CSY202 Week 12 Intermediate


Applied Cryptography


Opening Framing: The Complete Engagement

Over the past eleven weeks, you've built a comprehensive penetration testing toolkit. You've learned reconnaissance, scanning, exploitation, post-exploitation, privilege escalation, Active Directory attacks, and network attacks.

Now it's time to bring everything together. This capstone simulates a real penetration testing engagement—from receiving the scope to delivering the final report. You'll demonstrate not just technical skills, but professional methodology.

The scenario challenges you to approach a target environment systematically, document your work thoroughly, and communicate findings clearly. This is what professional pentesters do.

Key insight: Technical skills get you access. Professional methodology and communication deliver value to clients.

Capstone Scenario: MegaCorp Industries

You've been engaged to perform a penetration test for MegaCorp Industries, a mid-sized manufacturing company.

ENGAGEMENT OVERVIEW

Client: MegaCorp Industries
Industry: Manufacturing
Size: 500 employees, 3 locations

Engagement Type: Internal Network Penetration Test
Duration: 1 week (simulated)
Start Position: Attacker on internal network

SCOPE:
- Network range: 192.168.1.0/24 (lab simulation)
- All systems in range are in scope
- Web applications on discovered hosts
- Active Directory (if present)

OUT OF SCOPE:
- Denial of Service attacks
- Physical security testing
- Social engineering
- Production manufacturing systems (192.168.2.0/24)

OBJECTIVES:
1. Identify and exploit vulnerabilities
2. Demonstrate business impact
3. Attempt to achieve Domain Admin (if AD present)
4. Access sensitive data
5. Document attack paths
6. Provide remediation recommendations

RULES OF ENGAGEMENT:
- Testing hours: Any (lab environment)
- Emergency contact: N/A (lab)
- Data handling: Do not exfiltrate real sensitive data
- Documentation: Full documentation required

Phase 1: Reconnaissance and Scanning

Begin with comprehensive discovery:

Tasks:

  1. Host Discovery: Identify all live hosts in scope
  2. Port Scanning: Full port scan of discovered hosts
  3. Service Enumeration: Identify services and versions
  4. Vulnerability Scanning: Run vulnerability scans
  5. Web Application Discovery: Identify web applications

Deliverables:

□ Network diagram showing discovered hosts
□ Port/service matrix for all hosts
□ Technology inventory
□ Initial vulnerability findings
□ Prioritized target list

Methodology Notes:

# Host discovery
nmap -sn 192.168.1.0/24 -oA discovery

# Full port scan
nmap -p- --min-rate=1000 -oA full_ports [targets]

# Service enumeration
nmap -sV -sC -p [ports] -oA services [targets]

# Vulnerability scan
nmap --script=vuln -oA vuln_scan [targets]

# Document everything as you go!
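The Phase 1 deliverables ask for a port/service matrix and a technology inventory, which you build from the scan files that `-oA` writes. The following added example (not part of the course material) parses the grepable `.gnmap` output that `-oA services` produces and turns it into both deliverables. The sample scan lines are constructed for illustration and use the lab range from the scope; the version strings are invented.

```python
"""Parse nmap grepable output (the .gnmap file written by -oA) into the
port/service matrix and technology inventory required in Phase 1."""
from collections import defaultdict

# Constructed sample .gnmap lines (not real scan output). Addresses follow the
# 192.168.1.0/24 lab scope; service versions are made up for illustration.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -sC -oA services 192.168.1.10 192.168.1.20
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.8/, 80/open/tcp//http//Apache httpd 2.4.18/, 3306/open/tcp//mysql//MySQL 5.7.33/\tIgnored State: closed (997)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 445/open/tcp//microsoft-ds//Windows 7 Professional 7601 Service Pack 1 microsoft-ds/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: filtered (997)
# Nmap done -- 2 IP addresses (2 hosts up) scanned in 300.00 seconds
"""


def parse_gnmap(text):
    """Return {host: [(port, proto, service, version), ...]} for open ports only."""
    matrix = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip "# Nmap ..." banner lines
        fields = line.split("\t")
        host = fields[0].split()[1]       # "Host: 192.168.1.10 ()" -> address
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue                      # "Status: Up" line, no port data
        for entry in ports_field[len("Ports:"):].split(","):
            # gnmap port entry layout: port/state/proto/owner/service/rpc info/version/
            parts = entry.strip().split("/")
            if len(parts) < 7 or parts[1] != "open":
                continue
            port, _state, proto, _owner, service, _rpc, version = parts[:7]
            matrix[host].append((int(port), proto, service, version))
    return dict(matrix)


def technology_inventory(matrix):
    """Return {software version: sorted hosts} so shared software stands out
    when you do CVE lookups in Phase 2."""
    inventory = defaultdict(set)
    for host, entries in matrix.items():
        for _port, _proto, service, version in entries:
            inventory[version or service].add(host)
    return {tech: sorted(hosts) for tech, hosts in inventory.items()}


def render_matrix(matrix):
    """Plain-text port/service matrix, one row per open port, hosts in IP order."""
    rows = ["HOST            PORT   PROTO  SERVICE          VERSION"]
    for host in sorted(matrix, key=lambda h: tuple(int(o) for o in h.split("."))):
        for port, proto, service, version in sorted(matrix[host]):
            rows.append(f"{host:<15} {port:<6} {proto:<6} {service:<16} {version}")
    return "\n".join(rows)


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    print(render_matrix(scan))
    print()
    for tech, hosts in technology_inventory(scan).items():
        print(f"{tech}: {', '.join(hosts)}")
```

Point the parser at your own `services.gnmap` (read the file into `text`) and paste the rendered matrix straight into the reconnaissance report; the inventory dictionary is the "technology inventory" deliverable and doubles as the input list for CVE research in Phase 2.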

Phase 2: Vulnerability Analysis

Analyze findings and plan exploitation:

Tasks:

  1. Review Scan Results: Analyze all scan output
  2. Research Vulnerabilities: CVE lookup for identified versions
  3. Manual Verification: Confirm key vulnerabilities
  4. Prioritization: Rank by exploitability and impact
  5. Attack Planning: Create exploitation roadmap

Deliverables:

□ Vulnerability inventory with CVE references
□ Verified vulnerability list
□ Exploitation priority matrix
□ Attack plan document

Analysis Framework:

For each vulnerability:

1. What is it? (CVE, description)
2. Is it exploitable? (PoC available?)
3. What access does it provide?
4. What's the business impact?
5. Priority: Critical/High/Medium/Low

Attack plan structure:
- Primary targets (highest value, easiest exploit)
- Secondary targets (backup options)
- Attack chains (vulnerability A → access → vulnerability B)

Phase 3: Exploitation

Execute your attack plan:

Tasks:

  1. Initial Access: Exploit first vulnerability
  2. Post-Exploitation: Enumerate compromised system
  3. Credential Harvesting: Collect credentials
  4. Privilege Escalation: Escalate to root/SYSTEM
  5. Lateral Movement: Move to additional systems

Deliverables:

□ Documentation of each successful exploit
□ Screenshots proving access
□ Credentials harvested (hashes, not plaintext in report)
□ Privilege escalation evidence
□ Lateral movement path documentation

Documentation Requirements:

For each exploitation:

EXPLOITATION RECORD
===================
Target: [IP/hostname]
Vulnerability: [name/CVE]
Tool Used: [Metasploit/manual/etc.]
Commands:
[exact commands used]

Result:
[access level achieved]

Evidence:
[screenshot reference]

Timestamp: [when]

Phase 4: Active Directory (If Applicable)

If AD is present in your lab:

Tasks:

  1. AD Enumeration: Map the domain
  2. Attack Path Analysis: Use BloodHound
  3. Credential Attacks: Kerberoasting, AS-REP roasting
  4. Privilege Escalation: Path to Domain Admin
  5. Domain Dominance: DCSync if achieved

Deliverables:

□ Domain enumeration results
□ BloodHound attack path screenshots
□ Kerberoasted/AS-REP hashes (if cracked)
□ Domain Admin evidence (if achieved)
□ Attack path diagram

Phase 5: Reporting

The report is your final deliverable:

Report Structure:

PENETRATION TEST REPORT
=======================

1. EXECUTIVE SUMMARY (1-2 pages)
   - Engagement overview
   - Key findings summary
   - Risk rating
   - Critical recommendations

2. SCOPE AND METHODOLOGY (1 page)
   - What was tested
   - Testing approach
   - Tools used
   - Timeline

3. FINDINGS SUMMARY (1-2 pages)
   - Vulnerability count by severity
   - Finding categories
   - Risk matrix

4. DETAILED FINDINGS (bulk of report)
   For each finding:
   - Title
   - Severity (Critical/High/Medium/Low)
   - Affected Systems
   - Description
   - Evidence
   - Business Impact
   - Remediation
   - References

5. ATTACK NARRATIVE (2-3 pages)
   - Story of the attack path
   - How initial access was gained
   - How privileges were escalated
   - What data was accessed
   - Timeline of attack

6. RECOMMENDATIONS (1-2 pages)
   - Prioritized remediation steps
   - Strategic improvements
   - Quick wins

7. APPENDICES
   - Raw scan output
   - Full tool output
   - Technical details

Finding Template:

FINDING: [Title]
================
Severity: [Critical/High/Medium/Low]
CVSS: [Score if applicable]
Affected Systems: [IP addresses/hostnames]

DESCRIPTION:
[What the vulnerability is, technical explanation]

EVIDENCE:
[Screenshots, command output]

BUSINESS IMPACT:
[What an attacker could do, business consequences]

REMEDIATION:
[Specific steps to fix]
[Priority: Immediate/Short-term/Long-term]

REFERENCES:
[CVE links, vendor advisories, etc.]

Capstone Deliverables

Your complete submission must include:

1. Reconnaissance Report (15 points)

2. Vulnerability Assessment (20 points)

3. Exploitation Evidence (25 points)

4. Professional Report (30 points)

5. Reflection (10 points)

Evaluation Criteria

Your capstone will be evaluated on:

Criteria                                            Points
---------------------------------------------------------
Methodology: Systematic, thorough approach              15
Technical Depth: Exploitation quality and variety       25
Documentation: Clear, complete evidence                 20
Report Quality: Professional, actionable                25
Recommendations: Practical, prioritized                 10
Reflection: Honest self-assessment                       5

Total: 100 points. Projects scoring 80+ demonstrate job-ready competency.

Lab Environment Options

Choose a target environment for your capstone:

Option 1: Metasploitable + Additional VMs
- Metasploitable 2 or 3
- Add Windows VM if possible
- Create small network

Option 2: VulnHub Machines
- Download 2-3 VulnHub VMs
- Network them together
- Progressive difficulty

Option 3: HackTheBox/TryHackMe
- Complete a Pro Lab or Learning Path
- Document as if real engagement
- Multiple machines recommended

Option 4: Custom Lab
- Build AD environment
- Add vulnerable services
- Most realistic but most work

Recommended minimum:
- 3+ target systems
- Mix of Linux and Windows
- At least one web application
- Network services to enumerate

Tips for Success

Methodology:
- Follow the phases in order
- Don't skip enumeration
- Document as you go, not after
- Take screenshots constantly

Technical:
- Try multiple exploitation methods
- Don't give up after first failure
- Check for credential reuse
- Look for attack chains

Reporting:
- Write for the audience
- Executive summary is critical
- Evidence must be clear
- Recommendations must be actionable

Common Mistakes:
- Rushing to exploitation
- Poor documentation
- Missing obvious vulnerabilities
- Unclear or incomplete report
- No remediation recommendations

Week 12 Outcome Check

By completing this capstone, you will have demonstrated:

Congratulations! Completing this capstone demonstrates the skills expected of a junior penetration tester.

🛡️ Crypto Capstone Extension: Secure Messaging

In addition to the pentest, design a secure messaging prototype. This reinforces applied crypto skills in a practical build.

Deliverable: Design notes + minimal prototype or pseudocode.

🎯 Hands-On Labs (Free & Essential)

Run full-scope practice engagements before moving to reading resources.

🎮 TryHackMe: Blue (Windows Pentest)

What you'll do: Execute a full attack chain against a Windows target.
Why it matters: Applies reconnaissance, exploitation, and reporting in one flow.
Time estimate: 2-3 hours


🎮 TryHackMe: Kenobi (Linux Pentest)

What you'll do: Perform recon, exploit weaknesses, and escalate privileges.
Why it matters: Mimics a full Linux pentest workflow.
Time estimate: 2-3 hours


📝 Lab Exercise: Full Pentest Report

Task: Write a complete report from scope to remediation.
Deliverable: Executive summary, findings table, evidence, and remediation steps.
Why it matters: The report is the main value clients receive.
Time estimate: 2-3 hours

🛡️ Lab: Secure Messaging Prototype

What you'll do: Build or outline a secure messaging flow with proper key handling.
Deliverable: Prototype, pseudocode, or architecture diagram.
Why it matters: Applied crypto makes you a more credible tester.
Time estimate: 2-3 hours
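For the Crypto Capstone Extension above and this Secure Messaging Prototype lab, the following added example (written for this page, not course-supplied code) shows one minimal design in stdlib-only Python: HKDF-SHA256 derives separate encryption and MAC keys per direction from a root secret, every message carries a sequence number that serves as nonce and replay check, the packet is authenticated encrypt-then-MAC, and the chain key ratchets forward after each message. Two assumptions are labelled in the code: the root secret is assumed to have been agreed out of band (a real build would run an X25519 key agreement, which the standard library lacks), and the HMAC-in-counter-mode keystream stands in for AES-GCM or ChaCha20-Poly1305, which need a third-party library.

```python
"""Minimal secure messaging prototype (standard library only).
Keys: root secret -> HKDF -> per-direction chain key -> per-message enc/mac keys.
Packet layout: 8-byte sequence number || ciphertext || 32-byte HMAC tag."""
import hashlib
import hmac
import struct

HASH = hashlib.sha256


def hkdf(ikm, salt, info, length=32):
    """RFC 5869 HKDF (Extract then Expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def keystream(key, nonce, length):
    """PRF in counter mode: HMAC(key, nonce || i) blocks XORed with the data.
    Educational stand-in for an AEAD cipher, which the stdlib does not ship."""
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", i), HASH).digest()
    return out[:length]


def xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def message_keys(chain_key):
    """Derive this message's keys and the next chain key without side effects,
    so a rejected packet never desynchronises the receiver."""
    return (hkdf(chain_key, b"", b"enc"),
            hkdf(chain_key, b"", b"mac"),
            hkdf(chain_key, b"", b"next"))


class Session:
    """One direction of a conversation; sender and receiver each construct one
    from the same root secret and direction label."""

    def __init__(self, root_secret, direction):
        # root_secret is assumed to come from an out-of-band key agreement.
        salt = b"csy202-secure-messaging-v1"        # constructed protocol label
        self.chain_key = hkdf(root_secret, salt, b"chain:" + direction)
        self.seq = 0

    def seal(self, plaintext):
        enc_key, mac_key, next_chain = message_keys(self.chain_key)
        header = struct.pack(">Q", self.seq)          # sequence number is the nonce
        ct = xor(plaintext, keystream(enc_key, header, len(plaintext)))
        tag = hmac.new(mac_key, header + ct, HASH).digest()
        self.chain_key, self.seq = next_chain, self.seq + 1   # ratchet forward
        return header + ct + tag

    def open(self, packet):
        if len(packet) < 8 + 32:
            raise ValueError("truncated packet")
        header, ct, tag = packet[:8], packet[8:-32], packet[-32:]
        seq = struct.unpack(">Q", header)[0]
        if seq != self.seq:                           # replayed, reordered or dropped
            raise ValueError(f"unexpected sequence {seq}, expected {self.seq}")
        enc_key, mac_key, next_chain = message_keys(self.chain_key)
        expected = hmac.new(mac_key, header + ct, HASH).digest()
        if not hmac.compare_digest(expected, tag):    # verify before decrypting
            raise ValueError("authentication failed")
        self.chain_key, self.seq = next_chain, self.seq + 1
        return xor(ct, keystream(enc_key, header, len(ct)))


def rejects(session, packet):
    """True if the receiver refuses the packet (used in the demo below)."""
    try:
        session.open(packet)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    root = b"\x01" * 32                               # constructed demo secret
    alice, bob = Session(root, b"alice->bob"), Session(root, b"alice->bob")
    pkt = alice.seal(b"hello bob")
    print(bob.open(pkt))                              # b'hello bob'
    print("replay rejected:", rejects(bob, pkt))      # True
```

Design notes for the write-up: separate keys per purpose and per direction (no key is ever used for both encryption and authentication), nonces never repeat because the sequence counter drives them, the tag is checked in constant time before any decryption, and the per-message ratchet means a chain key captured later cannot recover earlier messages.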

💡 Lab Tip: Your report should map each finding to evidence, impact, and fix.

Resources

Reference these resources as you complete your capstone.

Week 12 Quiz

Test your understanding of penetration testing methodology, reporting, and professional practices.

Format: 10 multiple-choice questions. Passing score: 70%. Time: Untimed.


Final Reflection

Reflection Prompt (400-500 words):

This capstone represents the culmination of your ethical hacking journey in CSY202. You've progressed from understanding concepts to executing a complete penetration test.

Reflect on these questions:

A strong final reflection will honestly assess growth, identify areas for continued learning, and articulate your career direction.

What's Next?

Completing CSY202 opens doors to specialized topics:

Certifications to Consider:

Practice Platforms:

Congratulations on completing CSY202! You now have a solid foundation in ethical hacking and penetration testing. These skills are in high demand and open doors to many career paths. Remember: with great power comes great responsibility. Use your skills ethically, continue learning, and contribute positively to the security community. Welcome to the offensive security world!
