Template

IP:

Enumeration

Nmap scan

// Some code

Service Enumeration

TCP/00

Document here:

  • Screenshots (web browser, terminal screen)

  • Service version numbers

  • Document your findings when interacting with the service at various stages

UDP/00

Document here:

  • Screenshots (web browser, terminal screen)

  • Service version numbers

  • Document your findings when interacting with the service at various stages

Exploit

Document here:

  • Exploit used (link to exploit)

  • Explain how the exploit works against the service

  • Any modified code (and why you modified it)

  • Proof of exploit (screenshot of reverse shell with target IP address output)

Post-Exploit Enumeration

Current User

Document here:
 
- Windows
  - "whoami /all" output
  
- *nix
  - "id" output
  - "sudo -l" output

OS & Kernel

Document here:
  
- Windows
  - "systeminfo" or "Get-ComputerInfo" output
  
- *nix
  - "uname -a" output
  - "cat /etc/os-release" (or similar) output

Users

Document here any interesting username after running the below commands:
  
- Windows
  - Domain:
  	- "net user /domain" or "Get-ADUser -Filter *" output
  
  - Workgroup:
  	- "net user" or "Get-LocalUser" output
  
- *nix
  - "cat /etc/passwd" output

Groups

Document here any interesting groups after running the below commands:
  
- Windows
  - Domain:
  	- "net group /domain" or "Get-ADGroup -Filter *" output
  
  - Workgroup:
  	- "net localgroup" or "Get-LocalGroup" output
  
- *nix
  - "cat /etc/group" output

Network

Interfaces
Document here any interesting / additional interfaces:
  
- Windows
  - "ipconfig" or "Get-NetAdapter" output
  
- *nix
  - "ip address" or "ifconfig" output

ARP Table
If targeting a network and enumerating additional hosts...
Document here:
  
- Windows
  - "arp -a" or "Get-NetNeighbor" output
  
- *nix
  - "ip neigh" or "arp -a" output

Routes
If targeting a network and enumerating additional hosts...
Document here:
  
- Windows
  - "route print" or "Get-NetRoute" output
  
- *nix
  - "ip route" or "route" output

Open Ports
Document here any ports listening on loopback or not available to the outside:
  
- Windows
  - "netstat -ano | findstr /i listening" or "Get-NetTCPConnection -State Listen" output
  
- *nix
  - "netstat -tanup | grep -i listen" output

Ping Sweep
If the host has access to additional routes / interfaces:

  - Look at the IP address space and network mask
  - Find a ping sweep script that will work for the target network
  - Or you could try:
    - Transferring "nmap" or some other host discovery tool to the host
  	- Set up a SOCKS proxy and try a port scan through the foothold

Processes

First...
Enumerate processes:
  
- Windows
  - "tasklist"
  - "Get-Process"
  - "Get-CimInstance -ClassName Win32_Process | Select-Object Name, @{Name = 'Owner' ; Expression = {$owner = $_ | Invoke-CimMethod -MethodName GetOwner -ErrorAction SilentlyContinue ; if ($owner.ReturnValue -eq 0) {$owner.Domain + '\' + $owner.User}}}, CommandLine | Sort-Object Owner | Format-List"
  
- *nix
  - "ps auxf"
  
Then...
Document here:
  - Any interesting processes run by users/administrators
  - Any vulnerable applications
  - Any interesting command line arguments visible

Services

- Windows
  - First...
    Enumerate services:
      - "sc.exe query"
        - Then "sc.exe qc <service-name>"
          - List the configuration for any interesting services
      - "Get-CimInstance -ClassName Win32_Service | Select-Object Name, StartName, PathName | Sort-Object Name | Format-List"
  - Then...
    Check for things like:
      - Vulnerable service versions
      - Unquoted service path
      - Service path permissions too open?

- *nix
  - First...
    Enumerate services:
      - "service --status-all" or "systemctl list-units"
  - Then...
    Check for things like:
      - Vulnerable service versions
      - Configuration files
      - Writable unit files
      - Writable service binaries

Then...
Document here:
  - Any interesting services or vulnerabilities
  - Any vulnerable service versions
  - Any interesting configuration files
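One way to run the "writable unit files" / "writable service binaries" check from the *nix list above, as an added example that is not part of this template or of 0xC0FFEE's notes. It is the same test a hardening audit performs: it assumes systemd-style unit files and a Linux/BSD `find` and `mktemp`, and flags only the world-writable (0002) case; group-writable or non-root-owned paths would need the same treatment.

```shell
#!/bin/sh
# Added example (not part of the template): audit a systemd unit file for the
# two *nix service misconfigurations listed above, a world-writable unit file
# or a world-writable ExecStart binary. Assumes GNU/BSD find and mktemp.

# Print the program named by the first ExecStart= line of a unit file,
# dropping the prefixes systemd allows before the path (-, @, +, !, !!).
exec_start_bin() {
    sed -n 's/^ExecStart=[-@+!]*//p' "$1" | head -n 1 | awk '{print $1}'
}

# True when the path exists and its "other" write bit (0002) is set.
# Mode bits are tested instead of "test -w" so the result does not change
# depending on which user runs the audit (root can write to everything).
world_writable() {
    [ -e "$1" ] && [ -n "$(find "$1" -perm -002 2>/dev/null)" ]
}

# Audit one unit file. Prints one finding per line and returns 0 when the
# unit is clean, 1 when the unit file or its binary is world-writable.
audit_unit() {
    unit="$1"; rc=0
    if world_writable "$unit"; then
        echo "WRITABLE_UNIT $unit"; rc=1
    fi
    bin=$(exec_start_bin "$unit")
    if [ -n "$bin" ] && world_writable "$bin"; then
        echo "WRITABLE_BINARY $bin (ExecStart of $unit)"; rc=1
    fi
    return $rc
}

# Constructed fixture so the check can be exercised offline: a 0644 unit
# whose ExecStart script is 0777. Prints the findings for that unit.
demo_findings() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho nightly backup\n' > "$d/backup.sh"
    chmod 0777 "$d/backup.sh"
    printf '[Service]\nExecStart=-%s --nightly\n' "$d/backup.sh" > "$d/backup.service"
    chmod 0644 "$d/backup.service"
    audit_unit "$d/backup.service" || true
    rm -rf "$d"
}

# Real use: audit every unit file on the host, e.g.
#   for u in /etc/systemd/system/*.service /lib/systemd/system/*.service; do audit_unit "$u"; done
```

On the constructed fixture the only finding is the WRITABLE_BINARY line for backup.sh; the unit file itself is reported clean.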

Scheduled Tasks

First...
Enumerate scheduled tasks:
  
- Windows
  - "schtasks /QUERY /FO LIST /V | findstr /i /c:'taskname' /c:'run as user' /c:'task to run'"
  - "Get-CimInstance -Namespace Root/Microsoft/Windows/TaskScheduler -ClassName MSFT_ScheduledTask | Select-Object TaskName, @{Name = 'User' ; Expression = {$_.Principal.UserId}}, @{Name = 'Action' ; Expression = {($_.Actions.Execute + ' ' + $_.Actions.Arguments)}} | Format-List"
  
- *nix
  - "crontab -l"
  - "cat /etc/cron* 2>/dev/null"
  - "cat /var/spool/cron/crontabs/* 2>/dev/null"
  
Then...
Document here:
  - Any interesting scheduled tasks
  - Any writable paths in the scheduled task
  - Any interesting command line arguments visible

Interesting Files

File 1
File contents

Privilege Escalation

Document here:

  • Exploit used (link to exploit)

  • Explain how the exploit works

  • Any modified code (and why you modified it)

  • Proof of privilege escalation (screenshot showing IP address and privileged username)

Persistence

Document here how you set up persistence on the target

Flags

User
Flag here
Root
Flag here

Shell

Root

Template partially courtesy of 0xC0FFEE https://notes.benheater.com
