apeiron@kali:~/fieldbook
TTY-04

Terminal Fieldbook

Kali workflows / lab exploitation notes / authorized targets only
Controlled environments only: owned VMs, CTF boxes, DVWA/Juice Shop, Metasploitable, lab hashes, and written authorization. No public targets. No stolen data.
01 / Network Recon Chain
apeiron@kali:~$ mkdir -p ops/target01/{scans,loot,notes}
apeiron@kali:~$ cd ops/target01

apeiron@kali:~/ops/target01$ ip -brief address
lo               UNKNOWN        127.0.0.1/8
eth0             UP             192.168.64.6/24

apeiron@kali:~/ops/target01$ ip route
default via 192.168.64.1 dev eth0
192.168.64.0/24 dev eth0 proto kernel scope link src 192.168.64.6

apeiron@kali:~/ops/target01$ nmap -sn 192.168.64.0/24 -oN scans/00-hosts.txt
Nmap scan report for 192.168.64.1
Host is up.
Nmap scan report for 192.168.64.6
Host is up.
Nmap scan report for target.lab
Host is up.

apeiron@kali:~/ops/target01$ nmap -sV -sC target.lab -oN scans/01-basic.txt
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH
80/tcp  open  http    Apache httpd
445/tcp open  smb     Samba smbd

apeiron@kali:~/ops/target01$ nmap -p- --min-rate 2500 -v target.lab -oN scans/02-fulltcp.txt
Discovered open port 22/tcp
Discovered open port 80/tcp
Discovered open port 445/tcp
Discovered open port 8080/tcp

apeiron@kali:~/ops/target01$ nmap -sV -sC -p 22,80,445,8080 target.lab -oN scans/03-deep.txt
# refine only confirmed ports, avoid wasting probes on dead space
Scan Logic
-sn     host discovery
-sV     service version detection
-sC     default NSE scripts
-p-     all 65535 TCP ports
-v      verbose; prints each "Discovered open port" line as it is found
-oN     normal report output

sequence:
discover → basic scan → full TCP → deep service scan
Operator Read
22/tcp  remote access surface
80/tcp  web attack surface
445/tcp SMB enumeration surface
8080/tcp alternate web/admin surface

Only continue against lab/owned targets.
02 / Web Surface Mapping
apeiron@kali:~/ops/target01$ curl -I http://target.lab
HTTP/1.1 200 OK
Server: Apache/2.4.x
X-Powered-By: PHP/7.x
Set-Cookie: PHPSESSID=lab-session

apeiron@kali:~/ops/target01$ whatweb http://target.lab
Apache, PHP, Cookies, HTML5, Login-Page

apeiron@kali:~/ops/target01$ mkdir -p scans/web

apeiron@kali:~/ops/target01$ gobuster dir -u http://target.lab -w /usr/share/wordlists/dirb/common.txt -o scans/web/gobuster-common.txt
/admin               (Status: 301)
/login               (Status: 200)
/uploads             (Status: 200)
/backup              (Status: 403)
/server-status       (Status: 403)
/robots.txt          (Status: 200)

apeiron@kali:~/ops/target01$ ffuf -u http://target.lab/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc 200,301,302,403 -o scans/web/ffuf.json
admin                  [Status: 301]
uploads                [Status: 200]
backup                 [Status: 403]
dev                    [Status: 302]

apeiron@kali:~/ops/target01$ curl http://target.lab/robots.txt
User-agent: *
Disallow: /backup
Disallow: /dev
Disallow: /admin

apeiron@kali:~/ops/target01$ nikto -h http://target.lab -o scans/web/nikto.txt
# misconfiguration sweep against controlled web target
Web Targets
/admin        authentication surface
/uploads      file-handling surface
/backup       sensitive directory candidate
/robots.txt   hidden-path clue source
/dev          staging/dev leak candidate
Next Probes
apeiron@kali:~$ curl -s http://target.lab/login | head
apeiron@kali:~$ grep -Ri "password" loot/ 2>/dev/null
apeiron@kali:~$ exiftool loot/* 2>/dev/null
# collect clues, do not attack public apps
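The curl -I output above leaks a Server version, an X-Powered-By banner and a session cookie with no flags, but the page does not turn that into findings. The following is an added example, not part of the fieldbook: a header triage function run over two constructed header blocks, the first mirroring the curl -I response shown above, the second a hardened version of it. The list of "expected" hardening headers is an assumption; over plain http the HSTS and Secure findings are recorded for the report and re-checked once the app is reached over https.

```bash
#!/usr/bin/env bash
# Added example, not from the fieldbook: triage a raw response header block
# as printed by `curl -I` or `curl -sD - -o /dev/null`. The header sets below
# are constructed; the first mirrors the curl -I output in the section above.

# header_findings  (headers on stdin)
# Flags version banners, session cookies missing Secure/HttpOnly, and the
# absence of common hardening headers (list is an assumption).
header_findings() {
  awk '
    { sub(/\r$/, "") }                       # curl output is CRLF-terminated
    /^[A-Za-z-]+:/ {
      name = tolower($1); sub(/:$/, "", name)
      val = $0; sub(/^[^:]+:[[:space:]]*/, "", val)
      seen[name] = 1
      # X-Powered-By is a leak on its own; Server only when it carries a version
      if (name == "x-powered-by" || (name == "server" && val ~ /[0-9]/))
        printf "%-10s %s %s\n", "info-leak", name, val
      if (name == "set-cookie") {
        lv = tolower(val)
        if (lv !~ /;[[:space:]]*httponly([[:space:]]*;|[[:space:]]*$)/)
          printf "%-10s %s\n", "cookie", "missing HttpOnly: " val
        if (lv !~ /;[[:space:]]*secure([[:space:]]*;|[[:space:]]*$)/)
          printf "%-10s %s\n", "cookie", "missing Secure: " val
      }
    }
    END {
      n = split("strict-transport-security content-security-policy x-content-type-options x-frame-options", want, " ")
      for (i = 1; i <= n; i++) if (!(want[i] in seen)) printf "%-10s %s\n", "missing", want[i]
    }'
}

# constructed: the lab response from the section above, plus one Content-Type line
SAMPLE_HEADERS=$(cat <<'EOF'
HTTP/1.1 200 OK
Server: Apache/2.4.x
X-Powered-By: PHP/7.x
Set-Cookie: PHPSESSID=lab-session
Content-Type: text/html; charset=UTF-8
EOF
)

# constructed: the same app with the banners stripped and the headers set
HARDENED_HEADERS=$(cat <<'EOF'
HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=lab-session; Path=/; Secure; HttpOnly; SameSite=Lax
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
EOF
)

echo "--- lab response ---"
printf '%s\n' "$SAMPLE_HEADERS" | header_findings
echo "--- hardened response ---"
printf '%s\n' "$HARDENED_HEADERS" | header_findings
```

Against a live lab host the same function runs as `curl -sD - -o /dev/null http://target.lab/login | header_findings`; the findings lines go straight into notes/ since they contain nothing beyond the headers the server already sent.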
03 / Password Audit Lab
apeiron@kali:~/hash-lab$ cat sample_hashes.txt
5f4dcc3b5aa765d61d8327deb882cf99
098f6bcd4621d373cade4e832627b4f6
25d55ad283aa400af464c76d713c07ad

apeiron@kali:~/hash-lab$ hashid sample_hashes.txt
[+] MD5     # 32 hex characters; hashid also lists the other 128-bit candidates, trimmed here

apeiron@kali:~/hash-lab$ john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt sample_hashes.txt
Loaded 3 password hashes
password         (?)
test             (?)
12345678         (?)

apeiron@kali:~/hash-lab$ john --show --format=raw-md5 sample_hashes.txt
?:password
?:test
?:12345678
3 password hashes cracked

apeiron@kali:~/hash-lab$ hashcat -m 0 sample_hashes.txt /usr/share/wordlists/rockyou.txt --status
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Recovered........: 3/3
Cracking Logic
1. identify hash type
2. choose correct mode
3. run controlled wordlist audit
4. record weak patterns
5. recommend stronger password policy

Do not use stolen/leaked hashes.
Hashcat Modes
-m 0       MD5
-m 100     SHA1
-m 1000    NTLM
-m 1400    SHA2-256
-a 0       straight attack
--status  live progress
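Two steps of the audit that the transcript above does by hand, as an added shell example that is not part of the fieldbook: generating the lab hash file from plaintexts you chose yourself (so the three hashes above can be rebuilt locally and no leaked material is ever needed), and turning the `john --show` output into the "weak patterns" record the audit ends with. The common-word list and the 12-character length threshold are assumptions standing in for whatever policy the report is written against.

```bash
#!/usr/bin/env bash
# Added example, not from the fieldbook: build the lab hash file from your own
# plaintexts, then classify what `john --show` recovered. Hashes are computed
# locally with md5sum. The COMMON list and the length threshold are assumptions.

COMMON="password 123456 12345678 qwerty admin letmein welcome test"

# md5_of <string>: raw MD5 hex of the string without a trailing newline,
# which is what john --format=raw-md5 and hashcat -m 0 expect
md5_of() { printf '%s' "$1" | md5sum | awk '{ print $1 }'; }

# make_lab_hashes: plaintexts on stdin, one per line -> lines for sample_hashes.txt
make_lab_hashes() { while IFS= read -r pw; do md5_of "$pw"; done; }

# weak_reasons <plaintext>: comma-separated reasons, or "none"
weak_reasons() {
  local pw="$1" r="" lower
  lower=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
  if [ "${#pw}" -lt 12 ]; then r="$r,short"; fi
  case $pw in *[![:digit:]]*) ;; *) r="$r,digits-only" ;; esac
  case $pw in *[![:lower:]]*) ;; *) r="$r,lowercase-only" ;; esac
  case " $COMMON " in *" $lower "*) r="$r,common-word" ;; esac
  [ -n "$r" ] || r=",none"
  printf '%s\n' "${r#,}"
}

# audit_cracked: `john --show` lines (user:password) on stdin -> "password  reasons".
# john's closing "N password hashes cracked, M left" line has no colon and is skipped.
audit_cracked() {
  local line pw
  while IFS= read -r line; do
    case $line in *:*) ;; *) continue ;; esac
    pw=${line#*:}
    printf '%-20s %s\n' "$pw" "$(weak_reasons "$pw")"
  done
}

# demo: rebuild the three lab hashes from the section above, then audit the cracked set
printf '%s\n' password test 12345678 | make_lab_hashes
printf '%s\n' '?:password' '?:test' '?:12345678' '3 password hashes cracked, 0 left' | audit_cracked
```

In the lab flow this is `printf '%s\n' password test 12345678 | make_lab_hashes > sample_hashes.txt` before john runs, and `john --show --format=raw-md5 sample_hashes.txt | audit_cracked >> notes/password-audit.txt` after it; the recorded reasons, not the plaintexts, are what the policy recommendation cites.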
04 / Linux Enumeration After Foothold
www-data@target:/var/www/html$ whoami && id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)

www-data@target:/var/www/html$ hostname && uname -a
target
Linux target 5.x.x x86_64 GNU/Linux

www-data@target:/var/www/html$ ip a && ip route
eth0: 192.168.56.110/24
default via 192.168.56.1

www-data@target:/var/www/html$ ss -tulnp 2>/dev/null
tcp LISTEN 0 128 0.0.0.0:22
tcp LISTEN 0 128 0.0.0.0:80
tcp LISTEN 0 80 127.0.0.1:3306

www-data@target:/var/www/html$ find /var/www -type f -name "*.php" 2>/dev/null | head
/var/www/html/config.php
/var/www/html/login.php
/var/www/html/upload.php

www-data@target:/var/www/html$ grep -Ri "password\|passwd\|db_" /var/www 2>/dev/null
/var/www/html/config.php:$db_pass='lab-password';
Enumeration Questions
user: who am I?
groups: what permissions do I inherit?
kernel: old/vulnerable?
network: internal-only services?
webroot: credentials or configs?
sudo: allowed commands?
files: writable paths?
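The "webroot: credentials or configs?" question is answered above with a bare grep that prints the secret itself, which is exactly what the Do Not Publish list says must never reach notes/. The following is an added shell example, not the fieldbook's code: the same sweep restricted to config-like files, with line numbers, and with the value masked so the finding can be recorded without copying the credential. The keyword list is an assumption, and the config.php in the demo is constructed to match the hit shown above.

```bash
#!/usr/bin/env bash
# Added example, not from the fieldbook: sweep a webroot for credential-looking
# assignments and print them with the value masked, so the finding can go into
# notes/ without the secret. The keyword list is an assumption.

# creds_redacted <dir>
# Prints "file:line: <key part> <redacted>" for each matching line in
# config-like files under <dir>. The value is everything after the first
# '=' or ':' (or, for define('KEY', 'value') style lines, after the first comma).
creds_redacted() {
  local root="${1:-/var/www}"
  find "$root" -type f \( -name '*.php' -o -name '*.env' -o -name '*.ini' \
       -o -name '*.yml' -o -name '*.yaml' -o -name '*.json' -o -name '*.conf' \) \
       -exec awk '
    tolower($0) ~ /(pass|pwd|secret|token|api_?key|db_)/ {
      line = $0
      if (match(line, /[=:]/) || match(line, /,/))
        line = substr(line, 1, RSTART) " <redacted>"
      printf "%s:%d: %s\n", FILENAME, FNR, line
    }' {} +
}

# demo on a constructed webroot (mirrors the config.php hit in the section above)
demo=$(mktemp -d)
cat > "$demo/config.php" <<'EOF'
<?php
$db_host='127.0.0.1';
$db_user='app';
$db_pass='lab-password';
define('API_TOKEN', 'lab-token');
EOF
creds_redacted "$demo"
rm -rf "$demo"
```

On the box this is `creds_redacted /var/www > /tmp/creds.txt`; the unmasked value is read once, used, and never pasted anywhere.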
05 / Privilege Escalation Vector Checks
www-data@target:/tmp$ sudo -l
Sorry, user www-data may not run sudo on target.

www-data@target:/tmp$ find / -perm -4000 -type f 2>/dev/null
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/find
/usr/bin/bash

www-data@target:/tmp$ find / -writable -type d 2>/dev/null | head
/tmp
/var/tmp
/dev/shm
/opt/scripts

www-data@target:/tmp$ cat /etc/crontab
* * * * * root /opt/scripts/backup.sh

www-data@target:/tmp$ ls -la /opt/scripts/backup.sh
-rwxrwxrwx 1 root root 124 May 18 04:00 backup.sh

# lab interpretation: writable root-executed script is an escalation candidate
Vector Order
sudo -l
SUID binaries
cron jobs
writable root scripts
credentials in configs
PATH hijack checks
internal services
kernel research
Do Not Publish
real credentials
real private IPs
private tokens
real client data
working abuse scripts
unauthorized target details
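The cron step of the vector list, as an added shell example that is not the fieldbook's code and reports only (it changes nothing, so it stays on the right side of the Do Not Publish list). It parses a crontab in /etc/crontab format (min hour dom mon dow user command, or @reboot-style user command) and, for every command cron runs as root, reports whether the current user can write the executable, can write its directory (the file could be swapped out), or whether the command is a bare name resolved through PATH. Run it as the foothold user: for root, -w is always true and the output says nothing. The crontab in the demo is constructed around the backup.sh case above.

```bash
#!/usr/bin/env bash
# Added example, not from the fieldbook: the cron check from the vector list
# as a report-only function. Reads /etc/crontab format. Run as the foothold
# user, not root. The crontab used by the demo is constructed.

# check_root_cron [crontab]
# For every command cron runs as root, report whether the current user can
# write the executable, write its directory, or whether it is a relative name.
check_root_cron() {
  local crontab="${1:-/etc/crontab}" tab user exe dir
  [ -r "$crontab" ] || { echo "cannot read $crontab" >&2; return 1; }
  tab=$(printf '\t')
  awk '
    NF == 0 || $1 ~ /^#/ || $1 ~ /=/ { next }        # blanks, comments, VAR=value
    $1 ~ /^@/ && NF >= 3 { print $2 "\t" $3; next }  # @reboot user command
    NF >= 7 { print $6 "\t" $7 }                     # user, first word of command
  ' "$crontab" |
  while IFS=$tab read -r user exe; do
    [ "$user" = "root" ] || continue
    case $exe in
      /*) ;;
      *)  printf 'cron-target  %s  relative command (PATH hijack candidate)\n' "$exe"; continue ;;
    esac
    dir=$(dirname "$exe")
    if [ -w "$exe" ]; then
      printf 'cron-target  %s  writable by %s\n' "$exe" "$(id -un)"
    elif [ ! -e "$exe" ] && [ -w "$dir" ]; then
      printf 'cron-target  %s  missing, and %s is writable\n' "$exe" "$dir"
    elif [ -w "$dir" ]; then
      printf 'cron-target  %s  not writable, but %s is (file replaceable)\n' "$exe" "$dir"
    fi
  done
}

# demo: constructed crontab with a world-writable root script, a non-root job
# that must not be reported, and a relative @reboot command
demo=$(mktemp -d)
mkdir -p "$demo/opt/scripts"
printf '#!/bin/sh\necho backup\n' > "$demo/opt/scripts/backup.sh"
chmod 777 "$demo/opt/scripts/backup.sh"
cat > "$demo/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user command
* * * * * root $demo/opt/scripts/backup.sh
*/5 * * * * www-data $demo/opt/scripts/backup.sh
@reboot root cleanup.sh
EOF
check_root_cron "$demo/crontab"
rm -rf "$demo"

# real run against the host crontab, silent if it does not exist
check_root_cron /etc/crontab 2>/dev/null || true
```

The same function can be pointed at each file under /etc/cron.d; the per-user crontabs in /var/spool/cron have no user field and are out of scope for it.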
06 / Recon Automation Skeleton
#!/bin/bash
# recon-chain.sh: organize recon artifacts for one authorized lab target.
# usage: ./recon-chain.sh target.lab

set -u

TARGET="${1:-}"
if [ -z "$TARGET" ]; then
  echo "usage: ./recon-chain.sh target.lab"
  exit 1
fi

BASE="ops/$TARGET"
SCANS="$BASE/scans"
NOTES="$BASE/notes"

mkdir -p "$SCANS" "$NOTES"

echo "[+] target: $TARGET"
echo "[+] workspace: $BASE"

# 1. default ports with version detection and default scripts
nmap -sV -sC "$TARGET" -oN "$SCANS/basic.txt"
# 2. every TCP port, fast; this result drives the deep scan
nmap -p- --min-rate 2500 "$TARGET" -oN "$SCANS/full_tcp.txt"

# 3. keep only port lines whose state is exactly "open": a plain grep for
#    "/tcp" would also pull in filtered and open|filtered lines
PORTS=$(awk '/^[0-9]+\/tcp[[:space:]]+open[[:space:]]/ { split($1, p, "/"); print p[1] }' \
          "$SCANS/full_tcp.txt" | paste -sd, -)

if [ -n "$PORTS" ]; then
  echo "[+] exposed ports: $PORTS"
  nmap -sV -sC -p "$PORTS" "$TARGET" -oN "$SCANS/deep.txt"
else
  echo "[-] no open TCP ports found, skipping deep scan"
fi

{
echo "# TARGET: $TARGET"
echo "# DATE: $(date)"
echo ""
echo "## PORTS"
echo "${PORTS:-none}"
echo ""
echo "## FILES"
ls -la "$SCANS"
} > "$NOTES/summary.md"

echo "[+] complete"
Run Log
apeiron@kali:~/tools$ chmod +x recon-chain.sh
apeiron@kali:~/tools$ ./recon-chain.sh target.lab
[+] target: target.lab
[+] workspace: ops/target.lab
[+] exposed ports: 22,80,445,8080
[+] complete
Purpose
This script organizes lab recon artifacts.
It does not exploit targets.
It creates repeatable scan folders, output files, and notes for authorized environments.
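Two pieces of the chain from section 01 that the script leaves implicit, as an added shell example that is not the fieldbook's recon-chain.sh: pulling the live targets out of the -sn report (minus your own address and the gateway), pulling only ports whose state is exactly open out of a -oN report (filtered lines would otherwise leak into the deep scan), and diffing the default-port scan against the full -p- scan to see what the top-1000 pass missed, which in the run above is 8080/tcp. The three reports embedded below are constructed to look like nmap normal-format output; the 9090/tcp filtered line exists only to exercise the filter.

```bash
#!/usr/bin/env bash
# Added example, not the fieldbook's recon-chain.sh: parse nmap -oN reports the
# way the chain needs them. The sample reports below are constructed.

# live_hosts <hosts-report> [exclude]
# Targets from an `nmap -sn -oN` report, one per line. exclude is a
# comma-separated list of addresses to drop (your own host, the gateway).
live_hosts() {
  awk -v ex="${2:-}" '
    BEGIN { n = split(ex, skip, ","); for (i = 1; i <= n; i++) drop[skip[i]] = 1 }
    /^Nmap scan report for / {
      host = $5                       # "Nmap scan report for target.lab"
      addr = (NF >= 6) ? $6 : ""      # "... for name (1.2.3.4)" when rDNS resolved
      gsub(/[()]/, "", addr)
      if ((host in drop) || (addr in drop)) next
      print host
    }' "$1"
}

# open_tcp_ports <port-report>
# Ports whose state is exactly "open", as "22,80,...". "filtered" and
# "open|filtered" lines are excluded so the deep scan does not probe dead space.
open_tcp_ports() {
  awk '/^[0-9]+\/tcp[[:space:]]+open[[:space:]]/ { split($1, p, "/"); print p[1] }' "$1" \
    | paste -sd, -
}

# new_ports <basic-report> <full-report>
# Ports open in the full -p- scan that the default top-1000 scan did not show.
new_ports() {
  {
    open_tcp_ports "$1" | tr ',' '\n' | sed 's/^/basic /'
    open_tcp_ports "$2" | tr ',' '\n' | sed 's/^/full /'
  } | awk '$1 == "basic" { seen[$2] = 1 }
           $1 == "full" && !($2 in seen) { print $2 }' | paste -sd, -
}

# --- constructed sample reports, shaped like nmap normal output ---
SAMPLE_HOSTS='Nmap scan report for 192.168.64.1
Host is up (0.0010s latency).
Nmap scan report for 192.168.64.6
Host is up (0.00020s latency).
Nmap scan report for target.lab
Host is up (0.00050s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.50 seconds'

SAMPLE_BASIC='Nmap scan report for target.lab
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH
80/tcp  open  http    Apache httpd
445/tcp open  smb     Samba smbd'

SAMPLE_FULL='Nmap scan report for target.lab
Not shown: 65530 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
445/tcp  open     microsoft-ds
8080/tcp open     http-proxy
9090/tcp filtered zeus-admin'

demo=$(mktemp -d)
printf '%s\n' "$SAMPLE_HOSTS" > "$demo/00-hosts.txt"
printf '%s\n' "$SAMPLE_BASIC" > "$demo/01-basic.txt"
printf '%s\n' "$SAMPLE_FULL"  > "$demo/02-fulltcp.txt"
echo "targets:                $(live_hosts "$demo/00-hosts.txt" "192.168.64.6,192.168.64.1")"
echo "open tcp:               $(open_tcp_ports "$demo/02-fulltcp.txt")"
echo "missed by default scan: $(new_ports "$demo/01-basic.txt" "$demo/02-fulltcp.txt")"
rm -rf "$demo"
```

Against the real scans/ folder from section 01 the calls are `live_hosts scans/00-hosts.txt 192.168.64.6,192.168.64.1`, `open_tcp_ports scans/02-fulltcp.txt` and `new_ports scans/01-basic.txt scans/02-fulltcp.txt`; the last one is worth a line in notes/, since a service only visible on a full-port scan is usually the one nobody hardened.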