code/
folder as well as a software/
folder. You might see them referenced going forward. code/
is a place I keep random scripts and exploit code, while software/
is a place where I clone repositories and install software. Using aliases to go directly to them makes it incredibly easy to navigate to them and do work:cd /to/that/long/share/path/
. I will touch more on them in a bit..pwk/
lab/
directory has a few files in the root of it, before dropping into the PUBLIC/
directory. These files were incredibly important, and I will refer to them as "Global Files" when I outline their use in the next portionPUBLIC/
represents a subnet within PWK. By the end of the lab, you should have an ADMIN/
and an IT/
directory as well.PUBLIC/
), I have another folder that is named after the last octet of the IP address and the hostname. This denotes a machine I am attacking. Everything related to this machine is under this directory.<ip address>.txt
file. This is my "notes" file and will be a collection of everything I tried and thought. In this directory, I also have only relevant code and files that helped lead to the exploitation of this machine.post-enum/
folder is where goodies/loot go. I might keep interesting files, network information, or hashdumps here, but the most important file in this folder is called get-root.txt
. This is a "1 - N steps to re-root the box" and I cannot stress how important this file was to me. There are many times you will need to go back to a box you have already rooted, and taking the time to scratch this together will save you countless hours when it happens. Here is a sample of what that file might look like:lab/
directory:.255 (TEDDY) 07/19 lfi on custom webapp, scheduled task overwrite
. It's not incredibly specific, but with this information you might be able to remember the machine better. If you look here first, you can dive into your notes with a better understanding of what points are meaningful.admin:admin
, you log it here. Here is a sample entry from my file: admin:pass # .255 (TEDDY) - http://10.11.1.255/admin/
. Similar to completion_log.txt, this file is supposed to be broad, but also point you directly to something. You should be able to grep
this file or look here for even the most basic logins for particular machines. It also helps you locate where a given password was found. Which leads me into...hydra
or other crackers. Password reuse IS a thing in PWK so make sure you take advantage of it from the start. I would recommend putting this list through something that will strip out the duplicates before cracking, as there is no reason to try the same password more than once (awk '!seen[$0]++' unames.txt && awk '!seen[$0]++' passwords.txt
should do it). /etc/profile.d/00-aliases.sh
. Below are some of the ones I rely on pretty consistently:xp_cmdshell
. However, I remember activating and using xp_cmdshell
on a prior lab machine. Running the following commands puts me in pretty good shape:grep
to recursively search all files for a specific term ("xp_cmdshell"), and I'm going back to the machine directory I was in prior to running gopwk
. This is a perfect summary of how all of what you just read ties together:xp_cmdshell
and create an administrator user "burmat". I also have clear indication on what boxes I have used this for and what their IP's are. I even have 2 records in the completion_log.txt file where I actively used this to elevate to SYSTEM.meterpreter
payloads if I had to. By the end of my ~55 days in the lab and the exam, I had rooted 30/50(ish?) machines and had low-privileged shells on about 5 more. I only did 1.5/4 of the "big-four" (hard) machines and I only had pivoted into one other subnet. I used MSF to launch a total of three exploits. Additionally, I only used full meterpreter
payloads for post-enumeration (to hasten hashdumps and search for loot off of flakey reverse shells). route
, but now what? I would recommend scanning the entire subnet trying to find the DNS server. Once you have the DNS server, you can leverage it to get the hostnames on your scans as well: snmpwalk
for you, and run things like nikto
on your behalf. I'm only naming a few of the features that make this tool great, but my favorite is that Sparta has the ability to save all of this information to a single workspace file, capable of being loaded back up in seconds. This was a key piece to keeping my data organized, because often times I found myself leaving a host I was stuck on for days or weeks at a time. Coming back to a nice cozy group of scan results is an absolute pleasure.nmap -p161 -sU -sV -sC 10.11.1.XX
, so you don't really have an excuse to not check this port.bof 25 + easy 10 + lab work 5 = 40
). I felt incredibly confident, but I still had the remaining 3 boxes in front of me with 30 points to go.gobuster
, dirbuster
, and dirb
. Try not to fall down rabbit holes on the web directories, they do set a few up for you...alias sc='gnome-screenshot -ac'
and mapped it to a hotkey. This made it very easy to screen-grab and paste directly into CherryTree.