Cleanup & Documentation
Properly document findings, collect evidence, and clean up testing artifacts to conclude the engagement professionally and leave systems in their original state.
Critical Phase
Thorough cleanup prevents security incidents from leftover test artifacts. Poor documentation reduces the value of the entire engagement. This phase is as important as exploitation.
Why This Phase Matters
Legal Protection: Complete documentation proves scope compliance and authorized activities
Client Value: Well-documented findings enable remediation and demonstrate engagement value
System Integrity: Cleanup prevents attackers from leveraging your test artifacts
Professional Standards: Thorough documentation reflects professionalism and expertise
Tools & Resources
Evidence Collection
Screenshot Best Practices
```bash
# Screenshot naming convention
# [Date]_[Target]_[Vulnerability]_[Step].png
2024-01-15_webapp_sqli_01_detection.png
2024-01-15_webapp_sqli_02_exploitation.png
2024-01-15_webapp_sqli_03_data_access.png

# Essential screenshots to capture:
# 1. Initial vulnerability detection
# 2. Request/Response in Burp Suite
# 3. Successful exploitation
# 4. Impact demonstration (data access, admin access)
# 5. Remediation verification (if applicable)

# Screenshot checklist per finding:
# [ ] Vulnerable endpoint/page
# [ ] Payload used
# [ ] Server response showing success
# [ ] Impact evidence
# [ ] Timestamps visible
```

```python
# Automated screenshot with the capture time in the file name
import datetime
from selenium import webdriver

driver = webdriver.Chrome()
driver.get('https://target.com/vulnerable-page')
timestamp = datetime.datetime.now().strftime('%Y%m%d_%H%M%S')
driver.save_screenshot(f'evidence_{timestamp}.png')
driver.quit()
```

Request/Response Logging
```bash
# Save Burp Suite requests as evidence
# Right-click request -> Save item

# curl request logging (verbose output captures request and response headers)
curl -v 'https://target.com/api/users' \
  -H "Cookie: session=xxx" \
  2>&1 | tee finding_01_request.log
```

```python
# Python request logging
import logging
import requests

logging.basicConfig(filename='requests.log', level=logging.DEBUG)

def logged_request(method, url, **kwargs):
    """Send a request and log the full request and response to requests.log."""
    response = requests.request(method, url, **kwargs)
    # Note: headers (including session cookies) are written verbatim, so
    # protect requests.log like any other file containing credentials.
    log_entry = f"""
=== REQUEST ===
{method} {url}
Headers: {kwargs.get('headers', {})}
Body: {kwargs.get('data', kwargs.get('json', ''))}
=== RESPONSE ===
Status: {response.status_code}
Headers: {dict(response.headers)}
Body: {response.text[:1000]}
"""
    logging.info(log_entry)
    return response

# Use throughout testing
response = logged_request('POST', 'https://target.com/api/login',
                          json={'username': "admin' OR '1'='1", 'password': 'x'})
```

Terminal Session Recording
```bash
# Record terminal session with asciinema
asciinema rec exploit_demo.cast
# Perform exploitation steps...
# Press Ctrl+D to stop recording

# Play back recording
asciinema play exploit_demo.cast

# Upload for sharing (optional; check the engagement rules before sending
# client evidence to a third-party service)
asciinema upload exploit_demo.cast

# Convert to GIF for reports
# Install agg (asciinema gif generator)
agg exploit_demo.cast exploit_demo.gif

# Alternative: script command (built-in); --timing records keystroke timing
script --timing=time.log session.log
# Perform commands
exit
# Replay: scriptreplay time.log session.log

# Screen recording for GUI exploitation
# Use OBS Studio, SimpleScreenRecorder, or Kazam

# Metadata to include in recordings:
# - Date and time
# - Target system
# - Tester name
# - Engagement ID
```

Documentation Structure
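The finding template below lists evidence by file name only. As an added example (not from the original guide), the script here ties each screenshot, log or recording to its finding ID, a UTC timestamp and a SHA-256 hash, and can later re-check that nothing was altered before delivery; file names, finding IDs and the evidence directory are assumptions.

```python
# Added example, not from the original guide: a tamper-evident evidence manifest.
# Each evidence file is tied to a finding ID, a UTC timestamp and a SHA-256 hash.
# File names, finding IDs and the evidence directory are constructed samples.
import hashlib
import json
import os
from datetime import datetime, timezone

MANIFEST_NAME = "evidence_manifest.json"

def sha256_file(path):
    """Hash in 64 KiB chunks so large terminal recordings are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def add_evidence(manifest, path, finding_id, description):
    """Record one evidence file under its finding (e.g. WEB-001)."""
    entry = {
        "finding": finding_id,
        "file": os.path.basename(path),
        "description": description,
        "sha256": sha256_file(path),
        "collected_at": datetime.now(timezone.utc).isoformat(),
    }
    manifest.setdefault("items", []).append(entry)
    return entry

def save_manifest(manifest, directory):
    """Write the manifest next to the evidence; hash this file too when delivering."""
    out = os.path.join(directory, MANIFEST_NAME)
    with open(out, "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return out

def verify_manifest(directory):
    """Re-hash every listed file; returns [(file, problem)], empty when all intact."""
    with open(os.path.join(directory, MANIFEST_NAME)) as fh:
        manifest = json.load(fh)
    problems = []
    for item in manifest["items"]:
        path = os.path.join(directory, item["file"])
        if not os.path.exists(path):
            problems.append((item["file"], "missing"))
        elif sha256_file(path) != item["sha256"]:
            problems.append((item["file"], "hash mismatch"))
    return problems
```

Run `verify_manifest()` on the evidence folder before the report is delivered and again when the client confirms receipt.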
Finding Documentation Template
````markdown
# Finding Documentation Template

## Finding ID: WEB-001
## Title: SQL Injection in Login Form
### Severity: Critical (CVSS 9.8)

### Description
The login form at /login is vulnerable to SQL injection. An attacker can
bypass authentication and extract sensitive data from the database.

### Affected Component
- URL: https://app.target.com/login
- Parameter: username
- Method: POST

### Steps to Reproduce
1. Navigate to https://app.target.com/login
2. Enter the following in the username field: admin' OR '1'='1' --
3. Enter any value in the password field
4. Click "Login"
5. Observe: User is authenticated as admin without valid credentials

### Proof of Concept
```http
POST /login HTTP/1.1
Host: app.target.com
Content-Type: application/x-www-form-urlencoded

username=admin'+OR+'1'%3d'1'--&password=anything
```

### Impact
- Authentication bypass (any user account)
- Full database read access
- Potential for data modification/deletion
- Compliance violation (PCI DSS, GDPR)

### Evidence
- Screenshot: WEB-001_01_login_bypass.png
- Request log: WEB-001_request.txt
- Database dump sample: WEB-001_data_sample.txt

### Remediation
1. Use parameterized queries (prepared statements)
2. Implement input validation with allowlisting
3. Apply least privilege database permissions
4. Enable WAF SQL injection rules

### References
- OWASP SQL Injection: https://owasp.org/www-community/attacks/SQL_Injection
- CWE-89: https://cwe.mitre.org/data/definitions/89.html
````

Testing Timeline Documentation
```markdown
# Engagement Timeline Template

## Engagement: ACME Corp Web Application Assessment
## Dates: January 15-19, 2024
## Tester: John Smith

### Day 1 - January 15, 2024
| Time | Activity | Notes |
|------|----------|-------|
| 09:00 | Kickoff call | Scope confirmed, credentials received |
| 09:30 | Environment setup | VPN connected, tools configured |
| 10:00 | Reconnaissance | Subdomain enumeration, 47 subdomains found |
| 12:00 | Lunch break | |
| 13:00 | Active scanning | Nikto, Nuclei scans completed |
| 15:00 | Manual testing | Login functionality |
| 15:30 | Finding: SQL Injection | WEB-001 documented |
| 17:00 | End of day | Progress report sent |

### Day 2 - January 16, 2024
| Time | Activity | Notes |
|------|----------|-------|
| 09:00 | Continue testing | API endpoints |
| 10:00 | Finding: IDOR | WEB-002 documented |
| 11:30 | Finding: Missing rate limiting | WEB-003 documented |
...

### Testing Statistics
- Total testing hours: 32
- Endpoints tested: 156
- Vulnerabilities found: 12
- Critical: 2, High: 4, Medium: 4, Low: 2
```

Cleanup Procedures
Never Skip Cleanup
Leftover test artifacts (web shells, test accounts, modified data) can be exploited by
real attackers. Always perform thorough cleanup and verify with the client.
Web Shell Removal
Track every uploaded file as you go and maintain the cleanup checklist throughout the engagement, not at the end.

```markdown
# Cleanup Checklist - Web Shells

## Files Uploaded:
- [x] /var/www/html/shell.php - REMOVED
- [x] /uploads/test.php.jpg - REMOVED
- [x] /tmp/backdoor.aspx - REMOVED
```

```bash
# Verify removal: print only the HTTP status code, which should be 404
curl -s -o /dev/null -w '%{http_code}\n' https://target.com/shell.php
curl -s -o /dev/null -w '%{http_code}\n' https://target.com/uploads/test.php.jpg
```

If direct file access is not available, request that the client verify:

```text
Please verify the following files have been removed:
1. /var/www/html/shell.php
2. /uploads/test.php.jpg
3. /tmp/backdoor.aspx
Provide confirmation screenshot showing files no longer exist.
```

```bash
# Search for any missed uploads (run on the server, or ask the client to run it)
find /var/www -name "*.php" -mtime -7 -type f
find /var/www -name "*.aspx" -mtime -7 -type f
grep -r "eval\|base64_decode\|system\|exec" /var/www/html/
```

Test Account Removal
Track every account created during testing.

```markdown
# Cleanup Checklist - Test Accounts

## Database Accounts:
- [x] testuser1@pentest.local - DELETE FROM users WHERE email='testuser1@pentest.local'
- [x] admin_test@evil.com - DELETED
- [x] sqli_user - DELETED

## Application Accounts:
- [x] pentest_admin - Account disabled/deleted via admin panel
- [x] test_analyst - Account deleted

## System Accounts (if applicable):
- [x] pentest_ssh - userdel pentest_ssh
- [x] backup_test - Account removed
```

```sql
-- SQL cleanup queries
-- Run inside a transaction and check the affected row counts before committing.
DELETE FROM users WHERE email LIKE '%@pentest.local';
-- Underscore is a LIKE wildcard; escape it so 'pentesting_team' is not matched
DELETE FROM users WHERE username LIKE 'pentest\_%' ESCAPE '\';
DELETE FROM sessions WHERE user_id NOT IN (SELECT id FROM users);

-- Verify cleanup
SELECT * FROM users WHERE created_at > '2024-01-15'; -- Check for missed accounts
SELECT * FROM audit_log WHERE action='CREATE_USER' AND timestamp > '2024-01-15';
```

Data Restoration
Track every data modification made during testing, including the original value, so it can be restored exactly.

```markdown
# Cleanup Checklist - Data Modifications

## Modified Records:
- [x] Product ID 123: Price changed from $100 to $0.01 - RESTORED
- [x] User ID 456: Role changed from 'user' to 'admin' - RESTORED
- [x] Config setting: debug_mode set to true - RESTORED to false

## Injected Data:
- [x] XSS payload in user profile bio - REMOVED
- [x] SQLi test strings in comment fields - REMOVED
```

```sql
-- SQL restoration queries
UPDATE products SET price = 100.00 WHERE id = 123;
UPDATE users SET role = 'user' WHERE id = 456;
UPDATE config SET value = 'false' WHERE key = 'debug_mode';

-- Remove test data
DELETE FROM comments WHERE body LIKE '%<script>%';
DELETE FROM comments WHERE body LIKE '%UNION SELECT%';
UPDATE users SET bio = '' WHERE bio LIKE '%<script>%';

-- Verify data integrity
-- Compare row counts and checksums with the pre-test baseline if available
SELECT COUNT(*) FROM users;
SELECT COUNT(*) FROM products;
SELECT CHECKSUM_AGG(CHECKSUM(*)) FROM critical_table; -- SQL Server; MySQL: CHECKSUM TABLE critical_table;
```

Network/Infrastructure Cleanup
Track every infrastructure change made during testing.

```markdown
# Cleanup Checklist - Infrastructure

## Tunnels/Proxies:
- [x] Chisel tunnel on port 8080 - Process killed, verified closed
- [x] SSH tunnel to internal network - Disconnected
- [x] SOCKS proxy on compromised server - Removed

## Firewall/Network Changes:
- [x] Temporary firewall rule allowing port 4444 - Rule removed
- [x] DNS records added for testing - Removed

## Scheduled Tasks/Crons:
- [x] Persistence cron job - Removed from /etc/crontab
- [x] Scheduled task on Windows - Deleted
```

```bash
# Verify no listeners remain (either tool; ss replaces netstat on newer systems)
netstat -tlnp | grep -E '4444|8080|9050'
ss -tlnp | grep -E '4444|8080|9050'

# Check for remaining processes
ps aux | grep -E 'chisel|nc|socat|meterpreter'

# Verify cron cleanup
crontab -l
cat /etc/crontab
ls /etc/cron.d/
```

```cmd
REM Windows cleanup verification
schtasks /query /fo LIST /v | findstr pentest
netstat -an | findstr LISTENING
```

Cleanup Verification
```bash
#!/bin/bash
# cleanup_verification.sh - Comprehensive Cleanup Verification Script
TARGET="target.com"
LOG_FILE="cleanup_verification_$(date +%Y%m%d).log"

echo "=== Cleanup Verification Report ===" | tee "$LOG_FILE"
echo "Date: $(date)" | tee -a "$LOG_FILE"
echo "Target: $TARGET" | tee -a "$LOG_FILE"
echo "" | tee -a "$LOG_FILE"

# Check for web shells
# Replace this list with the exact paths from your upload checklist
echo "[*] Checking for web shells..." | tee -a "$LOG_FILE"
web_shells=("shell.php" "cmd.php" "c99.php" "r57.php" "backdoor.aspx" "test.jsp")
for shell in "${web_shells[@]}"; do
  response=$(curl -s -o /dev/null -w "%{http_code}" "https://$TARGET/$shell")
  if [ "$response" != "404" ]; then
    echo "[!] WARNING: $shell may still exist (HTTP $response)" | tee -a "$LOG_FILE"
  else
    echo "[+] $shell not found (OK)" | tee -a "$LOG_FILE"
  fi
done

# Check for test accounts (API check)
echo "" | tee -a "$LOG_FILE"
echo "[*] Checking for test accounts..." | tee -a "$LOG_FILE"
test_accounts=("pentest_admin" "test_user" "sqli_test")
for account in "${test_accounts[@]}"; do
  # Adjust based on application API
  response=$(curl -s "https://$TARGET/api/users?search=$account")
  if [[ "$response" == *"$account"* ]]; then
    echo "[!] WARNING: Account $account may still exist" | tee -a "$LOG_FILE"
  else
    echo "[+] Account $account not found (OK)" | tee -a "$LOG_FILE"
  fi
done

# Check for open ports used during testing
echo "" | tee -a "$LOG_FILE"
echo "[*] Checking for test ports..." | tee -a "$LOG_FILE"
test_ports=(4444 5555 8888 9999)
for port in "${test_ports[@]}"; do
  nc -zv "$TARGET" "$port" 2>&1 | tee -a "$LOG_FILE"
done

echo "" | tee -a "$LOG_FILE"
echo "=== Verification Complete ===" | tee -a "$LOG_FILE"
```

Client Communication
```markdown
# Post-Engagement Cleanup Communication Template

Subject: [ENGAGEMENT_ID] Penetration Test Cleanup Confirmation

Dear [CLIENT_NAME],

The penetration testing engagement for [APPLICATION_NAME] has been completed.
Please find below the cleanup summary and items requiring your verification.

## Testing Period
- Start Date: [START_DATE]
- End Date: [END_DATE]
- Tester(s): [TESTER_NAMES]

## Artifacts Created During Testing

### Files Uploaded (Removed)
| File Path | Status | Verification |
|-----------|--------|--------------|
| /uploads/test_shell.php | Removed | Please verify |
| /tmp/pentest.txt | Removed | Please verify |

### Test Accounts (Deleted)
| Account | Type | Status |
|---------|------|--------|
| pentest_admin@test.com | Application | Deleted |
| api_test_user | API Key | Revoked |

### Data Modifications (Restored)
| Table/Record | Change | Status |
|--------------|--------|--------|
| users.id=123 | Role modified | Restored |
| products.id=456 | Price modified | Restored |

## Client Action Required
Please verify the following:
1. [ ] Listed files have been removed from servers
2. [ ] Test accounts no longer have access
3. [ ] Modified data has been restored correctly
4. [ ] No unusual scheduled tasks or services running

## Recommendations
- Review application logs for any anomalies during testing period
- Reset any credentials that were tested/discovered
- Apply patches for critical findings before public disclosure

Please confirm cleanup completion by replying to this email.

Best regards,
[TESTER_NAME]
[COMPANY]
```

Documentation Best Practices
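The web shell, test account, data and infrastructure checklists and the client confirmation tables above are all views of one record of what was created during testing. As an added example (not from the original guide), this ledger is updated the moment an artifact is created, renders both the checklist and the email table, and reports whether anything is still outstanding; the artifact locations and field names are assumptions.

```python
# Added example, not from the original guide: one ledger of everything created
# during testing, kept from the first upload onward. It renders the cleanup
# checklist and the client confirmation table. Locations are constructed samples.
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Artifact:
    kind: str           # file | account | data | infra
    location: str       # path, username, table/record, host:port
    original: str       # original state, needed to restore data changes
    created: str
    restored: str = ""  # empty until cleanup of this item is done

@dataclass
class CleanupLedger:
    items: list = field(default_factory=list)

    def record(self, kind, location, original=""):
        """Call at the moment an artifact is created, never from memory later."""
        artifact = Artifact(kind, location, original,
                            datetime.now(timezone.utc).isoformat())
        self.items.append(artifact)
        return artifact

    def mark_restored(self, location):
        for a in self.items:
            if a.location == location and not a.restored:
                a.restored = datetime.now(timezone.utc).isoformat()
                return a
        raise KeyError(f"no outstanding artifact at {location}")

    def outstanding(self):
        return [a for a in self.items if not a.restored]

    def ready_to_close(self): return not self.outstanding()

    def checklist(self):
        """Markdown checklist in the form used by the cleanup sections."""
        return "\n".join(
            f"- [{'x' if a.restored else ' '}] {a.kind}: {a.location} - "
            f"{'REMOVED/RESTORED' if a.restored else 'PENDING'}"
            for a in self.items)

    def client_table(self):
        """Table for the cleanup confirmation email; the client still verifies."""
        rows = ["| Artifact | Type | Status | Verification |",
                "|----------|------|--------|--------------|"]
        rows += [f"| {a.location} | {a.kind} | "
                 f"{'Restored' if a.restored else 'OUTSTANDING'} | Please verify |"
                 for a in self.items]
        return "\n".join(rows)
```

Do not send the confirmation email while `ready_to_close()` is false; the OUTSTANDING rows are exactly the items that would otherwise be left on the client's systems.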
Do's
- Document in real-time as you test
- Include timestamps on all evidence
- Capture full request/response pairs
- Write reproducible steps
- Include remediation guidance
- Back up all documentation
- Verify cleanup with client

Don'ts
- Rely on memory to document later
- Include client PII in reports unnecessarily
- Leave web shells or backdoors
- Store credentials in plain text
- Skip cleanup verification
- Retain client data after engagement
- Share findings before report delivery
Cleanup & Documentation Checklist

Evidence Collection
- [ ] Screenshots captured for all findings
- [ ] Request/response logs saved
- [ ] Terminal sessions recorded
- [ ] Timestamps included on all evidence
- [ ] Evidence organized by finding

Documentation
- [ ] All findings documented
- [ ] Reproduction steps verified
- [ ] CVSS scores assigned
- [ ] Remediation recommendations included
- [ ] Timeline documented

Cleanup
- [ ] Web shells removed
- [ ] Test accounts deleted
- [ ] Modified data restored
- [ ] Tunnels/connections closed
- [ ] Scheduled tasks removed

Verification
- [ ] Cleanup verification script run
- [ ] Client confirmation received
- [ ] Local test data securely deleted
- [ ] VPN/access credentials returned/revoked
- [ ] Final report delivered