Document here any interesting usernames after running the below commands:
- Windows
  - Domain:
    - "net user /domain" or "Get-ADUser -Filter *" output
  - Workgroup:
    - "net user" or "Get-LocalUser" output
- *nix
  - "cat /etc/passwd" output
Groups
Document here any interesting groups after running the below commands:
- Windows
  - Domain:
    - "net group /domain" or "Get-ADGroup -Filter *" output
  - Workgroup:
    - "net localgroup" or "Get-LocalGroup" output
- *nix
  - "cat /etc/group" output
Network
Interfaces
Document here any interesting / additional interfaces:
- Windows
  - "ipconfig" or "Get-NetAdapter" output
- *nix
  - "ip address" or "ifconfig" output
ARP Table
If targeting a network and enumerating additional hosts...
Document here:
- Windows
  - "arp -a" or "Get-NetNeighbor" output
- *nix
  - "ip neigh" or "arp -a" output
Routes
If targeting a network and enumerating additional hosts...
Document here:
- Windows
  - "route print" or "Get-NetRoute" output
- *nix
  - "ip route" or "route" output
Open Ports
Document here any ports listening on loopback or otherwise not reachable from the outside:
- Windows
  - "netstat -ano | findstr /i listening" or "Get-NetTCPConnection -State Listen" output
- *nix
  - "netstat -tanup | grep -i listen" output
Ping Sweep
If the host has access to additional routes / interfaces:
- Look at the IP address space and network mask
- Find a ping sweep script that will work for the target network
- Or you could try:
  - Transferring "nmap" or some other host discovery tool to the host
  - Setting up a SOCKS proxy and running a port scan through the foothold
Processes
First...
Enumerate processes:
- Windows
  - "tasklist"
  - "Get-Process"
  - "Get-CimInstance -ClassName Win32_Process | Select-Object Name, @{Name = 'Owner' ; Expression = {$owner = $_ | Invoke-CimMethod -MethodName GetOwner -ErrorAction SilentlyContinue ; if ($owner.ReturnValue -eq 0) {$owner.Domain + '\' + $owner.User}}}, CommandLine | Sort-Object Owner | Format-List"
- *nix
  - "ps auxf"
Then...
Document here:
- Any interesting processes run by users/administrators
- Any vulnerable applications
- Any interesting command line arguments visible
Services
- Windows
  - First, enumerate services:
    - "sc.exe query"
    - Then "sc.exe qc <service-name>"
      - List the configuration for any interesting services
    - "Get-CimInstance -ClassName Win32_Service | Select-Object Name, StartName, PathName | Sort-Object Name | Format-List"
  - Then, check for things like:
    - Vulnerable service versions
    - Unquoted service path
    - Service path permissions too open?
- *nix
  - First, enumerate services:
    - "service --status-all" or "systemctl list-units"
  - Then, check for things like:
    - Vulnerable service versions
    - Configuration files
    - Writable unit files
    - Writable service binaries
Then...
Document here:
- Any interesting services or vulnerabilities
- Any vulnerable service versions
- Any interesting configuration files
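An added example (not part of this template or its author's tooling) that automates the "unquoted service path" and "service path permissions too open?" checks above on a Windows host: it lists every service whose unquoted binary path contains a space and reports any directory along that path that standard users can write to, so the finding can be documented and remediated. It assumes a local PowerShell 5.1 or later session with read access to the directories' ACLs.

```powershell
# Added example, not part of the original template or its author's tooling.
# Flags services with an unquoted binary path containing spaces and reports
# which directories along that path standard users can write to.

function Test-DirectoryWritableByStandardUsers {
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $broadIdentities = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    # CreateFiles (WriteData) is included in Modify and FullControl, so one bit test covers all three.
    $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $createFiles) -ne 0) { return $true }
    }
    return $false
}

function Find-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = ([string]$_.PathName).Trim()
        # Empty or already-quoted paths are not affected; skip them.
        if (-not $path -or $path.StartsWith('"')) { return }
        $exeEnd = $path.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
        if ($exeEnd -lt 0) { return }
        $exePath = $path.Substring(0, $exeEnd + 4)
        # Only a space inside the unquoted executable path is mis-parsed by the SCM;
        # binaries under %SystemRoot% are owned by TrustedInstaller, so they are skipped.
        if ($exePath -notmatch ' ' -or $exePath -like "$env:SystemRoot\*") { return }

        # The SCM may try each truncated prefix (e.g. C:\Program.exe), so every
        # ancestor directory of the binary must be non-writable by standard users.
        $writable = @()
        $dir = Split-Path -Path $exePath -Parent
        while ($dir) {
            if (Test-DirectoryWritableByStandardUsers -Directory $dir) { $writable += $dir }
            $dir = Split-Path -Path $dir -Parent
        }
        [PSCustomObject]@{
            Name              = $_.Name
            RunsAs            = $_.StartName
            StartMode         = $_.StartMode
            PathName          = $path
            WritableAncestors = ($writable -join '; ')
        }
    }
}

Find-UnquotedServicePath | Format-List
```

A service with a non-empty WritableAncestors value is the one to document; the fix is to quote the path in the service configuration and tighten the directory ACL.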
Scheduled Tasks
First...
Enumerate scheduled tasks:
- Windows
  - "schtasks /QUERY /FO LIST /V | findstr /i /c:'taskname' /c:'run as user' /c:'task to run'" (run from PowerShell; from cmd.exe the /c: search strings need double quotes, otherwise findstr treats the single quotes as part of the pattern)
  - "Get-CimInstance -Namespace Root/Microsoft/Windows/TaskScheduler -ClassName MSFT_ScheduledTask | Select-Object TaskName, @{Name = 'User' ; Expression = {$_.Principal.UserId}}, @{Name = 'Action' ; Expression = {($_.Actions.Execute + ' ' + $_.Actions.Arguments)}} | Format-List"
- *nix
  - "crontab -l"
  - "cat /etc/cron* 2>/dev/null"
  - "cat /var/spool/cron/crontabs/* 2>/dev/null"
Then...
Document here:
- Any interesting scheduled tasks
- Any writable paths in the scheduled task
- Any interesting command line arguments visible
Interesting Files
File 1
File contents
Privilege Escalation
Document here:
Exploit used (link to exploit)
Explain how the exploit works
Any modified code (and why you modified it)
Proof of privilege escalation (screenshot showing IP address and privileged username)
Persistence
Document here how you set up persistence on the target
Flags
User
Flag here
Root
Flag here
Shell
Root
Template partially courtesy of 0xC0FFEE https://notes.benheater.com