StC Pentesting Fundamentals Study Group — Week #2 Recap

Today we had our second session of the Pentesting Fundamentals Study Group.

We covered Chapter 2 of the CompTIA PenTest+ Study Guide and learned about the following topics:

• Difference between goals-based, compliance-based and red-team based assessments
• White box versus black box versus gray box assessments
• What a Rules of Engagement (RoE) document is and the key elements it includes
• How to plan and scope an assessment
• The key legal concepts related to penetration testing

We also watched IppSec’s video on how to get system level access on the Devel Hack The Box (HTB) machine.

Since IppSec solved the machine using Metasploit, we looked at another way of solving the machine without having to use the Metasploit framework. We then ended the session by reviewing the vulnerabilities that allowed us to get system level access on the Windows machine and how these vulnerabilities could have been remediated.

Next week, we’ll cover Ch-3 of the CompTIA Pentest+ book and work on the Lame (Linux) & Legacy (Windows) HTB boxes.

Additional Resources

The following are some of the resources we looked at.

• Metasploit Fundamentals
• MSFvenom
• A Guide to Hacking Without Metasploit
• Hack The Box — Devel Writeup w/ Metasploit
• Hack The Box — Devel Writeup w/o Metasploit
• Command line FTP client in Windows
• Securing FTP Servers