From 9631badff2fd91acb418dd98e5a04568c86fbad3 Mon Sep 17 00:00:00 2001 From: weyne85 Date: Wed, 22 May 2024 07:58:15 +0200 Subject: [PATCH] Create template.md --- template.md | 555 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 555 insertions(+) create mode 100644 template.md diff --git a/template.md b/template.md new file mode 100644 index 0000000..db516f6 --- /dev/null +++ b/template.md @@ -0,0 +1,555 @@ +# **Nmap Results** +```text +Nmap output here +``` + +
+
+
+
+ +# **Service Enumeration** + +## **TCP/00** +Document here: +* Screenshots (web browser, terminal screen) +* Service version numbers +* Document your findings when interacting with the service at various stages + +
+
+ +## **UDP/00** +Document here: +* Screenshots (web browser, terminal screen) +* Service version numbers +* Document your findings when interacting with the service at various stages + +
+
+
+
+ +# **Exploit** +Document +here: +* Exploit used (link to exploit) +* Explain how the exploit works against the service +* Any modified code (and why you modified it) +* Proof of exploit (screenshot of reverse shell with target IP address output) + +
+
+
+
+ +# **Post-Exploit Enumeration** +## **Operating Environment** +
+ OS & Kernel + +```text +Document here: + +- Windows + - "systeminfo" or "Get-ComputerInfo" output + +- *nix + - "uname -a" output + - "cat /etc/os-release" (or similar) output +``` + +
+ +
+
+ +
+ Current User + +```text +Document here: + +- Windows + - "whoami /all" output + +- *nix + - "id" output + - "sudo -l" output +``` + +
+ +
+
+ +## **Users and Groups** + +
+ Local Users + +```text +Document here any interesting username(s) after running the below commands: + +- Windows + - "net user" or "Get-LocalUser" output + - "net user " or "Get-LocalUser | Select-Object *" to enumerate details about specific users + - Can you dump and pass/crack hashes from SAM using your current access? + +- *nix + - "cat /etc/passwd" output +``` + +
+ +
+
+ +
+ Local Groups + +```text +Document here any interesting group(s) after running the below commands: + +- Windows + - "net localgroup" or "Get-LocalGroup" output + - "net localgroup " or "Get-LocalGroupMember | Select-Object *" to enumerate users of specific groups + +- *nix + - "cat /etc/group" output + - "cat /etc/group | grep " to check group memberships of specific users +``` + +
+ +
+
+ +
+ Domain Users + +```text +Document here any interesting username(s) after running the below commands: + +- Windows + - "net user /domain" or "Get-ADUser -Filter * -Properties *" output + - "net user /domain" or "Get-ADUser -Identity -Properties *" to enumerate details about specific domain users + - Not a local administrator and can't run PowerShell AD cmdlets? + - See here: https://notes.benheater.com/books/active-directory/page/powershell-ad-module-on-any-domain-host-as-any-user + - Can you dump and pass/crack local user / admin hashes from the SAM using your current access? + - Can you dump and pass/crack hashes from LSA using your current access? + +- *nix + - Check if joined to a domain + - /usr/sbin/realm list -a + - /usr/sbin/adcli info + + - No credential: + + - Check for log entries containing possible usernames + + - "find /var/log -type f -readable -exec grep -ail '' {} \; 2>/dev/null" + - Then, grep through each log file and remove any garbage from potential binary files: + + - Using strings: "strings /var/log/filename | grep -i ''" + - If strings not available, try using od: "od -An -S 1 /var/log/filename | grep -i ''" + - If od not available, try grep standalone: "grep -iao '.*.*' /var/log/filename" + + - Validate findings: + - Check if discovered usernames are valid: "getent passwd " + - If valid, check user group memberships: List "id " + - Check domain password and lockout policy for password spray feasibility + + - See "Domain Groups", as certain commands there can reveal some additional usernames + + - With a domain credential: + + - If you have a valid domain user credential, you can try "ldapsearch" + - Dump all objects from LDAP: "ldapsearch -x -H ldap://dc-ip-here -D 'CN=username,DC=realmDomain,DC=realmTLD' -W -b 'DC=realmDomain,DC=realmTLD' 'objectClass=*'" + - Dump all users from LDAP: "ldapsearch -x -H ldap://dc-ip-here -D 'CN=username,DC=realmDomain,DC=realmTLD' -W -b 'DC=realmDomain,DC=realmTLD' 'objectClass=account'" + + + - If you're 
root on the domain-joined host: + + - You can try best-effort dumping the SSSD cache: + + - Using strings: "strings /var/lib/sss/db/cache_.ldb | grep -iE '[ou|cn]=.*user.*'" | grep -iv 'disabled' | sort -u + - If strings not available, try using od: "od -An -S 1 /var/lib/sss/db/cache_.ldb | grep -iE '[ou|cn]=.*user.*'" | grep -iv 'disabled' | sort -u + - If od not available, try grep standalone: "grep -iao '.*.*' /var/lib/sss/db/cache_.ldb | sed 's/[^[:print:]\r\t]/\n/g' | grep -iE '[ou|cn]=.*user.*' | grep -iv disabled" + + - You can transfer the SSSD TDB cache for local parsing + + - Default file path: /var/lib/sss/db/cache_.tdb + - You can dump this file with tools such as "tdbtool" or "tdbdump" +``` + +
+ +
+
+ +
+ Domain Groups + +```text +Document here any interesting group(s) after running the below commands: + +- Windows + - "net group /domain" or "Get-ADGroup -Filter * -Properties *" output + - "net group /domain" or "Get-ADGroup -Identity | Get-ADGroupMember -Recursive" to enumerate members of specific domain groups + - Not a local administrator and can't run PowerShell AD cmdlets? + - See here: https://notes.benheater.com/books/active-directory/page/powershell-ad-module-on-any-domain-host-as-any-user + +- *nix + + - Check if joined to a domain + - /usr/sbin/realm list -a + - /usr/sbin/adcli info + + - No credential: + + - Enumerate default Active Directory security groups: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#default-active-directory-security-groups + + - "getent group 'Domain Admins@'" + - "getent group 'Domain Users@'" + - NOTE: "getent" will only return domain group members that have been cached on the local system, not all group members in the domain + - This can still build a substantial user list for password spraying (check domain password and lockout policy) + + - With a domain credential: + + - If you have a valid domain user credential, you can try "ldapsearch" + - Dump all objects from LDAP: "ldapsearch -x -H ldap://dc-ip-here -D 'CN=username,DC=realmDomain,DC=realmTLD' -W -b 'DC=realmDomain,DC=realmTLD' 'objectClass=*'" + - Dump all groups from LDAP: "ldapsearch -x -H ldap://dc-ip-here -D 'CN=username,DC=realmDomain,DC=realmTLD' -W -b 'DC=realmDomain,DC=realmTLD' 'objectClass=group'" + + - If you're root on the domain-joined host: + + - You can try dumping the SSSD cache: + + - Using strings: "strings /var/lib/sss/db/cache_.ldb | grep -i ''" + - If strings not available, try using od: "od -An -S 1 /var/lib/sss/db/cache_.ldb | grep -i ''" + - If od not available, try grep standalone: "grep -iao '.*.*' /var/lib/sss/db/cache_.ldb | sed 's/[^[:print:]\r\t]/\n/g' | grep -iE '[ou|cn]=.*group.*' | grep 
-i '^CN='" + + - You can transfer the SSSD TDB cache for local parsing + + - Default file path: /var/lib/sss/db/cache_.tdb + - You can dump this file with tools such as "tdbtool" or "tdbdump" +``` + +
+ +
+
+ +## **Network Configurations** + +
+ Network Interfaces + +```text +Document here any interesting / additional interfaces: + +- Windows + - "ipconfig" or "Get-NetAdapter" output + +- *nix + - "ip address" or "ifconfig" output +``` + +
+ +
+ +
+ Open Ports + +```text +Document here any ports listening on loopback or not available to the outside: + +- Windows + - "netstat -ano | findstr /i listening" or "Get-NetTCPConnection -State Listen" output + +- *nix + - "netstat -tanup | grep -i listen" or "ss -tanup | grep -i listen" output +``` + +
+ +
+ +
+ ARP Table + +```text +If targeting a network and enumerating additional hosts... +Document here: + +- Windows + - "arp -a" or "Get-NetNeighbor" output + +- *nix + - "ip neigh" or "arp -a" output +``` + +
+ +
+ +
+ Routes + +```text +If targeting a network and enumerating additional hosts... +Document here: + +- Windows + - "route print" or "Get-NetRoute" output + +- *nix + - "ip route" or "route" output +``` + +
+ +
+ +
+ Ping Sweep + +```text +If the host has access to additional routes / interfaces: + + - Look at the IP address space and network mask + - Find a ping sweep script that will work for the target network + - Or you could try: + - Transfering "nmap" or some other host discover tool to the host + - Set up a SOCKS proxy and try a port scan through the foothold +``` + +
+ +
+
+ +## **Processes and Services** + +
+ Interesting Processes + +```text +First... +Enumerate processes: + +- Windows + - "tasklist" + - "Get-Process" + - "Get-CimInstance -ClassName Win32_Process | Select-Object Name, @{Name = 'Owner' ; Expression = {$owner = $_ | Invoke-CimMethod -MethodName GetOwner -ErrorAction SilentlyContinue ; if ($owner.ReturnValue -eq 0) {$owner.Domain + '\' + $owner.User}}}, CommandLine | Sort-Object Owner | Format-List" + +- *nix + - "ps aux --sort user" + +Then... +Document here: + - Any interesting processes run by users/administrators + - Any vulnerable applications + - Any intersting command line arguments visible +``` + +
+ +
+
+ +
+ Interesting Services + +```text +- Windows + - First... + Enumerate services: + - "sc.exe query" + - Then "sc.exe qc " + - List the configuration for any interesting services + - "Get-CimInstance -ClassName Win32_Service | Select-Object Name, StartName, PathName | Sort-Object Name | Format-List" + - Then... + Check for things like: + - Vulnerable service versions + - Unquoted service path + - Service path permissions too open? + - Can you overwrite the service binary? + - DLL injection? + +- *nix + - First... + Enumerate services: + - "service --status-all" or "systemctl list-units --type=service --state=running" + - Then... + Check for things like: + - Vulnerable service versions + - Configuration files with passwords or other information + - Writable unit files + - One-liner to check for writable service unit files: `systemctl list-units --state=running --type=service | grep '\.service' | awk -v FS=' ' '{print $1}' | xargs -I % systemctl status % | grep 'Loaded:' | cut -d '(' -f 2 | cut -d ';' -f 1 | xargs -I % find % -writable 2>/dev/null` + - Writable service binaries + +Then... +Document here: + - Any interesting services or vulnerabilities + - Any vulnerable service versions + - Any intersting configuration files +``` + +
+ +
+
+ +## **Scheduled Tasks** + +
+ Interesting Scheduled Tasks + +```text +First... +Enumerate scheduled tasks: + +- Windows + - schtasks /QUERY /FO LIST /V | findstr /i /c:"taskname" /c:"run as user" /c:"task to run" + - Get-CimInstance -Namespace Root/Microsoft/Windows/TaskScheduler -ClassName MSFT_ScheduledTask | Select-Object TaskName, @{Name = 'User' ; Expression = {$_.Principal.UserId}}, @{Name = 'Action' ; Expression = {($_.Actions.Execute + ' ' + $_.Actions.Arguments)}} | Format-List + +- *nix + - "crontab -l" + - "cat /etc/cron* 2>/dev/null" + - "cat /var/spool/cron/crontabs/* 2>/dev/null" + +Then... +Document here: + - Any interesting scheduled tasks + - Any writable paths in the scheduled task + - Any intersting command line arguments visible +``` + +
+ +
+
+ +## **Interesting Files** +
+ C:\InterestingDir\Interesting-File1.txt + +```text +- Windows + - Check for writable scripts, writable directories + - Check for configuration files with passwords and other interesting info + - Check for scripts with external dependencies that can be overwritten or changed + - Some interesting places to check + - Check PATH variable for current user for possible interesting locations + - Also check for hidden items + - I reference %SYSTEMDRIVE%, as C: is not always the system volume + - %SYSTEMDRIVE%\interesting_folder + - %SYSTEMDRIVE%\Users\user_name + - Desktop, Downloads, Documents, .ssh, etc + - AppData (may also have some interesting things in Local, Roaming) + - %SYSTEMDRIVE%\Windows\System32\drivers\etc\hosts + - %SYSTEMDRIVE%\inetpub + - %SYSTEMDRIVE%\Program Files\program_name + - %SYSTEMDRIVE%\Program Files (x86)\program_name + - %SYSTEMDRIVE%\ProgramData + - %SYSTEMDRIVE%\Temp + - %SYSTEMDRIVE%\Windows\Temp + - Check the Registry for passwords, configurations, interesting text + - HKEY_LOCAL_MACHINE or HKLM + - HKEY_CURRENT_USER or HKCU + - Search the HKLM hive recursively for the word 'password' + - "reg query HKLM /f password /t REG_SZ /s" + +- *nix + - Check for SUID binaries + - "find / -type f -perm /4000 -exec ls -l {} \; 2>/dev/null" + - Check for writable scripts, writable directories + - Check for configuration files with passwords and other interesting info + - Check for scripts with external dependencies that can be overwritten or changed + - Use strings on interesting binaries to check for relative binary names and $PATH hijacking + - Some interesting places to check (check for hidden items) + - Check PATH variable for current user for possible interesting locations + - /interesting_folder + - /home/user_name + - Desktop, Downloads, Documents, .ssh, etc. 
+ - /var/www/interesting_folder + - /var/mail/user_name + - /opt/interesting_folder + - /usr/local/interesting_folder + - /usr/local/bin/interesting_folder + - /usr/local/share/interesting_folder + - /etc/hosts + - /tmp + - /mnt + - /media + - /etc + - Look for interesting service folders + - Check for readable and/or writable configuration files + - May find cleartext passwords +``` + +
+ +
+
+ +
+ /opt/interesting_dir/interesting-file2.txt + +```text +Add full file contents +Or snippet of file contents +``` + +
+ +
+
+
+
+ +# **Privilege Escalation** +Document here: +* Exploit used (link to exploit) +* Explain how the exploit works +* Any modified code (and why you modified it) +* Proof of privilege escalation (screenshot showing ip address and privileged username) + +
+
+
+
+ +# **Persistence** +Document here how you set up persistence on the target + +
+
+
+
+ +# **Flags** + +
+ User + +```text +Flag here +``` +
+ +
+ +
+ Root + +```text +Flag here +``` + +
+ +
+
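Review bot: The SSSD cache one-liners in the "Domain Users" and "Domain Groups" blocks have two defects. First, the pattern `'[ou|cn]=.*user.*'` is a bracket expression, so with `grep -iE` it matches any single character from the set `o u | c n` followed by `=`, not the intended `ou=` or `cn=` alternation; it should read `'(ou|cn)=.*user.*'` (and likewise `'(ou|cn)=.*group.*'`). Second, the closing double quote is placed mid-pipeline in `"strings /var/lib/sss/db/cache_.ldb | grep -iE '[ou|cn]=.*user.*'" | grep -iv 'disabled' | sort -u`, so a reader who copies the quoted part loses the `grep -iv` and `sort -u` stages; move the closing quote to the end of the pipeline. Related: several commands have lost their placeholders in the rendered markdown (`cache_.ldb`, `"net user "`, `"net localgroup "`, `grep -i ''`, `getent passwd `, `'Domain Admins@'`), most likely because angle-bracket placeholders such as a domain or username are swallowed as HTML; write them inside backticks or escape them so the reader knows what to fill in. Smaller points: "intersting" appears three times (Interesting Processes, Interesting Services, Scheduled Tasks), "Transfering" and "host discover tool" in the Ping Sweep block should be "Transferring" and "host discovery tool", and the "Document\nhere:" under "# **Exploit**" is split across two lines unlike every other section.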