Note Taking & Reporting For OSCP

Directory Structure for the Exam

pwk/
├── connection/
│   └── OS-39215-PWK.ovpn
│
├── docs/
│   ├── OS-39215 Course Material.pdf
│   └── OS-39215 Lab Exercise Report.pdf
│
├── exercises/
│   ├── 1.1.1-dns-zone-transfer.sh
│   ├── 2.2.1-ips.txt
│   └── etc...
│
└── lab/
    ├── completion_log.txt
    ├── credentials.txt
    ├── passwords.txt
    ├── unames.txt
    └── PUBLIC/
        └── 255-TEDDY/
            ├── 10.1.1.255.txt
            ├── exploit.sh
            └── post-enum/
                ├── get-root.txt
                └── hashdump.txt

  • All documents are kept within the pwk/ directory.

  • The lab/ directory holds the "global files": files you will keep reaching for during the entirety of the lab.

  • PUBLIC/ represents a subnet within PWK. Once you have exploited a machine that sits on multiple subnets and pivoted into them, you will have an ADMIN/ and an IT/ directory as well.

  • Within the subnet directory (PUBLIC/), there will be another directory that is named after the IP address and the hostname. This denotes a specific machine that is being attacked. Everything related to this machine is under this directory.

  • Within the specific target machine directory, there will be a <ip address>.txt file. This is the "notes" file that will be a collection of everything I tried and thought. In this directory, there will also be only relevant code and files that helped lead to the exploitation of the machine.

  • The post-enum/ folder is where goodies/loot go. It stores interesting files, network information, or hashdumps, but the most important file in this folder is get-root.txt. This is a "1-N steps to re-root the box" list and it is EXTREMELY important. There will be times when you need to go back to a box that you already rooted, and taking the time to scratch this together will save you countless hours. Here is a sample get-root.txt file:

Global Files

These 4 important files are kept in the lab/ directory:

  • completion_log.txt

  • credentials.txt

  • unames.txt

  • passwords.txt

  1. completion_log.txt - This file is used to keep track of progress. In this file, put the IP and hostname of the machine, the date I achieved root/SYSTEM on it, and a super broad explanation of how I did so. For example: .255 (TEDD) 07/19 lfi on custom webapp, scheduled task overwrite . It doesn't need to be specific, but with this information you can remember the machine better. If you look here first, you can dive into the notes with a better understanding of the overarching structure.

  2. credentials.txt - This file will keep all of the credentials you find. Even if it is admin:admin, you log it here. Here is an example entry: admin:pass # .255 (TEDDY) - http://10.11.1.255/admin/ . You should be able to grep this file or look here for basic logins for particular machines.

  3. unames.txt and passwords.txt - These "Global Files" are custom wordlists. Every time you find a username or a password, you append it to the corresponding file. You can then use these files if you need to brute-force things with hydra or other crackers. Password reuse IS a thing in PWK, so make sure you take advantage of it from the start. I would recommend putting this list through something that will strip out the duplicates before cracking, as there is no reason to try the same password more than once: awk '!seen[$0]++' unames.txt && awk '!seen[$0]++' passwords.txt (this prints the deduplicated list to stdout, so redirect it into a new file rather than back onto the input).
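The global-file workflow above (one credentials.txt to grep, plus unames.txt and passwords.txt as append-only wordlists that are deduplicated before cracking) can be scripted so that a single command records a finding in all three places. The following is an added example written for this page, not code from the original post; the function names add_cred, unique_wordlist and creds_for, the use of a temporary directory as LAB_DIR, and the sample credential entries are all assumptions/constructed for illustration (the .255 (TEDDY) tag and the admin URL are the ones quoted above).

```shell
#!/bin/sh
# Added example: helpers for the lab/ "global files" convention described above.
# Not part of the original post. LAB_DIR defaults to a temp directory so the
# script can be run safely anywhere; point it at pwk/lab in practice.
LAB_DIR="${LAB_DIR:-$(mktemp -d)}/lab"
mkdir -p "$LAB_DIR"

# add_cred USER PASS HOST_TAG SOURCE
# Appends "user:pass # host - source" to credentials.txt and the username and
# password to the unames.txt / passwords.txt wordlists in one step.
add_cred() {
    user="$1"; pass="$2"; tag="$3"; src="$4"
    printf '%s:%s # %s - %s\n' "$user" "$pass" "$tag" "$src" >> "$LAB_DIR/credentials.txt"
    printf '%s\n' "$user" >> "$LAB_DIR/unames.txt"
    printf '%s\n' "$pass" >> "$LAB_DIR/passwords.txt"
}

# unique_wordlist FILE
# Prints FILE with duplicate lines removed, keeping the first occurrence so the
# original order is preserved (same awk idiom as in the post). Output goes to
# stdout; redirect it to a new file, never back onto the input.
unique_wordlist() {
    awk '!seen[$0]++' "$1"
}

# creds_for TAG
# Fixed-string grep of credentials.txt for one machine tag, e.g. ".255".
creds_for() {
    grep -F -- "$1" "$LAB_DIR/credentials.txt"
}

# count_lines FILE: line count as a bare number (portable across wc variants)
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# Constructed sample entries (not real lab data). Note the reused password on
# a second host, which is exactly what the deduplicated wordlists are for.
add_cred admin admin        ".255 (TEDDY)" "http://10.11.1.255/admin/"
add_cred tom   "Winter2020!" ".255 (TEDDY)" "config.php"
add_cred admin "Winter2020!" ".240 (HYPOTHETICAL)" "ssh"

# Build the deduplicated lists to feed to hydra or a cracker.
unique_wordlist "$LAB_DIR/unames.txt"    > "$LAB_DIR/unames.uniq.txt"
unique_wordlist "$LAB_DIR/passwords.txt" > "$LAB_DIR/passwords.uniq.txt"

echo "raw usernames: $(count_lines "$LAB_DIR/unames.txt"), unique: $(count_lines "$LAB_DIR/unames.uniq.txt")"
echo "raw passwords: $(count_lines "$LAB_DIR/passwords.txt"), unique: $(count_lines "$LAB_DIR/passwords.uniq.txt")"
creds_for ".255"
```

Running it against the three constructed entries leaves three raw lines but two unique lines in each wordlist, and creds_for ".255" returns only the two TEDDY entries, which is the grep-by-machine lookup the post describes.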

Report Writing

Use CherryTree and the following structure for the report:

Grab only relevant screenshots and try to show only output you think is relevant. I created the following alias: alias sc='gnome-screenshot -ac' and mapped it to a hotkey. This made it very easy to screen-grab a region and paste it directly into CherryTree.
