Agent Instructions

This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the ask query parameter:
GET https://kabaneridev.gitbook.io/pentesting-notes/certification-preparation/cpts-prep/documentation-and-reporting.md?ask=<question>
The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.

Notetaking & Organization

🎯 Overview

Thorough notetaking is critical during assessments. Notes and tool output become the raw inputs for reports - typically the only deliverable clients see. Organized documentation saves time during reporting and provides essential references for client questions and team collaboration.

📋 Essential Notetaking Structure

Core Categories

# Primary sections for comprehensive documentation:
1. Attack Path           # Complete exploitation chain with screenshots
2. Credentials          # Centralized credential tracking
3. Findings            # Individual vulnerabilities with evidence
4. Vulnerability Scan Research    # Scanner analysis and research
5. Service Enumeration Research   # Service investigation notes
6. Web Application Research      # Web app discoveries and testing
7. AD Enumeration Research       # Active Directory investigation
8. OSINT                # Open source intelligence gathering
9. Administrative Information    # Contacts, objectives, RoE
10. Scoping Information         # IP ranges, URLs, provided credentials
11. Activity Log               # High-level activity tracking
12. Payload Log               # Uploaded files and cleanup tracking

Folder Structure

# Recommended directory organization:
mkdir -p PROJECT/{Admin,Deliverables,Evidence/{Findings,Scans/{Vuln,Service,Web,'AD Enumeration'},Notes,OSINT,Wireless,'Logging output','Misc Files'},Retest}

# Result:
PROJECT/
├── Admin/                    # SOW, kickoff notes, status reports
├── Deliverables/             # Reports, spreadsheets, presentations
├── Evidence/
│   ├── Findings/             # Per-finding evidence folders
│   ├── Scans/
│   │   ├── Vuln/             # Vulnerability scanner output
│   │   ├── Service/          # Nmap, Masscan results
│   │   ├── Web/              # Burp, ZAP, EyeWitness data
│   │   └── AD Enumeration/   # BloodHound, PowerView data
│   ├── Notes/                # Structured note files
│   ├── OSINT/                # Intelligence gathering output
│   ├── Wireless/             # WiFi testing results
│   ├── Logging output/       # Tmux, tool logs
│   └── Misc Files/           # Payloads, scripts, tools
└── Retest/                   # Retest evidence (separate)

Notetaking Applications

# Local storage (secure for client data):
- Obsidian           # Markdown-based, local storage
- CherryTree         # Hierarchical notes
- Notion (local)     # All-in-one workspace
- Visual Studio Code # Code editor with markdown

# Cloud-based (training only):
- GitBook           # Documentation platform
- Outline           # Team collaboration
- Standard Notes    # Encrypted notes
- Evernote          # Traditional note-taking

Session Logging

# Terminal logging solutions:
- Tmux + logging plugin    # Comprehensive session logging
- Script command          # Built-in Unix logging
- Terminator logging      # GUI terminal logging
- Windows Terminal        # Windows PowerShell logging

📺 Tmux Logging Setup

Installation

# Clone Tmux Plugin Manager
git clone https://github.com/tmux-plugins/tpm ~/.tmux/plugins/tpm

# Create configuration file (quoted delimiter so nothing inside the heredoc is expanded)
cat > ~/.tmux.conf << 'EOF'
# List of plugins
set -g @plugin 'tmux-plugins/tpm'
set -g @plugin 'tmux-plugins/tmux-sensible'
set -g @plugin 'tmux-plugins/tmux-logging'

# Increase history limit
set -g history-limit 50000

# Initialize TMUX plugin manager (keep at bottom)
run '~/.tmux/plugins/tpm/tpm'
EOF

# Apply configuration
tmux source ~/.tmux.conf

Usage

# Start new session
tmux new -s assessment

# Install plugins (first time)
# Press: Ctrl+B, Shift+I

# Start logging current session
# Press: Ctrl+B, Shift+P

# Stop logging
# Press: Ctrl+B, Shift+P (again)

# Retroactive logging (save current pane)
# Press: Ctrl+B, Alt+Shift+P

# Screen capture of current pane
# Press: Ctrl+B, Alt+P

# Clear pane history
# Press: Ctrl+B, Alt+C

Key Bindings

# Essential Tmux commands:
Ctrl+B, Shift+%     # Split panes vertically
Ctrl+B, Shift+"     # Split panes horizontally  
Ctrl+B, O           # Switch between panes
Ctrl+B, Shift+P     # Start/stop logging
Ctrl+B, Alt+Shift+P # Retroactive logging
Ctrl+B, Alt+P       # Screen capture

📊 Evidence Collection

What to Capture

# High-priority evidence:
- Command execution and output
- Screenshots of GUI applications
- Network scan results
- Vulnerability scanner output
- Successful exploitation attempts
- Failed attempts (for thoroughness)
- System information and configuration
- Credential discoveries

Screenshot Best Practices

# Technical guidelines:
- Include address bar in browser screenshots
- Crop to relevant information only
- Add minimal border for document contrast
- Use annotations (arrows, boxes) for clarity
- Redact credentials and PII properly

# Redaction methods:
✅ Solid black bars (secure)
❌ Pixelation/blurring (reversible)
❌ CSS/HTML styling (easily bypassed)

Terminal Output Formatting

# Preferred: Copy-paste terminal text
# Benefits:
- Easier redaction and highlighting
- Smaller file sizes
- Copy-paste friendly for client reproduction
- Professional appearance

# Format example:
┌─[htb-student]─[10.10.14.3]─[~/tools]
└──╼ $ crackmapexec smb 172.16.5.5 -u administrator -p '<REDACTED>'
SMB    172.16.5.5    445    DC01    [+] INLANEFREIGHT.LOCAL\administrator:<REDACTED> (Pwn3d!)
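Redaction of copied terminal text is easiest to do mechanically before the text reaches the report. The following is an added example, not code from these notes or the HTB module: a small Python redactor that masks passwords and hashes passed on the command line, `DOMAIN\user:secret` result lines, and bare NTLM hashes, producing the `<REDACTED>` form shown above. The sample output and every secret in it are constructed placeholders; the pattern names and the rule that a `-p`/`-H` flag only counts as a credential when `-u` appears on the same line are my own design choices.

```python
import re

REDACTED = "<REDACTED>"

# Constructed sample log excerpt (not from a real engagement); the prompt format and
# result lines mirror the example above. Every secret here is a placeholder.
SAMPLE_OUTPUT = """\
┌─[htb-student]─[10.10.14.3]─[~/tools]
└──╼ $ crackmapexec smb 172.16.5.5 -u administrator -p 'Winter2024!'
SMB    172.16.5.5    445    DC01    [+] INLANEFREIGHT.LOCAL\\administrator:Winter2024! (Pwn3d!)
└──╼ $ crackmapexec smb 172.16.5.5 -u administrator -H 0123456789abcdef0123456789abcdef
SMB    172.16.5.5    445    DC01    [+] INLANEFREIGHT.LOCAL\\administrator:0123456789abcdef0123456789abcdef (Pwn3d!)
└──╼ $ nmap -p 445,139 10.10.10.50
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

# A -p/-H flag is only treated as a credential when the same line also names a user
# with -u/--username (crackmapexec/netexec style); this keeps `nmap -p 445` intact.
CRED_CONTEXT = re.compile(r"(?:^|\s)(?:-u|--username)\s+\S+")
CRED_FLAG = re.compile(
    r"(?P<prefix>(?:^|\s)(?:-p|--password|-H|--hash)\s+)"
    r"(?P<secret>'[^']*'|\"[^\"]*\"|\S+)"
)
# DOMAIN\user:secret as tools print it in result lines.
DOMAIN_USER_SECRET = re.compile(r"(?P<prefix>[\w.\-]+\\[\w.\-$]+:)(?P<secret>\S+)")
# Bare NTLM hashes (32 hex chars) or LM:NT pairs as secretsdump-style output prints them.
NTLM_HASH = re.compile(r"(?P<prefix>)(?P<secret>\b[0-9a-fA-F]{32}(?::[0-9a-fA-F]{32})?\b)")


def _mask(m: "re.Match[str]") -> str:
    """Replace the captured secret, preserving its surrounding quotes: -p '<REDACTED>'."""
    secret = m.group("secret")
    if len(secret) >= 2 and secret[0] == secret[-1] and secret[0] in "'\"":
        return f"{m.group('prefix')}{secret[0]}{REDACTED}{secret[0]}"
    return f"{m.group('prefix')}{REDACTED}"


def redact_line(line: str) -> str:
    """Apply the three rules in order; later rules only see what earlier ones left."""
    if CRED_CONTEXT.search(line):
        line = CRED_FLAG.sub(_mask, line)
    line = DOMAIN_USER_SECRET.sub(_mask, line)
    return NTLM_HASH.sub(_mask, line)


def redact(text: str) -> str:
    """Redact every line; the result goes into the report, the original stays in Evidence/."""
    return "\n".join(redact_line(line) for line in text.splitlines())


if __name__ == "__main__":
    print(redact(SAMPLE_OUTPUT))
```

Run it over the saved Tmux log before pasting into a finding, and keep the unredacted original under Evidence/ for your own reproduction. Over-redaction is the safe failure mode here, so the rules err on the side of masking; read the output once before it ships rather than trusting the regexes blindly.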

πŸ“ Artifact Tracking

Payload Documentation

# Essential tracking information:
- Timestamp of payload deployment
- Target host IP/hostname
- File path on target system
- File hash (SHA256/MD5)
- Cleanup status (removed/needs cleanup)
- Purpose/functionality of payload

System Modifications

# Required documentation:
- Host IP/hostname where change was made
- Timestamp of modification
- Description of change made
- Location of change on host
- Application/service affected
- Account created (if applicable)
- Reversion status and procedures

Sample Tracking Format

## Payload Log

| Timestamp | Host | Path | Hash | Status | Notes |
|-----------|------|------|------|--------|-------|
| 2025-01-15 14:30 | 10.10.10.50 | C:\temp\shell.exe | a1b2c3d4... | Removed | Reverse shell payload |
| 2025-01-15 15:45 | 10.10.10.51 | /var/www/html/cmd.php | e5f6g7h8... | Needs cleanup | Web shell |

## Account Modifications

| Timestamp | Host | Change | Account | Status |
|-----------|------|--------|---------|--------|
| 2025-01-15 16:00 | DC01 | User created | testuser | Removed |
| 2025-01-15 16:15 | WEB01 | Added to Admins | htb-user | Reverted |
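A log like the one above stays consistent if the same script that records each upload also writes the row. The following added example (my own code, not from these notes or the HTB module) keeps a payload log with the SHA256 of the exact bytes uploaded, tracks cleanup status, lists what is still outstanding, and renders the Markdown table. The hosts, paths and notes are taken from the table above; the payload bytes are placeholders and the class and function names are my own.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class PayloadRecord:
    timestamp: str
    host: str
    path: str
    sha256: str
    purpose: str
    status: str = "Needs cleanup"   # flips to "Removed" once cleaned up


class PayloadLog:
    """Append-only payload log: every file dropped on a target gets a row at deploy time."""

    def __init__(self) -> None:
        self.records: List[PayloadRecord] = []

    def deploy(self, host: str, path: str, payload: bytes, purpose: str,
               when: Optional[datetime] = None) -> PayloadRecord:
        # Hash the exact bytes that were uploaded so the client's forensics team can
        # match the file they find on disk against the report.
        when = when or datetime.now(timezone.utc)
        rec = PayloadRecord(when.strftime("%Y-%m-%d %H:%M"), host, path,
                            hashlib.sha256(payload).hexdigest(), purpose)
        self.records.append(rec)
        return rec

    def mark_removed(self, host: str, path: str) -> bool:
        """Close out one open row; returns False if there is nothing open for that host/path."""
        for rec in self.records:
            if rec.host == host and rec.path == path and rec.status != "Removed":
                rec.status = "Removed"
                return True
        return False

    def outstanding(self) -> List[PayloadRecord]:
        """Everything still on a client system; must be empty before the report ships."""
        return [r for r in self.records if r.status != "Removed"]

    def to_markdown(self) -> str:
        rows = ["| Timestamp | Host | Path | SHA256 | Status | Notes |",
                "|-----------|------|------|--------|--------|-------|"]
        for r in self.records:
            rows.append(f"| {r.timestamp} | {r.host} | {r.path} | {r.sha256} | {r.status} | {r.purpose} |")
        return "\n".join(rows)


def build_sample_log() -> PayloadLog:
    """Constructed entries mirroring the table above; the payload bytes are placeholders."""
    log = PayloadLog()
    log.deploy("10.10.10.50", r"C:\temp\shell.exe", b"placeholder-bytes-1",
               "Reverse shell payload", datetime(2025, 1, 15, 14, 30, tzinfo=timezone.utc))
    log.mark_removed("10.10.10.50", r"C:\temp\shell.exe")
    log.deploy("10.10.10.51", "/var/www/html/cmd.php", b"placeholder-bytes-2",
               "Web shell", datetime(2025, 1, 15, 15, 45, tzinfo=timezone.utc))
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print(sample.to_markdown())
    print(f"\n{len(sample.outstanding())} artifact(s) still need cleanup")
```

The `outstanding()` list doubles as the cleanup checklist for the last day of testing and as the source for the Exploitation Attempts appendix; a non-empty list at report time is a finding against yourself.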

🎯 HTB Academy Lab Solutions

Lab Questions

# Question 1: Session logging tool
# Answer: tmux

# Question 2: Vertical pane split key combination
# Answer: [Ctrl] + [B] + [Shift] + [%]

Practical Exercises

# Optional lab access:
xfreerdp /v:10.129.203.82 /u:htb-student /p:HTB_@cademy_stdnt!

# Activities:
1. Explore Obsidian sample notebook
2. Practice Tmux logging setup
3. Test pane splitting and navigation
4. Experiment with evidence organization

🔄 Assessment Workflow

Pre-Assessment Setup

# 1. Create project directory structure
mkdir -p CLIENT-ASSESSMENT/{Admin,Deliverables,Evidence/{Findings,Scans/{Vuln,Service,Web,'AD Enumeration'},Notes,OSINT,'Logging output','Misc Files'}}

# 2. Initialize notetaking tool (Obsidian/CherryTree)
# 3. Configure Tmux logging
# 4. Set up evidence collection templates

During Assessment

# Continuous documentation:
- Log all commands and output
- Screenshot significant findings
- Track credentials in centralized location
- Document failed attempts for thoroughness
- Maintain activity timeline
- Track all uploaded files and modifications

Post-Assessment

# Report preparation:
- Organize evidence by findings
- Redact sensitive information
- Verify command reproducibility
- Clean up temporary files
- Archive complete assessment data

⚠️ Data Handling Guidelines

What NOT to Collect

# Avoid collecting:
- Unredacted PII (personal information)
- Potentially criminal content
- Legally discoverable documents
- Sensitive file contents (screenshot directory listing instead)
- Client proprietary information beyond scope

Compliance Considerations

# Legal obligations:
- GDPR compliance for EU clients
- Data retention policies
- Secure storage requirements
- Client data handling agreements
- Evidence chain of custody

💡 Key Takeaways

  1. Structured approach essential for comprehensive documentation
  2. Tmux logging provides complete session recording
  3. Evidence organization saves time during reporting
  4. Proper redaction protects sensitive information
  5. Terminal output preferred over screenshots when possible
  6. Artifact tracking critical for professional assessments
  7. Tool selection should match company policies and client requirements

Effective notetaking and organization form the foundation of professional penetration testing deliverables and ensure comprehensive evidence collection throughout assessments.

Types of Reports

🎯 Overview

Report structure varies based on assessment type and client requirements. Understanding different assessment methodologies and their corresponding report formats ensures appropriate deliverables for vulnerability assessments, penetration tests, attestation reports, and specialized assessments.

📊 Assessment Types

πŸ” Vulnerability Assessment

# Characteristics:
- Automated scanning (authenticated/unauthenticated)
- No exploitation attempted
- Scanner result validation
- False positive identification

# Scope variations:
- External: Internet-facing systems
- Internal: Behind-firewall network scan
- Credentialed: Domain account context
- Anonymous: Unauthenticated scanning

βš”οΈ Penetration Testing

# Characteristics:
- Beyond automated scanning
- Active exploitation attempts
- Lateral/vertical movement
- Complete attack chain demonstration

# Testing perspectives:
- Black box: Company name only
- Grey box: IP ranges/network access
- White box: Credentials, source code, configs

# Evasion levels:
- Zero evasion: Maximum vulnerability discovery
- Hybrid: Start evasive, escalate when detected
- Full evasive: Remain undetected throughout

📋 Report Categories

πŸ” Internal Penetration Test Report

# Primary focus:
- Active Directory domain compromise
- Lateral movement chains
- Privilege escalation paths
- Complete attack narratives

# Key sections:
- Executive Summary
- Technical Findings
- Attack Path Documentation
- Credential Discoveries
- Remediation Recommendations

🌐 External Penetration Test Report

# Additional elements:
- OSINT data collection
- Public-facing application attacks
- Email addresses and breach data
- Subdomain enumeration
- Third-party vendor analysis
- Cloud resource discovery

# OSINT categories:
- DNS/domain ownership records
- Email addresses (breach checking)
- Subdomains and similar domains
- Public cloud resources
- Third-party vendor relationships

📑 Vulnerability Assessment Report

# Content focus:
- Scanner result themes
- Vulnerability severity distribution
- False positive identification
- Procedural deficiency mapping
- Automated finding validation

# Report structure:
- Vulnerability statistics
- Risk categorization
- Remediation prioritization
- Compliance gap analysis

📋 Specialized Assessment Types

🔄 Inter-Disciplinary Assessments

# Purple Team Assessments:
- Red team simulation + Blue team response
- Detection capability evaluation
- Alerting configuration review
- Collaborative improvement process

# Cloud-Focused Testing:
- Cloud architecture expertise
- Container/serverless assessment
- Secret/key abuse evaluation
- Cloud-specific attack vectors

# IoT Comprehensive Testing:
- Network component analysis
- Cloud platform evaluation
- Application security testing
- Hardware layer assessment

# Web Application Focus:
- Application vulnerability testing
- Infrastructure compromise via apps
- Role-based authenticated testing
- Development background integration

🔧 Hardware Penetration Testing

# Scope considerations:
- IoT device security
- Physical device analysis
- Kiosk/ATM security testing
- Laptop/endpoint evaluation

# RoE requirements:
- Destructive testing limits
- Device return expectations
- Component modification boundaries
- Safety and functionality preservation

📄 Additional Deliverables

📊 Attestation Report/Letter

# Purpose:
- Third-party compliance evidence
- Vendor/customer requirements
- General security posture validation

# Content (1-2 pages):
- Number of findings discovered
- Assessment methodology used
- General environment comments
- NO specific technical details
- NO credentials or sensitive data

📈 Presentation Slide Deck

# Audience considerations:
- Technical vs Executive focus
- Industry-specific examples
- Current event correlations
- Relatable risk scenarios

# Content strategy:
- Avoid purely statistical presentations
- Include relevant anecdotes
- Industry-specific attack examples
- Actionable recommendations

📋 Findings Spreadsheet

# Format:
- Tabular finding layout
- Sortable by severity/category
- Import-friendly for ticketing systems
- Pivot table analytics

# Contents:
- Finding titles and descriptions
- Severity ratings
- Affected hosts
- Remediation recommendations
- NO executive summary content

🚨 Vulnerability Notifications

# When to issue:
- Critical internet-exposed RCE
- Unauthenticated sensitive data exposure
- Default/weak credential systems
- Client-specified threshold findings

# Content (minimal):
- Technical finding details
- Exploitation evidence
- Immediate remediation steps
- NO excessive narrative content

🔄 Report Lifecycle

πŸ“ Draft Report Process

# Client collaboration approach:
1. Submit draft report
2. Client review period
3. Feedback incorporation meeting
4. Management response integration
5. Language/presentation adjustments
6. Final report delivery

# Benefits:
- Client input incorporation
- Board presentation optimization
- Security roadmap integration
- Compliance requirement fulfillment

πŸ” Post-Remediation Testing

# Scope limitations:
- Original findings only
- Original affected hosts only
- Time-limited window
- NO new environment scanning

# Potential issues:
- Environment changes over time
- Scope creep with new discoveries
- Severity modification pressure
- Compliance timeline conflicts

# Solutions:
- Treat as new assessment if needed
- Document time passage impact
- Focus on original scope only
- Maintain ethical boundaries

🎯 HTB Academy Lab Solutions

Lab Questions

# Question 1: Automated assessment with no exploitation
# Answer: Vulnerability Assessment

# Question 2: Company name + network connection only
# Answer: black box

Assessment Perspective Matrix

# Testing perspectives:
Black Box:  Company name only
Grey Box:   IP ranges/network access provided
White Box:  Credentials, source code, configurations

# Evasion levels:
Zero:       Maximum vulnerability discovery
Hybrid:     Start evasive, escalate when detected
Full:       Remain undetected throughout assessment

⚠️ Professional Considerations

📋 Client Communication

# Pre-assessment:
- Establish RoE boundaries
- Define vulnerability notification thresholds
- Agree on draft/final report process
- Set remediation testing scope

# During assessment:
- Issue critical vulnerability notifications
- Maintain communication on scope changes
- Document all system modifications
- Track cleanup requirements

🔒 Ethical Boundaries

# Maintain integrity:
- No severity modification under pressure
- Accurate timeline documentation
- Honest scope limitation communication
- Professional remediation guidance

# Compliance support:
- Documented remediation plans
- Reasonable timeline justification
- Auditor-acceptable evidence
- Professional recommendation alternatives

💡 Key Takeaways

  1. Assessment type determines report structure and content
  2. Client perspective (black/grey/white box) affects methodology
  3. Draft report process enables client collaboration
  4. Specialized assessments require interdisciplinary expertise
  5. Post-remediation testing needs strict scope control
  6. Ethical boundaries must be maintained throughout
  7. Professional communication essential for client success

Understanding different report types and assessment methodologies ensures appropriate deliverables that meet client needs while maintaining professional standards and ethical boundaries.

Components of a Report

🎯 Overview

The report is the main deliverable clients pay for during penetration tests. It must demonstrate work performed, provide maximum value, and be free of extraneous data. Everything included should have a clear purpose and help clients prioritize remediation efforts.

📋 Core Report Structure

🎯 Executive Summary

# Purpose:
- Written for non-technical stakeholders
- Budget allocation decision makers
- Board of Directors presentation
- Funding justification support

# Key principles:
- 1.5-2 pages maximum
- No technical jargon or acronyms
- Specific metrics (not "several" or "multiple")
- Business impact focus
- Remediation effort estimates

βš”οΈ Attack Chain

# Purpose:
- Demonstrate exploitation path
- Show finding interconnections
- Justify severity ratings
- Evidence for individual findings

# Structure:
1. Summary of complete attack path
2. Step-by-step walkthrough
3. Supporting command output
4. Screenshots for GUI interactions
5. Impact demonstration

πŸ” Findings Section

# Content:
- Technical vulnerability details
- Exploitation evidence
- Reproduction steps
- Remediation recommendations
- Risk assessment justification

# Organization:
- Severity-based ordering
- Clear finding titles
- Consistent formatting
- Complete evidence packages

📊 Summary of Recommendations

# Timeframe categories:
- Short-term: Immediate patches/fixes
- Medium-term: Process improvements
- Long-term: Strategic security enhancements

# Requirements:
- Tie back to specific findings
- Actionable recommendations only
- Effort level estimates
- Business impact consideration

πŸ“ Executive Summary Best Practices

✅ DO

# Content guidelines:
- Use specific numbers instead of vague terms
- Describe accessible systems/data types
- Explain general improvement areas
- Include remediation effort estimates
- Focus on high-impact findings

# Writing style:
- Non-technical language
- Clear, concise sentences
- Business impact focus
- Universal understanding
- Attention-grabbing content

❌ DON’T

# Avoid:
- Specific vendor recommendations
- Technical acronyms (SNMP, MitM)
- References to technical sections
- Obscure vocabulary
- Excessive detail on minor findings

# Common mistakes:
- More than 2 pages length
- Technical jargon usage
- Assumption of technical knowledge
- Ambiguous metrics
- Overwhelming detail

🔄 Technical Term Translation

# Professional vocabulary conversion:
VPN/SSH → "secure remote administration protocol"
SSL/TLS → "secure web browsing technology"
Hash → "cryptographic password validation"
Password Spraying → "automated weak password testing"
Buffer Overflow → "remote command execution attack"
OSINT → "public information gathering"
SQL Injection → "database manipulation vulnerability"

📊 Sample Attack Chain Structure

🎯 INLANEFREIGHT.LOCAL Example

# Attack progression:
1. LLMNR/NBT-NS Poisoning β†’ bsmith user hash
2. Offline hash cracking β†’ domain foothold
3. BloodHound enumeration β†’ privilege mapping
4. Kerberoasting attack β†’ mssqlsvc account
5. Credential extraction β†’ srvadmin cleartext
6. Lateral movement β†’ pramirez TGT ticket
7. Pass-the-Ticket β†’ DCSync privileges
8. Domain compromise β†’ Administrator hash
9. Full domain control β†’ NTDS database dump

# Evidence components:
- Responder output (hash capture)
- Hashcat results (password cracking)
- BloodHound graphs (privilege paths)
- GetUserSPNs output (Kerberoasting)
- CrackMapExec LSA dumps (credential extraction)
- Rubeus ticket operations (Pass-the-Ticket)
- Mimikatz DCSync (domain compromise)

📋 Report Appendices

🔒 Static Appendices (Always Include)

# Scope:
- Assessment boundaries
- Network ranges/URLs
- Facilities tested
- Auditor requirements

# Methodology:
- Repeatable process documentation
- Testing approach explanation
- Tool usage justification
- Quality assurance measures

# Severity Ratings:
- Risk level definitions
- Scoring criteria
- CVSS mapping (if applicable)
- Defensible rating system

# Biographies:
- Tester qualifications
- Relevant experience
- Certifications
- PCI compliance requirements

🔄 Dynamic Appendices (Conditional)

# Exploitation Attempts:
- Payload deployment log
- File locations and hashes
- Cleanup status tracking
- Forensics team reference

# Compromised Credentials:
- Account listing
- Privilege levels
- Password change requirements
- Monitoring recommendations

# Configuration Changes:
- System modifications made
- Reversion procedures
- Risk mitigation steps
- Approval documentation

# Additional Affected Scope:
- Extended host listings
- Service enumeration results
- Large-scale finding impacts
- Supplementary evidence

# Information Gathering (External):
- OSINT data collection
- Domain ownership information
- Subdomain enumeration
- Breach data analysis
- SSL/TLS configuration review

# Domain Password Analysis:
- NTDS database statistics
- Hashcat cracking results
- Privileged account analysis
- Password policy recommendations
- DPAT report integration

🎯 HTB Academy Lab Solutions

Lab Questions

# Question 1: Non-technical report component
# Answer: Executive Summary

# Question 2: Vendor recommendations in Executive Summary
# Answer: False

Executive Summary Principles

# Target audience:
- Budget decision makers
- Non-technical executives
- Board of Directors
- Internal audit teams

# Success criteria:
- Funding allocation support
- Clear business impact
- Actionable recommendations
- Professional credibility

⚠️ Professional Considerations

📋 Finding Prioritization

# Focus areas:
- Remote code execution flaws
- Sensitive data exposure
- Authentication bypasses
- Privilege escalation paths

# Noise filtering:
- Consolidate minor findings
- Remove false positives
- Group related vulnerabilities
- Focus on exploitable issues

πŸ” Evidence Quality

# Essential elements:
- Clear reproduction steps
- Complete command output
- Relevant screenshots
- Business impact demonstration
- Remediation guidance

# Formatting standards:
- Consistent presentation
- Proper redaction
- Professional appearance
- Client-friendly language

💡 Key Takeaways

  1. Executive Summary is the most critical section for non-technical audiences
  2. Attack chains demonstrate finding interconnections and impact
  3. Specific metrics more effective than vague terms
  4. No vendor recommendations in executive sections
  5. Appendices provide comprehensive supporting documentation
  6. Professional language essential for stakeholder communication
  7. Evidence quality determines report credibility and usefulness

Effective report components balance technical accuracy with business communication, ensuring all stakeholders can understand and act on penetration testing findings.

How to Write Up a Finding

🎯 Overview

Findings are the "meat" of penetration testing reports - showcasing discovered vulnerabilities, exploitation evidence, and remediation guidance. Detailed findings help technical teams reproduce issues, validate fixes, and support post-remediation assessments.

📋 Essential Finding Components

πŸ” Required Elements

# Minimum finding information:
1. Description           # Vulnerability explanation and affected platforms
2. Impact               # Risk if left unresolved
3. Affected Systems     # Specific hosts/networks/applications
4. Remediation         # Actionable fix recommendations
5. References          # External resources for additional information
6. Reproduction Steps  # Evidence and step-by-step validation

# Optional elements:
- CVE numbers
- OWASP/MITRE IDs
- CVSS scores
- Ease of exploitation
- Attack probability
- Additional context

📊 Finding Structure Template

## [Finding Title]

| Field | Details |
|-------|---------|
| **Severity** | High/Medium/Low |
| **CVSS Score** | X.X (if applicable) |
| **Affected Systems** | Specific hosts/networks |
| **CVE** | CVE-YYYY-XXXXX (if applicable) |

### Description
[Clear explanation of vulnerability and root cause]

### Impact
[Business risk if left unresolved]

### Remediation
[Actionable, specific fix recommendations]

### References
[Quality external resources]

### Reproduction Steps
[Step-by-step evidence with screenshots/output]
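A finding is easy to ship with one of the six required elements still empty when the template is filled by hand. The following added example (my own code, not from these notes or the HTB module) generates the template above from structured data that is validated first: a `Finding` dataclass, a check for the required elements, severity-based ordering as the Findings Section calls for, and a renderer that emits the Markdown template. The names `Finding`, `validate_all`, `sort_by_severity` and `render_findings_section` are mine, and the sample findings are constructed; the Kerberoasting values echo the sample finding further down this page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The six elements every finding must carry, in the order the template prints them.
REQUIRED_ELEMENTS = ("description", "impact", "affected_systems",
                     "remediation", "references", "reproduction_steps")
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}


@dataclass
class Finding:
    title: str
    severity: str
    description: str = ""
    impact: str = ""
    affected_systems: List[str] = field(default_factory=list)
    remediation: List[str] = field(default_factory=list)
    references: List[str] = field(default_factory=list)
    reproduction_steps: List[str] = field(default_factory=list)
    cvss_score: Optional[float] = None   # optional element
    cve: Optional[str] = None            # optional element

    def missing_elements(self) -> List[str]:
        """Names of required elements that are empty, plus 'severity' if the rating is unknown."""
        missing = []
        for name in REQUIRED_ELEMENTS:
            value = getattr(self, name)
            if not value or (isinstance(value, str) and not value.strip()):
                missing.append(name)
        if self.severity not in SEVERITY_ORDER:
            missing.append("severity")
        return missing


def validate_all(findings: List[Finding]) -> Dict[str, List[str]]:
    """Map each incomplete finding title to what it lacks; an empty dict means report-ready."""
    return {f.title: f.missing_elements() for f in findings if f.missing_elements()}


def sort_by_severity(findings: List[Finding]) -> List[Finding]:
    """Highest severity first, CVSS as tie-breaker, then title for a stable order."""
    return sorted(findings, key=lambda f: (SEVERITY_ORDER.get(f.severity, 99),
                                           -(f.cvss_score or 0.0), f.title))


def render_finding(f: Finding) -> str:
    """Emit one finding in the Markdown template used above."""
    missing = f.missing_elements()
    if missing:
        raise ValueError(f"{f.title!r} is missing required elements: {', '.join(missing)}")
    cvss = f"{f.cvss_score:.1f}" if f.cvss_score is not None else "N/A"
    lines = [
        f"## {f.title}", "",
        "| Field | Details |", "|-------|---------|",
        f"| **Severity** | {f.severity} |",
        f"| **CVSS Score** | {cvss} |",
        f"| **Affected Systems** | {', '.join(f.affected_systems)} |",
        f"| **CVE** | {f.cve or 'N/A'} |", "",
        "### Description", f.description, "",
        "### Impact", f.impact, "",
        "### Remediation", *[f"{i}. {s}" for i, s in enumerate(f.remediation, 1)], "",
        "### References", *[f"- {r}" for r in f.references], "",
        "### Reproduction Steps", *[f"{i}. {s}" for i, s in enumerate(f.reproduction_steps, 1)],
    ]
    return "\n".join(lines)


def render_findings_section(findings: List[Finding]) -> str:
    """Validate every finding first so a half-written one never reaches the report."""
    problems = validate_all(findings)
    if problems:
        raise ValueError(f"incomplete findings: {problems}")
    return "\n\n".join(render_finding(f) for f in sort_by_severity(findings))


def sample_findings() -> List[Finding]:
    """Constructed findings for demonstration; the first one is deliberately incomplete."""
    return [
        Finding(title="Verbose Server Banner", severity="Low",
                description="The web server discloses its exact version in the Server header.",
                impact="Eases targeting of known weaknesses in the disclosed version.",
                affected_systems=["10.10.10.50:8080"], references=["OWASP: Information Leakage"],
                reproduction_steps=["curl -I against the host (figure 1)"]),   # remediation left empty
        Finding(title='Weak Kerberos Authentication ("Kerberoasting")', severity="High", cvss_score=9.5,
                description="Service accounts carry SPNs, so any domain user can request their tickets and crack them offline.",
                impact="Cracked service account passwords enable lateral movement and potential domain compromise.",
                affected_systems=["INLANEFREIGHT.LOCAL domain"],
                remediation=["Enable AES encryption for Kerberos (disable RC4)",
                             "Use gMSA or 25+ character service account passwords"],
                references=["MITRE ATT&CK: Kerberoasting"],
                reproduction_steps=["Request service tickets with GetUserSPNs.py (figure 1)",
                                    "Crack the tickets offline with Hashcat (figure 2)"]),
        Finding(title="Outdated TLS Configuration", severity="Medium", cvss_score=5.3,
                description="TLS 1.0 and 1.1 are still enabled on the HTTPS listener.",
                impact="Clients can be downgraded to protocol versions with known weaknesses.",
                affected_systems=["10.10.10.50:443"], remediation=["Disable TLS 1.0 and 1.1"],
                references=["NIST SP 800-52 Rev. 2"],
                reproduction_steps=["nmap --script ssl-enum-ciphers against the host (figure 1)"]),
    ]


if __name__ == "__main__":
    print(validate_all(sample_findings()))
```

`validate_all` is the check to run as part of QA before the draft goes out: it names the finding and the element that is missing, which is more useful than a renderer that silently prints an empty heading.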

πŸ” Evidence Best Practices

📊 Reproduction Steps Guidelines

# Structure principles:
- Break each step into separate figures
- Include full tool configuration
- Write narrative between figures
- Explain thought process
- Offer alternative validation tools

# Evidence quality:
- Completely defensible proof
- Clear cause-and-effect demonstration
- Client environment verification
- Professional presentation

📷 Screenshot Standards

# Requirements:
- Include URL/address bar
- Show ifconfig/ipconfig for host verification
- Disable bookmarks bar
- Remove unprofessional browser extensions
- Crop to relevant information
- Add minimal annotations for clarity

# Avoid:
- Random internet images
- Generic vulnerability screenshots
- Unclear context or location
- Unprofessional browser setup

💻 Terminal Output Presentation

# Preferred: Copy-paste terminal text
# Benefits:
- Client can copy-paste commands
- Easier redaction
- Professional appearance
- Smaller file sizes

# Example format:
┌─[htb-student]─[10.10.14.3]
└──╼ $ crackmapexec smb 172.16.5.5 -u administrator -p '<REDACTED>'
SMB    172.16.5.5    445    DC01    [+] INLANEFREIGHT.LOCAL\administrator:<REDACTED> (Pwn3d!)

πŸ“ Remediation Best Practices

✅ Good Remediation Examples

# Specific and actionable:
"To remediate this finding, update the following registry values:
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous = 2
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM = 1

Note: Registry changes should be tested in a small group before enterprise deployment."

# Multiple options provided:
"There are different approaches to address this finding:
1. [Vendor] has published an official workaround (see references)
2. Commercial tools are available but may be cost-prohibitive
3. Interim mitigation can be achieved through network segmentation"

❌ Bad Remediation Examples

# Vague and unhelpful:
"Reconfigure your registry settings to harden against X"
"An attacker can own your whole network cause your DC is way out of date. You should really fix that!"
"Implement [expensive commercial tool] to address this finding"

# Problems:
- No specific steps
- Unprofessional language
- Only expensive solutions
- No context or warnings

🎯 Sample Finding Examples

🔑 Kerberoasting Finding

## Weak Kerberos Authentication ("Kerberoasting")

| Field | Details |
|-------|---------|
| **Severity** | High |
| **CVSS Score** | 9.5 |
| **Affected Systems** | INLANEFREIGHT.LOCAL domain |
| **CVE** | N/A (Configuration Issue) |

### Description
Service accounts in the Active Directory domain are configured with Service Principal Names (SPNs) that allow any authenticated domain user to request Kerberos tickets encrypted with the service account's password. These tickets can be extracted and subjected to offline password cracking attacks.

### Impact
Successful exploitation provides attackers with service account credentials that often have elevated privileges, enabling lateral movement and potential domain compromise.

### Remediation
1. Enable AES encryption for Kerberos (disable RC4)
2. Implement Group Managed Service Accounts (gMSA)
3. Use 25+ character complex passwords for service accounts
4. Regular password rotation for service accounts
5. Monitor for unusual TGS ticket requests

### References
- Microsoft: Kerberoasting Attack Protection
- MITRE ATT&CK: T1208 - Kerberoasting

### Reproduction Steps
[Detailed GetUserSPNs.py and Hashcat evidence]
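
An added PowerShell example (mine, not from the notes or HTB Academy) that turns remediation items 1, 4 and 5 into a check a client's AD team can run: it lists enabled accounts that carry an SPN, reads msDS-SupportedEncryptionTypes to see whether RC4 service tickets can still be issued for them, and flags stale passwords. It assumes the RSAT ActiveDirectory module on a domain-joined host; the 365-day rotation threshold is an assumption.

```powershell
Import-Module ActiveDirectory   # RSAT cmdlets; assumes a domain-joined host with read access to the domain

# Bit flags of the msDS-SupportedEncryptionTypes attribute
$ENC_RC4_HMAC   = 0x4
$ENC_AES128_CTS = 0x8
$ENC_AES256_CTS = 0x10

function Get-KerberoastExposure {
    param(
        # Rotation threshold (assumed). The 25+ character rule cannot be read from AD and stays a policy check.
        [int]$MaxPasswordAgeDays = 365
    )
    $params = @{
        Filter     = 'ServicePrincipalName -like "*" -and Enabled -eq "True"'
        Properties = 'servicePrincipalName', 'msDS-SupportedEncryptionTypes', 'PasswordLastSet'
    }
    foreach ($acct in Get-ADUser @params) {
        $enc = $acct.'msDS-SupportedEncryptionTypes'
        $aes = [bool]($enc -band ($ENC_AES128_CTS -bor $ENC_AES256_CTS))
        # Unset (null/0) means the DC may still issue RC4 service tickets for this account
        $rc4 = (-not $enc) -or [bool]($enc -band $ENC_RC4_HMAC)
        $ageDays = if ($acct.PasswordLastSet) { (New-TimeSpan -Start $acct.PasswordLastSet).Days } else { $null }

        $issues = @()
        if ($rc4)      { $issues += 'RC4 service tickets possible' }
        if (-not $aes) { $issues += 'AES not enabled' }
        if ($null -eq $ageDays -or $ageDays -gt $MaxPasswordAgeDays) {
            $issues += "Password older than $MaxPasswordAgeDays days"
        }

        [pscustomobject]@{
            SamAccountName  = $acct.SamAccountName
            SpnCount        = @($acct.servicePrincipalName).Count
            EncryptionTypes = $enc
            PasswordAgeDays = $ageDays
            Issues          = ($issues -join '; ')
        }
    }
}

# Accounts with at least one issue; pipe to Export-Csv to attach as finding evidence.
# Detection complement for item 5: Security event 4769 with Ticket Encryption Type 0x17 (RC4) for these accounts.
Get-KerberoastExposure | Where-Object Issues | Format-Table -AutoSize
```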

🌐 Web Application Finding

## Tomcat Manager Weak/Default Credentials

| Field | Details |
|-------|---------|
| **Severity** | High |
| **CVSS Score** | 9.5 |
| **Affected Systems** | 192.168.195.205:8080 |

### Description
Apache Tomcat Manager application is accessible with default credentials (tomcat:tomcat), allowing unauthorized administrative access and potential remote code execution.

### Impact
Attackers can deploy malicious web applications (WAR files) leading to complete server compromise and potential lateral movement within the network.

### Remediation
1. Change default Tomcat Manager credentials immediately
2. Restrict access to management interface by IP
3. Disable Tomcat Manager if not required
4. Implement strong authentication mechanisms
5. Regular credential rotation policy

### References
- Apache Tomcat Security Considerations
- OWASP: Default Passwords

### Reproduction Steps
[Browser screenshots and WAR upload evidence]

πŸ” Quality Reference Selection

✅ Good Reference Sources

# Vendor-agnostic sources:
- OWASP documentation
- NIST guidelines
- SANS Institute resources
- Security research papers
- Vendor security advisories

# Quality criteria:
- Thorough walkthrough provided
- No paywall restrictions
- Gets to the point quickly
- Clean, professional websites
- Reputable, stable sources

❌ Poor Reference Sources

# Avoid:
- Paywall-protected content
- Competitor websites
- Personal blogs (unstable)
- Ad-heavy websites
- Overly complex documentation
- Recipe-style articles with excessive fluff

🎯 HTB Academy Lab Solution

Lab Question

# Question: Good or Bad remediation recommendation?
# "An attacker can own your whole entire network cause your DC is way out of date. You should really fix that!"

# Answer: Bad

# Problems with this recommendation:
- Unprofessional language ("cause", "way out of date")
- Vague guidance ("fix that")
- No specific steps
- No context or warnings
- Inflammatory tone

WriteHat Tool Practice

# Lab access:
# Browse to: https://TARGET_IP
# Credentials: htb-student:HTB_@cademy_stdnt!

# Practice activities:
1. Add findings to database
2. Generate custom reports
3. Experiment with finding templates
4. Practice evidence organization

🔧 Professional Writing Guidelines

πŸ“ Language Standards

# Professional tone:
- Clear, concise language
- Technical accuracy
- Respectful communication
- Actionable guidance
- Appropriate warnings

# Avoid:
- Casual language
- Inflammatory statements
- Vague recommendations
- Unprofessional tone
- Absolute statements without proof

🎯 Client Consideration

# Reader perspective:
- May not have penetration testing background
- Need clear reproduction steps
- Require actionable remediation
- Appreciate effort level estimates
- Value multiple solution options

# Evidence presentation:
- Assume no tool familiarity
- Explain each step clearly
- Provide alternative tools
- Include setup configurations
- Verify complete defensibility

💡 Key Takeaways

  1. Detailed findings enable technical team reproduction and validation
  2. Evidence quality must be completely defensible
  3. Remediation recommendations should be specific and actionable
  4. Professional language essential for client credibility
  5. Multiple solution options accommodate different budgets and capabilities
  6. Reference quality affects long-term finding usefulness
  7. Consistent formatting improves report readability and professionalism

Well-written findings combine technical accuracy with clear communication, providing clients with actionable intelligence for vulnerability remediation and security improvement.

Reporting Tips and Tricks

🎯 Overview

Professional reporting workflow requires templates, automation, and quality processes. Working on reports throughout assessments (not just at the end) ensures comprehensive documentation and prevents rushed deliverables with errors.

📋 Report Development Workflow

🔄 Work-As-You-Go Approach

# During assessment:
- Fill templated sections (contacts, scope, client info)
- Document attack chain in real-time
- Write findings with evidence immediately
- Maintain organized evidence collection
- Update credentials and artifacts continuously

# Benefits:
- No rushed final report
- Complete evidence capture
- Reduced QA issues
- Professional quality maintenance

πŸ“ Template Management

# Template requirements:
- Blank templates for each assessment type
- Never modify previous client reports
- Use placeholders for dynamic content
- Consistent formatting across team
- Regular template updates

# Risk mitigation:
- Avoid client name leakage
- Prevent data contamination
- Maintain professional appearance
- Ensure consistent quality

πŸ› οΈ MS Word Professional Techniques

📊 Essential Features

# Font Styles (not direct formatting):
- Consistent heading styles
- Professional appearance
- Global change capability
- Reduced formatting errors

# Table Styles:
- Consistent table formatting
- Easy global modifications
- Professional presentation
- Reduced manual work

# Captions:
- Auto-renumbering capability
- Professional reference system
- Easy figure management
- Consistent presentation

# Navigation:
- Page numbers for collaboration
- Table of Contents for structure
- Bookmarks for hyperlinks
- List of Figures/Tables

⌨️ Useful Hotkeys

# Productivity shortcuts:
F4              # Repeat last action
Ctrl+A, F9      # Update all fields (ToC, figures)
Ctrl+S          # Save frequently
Ctrl+Alt+S      # Split window view
Shift+F5        # Go to last revision

# Professional workflow:
- Use styles instead of direct formatting
- Create custom dictionary for common terms
- Set language settings for code blocks
- Configure Quick Access Toolbar

🤖 Automation Strategies

📋 Macro Automation (Windows Word)

# Common macro applications:
- Client information insertion
- Template section removal
- Quality assurance checks
- Placeholder replacement

# Macro capabilities:
- Pop-up forms for data entry
- Automatic template customization
- Section removal via bookmarks
- Consistent formatting application

# Requirements:
- Save as .dotm files
- Windows environment (Mac VB Editor limited)
- VBA programming knowledge
- Testing and validation

πŸ—ƒοΈ Findings Database Tools

# Free options:
- Ghostwriter
- Dradis
- Security Risk Advisors VECTR
- WriteHat

# Paid solutions:
- AttackForge
- PlexTrac
- Rootshell Prism

# Benefits:
- Consistent finding quality
- Time savings
- Template management
- Team standardization

📞 Client Communication

📧 Start/Stop Notifications

# Start notification content:
- Tester name and contact information
- Assessment type and scope description
- Source IP address for testing
- Anticipated testing dates
- Primary/secondary contact details

# Stop notification content:
- End of testing confirmation
- High-level findings summary
- Report delivery timeline
- Next steps communication

🚨 Critical Finding Notifications

# Immediate notification triggers:
- Internet-exposed RCE vulnerabilities
- Unauthenticated sensitive data exposure
- Default/weak credential systems
- SQL injection on external applications

# Notification process:
- Stop testing immediately
- Formal vulnerability notification
- Client decision on proceeding
- Documentation of response

💬 Ongoing Communication

# Professional dialogue:
- Additional scope discussions
- High-risk finding alerts
- System availability issues
- Domain compromise notifications
- Focus area adjustments

# Relationship building:
- Transparent communication
- Professional problem-solving
- Proactive client support
- Trusted advisor approach

πŸ” Quality Assurance Process

📋 QA Checklist

# Content review:
- Technical accuracy verification
- Evidence completeness check
- Remediation recommendation quality
- Executive summary effectiveness
- Attack chain clarity

# Formatting review:
- Grammar and spelling check
- Consistent font usage
- Professional screenshot quality
- Proper redaction verification
- Style guide compliance

👥 Review Process

# Minimum requirements:
- Author self-review (sleep on it)
- One external reviewer
- Preferably two QA rounds
- Technical and formatting separation

# Review standards:
- No self-review of own work
- Track Changes enabled
- Learning opportunity focus
- Professional development support

📊 Professional Presentation Standards

📷 Screenshot Quality

# Requirements:
- Solid console backgrounds (not transparent)
- Professional themes (black/white, not colorful)
- Clear, readable text
- Proper cropping
- Professional hostnames/usernames

# Annotations:
- Arrows and boxes for clarity
- Explanatory text under screenshots
- Greenshot for professional editing
- Solid shapes for redaction (not blurring)

💻 Terminal Output Standards

# Redaction guidelines:
- Remove unprofessional tool output (Pwn3d!)
- Clean up crude Hashcat candidates
- Redact all credentials and hashes
- Maintain technical accuracy
- Professional language only

# Presentation:
- Raw terminal text preferred
- Copy-paste friendly format
- Client reproduction capability
- Professional appearance
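
An added PowerShell example (mine, not from the notes) that applies the redaction guidelines above mechanically to a constructed, CrackMapExec/secretsdump-style evidence snippet before it is pasted into a report: LM:NT hash pairs and plaintext passwords are replaced and the "Pwn3d!" marker is reworded. The sample lines, hosts and function name are constructed; the two hashes are the well-known values for an empty LM password and the string "password".

```powershell
# Constructed sample evidence (not real client data)
$SampleEvidence = @'
SMB   10.10.10.5   445  DC01   [+] INLANEFREIGHT.LOCAL\svc_backup:Summer2023! (Pwn3d!)
SMB   10.10.10.5   445  DC01   [+] Dumping local SAM hashes
SMB   10.10.10.5   445  DC01   Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
'@

function ConvertTo-RedactedEvidence {
    param([Parameter(Mandatory)][string]$Text)

    # Rules run in order: hashes first, then plaintext passwords, then tool slang.
    $rules = @(
        # LM:NT hash pair as printed by SAM/NTDS dumps
        @{ Pattern = '\b[0-9a-fA-F]{32}:[0-9a-fA-F]{32}\b'; Replacement = '<REDACTED-LM>:<REDACTED-NT>' },
        # "[+] DOMAIN\user:password" success lines; keep the account, drop the secret
        @{ Pattern = '(\[\+\]\s+\S+\\\S+?):(\S+)'; Replacement = '$1:<REDACTED>' },
        # Unprofessional tool output reworded, technical meaning preserved
        @{ Pattern = '\s*\(Pwn3d!\)'; Replacement = ' (administrative access confirmed)' }
    )
    foreach ($r in $rules) {
        $Text = [regex]::Replace($Text, $r.Pattern, $r.Replacement)
    }
    return $Text
}

# Cleaned text is still copy-paste friendly and reproducible for the client
ConvertTo-RedactedEvidence -Text $SampleEvidence
```

Run the original and redacted text through a diff before submission so that only the intended tokens changed and nothing technically relevant was lost.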

🎯 HTB Academy Lab Practice

WriteHat Tool Access

# Lab environment:
# Browse to: https://TARGET_IP
# Credentials: htb-student:HTB_@cademy_stdnt!

# Practice activities:
1. Explore findings database
2. Practice report generation
3. Experiment with templates
4. Test evidence organization
5. Practice finding customization

πŸ“ Miscellaneous Best Practices

🎯 Storytelling Approach

# Report narrative:
- Connect findings to business impact
- Explain attack chain progression
- Demonstrate risk escalation
- Show interconnected vulnerabilities
- Justify severity ratings through context

🔒 Data Protection

# Sensitive information handling:
- Redact credentials everywhere
- Remove password hashes
- Protect PII and sensitive data
- Consider report distribution scope
- Use solid shapes for redaction

💾 Backup and Security

# Data protection:
- Auto-save configuration
- Regular backup procedures
- Multiple storage locations
- VM failure contingency
- Evidence preservation

💡 Key Takeaways

  1. Work-as-you-go prevents rushed final reports
  2. Templates and automation ensure consistency and efficiency
  3. Professional MS Word techniques improve document quality
  4. Strong client communication builds trusted advisor relationships
  5. Quality assurance process essential for professional deliverables
  6. Evidence presentation standards affect report credibility
  7. Continuous improvement through QA feedback and process refinement

Professional reporting combines technical expertise with clear communication, automation, and quality processes to deliver exceptional client value and maintain industry standards.

HTB Academy Example

🎯 Overview

This folder contains a practical example of the professional notetaking structure from HTB Academy’s Documentation & Reporting module. It demonstrates how to organize a real penetration test using Obsidian with the recommended folder structure and note categories.

📋 Structure Overview

Inlanefreight Penetration Test/
├── Admin/                    # Administrative documents
├── Deliverables/             # Final reports and presentations
├── Evidence/
│   ├── Findings/             # Individual vulnerability evidence
│   ├── Scans/
│   │   ├── AD Enumeration/   # BloodHound, PowerView data
│   │   ├── Service/          # Nmap, service scans
│   │   ├── Vuln/             # Vulnerability scanner output
│   │   └── Web/              # Web application testing
│   ├── Notes/                # Structured documentation
│   ├── OSINT/                # Open source intelligence
│   ├── Wireless/             # WiFi testing (if applicable)
│   ├── Logging output/       # Tmux logs, tool output
│   └── Misc Files/           # Payloads, scripts, tools
└── Retest/                   # Post-remediation testing

πŸ“ Obsidian Integration

Key Features

  • Markdown-based notes for professional documentation
  • Linked references between findings and evidence
  • Local storage for client data security
  • Template consistency across assessments
  • Professional presentation ready

Usage Instructions

  1. Open in Obsidian: Select “Open folder as vault”
  2. Explore structure: Navigate through folders and notes
  3. Review examples: See how findings are documented
  4. Practice workflow: Use as template for real assessments

🎯 Example Content

Sample Assessment: INLANEFREIGHT.LOCAL

  • Domain compromise via Active Directory attacks
  • Complete attack chain from LLMNR poisoning to DCSync
  • Professional findings with evidence and remediation
  • Organized evidence collection and presentation

Learning Objectives

  • Practical notetaking structure implementation
  • Professional documentation standards
  • Evidence organization best practices
  • Client-ready presentation format

💡 Key Takeaways

This example demonstrates:
  1. Structured approach to penetration test documentation
  2. Professional organization for complex assessments
  3. Evidence management for comprehensive reporting
  4. Obsidian integration for efficient notetaking
  5. Real-world application of HTB Academy methodology

This practical example shows how professional penetration testing documentation should be organized for maximum efficiency and client value.
