# Note Taking & Reporting For OSCP

## Directory Structure for the Exam

```
pwk/
├── connection/
│   └── OS-39215-PWK.ovpn
│
├── docs/
│   ├── OS-39215 Course Material.pdf
│   └── OS-39215 Lab Exercise Report.pdf
│
├── exercises/
│   ├── 1.1.1-dns-zone-transfer.sh
│   ├── 2.2.1-ips.txt
│   └── etc...
│
└── lab/
    ├── completion_log.txt
    ├── credentials.txt
    ├── passwords.txt
    ├── unames.txt
    └── PUBLIC/
        └── 255-TEDDY/
            ├── 10.1.1.255.txt
            ├── exploit.sh
            └── post-enum/
                ├── get-root.txt
                └── hashdump.txt
```

* All documents are kept within the `pwk/` directory.
* The `lab/` directory holds the "global files": files you will keep going back to for the entirety of the lab.
* `PUBLIC/` represents a subnet within PWK.  As you pivot into the lab's other subnets you will also end up with an `ADMIN/` and an `IT/` directory.
* Within the subnet directory (`PUBLIC/`) there is one directory per machine, named after the last octet of the IP address and the hostname (`255-TEDDY/`).  This denotes a specific machine that is being attacked.  **Everything** related to this machine goes under this directory.
* Within the target machine directory there is an `<ip address>.txt` file.  This is the "notes" file: a running collection of everything I tried and thought.  Alongside it keep **only the relevant code** and files that helped lead to the exploitation of the machine.
* The `post-enum/` folder is where goodies/loot go: interesting files, network information, or hashdumps.  The most important file in this folder is `get-root.txt`, a "1-N steps to re-root the box" list, and it is EXTREMELY important.  There will be times when you need to go back to a box you already rooted, and taking the time to scratch this together will save you countless hours.  Here is a sample `get-root.txt` file:

```
1) start a reverse shell listener on port 443:
root@hello:255-TEDDY# nc -nvlp 443

2) go to the following url and login:
http://10.11.1.255:8080/manager/html/upload     tomcat:tomcat

3) upload `burmat.war` using the "WAR file to deploy" feature

4) navigate to: http://10.11.1.255:8080/burmat
```
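A small helper that scaffolds the per-target layout described above, added here as an example (it is not part of the original notes; the function name `new_target` and the headings written into the notes file are my own choice). It creates the `<octet>-<HOSTNAME>/` directory under the subnet, the `<ip>.txt` notes file with one heading per report section, and an empty `post-enum/get-root.txt`, and it refuses to overwrite a notes file that already exists.

```shell
#!/bin/sh
# Hypothetical helper (added example, not from the original notes): scaffold
# the per-target directory layout under a lab root.
#
# usage: new_target <lab_dir> <subnet> <ip> <hostname>
#   new_target pwk/lab PUBLIC 10.11.1.255 TEDDY
# creates pwk/lab/PUBLIC/255-TEDDY/10.11.1.255.txt, post-enum/ and an empty
# post-enum/get-root.txt, then prints the target directory path.

new_target() {
    lab="$1"; subnet="$2"; ip="$3"; host="$4"
    last="${ip##*.}"                     # last octet: 10.11.1.255 -> 255
    dir="$lab/$subnet/$last-$host"
    notes="$dir/$ip.txt"
    if [ -e "$notes" ]; then
        echo "refusing to overwrite existing notes file $notes" >&2
        return 1
    fi
    mkdir -p "$dir/post-enum"
    # The notes skeleton mirrors the report sections, so every finding is
    # already filed under the heading it will be written up in.
    cat > "$notes" <<EOF
# $ip ($host) - $subnet
## Enumeration
## Exploitation
## Elevation
## Loot
EOF
    : > "$dir/post-enum/get-root.txt"
    printf '%s\n' "$dir"
}

# Demo in a temporary directory (constructed sample values).
demo() {
    d=$(mktemp -d)
    new_target "$d/lab" PUBLIC 10.11.1.255 TEDDY
    find "$d/lab" | sort
    rm -rf "$d"
}

demo
```

Running it once per new box keeps the directory names consistent, which matters when you later `grep` across `lab/` for an IP or hostname.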

## Global Files

These 4 important files are kept in the `lab/` directory:

* completion\_log.txt
* credentials.txt
* unames.txt
* passwords.txt

1. **completion\_log.txt** - This file is used to keep track of progress.  For each machine, put in its IP and hostname, the date I achieved root/SYSTEM on it, and a very broad explanation of how I did so.  For example: `.255 (TEDDY) 07/19 lfi on custom webapp, scheduled task overwrite`.  It doesn't need to be specific, but with this information you can remember the machine better.  If you look here first, you can dive into the notes with a better understanding of the overarching structure.
2. **credentials.txt** - This file keeps all of the credentials you find.  Even if it is `admin:admin`, you log it here.  Here is an example entry: `admin:pass # .255 (TEDDY) - http://10.11.1.255/admin/`.  You should be able to grep this file or look here for basic logins for particular machines.
3. **unames.txt** and **passwords.txt** - These "global files" are custom wordlists.  Every time you find a username or a password, append it to the corresponding file.  You can then use these files when you need to brute-force things with hydra or other crackers.  Password reuse **IS** a thing in PWK, so make sure you take advantage of it from the start.  I would recommend running each list through something that strips out the duplicates before cracking, as there is no reason to try the same password more than once (`awk '!seen[$0]++' unames.txt && awk '!seen[$0]++' passwords.txt` prints each list with duplicates removed, keeping the first occurrence).
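The following is an added example (not from the original notes) that ties the three files together: it rebuilds `unames.txt` and `passwords.txt` from the `user:pass # comment` entries in `credentials.txt`, keeping anything already in the wordlists, and deduplicates with the same `awk '!seen[$0]++'` idiom. The function names (`rebuild_wordlists`, `cred_user`, `cred_pass`, `dedup`) and the sample credentials are my own; the one edge case worth handling is a password that itself contains a colon, so the split happens on the first colon only after the trailing comment has been stripped.

```shell
#!/bin/sh
# Hypothetical helper (added example, not from the original notes): rebuild
# the global unames.txt / passwords.txt wordlists from credentials.txt.
#
# credentials.txt lines follow the format used above:
#   user:pass # .255 (TEDDY) - http://10.11.1.255/admin/
# The trailing " # comment" is stripped first, then the line is split on the
# FIRST colon only, so a password containing ':' survives intact.  A password
# containing " # " would be truncated; that is a limitation of the format.

# Print the lines of a file with duplicates removed (first occurrence wins).
dedup() {
    awk '!seen[$0]++' "$1"
}

# Username part of one credentials line: drop the comment, cut at first ':'.
cred_user() {
    printf '%s\n' "$1" | sed -e 's/ *# .*$//' -e 's/:.*$//'
}

# Password part of one credentials line: drop the comment, keep after first ':'.
cred_pass() {
    printf '%s\n' "$1" | sed -e 's/ *# .*$//' -e 's/^[^:]*://'
}

# usage: rebuild_wordlists credentials.txt unames.txt passwords.txt
# Existing wordlist entries are kept (hand-added guesses survive), new
# credentials are appended, and both files are rewritten deduplicated.
rebuild_wordlists() {
    creds="$1"; unames="$2"; passwords="$3"
    tmp_u="$unames.tmp"; tmp_p="$passwords.tmp"
    : > "$tmp_u"; : > "$tmp_p"
    if [ -f "$unames" ]; then cat "$unames" >> "$tmp_u"; fi
    if [ -f "$passwords" ]; then cat "$passwords" >> "$tmp_p"; fi
    # Skip blank lines, comment-only lines and lines without a user:pass pair.
    grep -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$creds" |
    while IFS= read -r line; do
        case "$line" in
            *:*) cred_user "$line" >> "$tmp_u"
                 cred_pass "$line" >> "$tmp_p" ;;
        esac
    done
    dedup "$tmp_u" > "$unames"
    dedup "$tmp_p" > "$passwords"
    rm -f "$tmp_u" "$tmp_p"
}

# Demo on constructed sample data in a temporary directory.
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        'admin:pass # .255 (TEDDY) - http://10.11.1.255/admin/' \
        'tomcat:tomcat # .255 (TEDDY) - tomcat manager' \
        'admin:pass # .254 (constructed) - reused password, must not repeat' \
        'svc:p:w:d # constructed - password containing colons' \
        '' \
        '# a comment-only line is ignored' > "$d/credentials.txt"
    rebuild_wordlists "$d/credentials.txt" "$d/unames.txt" "$d/passwords.txt"
    echo "== unames.txt ==";    cat "$d/unames.txt"
    echo "== passwords.txt =="; cat "$d/passwords.txt"
    rm -rf "$d"
}

demo
```

Because the wordlists are rewritten in first-seen order, the credentials you found earliest in the lab stay at the top, which is the order you usually want a cracker to try them in.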

## Report Writing

Use CherryTree and the following structure for the report:

```
1.0 - High Level Summary
    1.1 - Host Summary:
        > hostname, IP, OS, ports open / services on them
        
    1.2 - Attack Surface Summary
        > high level overview of exploitable services / potential
        
    1.3 - Exploitation Summary
        > high level overview of the services you exploited

2.0 - Methodology and Walkthrough
    2.1 - Enumeration
        > scans and initial discovery
        
    2.2 - Exploitation
        > gaining a shell
        
    2.3 - Elevation
        > methods used to gain SYSTEM / root

3.0 - Loot and Code
    3.1 - Proof
        > screenshot of whoami, ip, and flag
        
    3.2 - Code Used
        > full exploit code with source and highlights of changes
```

Grab only relevant screenshots and try to show only the output you think is relevant.  I used the following alias: `alias sc='gnome-screenshot -ac'` and mapped it to a hotkey.  This made it very easy to screen-grab and paste directly into CherryTree.
