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Tools/Exploitation%20Frameworks/README.md) · [**Wireless**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Tools/Wireless/README.md) · [**AV Evasion**](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Tools/AV%20Evasion/README.md)

***

## 🧩 Miscellaneous

[Handy operational references](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Miscellaneous/README.md): [file transfer methods](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Miscellaneous/File%20Transfer/README.md) (Linux & Windows), [reverse shells](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Miscellaneous/Reverse%20Shells/README.md), [shell stabilization](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Miscellaneous/Shell%20Stabilization/README.md), [credential harvesting](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Miscellaneous/Credential%20Harvesting/README.md), [wordlist creation](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Miscellaneous/Wordlist%20Creation/README.md), and a big bag of [neat tricks](https://github.com/H3llKa1ser/B00t2R00t/blob/main/Miscellaneous/Neat%20Tricks/README.md).

***

## 🤝 Contributing

Contributions, corrections, and additions are welcome! Feel free to open an issue or submit a pull request.

## 📄 License

See [LICENSE.md](/boot2root/license.md) for details.

***

⭐ **If you find this useful, consider starring the repo!** ⭐

*Built and maintained by* [*H3llKa1ser*](https://github.com/H3llKa1ser)

*For educational and authorized testing purposes only.*
