cyber revision

Penetration testing methodology

The structured phases of an authorised engagement, the CTF categories, and how to approach a target box.

~5 min read

From theory to hands-on

Everything in the other topics describes how systems are attacked and defended. This one is about doing it, legally and methodically. There are two main contexts.

  • Penetration testing is an authorised, scoped simulated attack on a real system to find exploitable weaknesses before a real attacker does, reported so they can be fixed.
  • Capture the Flag (CTF) refers to security challenges, usually in a lab, where you exploit deliberately vulnerable targets to find flags (text strings proving you reached a goal). This is the legal way to build and practise offensive skill. Platforms: TryHackMe, Hack The Box, PicoCTF, OverTheWire.

Before anything else: authorisation. A penetration test needs a signed contract, a defined scope (which systems, which techniques, when), and rules of engagement. Testing outside scope, or anything you don't own without permission, is an offence under the Computer Misuse Act. In a CTF the platform is your authorisation; never point those techniques at systems outside it.

The phases of an engagement

A penetration test follows a recognised sequence (this mirrors frameworks like the PTES and, loosely, the attacker's kill chain):

  1. Reconnaissance: gather information about the target. Passive recon uses public sources without touching the target (OSINT, covered next); active recon interacts with it (scanning).
  2. Scanning / Enumeration: actively map the attack surface: live hosts, open ports, services and versions, users, shares, web directories. Enumeration is where most CTF boxes are won or lost. Being thorough here surfaces the way in. The mantra is "enumerate, enumerate, enumerate."
  3. Gaining access / Exploitation: exploit a discovered weakness (a vulnerable service, weak credentials, a web flaw) to get an initial foothold, often a low-privileged shell.
  4. Privilege escalation: go from that foothold to higher privileges (root/Administrator/Domain Admin), since the first access is rarely privileged. (Its own chapter.)
  5. Maintaining access / Post-exploitation: establish persistence, explore, move laterally, and locate the objective (data, the flag). In a real test, demonstrate impact without causing harm.
  6. Covering tracks: what a real attacker does (clearing logs). A legitimate tester does the opposite, documenting everything for the report.
  7. Reporting: for a real engagement, the actual deliverable: findings, risk ratings, evidence and remediation advice. The report is the product; the access was just how you found the issues.

The two shell types

A concept you'll use constantly: after exploiting a service you usually want command execution via a shell.

  • A reverse shell has the target connect back to you (you run a listener, e.g. nc -lvnp 4444, and the target initiates the connection). It's preferred because outbound connections usually pass through firewalls that block inbound.
  • A bind shell has the target listen on a port and you connect in. Inbound firewalls block it more often, so it's less common.

Early shells are often unstable ("dumb"). Upgrading to a fully interactive TTY (so you can use tab-completion, sudo, and Ctrl-C without killing the shell) is a routine early step.

CTF challenge categories

CTFs group challenges by skill, and the categories map onto the whole course:

Category What you do Topic it draws on
Web Exploit web app flaws (injection, IDOR, auth bypass) Web Security
Crypto Break weak or misused cryptography Cryptography
Forensics Recover evidence from files, disk images, PCAPs Forensics
Reverse engineering Disassemble a binary to understand/defeat it (binary analysis)
Pwn / binary exploitation Exploit memory-corruption bugs (buffer overflows) OS/low-level
OSINT Find information from public sources Recon
Steganography Find data hidden inside images/audio Forensics
Boot2root / machines Fully compromise a vulnerable host end to end Everything

Boot2root machines are the most complete practice: recon → enumerate → exploit → privilege-escalate, exactly the engagement phases above, which is why they make up the bulk of platforms like Hack The Box.

A practical approach to a target box

A repeatable mental loop for a CTF machine or a scoped host:

  1. Scan all ports, then enumerate each open service in depth (versions, default creds, known CVEs).
  2. For web services, browse the site, view source, and run directory enumeration (web is the most common entry point).
  3. Research every service/version for known vulnerabilities and default credentials.
  4. Get a foothold via the most promising finding; stabilise your shell.
  5. Enumerate locally for privilege escalation (the checklist in the Linux/Windows chapters).
  6. Escalate, then loot: find the flag/objective and document every step as you go.

The discipline that separates success from frustration is methodical enumeration and good notes. Most "I'm stuck" moments are something missed in step 1 or 2.

Quick recall

  • Pentest = authorised, scoped simulated attack; CTF = legal practice in a lab. Authorisation (signed scope / the platform) is non-negotiable.
  • Phases: recon (passive/active) → scanning & enumeration → exploitation → privilege escalation → post-exploitation → (cover tracks / for testers, document) → reporting. The report is the real deliverable.
  • Reverse shell = target connects to you (beats outbound firewalls); bind shell = you connect to target. Upgrade to a full TTY early.
  • CTF categories: web, crypto, forensics, reversing, pwn/binary exploitation, OSINT, stego, boot2root. Boot2root exercises the whole chain.
  • Win through thorough enumeration and notes; most blockers are something missed early.
PreviousNext