Content
The primary focus of this course is to provide comprehensive insights into industry-standard penetration testing techniques. The Pentesting Lab will be conducted by various industry experts who will share their knowledge and experience. Throughout the course, we will give a comprehensive overview of common techniques for scanning and attacking applications, and we will demonstrate the practical application of these tools in real-world scenarios. You will learn, hands-on, about privilege escalation, lateral movement, compromising a domain controller (and many more things) and how to report the findings in a standardized way.
Material
Lecture slides:
Administrative Information
Deadline: 31st of May, 2024
Deliverables:
You will be graded on 3 main parts, each worth one third of the grade. For parts 2 and 3, provide a proper pentesting report using your findings template:
- Lecture challenges: Throughout the course you will get the chance to collect some lecture challenge flags. You receive them either in the sessions or can solve them afterwards. Submit them on the CTFd.
- Linux pentesting challenge: Solve the following realist challenge from root-me.org and provide a proper report:
  - Well Known
- Windows pentesting challenge: Solve one of the following Windows pentesting challenges and provide a proper report:
  - ASRepRoast
  - Custom Challenges Patrick / Simon (you'll get those throughout the course)
Pentesting report:
Your report should meet the requirements of industry standards as shown in the lecture. See for instance the reports of cure53.
| Percentage | Grade |
| --- | --- |
| > 90% | Very good (1) |
| 78.5% – 90% | Good (2) |
| 67.5% – 78.49% | Satisfactory (3) |
| 50% – 67.49% | Sufficient (4) |
| < 50% | Insufficient (5) |
Important notes
- There will be no second chance option
- Submission deadlines are hard. We give you multiple weeks to solve an assignment, so make sure to start on time.
Oral exam
After the deadline of all assignments, there will be an oral exam. The oral exam is mandatory. You will have the option to select one of multiple time slots, in which you need to be able to answer questions about each assignment and task that you completed. Insufficient answers will lead to a point deduction that can even yield a negative grade. We will provide more information on what you need to know for the oral exam for each assignment individually.
Plagiarism
We encourage discussions with other students and really appreciate them. However, we do not tolerate any plagiarism at all. We will check all submissions for plagiarism. All affected students will receive 0 points and an "Invalid/Cheating" (Ungültig/Täuschung) with all its consequences.
Thus, do not give away your source code to other students. You are responsible for protecting your source code and solutions from unintended access of others. In the end, we do not want you to copy code and solutions. We want you to learn and understand the topics for yourself!
Lecturers