# Template

## IP:

## Enumeration

Nmap scan

```
// Some code
```

## **Service Enumeration**

### **TCP/00**

Document here:

* Screenshots (web browser, terminal screen)
* Service version numbers
* Document your findings when interacting with the service at various stages

### **UDP/00**

Document here:

* Screenshots (web browser, terminal screen)
* Service version numbers
* Document your findings when interacting with the service at various stages

## **Exploit**

Document here:

* Exploit used (link to exploit)
* Explain how the exploit works against the service
* Any modified code (and why you modified it)
* Proof of exploit (screenshot of reverse shell with target IP address output)

## **Post-Exploit Enumeration**

### **Current User**

<details>

<summary>Click to expand</summary>

```
Document here:
 
- Windows
  - "whoami /all" output
  
- *nix
  - "id" output
  - "sudo -l" output
```

</details>

### **OS & Kernel**

<details>

<summary>Click to expand</summary>

```
Document here:
  
- Windows
  - "systeminfo" or "Get-ComputerInfo" output
  
- *nix
  - "uname -a" output
  - "cat /etc/os-release" (or similar) output
```

</details>

### **Users**

<details>

<summary>Click to expand</summary>

```
Document here any interesting username after running the below commands:
  
- Windows
  - Domain:
    - "net user /domain" or "Get-ADUser -Filter *" output

  - Workgroup:
    - "net user" or "Get-LocalUser" output
  
- *nix
  - "cat /etc/passwd" output
```

</details>

### **Groups**

<details>

<summary>Click to expand</summary>

```
Document here any interesting groups after running the below commands:
  
- Windows
  - Domain:
    - "net group /domain" or "Get-ADGroup -Filter *" output

  - Workgroup:
    - "net localgroup" or "Get-LocalGroup" output
  
- *nix
  - "cat /etc/group" output
```

</details>

### **Network**

<details>

<summary>Interfaces</summary>

```
Document here any interesting / additional interfaces:
  
- Windows
  - "ipconfig" or "Get-NetAdapter" output
  
- *nix
  - "ip address" or "ifconfig" output
```

</details>

<details>

<summary>ARP Table</summary>

```
If targeting a network and enumerating additional hosts...
Document here:
  
- Windows
  - "arp -a" or "Get-NetNeighbor" output
  
- *nix
  - "ip neigh" or "arp -a" output
```

</details>

<details>

<summary>Routes</summary>

```
If targeting a network and enumerating additional hosts...
Document here:
  
- Windows
  - "route print" or "Get-NetRoute" output
  
- *nix
  - "ip route" or "route" output
```

</details>

<details>

<summary>Open Ports</summary>

```
Document here any ports listening on loopback or not available to the outside:
  
- Windows
  - "netstat -ano | findstr /i listening" or "Get-NetTCPConnection -State Listen" output
  
- *nix
  - "netstat -tanup | grep -i listen" output
```

</details>

<details>

<summary>Ping Sweep</summary>

```
If the host has access to additional routes / interfaces:

  - Look at the IP address space and network mask
  - Find a ping sweep script that will work for the target network
  - Or you could try:
    - Transferring "nmap" or some other host discovery tool to the host
    - Setting up a SOCKS proxy and port scanning through the foothold
```

</details>

### **Processes**

<details>

<summary>Click to expand</summary>

```
First...
Enumerate processes:
  
- Windows
  - "tasklist"
  - "Get-Process"
  - "Get-CimInstance -ClassName Win32_Process | Select-Object Name, @{Name = 'Owner' ; Expression = {$owner = $_ | Invoke-CimMethod -MethodName GetOwner -ErrorAction SilentlyContinue ; if ($owner.ReturnValue -eq 0) {$owner.Domain + '\' + $owner.User}}}, CommandLine | Sort-Object Owner | Format-List"
  
- *nix
  - "ps auxf"
  
Then...
Document here:
  - Any interesting processes run by users/administrators
  - Any vulnerable applications
  - Any interesting command line arguments visible
```

</details>

### **Services**

<details>

<summary>Click to expand</summary>

```
- Windows
  - First...
    Enumerate services:
      - "sc.exe query"
        - Then "sc.exe qc <service-name>"
          - List the configuration for any interesting services
      - "Get-CimInstance -ClassName Win32_Service | Select-Object Name, StartName, PathName | Sort-Object Name | Format-List"
  - Then...
    Check for things like:
      - Vulnerable service versions
      - Unquoted service path
      - Service path permissions too open?

- *nix
  - First...
    Enumerate services:
      - "service --status-all" or "systemctl list-units"
  - Then...
    Check for things like:
      - Vulnerable service versions
      - Configuration files
      - Writable unit files
      - Writable service binaries

Then...
Document here:
  - Any interesting services or vulnerabilities
  - Any vulnerable service versions
  - Any interesting configuration files
```

</details>
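The two Windows service checks above (unquoted image path, service binary writable by low-privilege users) as one PowerShell hardening audit. This is an added example, not part of the original template: it uses only built-in cmdlets (Get-CimInstance, Get-Acl), and the list of low-privilege principals is an assumption you should adjust for the environment; every hit is a finding to remediate by quoting the path or tightening the ACL.

```powershell
# Added audit example (not from the original template): flag services whose image path is
# unquoted and contains spaces, or whose binary can be written by a low-privilege principal.

# Assumption: these principals should never hold write access to a service binary.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, WriteData'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Quoted path: the executable is everything inside the first pair of quotes.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path: take everything up to the first ".exe"; fall back to the first token.
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Test-UnquotedServicePath {
    param([string]$PathName)
    # The classic misconfiguration: no quotes and a space somewhere in the executable path.
    $bin = Get-ServiceBinaryPath $PathName
    return ($PathName -notmatch '^"') -and ($bin -match ' ')
}

function Test-LowPrivWritable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) { return $true }
    }
    return $false
}

# Same data source as the template's Win32_Service one-liner, with both checks applied.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $bin = Get-ServiceBinaryPath $_.PathName
        [PSCustomObject]@{
            Name           = $_.Name
            StartName      = $_.StartName
            PathName       = $_.PathName
            UnquotedPath   = Test-UnquotedServicePath $_.PathName
            WritableBinary = Test-LowPrivWritable $bin
        }
    } |
    Where-Object { $_.UnquotedPath -or $_.WritableBinary } |
    Format-List
```

Run it from an elevated prompt so Get-Acl can read every binary; paths that use environment variables such as %SystemRoot% are skipped by the Test-Path check and should be reviewed by hand.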

### **Scheduled Tasks**

<details>

<summary>Click to expand</summary>

```
First...
Enumerate scheduled tasks:
  
- Windows
  - "schtasks /QUERY /FO LIST /V | findstr /i /c:'taskname' /c:'run as user' /c:'task to run'"
  - "Get-CimInstance -Namespace Root/Microsoft/Windows/TaskScheduler -ClassName MSFT_ScheduledTask | Select-Object TaskName, @{Name = 'User' ; Expression = {$_.Principal.UserId}}, @{Name = 'Action' ; Expression = {($_.Actions.Execute + ' ' + $_.Actions.Arguments)}} | Format-List"
  
- *nix
  - "crontab -l"
  - "cat /etc/cron* 2>/dev/null"
  - "cat /var/spool/cron/crontabs/* 2>/dev/null"
  
Then...
Document here:
  - Any interesting scheduled tasks
  - Any writable paths in the scheduled task
  - Any interesting command line arguments visible
```

</details>

### **Interesting Files**

<details>

<summary>File 1</summary>

```
File contents
```

</details>

## **Privilege Escalation**

Document here:

* Exploit used (link to exploit)
* Explain how the exploit works
* Any modified code (and why you modified it)
* Proof of privilege escalation (screenshot showing IP address and privileged username)

## **Persistence**

Document here how you set up persistence on the target

## **Flags**

<details>

<summary>User</summary>

```
Flag here
```

</details>

<details>

<summary>Root</summary>

```
Flag here
```

</details>

## Shell

## Root

Template partially courtesy of 0xC0FFEE <https://notes.benheater.com>

