Frequent Terminology and Acronyms

Welcome to the forum and to HackTheBox!

This field is absolutely massive and can contain a multitude of words all meaning one thing. Box, machine, target, client, victim, all meaning the dedicated vulnerable appliance that you are attempting to exploit. Sometimes the wealth of info can create a major sense of being lost all the time and occasionally you need help deciphering what someone is meaning. This can be especially true whenever someone is telling you to throw rocks at the login page admin and you are about to cry because you are a decent human who doesn’t throw rocks… We hope… This page is meant as a public document to be altered (or removed if no one decides to add much of anything to it :pleading_face: ) in the hopes that it will help familiarize you with commonly used terms, phrases, and sayings that are used when discussing CyberSec and Pentesting.


  • Must Be Directly Related to the Platform:
    Don’t use something like “Leeroy Jenkins!” unless you try really hard to get that one to stick with something…which is encouraged.

  • Be Respectful:
    Remain conscious that the internet is forever and everyone else behind the keyboards are humans also.

  • Be Kind:
    This area of interest is too small (and challenging to learn) to be elitists about it. If you have knowledge and wish to share it, please do so, you may be the one thing someone is missing.

  • Be Clear and Concise:
    Your Language is not native for everyone, be clear with what you post and please proofread it to the best of your ability.

  • Spam, Offensive Posts, Or Off Topic Posts Will Be Removed:
    We want to keep this as clean as possible in every aspect!

Hopefully everyone will contribute a small piece of info to this and help us grow a massive searchable post that everyone can use!


Attacker Box/Machine = The computer you are using or initiating from.
Service = Could be a particular app or program found on a port.
Pentesting = Penetration testing, Professional term for Hacking.
Box = Machine
Rocks = Most of the time, referring to using the rockyou wordlist.
Map it = Multiple meanings, most commonly Nmap, Sqlmap.
Enumerate = info gathering, look around in files, see what services are running, services and ports they run on, user list, passwords, check ID, what services run as root.
Root = top level user, impersonate this and you have unfettered access to the machine.
peas= most commonly referring to linpeas, a linux enumeration program.
db = database, some sort of backend method of information handling. Mysql, sqlite, etc.
Brute-force = Attempting to use an up front one by one method of attack. I.E. using rockyou wordlist on a login page.
man page= manual pages that you can use for reference, I.E. man Nmap.
noob = well… you know.

1 Like

Some I particularly use, mostly attack vectors which are hard to repeat, I hope they will be useful

XSS = cross-site scripting, basically injecting code on a webpage by an input
CSRF = cross-site request forgery, makes a user or server fetch something they didnt ask to
IDOR = insecure direct object reference, when you are able to read or edit files you shouldnt because the server doesnt really care for who is making the calls
LFI = local file inclusion, when you can fetch files from the target
Server side = when the server executes your script, it is desirable above a simple client side vuln
Middleware = a script which translates communications, mostly to be used with sqlmap

Vuln, enum, recon, are simply short terms for vulnerability, enumeration and reconnaissance

And the ones I love :heart:
Ace = arbitrary code execution, the ace up in your sleeve
Daskidzz = kr4d scr1pt kiddie!!!1111 :crazy_face:

1 Like

CVE = Common Vulnerabilities and Exposures, Usually the details of what vulnerability exists, try searching the cve in github, exploitdb, and if you are lucky, metasploit may have a module that will work!

RCE = Remote Code Execution: in our context, one of the top tier exploit paths, allows for attackers to issue code commands (or scripts, shells, and such) to a machine from their attacking machine.

Tea = not very common but can refer to a gitea page.

Listener = a listening port on a machine that is actively “listening” for anything trying to reach it ,
for example: nc -lnvp 4444

Shell = a semi interactive presence that can be leveraged into a full command terminal through escalation or “breaking out”.

POC- Proof of Concept: A methodology or set of steps to accomplish a proposed flaw (a guide on how to test if the vulnerability exists and how to exploit it, in cybersec terms)
VM- virtual machine: a machine that exists in a virtual space and not as a physical piece of hardware.
IOC- Indicator of Compromise: The trails that attackers leave behind. Blue teamers use IOC’s to track if they have been attacked and how. Could be an IP of a remote server, could be a string of code executed in a system that is patterned to a known threat actor, a set of artifacts that lines up with other known attacks.
IOA- Indicator of Attack: Similar to IOC’s but happening in real time. Most blue teamers search for these to get an idea of what the attackers are going after and how to shut them out.

heisenbug: a software bug that doesn’t show up under debugging (see Heisenberg’s Uncertainty Principal)

rainbow table: a huge table of previously used passwords and their pre-computed hashes used for password cracking.

nonce: a number used one time in cryptography (word not derived from ‘n once’ according to Wikipedia). Be very wary using this in Britain, it means pedophile or at least ■■■ offender here.

smurf attack: a DoS (Denial of Service) using a flood of spoofed ping messages.