> For the complete documentation index, see [llms.txt](https://notebook.aesirsec.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://notebook.aesirsec.io/boxes-write-ups/template.md).

# Template

## IP:

## Enumeration

Nmap scan

```
// Some code
```

## **Service Enumeration**

### **TCP/00**

Document here:

* Screenshots (web browser, terminal screen)
* Service version numbers
* Document your findings when interacting with the service at various stages

### **UDP/00**

Document here:

* Screenshots (web browser, terminal screen)
* Service version numbers
* Document your findings when interacting with the service at various stages

## **Exploit**

Document here:

* Exploit used (link to exploit)
* Explain how the exploit works against the service
* Any modified code (and why you modified it)
* Proof of exploit (screenshot of reverse shell with target IP address output)

## **Post-Exploit Enumeration**

### **Current User**

<details>

<summary>Click to expand</summary>

```
Document here:
 
- Windows
  - "whoami /all" output
  
- *nix
  - "id" output
  - "sudo -l" output
```

</details>

### **OS & Kernel**

<details>

<summary>Click to expand</summary>

```
Document here:
  
- Windows
  - "systeminfo" or "Get-ComputerInfo" output
  
- *nix
  - "uname -a" output
  - "cat /etc/os-release" (or similar) output
```

</details>

### **Users**

<details>

<summary>Click to expand</summary>

```
Document here any interesting username after running the below commands:
  
- Windows
  - Domain:
  	- "net user /domain" or "Get-ADUser -Filter *" output
  
  - Workgroup:
  	- "net user" or "Get-LocalUser" output
  
- *nix
  - "cat /etc/passwd" output
```

</details>

### **Groups**

<details>

<summary>Click to expand</summary>

```
Document here any interesting groups after running the below commands:
  
- Windows
  - Domain:
  	- "net group /domain" or "Get-ADGroup -Filter *" output
  
  - Workgroup:
  	- "net localgroup" or "Get-LocalGroup" output
  
- *nix
  - "cat /etc/group" output
```

</details>

### **Network**

<details>

<summary>Interfaces</summary>

```
Document here any interesting / additional interfaces:
  
- Windows
  - "ipconfig" or "Get-NetAdapter" output
  
- *nix
  - "ip address" or "ifconfig" output
```

</details>

<details>

<summary>ARP Table</summary>

```
If targeting a network and enumerating additional hosts...
Document here:
  
- Windows
  - "arp -a" or "Get-NetNeighbor" output
  
- *nix
  - "ip neigh" or "arp -a" output
```

</details>

<details>

<summary>Routes</summary>

```
If targeting a network and enumerating additional hosts...
Document here:
  
- Windows
  - "route print" or "Get-NetRoute" output
  
- *nix
  - "ip route" or "route" output
```

</details>

<details>

<summary>Open Ports</summary>

```
Document here any ports listening on loopback or not available to the outside:
  
- Windows
  - "netstat -ano | findstr /i listening" or "Get-NetTCPConnection -State Listen" output
  
- *nix
  - "netstat -tanup | grep -i listen" output
```

</details>

<details>

<summary>Ping Sweep</summary>

```
If the host has access to additional routes / interfaces:

  - Look at the IP address space and network mask
  - Find a ping sweep script that will work for the target network
  - Or you could try:
  	- Transfering "nmap" or some other host discover tool to the host
  	- Set up a SOCKS proxy and try a port scan through the foothold
```

</details>

### **Processes**

<details>

<summary>Click to expand</summary>

```
First...
Enumerate processes:
  
- Windows
  - "tasklist"
  - "Get-Process"
  - "Get-CimInstance -ClassName Win32_Process | Select-Object Name, @{Name = 'Owner' ; Expression = {$owner = $_ | Invoke-CimMethod -MethodName GetOwner -ErrorAction SilentlyContinue ; if ($owner.ReturnValue -eq 0) {$owner.Domain + '\' + $owner.User}}}, CommandLine | Sort-Object Owner | Format-List"
  
- *nix
  - "ps auxf"
  
Then...
Document here:
  - Any interesting processes run by users/administrators
  - Any vulnerable applications
  - Any intersting command line arguments visible
```

</details>

### **Services**

<details>

<summary>Click to expand</summary>

```
- Windows
  - First...
    Enumerate services:
  	  - "sc.exe query"
  	  	- Then "sc.exe qc <service-name>"
          - List the configuration for any interesting services
  	  - "Get-CimInstance -ClassName Win32_Service | Select-Object Name, StartName, PathName | Sort-Object Name | Format-List"
  - Then...
  	Check for things like:
  	  - Vulnerable service versions
      - Unquoted service path
      - Service path permissions too open?
  
- *nix
  - First...
  	Enumerate services:
      - "service --status-all" or "systemctl list-units"
  - Then...
    Check for things like:
      - Vulnerable service versions
      - Configuration files
      - Writable unit files
  	  - Writable service binaries  
  
Then...
Document here:
  - Any interesting services or vulnerabilities
  - Any vulnerable service versions
  - Any intersting configuration files
```

</details>

### **Scheduled Tasks**

<details>

<summary>Click to expand</summary>

```
First...
Enumerate scheduled tasks:
  
- Windows
  - "schtasks /QUERY /FO LIST /V | findstr /i /c:'taskname' /c:'run as user' /c:'task to run'"
  - "Get-CimInstance -Namespace Root/Microsoft/Windows/TaskScheduler -ClassName MSFT_ScheduledTask | Select-Object TaskName, @{Name = 'User' ; Expression = {$_.Principal.UserId}}, @{Name = 'Action' ; Expression = {($_.Actions.Execute + ' ' + $_.Actions.Arguments)}} | Format-List"
  
- *nix
  - "crontab -l"
  - "cat /etc/cron* 2>/dev/null"
  - "cat /var/spool/cron/crontabs/* 2>/dev/null"
  
Then...
Document here:
  - Any interesting scheduled tasks
  - Any writable paths in the scheduled task
  - Any intersting command line arguments visible
```

</details>

### **Interesting Files**

<details>

<summary>File 1</summary>

```
File contents
```

</details>

## **Privilege Escalation**

Document here:

* Exploit used (link to exploit)
* Explain how the exploit works
* Any modified code (and why you modified it)
* Proof of privilege escalation (screenshot showing ip address and privileged username)\\

## **Persistence**

Document here how you set up persistence on the target

## **Flags**

<details>

<summary>User</summary>

```
Flag here
```

</details>

<details>

<summary>Root</summary>

```
Flag here
```

</details>

## Shell

## Root

\
\
Template partially courtesy of 0xC0FFEE <https://notes.benheater.com>
