Congratulations on making it to Phase 4 of PEN Consultants’ interview process! This next phase is the pentest phase. We’ve setup an intentionally vulnerable server. Find as many vulnerabilities as you can (within a given amount of time) and then write-up the details of your findings. There are no riddles to solve or breadcrumbs to find…you will actually exploit discovered vulnerabilities.
Part 1 – IP addresses
- If you have not done so already, send us your IP address so we can white list it in the firewall protecting the server.
- Only you will have access to this server.
- Once we receive your IP, we’ll send you the server IP.
Part 2 – Hack It
- Spend up to 2 weeks finding everything this server is vulnerable to. After two weeks, this server will be shut down.
- Note: The server is a fresh clone and has never been exploited. There are no remnants of past exploitation.
- Hint: There’s no need to look above port 1024, nor for UDP ports.
- We recommend not spending more than 8hrs total on this phase. Intermediate skilled testers will find dozens of vulnerabilities in <8hrs. With that said, feel free to spend as much time as you’d like within the 2 week time frame.
- Once you get in, you’ll find a list/menu of vulnerabilities. Navigate to those areas and attempt to exploit the system in the manner indicated.
Part 3 – Report
- Before the 2 weeks is up, and the server is taken down, pick three of the most critical vulnerabilities and write a detailed finding and recommendation (FR) for each.
- Use this as an example of the level of detail we’re looking for: https://penconsultants.com/report
- Note: You do not need to create an entire report; you will just create three FRs to address your findings and recommendations for the three most critical vulnerabilities.
- Each of the three vulnerabilities/write-ups must be from different categories of findings. Example categories: SQLi, XSS, file inclusion, privilege escalation, user enumeration, auth bypass, XXE, etc.. You will likely find multiple vulnerabilities per category, so be sure to pick the most critical and/or most complex to pull off (impress us with solving some of the harder ones!). If the details of the exploit or recommendation is a copy/paste of another finding, there is too much overlap…please choose another.
- We recommend spending no more than 3-4 hours total on these three write-ups.
- Note: The service(s) are non-SSL, all HTTP security headers are missing, etc. There’s no need to write those up as issues (even though they are). Stick to the items in the list/menu.
Rules and Ethics
As mentioned, this is an actual vulnerable server. If you know what you’re doing, you WILL gain root-level control of it. With that said:
- Do not attack any other systems from this platform! If we even suspect you have, all logs will be sent to the law enforcement (LE). If you have any doubts about what you are doing, STOP. If you have any questions about this, please ask.
- Note: Using a service such as Portswigger’s Collaborator or standing up your own listening post (LP) for the server to call back to, if needed, is completely appropriate. Attacking Portswigger (for example) from the server is illegal and will be reported to LE.
- Do not attempt to hack any other server, other than the IP we give you. The testing scope is one single IP, the one we give you.
- Do not cheat! We have used some well-known built-vulnerable frameworks for this testing. By default, many of those frameworks have built-in hints, difficulty levels, etc. We’ve made a best-effort to hide those, as to not be tempting.
- You are not to enable/change those settings, or download/test against another instance of a given framework with those items enabled.
- If you find that we missed hiding something, please let us know so we can make a modification before next time.
- There are many hacker-101 level vulnerabilities with this server. If you are not finding and exploiting them within minutes, you likely do not have the skill set we’re looking for and would not be able to perform on-the-job. Be honest, if that is the case.
- If you have any questions or think something may be broken, don’t hesitate to ask! In reality, our QA process for this is low, so there could be unintended bugs.
- We are monitoring the server activity for both out-of-scope attacks and cheating. Cheaters will be disqualified and out-of-scope activity will be logged and sent to LE.