diff --git a/template.md b/template.md
new file mode 100644
index 0000000..db516f6
--- /dev/null
+++ b/template.md
@@ -0,0 +1,555 @@
+# **Nmap Results**
+```text
+Nmap output here
+```
+
+
+
+
+
+
+# **Service Enumeration**
+
+## **TCP/00**
+Document here:
+* Screenshots (web browser, terminal screen)
+* Service version numbers
+* Document your findings when interacting with the service at various stages
+
+
+
+
+## **UDP/00**
+Document here:
+* Screenshots (web browser, terminal screen)
+* Service version numbers
+* Document your findings when interacting with the service at various stages
+
+
+
+
+
+
+# **Exploit**
+Document
+here:
+* Exploit used (link to exploit)
+* Explain how the exploit works against the service
+* Any modified code (and why you modified it)
+* Proof of exploit (screenshot of reverse shell with target IP address output)
+
+
+
+
+
+
+# **Post-Exploit Enumeration**
+## **Operating Environment**
+
+ OS & Kernel
+
+```text
+Document here:
+
+- Windows
+ - "systeminfo" or "Get-ComputerInfo" output
+
+- *nix
+ - "uname -a" output
+ - "cat /etc/os-release" (or similar) output
+```
+
+
+
+
+
+
+
+ Current User
+
+```text
+Document here:
+
+- Windows
+ - "whoami /all" output
+
+- *nix
+ - "id" output
+ - "sudo -l" output
+```
+
+
+
+
+
+
+## **Users and Groups**
+
+
+ Local Users
+
+```text
+Document here any interesting username(s) after running the below commands:
+
+- Windows
+ - "net user" or "Get-LocalUser" output
+ - "net user " or "Get-LocalUser | Select-Object *" to enumerate details about specific users
+ - Can you dump and pass/crack hashes from SAM using your current access?
+
+- *nix
+ - "cat /etc/passwd" output
+```
+
+
+
+
+
+
+
+ Local Groups
+
+```text
+Document here any interesting group(s) after running the below commands:
+
+- Windows
+ - "net localgroup" or "Get-LocalGroup" output
+ - "net localgroup " or "Get-LocalGroupMember | Select-Object *" to enumerate users of specific groups
+
+- *nix
+ - "cat /etc/group" output
+ - "cat /etc/group | grep " to check group memberships of specific users
+```
+
+
+
+
+
+
+
+ Domain Users
+
+```text
+Document here any interesting username(s) after running the below commands:
+
+- Windows
+ - "net user /domain" or "Get-ADUser -Filter * -Properties *" output
+ - "net user /domain" or "Get-ADUser -Identity -Properties *" to enumerate details about specific domain users
+ - Not a local administrator and can't run PowerShell AD cmdlets?
+ - See here: https://notes.benheater.com/books/active-directory/page/powershell-ad-module-on-any-domain-host-as-any-user
+ - Can you dump and pass/crack local user / admin hashes from the SAM using your current access?
+ - Can you dump and pass/crack hashes from LSA using your current access?
+
+- *nix
+ - Check if joined to a domain
+ - /usr/sbin/realm list -a
+ - /usr/sbin/adcli info
+
+ - No credential:
+
+ - Check for log entries containing possible usernames
+
+ - "find /var/log -type f -readable -exec grep -ail '' {} \; 2>/dev/null"
+ - Then, grep through each log file and remove any garbage from potential binary files:
+
+ - Using strings: "strings /var/log/filename | grep -i ''"
+ - If strings not available, try using od: "od -An -S 1 /var/log/filename | grep -i ''"
+ - If od not available, try grep standalone: "grep -iao '.*.*' /var/log/filename"
+
+ - Validate findings:
+ - Check if discovered usernames are valid: "getent passwd "
+ - If valid, check user group memberships: List "id "
+ - Check domain password and lockout policy for password spray feasibility
+
+ - See "Domain Groups", as certain commands there can reveal some additional usernames
+
+ - With a domain credential:
+
+ - If you have a valid domain user credential, you can try "ldapsearch"
+ - Dump all objects from LDAP: "ldapsearch -x -H ldap://dc-ip-here -D 'CN=username,DC=realmDomain,DC=realmTLD' -W -b 'DC=realmDomain,DC=realmTLD' 'objectClass=*'"
+ - Dump all users from LDAP: "ldapsearch -x -H ldap://dc-ip-here -D 'CN=username,DC=realmDomain,DC=realmTLD' -W -b 'DC=realmDomain,DC=realmTLD' 'objectClass=account'"
+
+
+ - If you're root on the domain-joined host:
+
+ - You can try best-effort dumping the SSSD cache:
+
+ - Using strings: "strings /var/lib/sss/db/cache_.ldb | grep -iE '[ou|cn]=.*user.*'" | grep -iv 'disabled' | sort -u
+ - If strings not available, try using od: "od -An -S 1 /var/lib/sss/db/cache_.ldb | grep -iE '[ou|cn]=.*user.*'" | grep -iv 'disabled' | sort -u
+ - If od not available, try grep standalone: "grep -iao '.*.*' /var/lib/sss/db/cache_.ldb | sed 's/[^[:print:]\r\t]/\n/g' | grep -iE '[ou|cn]=.*user.*' | grep -iv disabled"
+
+ - You can transfer the SSSD TDB cache for local parsing
+
+ - Default file path: /var/lib/sss/db/cache_.tdb
+ - You can dump this file with tools such as "tdbtool" or "tdbdump"
+```
+
+
+
+
+
+
+
+ Domain Groups
+
+```text
+Document here any interesting group(s) after running the below commands:
+
+- Windows
+ - "net group /domain" or "Get-ADGroup -Filter * -Properties *" output
+ - "net group /domain" or "Get-ADGroup -Identity | Get-ADGroupMember -Recursive" to enumerate members of specific domain groups
+ - Not a local administrator and can't run PowerShell AD cmdlets?
+ - See here: https://notes.benheater.com/books/active-directory/page/powershell-ad-module-on-any-domain-host-as-any-user
+
+- *nix
+
+ - Check if joined to a domain
+ - /usr/sbin/realm list -a
+ - /usr/sbin/adcli info
+
+ - No credential:
+
+ - Enumerate default Active Directory security groups: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#default-active-directory-security-groups
+
+ - "getent group 'Domain Admins@'"
+ - "getent group 'Domain Users@'"
+ - NOTE: "getent" will only return domain group members that have been cached on the local system, not all group members in the domain
+ - This can still build a substantial user list for password spraying (check domain password and lockout policy)
+
+ - With a domain credential:
+
+ - If you have a valid domain user credential, you can try "ldapsearch"
+ - Dump all objects from LDAP: "ldapsearch -x -H ldap://dc-ip-here -D 'CN=username,DC=realmDomain,DC=realmTLD' -W -b 'DC=realmDomain,DC=realmTLD' 'objectClass=*'"
+ - Dump all groups from LDAP: "ldapsearch -x -H ldap://dc-ip-here -D 'CN=username,DC=realmDomain,DC=realmTLD' -W -b 'DC=realmDomain,DC=realmTLD' 'objectClass=group'"
+
+ - If you're root on the domain-joined host:
+
+ - You can try dumping the SSSD cache:
+
+ - Using strings: "strings /var/lib/sss/db/cache_.ldb | grep -i ''"
+ - If strings not available, try using od: "od -An -S 1 /var/lib/sss/db/cache_.ldb | grep -i ''"
+ - If od not available, try grep standalone: "grep -iao '.*.*' /var/lib/sss/db/cache_.ldb | sed 's/[^[:print:]\r\t]/\n/g' | grep -iE '[ou|cn]=.*group.*' | grep -i '^CN='"
+
+ - You can transfer the SSSD TDB cache for local parsing
+
+ - Default file path: /var/lib/sss/db/cache_.tdb
+ - You can dump this file with tools such as "tdbtool" or "tdbdump"
+```
+
+
+
+
+
+
+## **Network Configurations**
+
+
+ Network Interfaces
+
+```text
+Document here any interesting / additional interfaces:
+
+- Windows
+ - "ipconfig" or "Get-NetAdapter" output
+
+- *nix
+ - "ip address" or "ifconfig" output
+```
+
+
+
+
+
+
+ Open Ports
+
+```text
+Document here any ports listening on loopback or not available to the outside:
+
+- Windows
+ - "netstat -ano | findstr /i listening" or "Get-NetTCPConnection -State Listen" output
+
+- *nix
+ - "netstat -tanup | grep -i listen" or "ss -tanup | grep -i listen" output
+```
+
+
+
+
+
+
+ ARP Table
+
+```text
+If targeting a network and enumerating additional hosts...
+Document here:
+
+- Windows
+ - "arp -a" or "Get-NetNeighbor" output
+
+- *nix
+ - "ip neigh" or "arp -a" output
+```
+
+
+
+
+
+
+ Routes
+
+```text
+If targeting a network and enumerating additional hosts...
+Document here:
+
+- Windows
+ - "route print" or "Get-NetRoute" output
+
+- *nix
+ - "ip route" or "route" output
+```
+
+
+
+
+
+
+ Ping Sweep
+
+```text
+If the host has access to additional routes / interfaces:
+
+ - Look at the IP address space and network mask
+ - Find a ping sweep script that will work for the target network
+ - Or you could try:
+ - Transfering "nmap" or some other host discover tool to the host
+ - Set up a SOCKS proxy and try a port scan through the foothold
+```
+
+
+
+
+
+
+## **Processes and Services**
+
+
+ Interesting Processes
+
+```text
+First...
+Enumerate processes:
+
+- Windows
+ - "tasklist"
+ - "Get-Process"
+ - "Get-CimInstance -ClassName Win32_Process | Select-Object Name, @{Name = 'Owner' ; Expression = {$owner = $_ | Invoke-CimMethod -MethodName GetOwner -ErrorAction SilentlyContinue ; if ($owner.ReturnValue -eq 0) {$owner.Domain + '\' + $owner.User}}}, CommandLine | Sort-Object Owner | Format-List"
+
+- *nix
+ - "ps aux --sort user"
+
+Then...
+Document here:
+ - Any interesting processes run by users/administrators
+ - Any vulnerable applications
+ - Any intersting command line arguments visible
+```
+
+
+
+
+
+
+
+ Interesting Services
+
+```text
+- Windows
+ - First...
+ Enumerate services:
+ - "sc.exe query"
+ - Then "sc.exe qc "
+ - List the configuration for any interesting services
+ - "Get-CimInstance -ClassName Win32_Service | Select-Object Name, StartName, PathName | Sort-Object Name | Format-List"
+ - Then...
+ Check for things like:
+ - Vulnerable service versions
+ - Unquoted service path
+ - Service path permissions too open?
+ - Can you overwrite the service binary?
+ - DLL injection?
+
+- *nix
+ - First...
+ Enumerate services:
+ - "service --status-all" or "systemctl list-units --type=service --state=running"
+ - Then...
+ Check for things like:
+ - Vulnerable service versions
+ - Configuration files with passwords or other information
+ - Writable unit files
+ - One-liner to check for writable service unit files: `systemctl list-units --state=running --type=service | grep '\.service' | awk -v FS=' ' '{print $1}' | xargs -I % systemctl status % | grep 'Loaded:' | cut -d '(' -f 2 | cut -d ';' -f 1 | xargs -I % find % -writable 2>/dev/null`
+ - Writable service binaries
+
+Then...
+Document here:
+ - Any interesting services or vulnerabilities
+ - Any vulnerable service versions
+ - Any intersting configuration files
+```
+
+
+
+
+
+
+## **Scheduled Tasks**
+
+
+ Interesting Scheduled Tasks
+
+```text
+First...
+Enumerate scheduled tasks:
+
+- Windows
+ - schtasks /QUERY /FO LIST /V | findstr /i /c:"taskname" /c:"run as user" /c:"task to run"
+ - Get-CimInstance -Namespace Root/Microsoft/Windows/TaskScheduler -ClassName MSFT_ScheduledTask | Select-Object TaskName, @{Name = 'User' ; Expression = {$_.Principal.UserId}}, @{Name = 'Action' ; Expression = {($_.Actions.Execute + ' ' + $_.Actions.Arguments)}} | Format-List
+
+- *nix
+ - "crontab -l"
+ - "cat /etc/cron* 2>/dev/null"
+ - "cat /var/spool/cron/crontabs/* 2>/dev/null"
+
+Then...
+Document here:
+ - Any interesting scheduled tasks
+ - Any writable paths in the scheduled task
+ - Any intersting command line arguments visible
+```
+
+
+
+
+
+
+## **Interesting Files**
+
+ C:\InterestingDir\Interesting-File1.txt
+
+```text
+- Windows
+ - Check for writable scripts, writable directories
+ - Check for configuration files with passwords and other interesting info
+ - Check for scripts with external dependencies that can be overwritten or changed
+ - Some interesting places to check
+ - Check PATH variable for current user for possible interesting locations
+ - Also check for hidden items
+ - I reference %SYSTEMDRIVE%, as C: is not always the system volume
+ - %SYSTEMDRIVE%\interesting_folder
+ - %SYSTEMDRIVE%\Users\user_name
+ - Desktop, Downloads, Documents, .ssh, etc
+ - AppData (may also have some interesting things in Local, Roaming)
+ - %SYSTEMDRIVE%\Windows\System32\drivers\etc\hosts
+ - %SYSTEMDRIVE%\inetpub
+ - %SYSTEMDRIVE%\Program Files\program_name
+ - %SYSTEMDRIVE%\Program Files (x86)\program_name
+ - %SYSTEMDRIVE%\ProgramData
+ - %SYSTEMDRIVE%\Temp
+ - %SYSTEMDRIVE%\Windows\Temp
+ - Check the Registry for passwords, configurations, interesting text
+ - HKEY_LOCAL_MACHINE or HKLM
+ - HKEY_CURRENT_USER or HKCU
+ - Search the HKLM hive recursively for the word 'password'
+ - "reg query HKLM /f password /t REG_SZ /s"
+
+- *nix
+ - Check for SUID binaries
+ - "find / -type f -perm /4000 -exec ls -l {} \; 2>/dev/null"
+ - Check for writable scripts, writable directories
+ - Check for configuration files with passwords and other interesting info
+ - Check for scripts with external dependencies that can be overwritten or changed
+ - Use strings on interesting binaries to check for relative binary names and $PATH hijacking
+ - Some interesting places to check (check for hidden items)
+ - Check PATH variable for current user for possible interesting locations
+ - /interesting_folder
+ - /home/user_name
+ - Desktop, Downloads, Documents, .ssh, etc.
+ - /var/www/interesting_folder
+ - /var/mail/user_name
+ - /opt/interesting_folder
+ - /usr/local/interesting_folder
+ - /usr/local/bin/interesting_folder
+ - /usr/local/share/interesting_folder
+ - /etc/hosts
+ - /tmp
+ - /mnt
+ - /media
+ - /etc
+ - Look for interesting service folders
+ - Check for readable and/or writable configuration files
+ - May find cleartext passwords
+```
+
+
+
+
+
+
+
+ /opt/interesting_dir/interesting-file2.txt
+
+```text
+Add full file contents
+Or snippet of file contents
+```
+
+
+
+
+
+
+
+
+# **Privilege Escalation**
+Document here:
+* Exploit used (link to exploit)
+* Explain how the exploit works
+* Any modified code (and why you modified it)
+* Proof of privilege escalation (screenshot showing ip address and privileged username)
+
+
+
+
+
+
+# **Persistence**
+Document here how you set up persistence on the target
+
+
+
+
+
+
+# **Flags**
+
+
+ User
+
+```text
+Flag here
+```
+
+
+
+
+
+ Root
+
+```text
+Flag here
+```
+
+
+
+
+