Edith Cowan University

School of Science

Ethical Hacking and Defence (CSI3208)

Case Study Assignment: Pen testing Investigation
Assignment Marks: 40% of the final mark of the unit
Due Date: See Blackboard (under Assessment ---> Assignments ---> Assessment Overview)
Length: Maximum of 20 A4 pages excluding the Title Page, Reference list, and
Appendices (if you wish to add). You should not submit an ECU cover sheet
with the assignment. Important Notes:
Before you move ahead and read the assignment instructions, you must understand/have completed
the following:
1. Watched the Academic Integrity Video from the Associate Dean Teaching and Learning
(ADTL), School of Science.

2. Read the Academic Integrity Document related to this unit

(the above two resources are available under Assessment ---> Assignments ---> Academic Integrity -
IMPORTANT).

3. You have been provided with an ‘Exemplar Assignment’ that may assist you in understanding
how this assessment task can be formulated. However, you cannot use any of the written
content from the exemplar. Doing so may lead you to a loss of marks and/or potential
Academic Misconduct. This is further elaborated on Blackboard under the Assignment
Exemplar link.

4. Read and understood the rubrics available under ‘My Grades’ on Blackboard (also available
at the end of this document). In particular, the first criterion related to ‘Academic Integrity
(Originality and Student Voice)’. Please be aware that scoring low in this criterion may
negatively impact your marks in other criterions of the rubrics and a possible report for
Academic Misconduct.

Assignment Overview:
This assessment requires you to develop and implement a procedure for an ethical hacking scenario.
The assessment will evaluate your understanding and knowledge gained from the weekly content in
relation to articulating and writing a penetration testing report in line with industry standards.

Task:
1. You are to infiltrate the supplied system (virtual machine) and attain root level privileges
using appropriate tools and a legitimate process. There are five flags strategically placed in
the provided system. The flags are represented as values and are available at each point of
the system compromise. Look for them in home directories, web pages, etc. Ideally, you
should be able to find the flags in sequence, i.e. Flag 1 followed by Flag 2, onwards. The
value could be similar to the following:
“chahNaelia9zohlaseiPaich0QuoWoh8ohfaenaiQuaetaebushoakarai6lainohjongoneesoocahdei6guosiethae7uwuu5Kaid9ei
sah8EChoo4kaiGh2eit2mu”

2. The report should outline each test/attack run against the system and the result.

CSI3208, Pen Testing Investigation PAGE 1

 Edith Cowan University
School of Science

3. You must follow a process that should be defined prior to the commencement of testing.

4. Your report should include the flags as well as any credentials you uncover as part of your
hacking endeavours.

5. You must compromise the system over the network. Local, physical or other attacks
requiring direct interaction with the target system are not valid for the purposes of the
assignment.

6. All screenshots from the provided system (if you record and wish to add) must be part of the
Appendix. You may lose marks if you add them in the main body of the report.

Report Structure:
Component Broad Description and Guidelines
Title Page Unit code and title, assignment title, your name, student number, campus and tutor’s
name
Executive Summary • The executive summary should be a summary of the entire report, including a
brief description of the findings, results and recommendations.
• A mix of introduction and executive summary is not acceptable.
• An executive summary is for somebody who will not read the report but needs to
learn the key points, outcomes, and important information.
• An executive summary is aimed at encouraging somebody to read the report
• The executive summary uses appropriate terminology and language including an
objective tone, present tense and well-structured sentences. Write in paragraph
form - dot points should only be used for recommendations.
• The executive summary is located after the Contents page.
Introduction • An overview of the activity and the objectives covering the broad contours of the
work undertaken.
• A discussion of the phases, scope and extent of the examination
• Type of test based on the provided information – white box, grey box, or black box
• Resources used
Defined • A description of the process undertaken including the generic phases of the
Methodology investigation used to examine the given scenario such as Discovery and Probing,
Vulnerability assessment, penetration testing and escalation and reporting.
Component Broad Description and Guidelines
• The method should be generic and written prior to the commencement of testing
the scenario. This is the plan for how to conduct the test.
• Any inclusion of very specific information demonstrates that this section was
written subsequent to testing rather than prior.
Testing Log • Testing log is developed with the aim to allow repeatability and follow a sequence.
• A reader should be able to perform the steps by following the testing log.
• It should follow a process and be written clearly.
• Should be presented in tabular format showing all your actions that can be
repeated by the marker.
Results & • This should include details of each vulnerability uncovered and the suggested
Recommendations mitigations for these.
• All results should be mentioned including flags found, credentials recovered, etc.
• Each vulnerability should be handled thoroughly with the appropriate mitigation
strategies.
• General recommendations are good but it is preferable to indicate how the

CSI3208, Pen Testing Investigation PAGE 2

 Edith Cowan University
School of Science

system can be secured in concrete terms.

References • All evidence and ideas from sources must be written in your own words and must
be acknowledged using in-text references in the body of the report and end-text
references (reference list) at the end of the report.
• Correct APA 7th edition style referencing conventions both for in-text and
endtext references should be used.

Additional Points:

1. Start early and plan ahead. You may need to spend considerable time experimenting with
various tools. If a tool or method fails to result in a successful outcome, you should still
document this action in your running sheet.
2. Carefully read the marking rubric. It contains a detailed description of what is expected of you
for written communication skills. Ask any questions you may have.
3. You will not be graded on finding the flags. You are assessed on the procedure adopted for
finding, exploiting the vulnerabilities, recommendations, content, etc.
4. During the semester, you will be given some hints. Follow them.
5. The report must use appropriate structure with clear, concise headings, and ideas must flow
logically.
6. The style of writing should be appropriate for the purpose and the audience, including third
person objective voice i.e. avoid the use of first person (‘I’, ‘my’, ‘we’) and second (‘you’) person.
7. Appropriate discipline-specific terminology and vocabulary must be used in the report.
8. Sentence structure, spelling, punctuation and grammar should be correct for the report.

Deliverable: A single PDF or Microsoft Word Document. ECU Assignment Cover Sheet must not be
included with the PDF document.

Referencing, Plagiarism and Collusion:

The entirety of your assignment must be your own work (unless the ideas are taken from sources,
in which case you must reference) and produced for the current instance of the unit. Any use of
unreferenced content you did not create constitutes plagiarism and is deemed an act of academic
misconduct. All assignments will be submitted to Turnitin which will match your assignment to
sources including previous copies of the assignment, and the work submitted by all other students
in the unit.

Remember that this is an individual assignment. Never give anyone any part of your assignment –
even after the due date or after results have been released. Do not work together with other
students on individual assignments – helping someone by explaining a concept or directing them to
the relevant resources is fine, but doing the assignment for them or alongside them, or showing
them your work is not appropriate. An unacceptable level of cooperation between students on an
assignment is collusion and is deemed an act of academic misconduct. If you are uncertain about
plagiarism, collusion or referencing, simply contact your learning adviser and ask.

You may be asked to explain and demonstrate your understanding of the work you have submitted.
Your submission should accurately reflect your understanding and ability to apply the unit content.

CSI3208, Pen Testing Investigation PAGE 3

 Edith Cowan University
School of Science
Marking Key/Rubrics:
Please read, understand and do your best to apply each of the criterion and the requirements to score a good grade. Criterion number 1 is of particular
importance as scoring low here may negatively impact your scores in other criterions and create issues relating to breaches of Academic Integrity.
Criterion Fail
Academic Integrity (Originality <50%
and Student Voice) No or little attempt to
(3 marks) adequately integrate evidence
from quality sources with
integrity to support student
argument or discussion.
Inappropriate use of other’s
work which is not
acknowledged. Lack of or
inadequate paraphrasing and
in-text referencing constituting
plagiarism.
Executive Summary (5 <50%
marks) There is either no executive
summary or the attempt does
not summarise the entire
report. The executive summary
does not use appropriate
language or grammar.
Defined Methodology (8 <50%
marks) No or very little attempt has
Pass
>=50%
An attempt has been made to
use sources to integrate
evidence with integrity to
support student argument or
discussion. Satisfactory use of
other’s work and with some
attempt to acknowledge
sources, but more work needed
on how to adequately and
correctly paraphrase an in-text
reference.
>=50%
The executive summary
attempts to summarise the
entire report, but there are
gaps in the information. The
executive summary does not
always use appropriate
language and grammar.
>=50%
An attempt has been made to
Credit Distinction
>=60% >=70%
An attempt has been made to Consistent use of
use credible/relevant sources credible/relevant sources to
to integrate evidence with integrate evidence with
integrity to support student integrity to support well
argument or discussion. Good developed student argument or
use of other’s work which is discussion. Very good use of
mostly acknowledged. Mostly other’s work which is
good paraphrasing and in-text acknowledged. Good evidence
referencing skills. Some areas of sound paraphrasing and
still to address to adequately intext referencing skills.
and correctly in-text reference.
>=60% >=70%
A good executive summary that Very good executive summary
presents a fairly clear and that presents a clear and
concise summary of the entire concise summary of the entire
report. The executive summary report. The executive summary
uses some appropriate but mostly uses appropriate
there are weaknesses in these language and grammar.
areas.
>=60% >=70%
A good description of the A very good description of the
High Distinction
>=80%
Highly skilful use of quality,
credible sources to integrate
evidence to support highly
developed critical argument or
discussion. Appropriate use of
others’ work which is
adequately and correctly
acknowledged. Highly
developed paraphrasing and
intext referencing skills evident.
>=80%
Outstanding executive
summary that presents a very
clear and concise summary of
the entire report. The executive
summary uses appropriate
language and grammar.
>=80%
An outstanding description of
 been made to describe the
general theory and process of
the investigation including
some of the generic phases
used to examine the given
scenario. The explanation lacks
clarity and accuracy. May
include specific information.
Criterion Fail
Testing Log (8 <50%
marks) No or little attempt has been
made to develop a testing log
that allows for some
repeatability and following of a
sequence. There are significant
gaps in the information. The
testing log is very poorly
written such that the steps are
missing, inaccurate and/or
ambiguous.
Results and Recommendations <50%
(10 marks) No or little attempt has been
made to explain the
vulnerabilities uncovered and
describe the general theory and
process of the investigation
including some of the generic
phases used to examine the
given. The explanation often
lacks clarity and accuracy. May
include specific information.
Pass
>=50%
An attempt has been made to
develop a testing log that
allows for some repeatability
and following of a sequence,
but there are significant gaps in
the information. The testing log
is poorly written such that the
steps are missing, inaccurate
and/or ambiguous.
>=50%
An attempt has been made to
explain the vulnerabilities
uncovered and to describe the
general theory and process of
the investigation including most
of the generic phases used to
examine the given scenario.
The explanation may often lack
clarity and accuracy. Does not
include specific information.
Credit
>=60%
A sound testing log developed
that allows for some
repeatability and following of a
sequence. The testing log is
fairly well-written using clear,
sequential steps, but there may
be inaccuracies and/or
ambiguity.
>=60%
A sound explanation of the
vulnerabilities uncovered and a
sound description of the
general theory and process of
the investigation including the
generic phases used to examine
the given. Some of the
explanations may not be clear
or accurate. Does not include
specific information.
Distinction
>=70%
A very good testing log
developed that allows for
repeatability and following of a
sequence. The testing log is
generally well-written using
clear, sequential steps.
>=70%
A very good and thorough
explanation of each
vulnerability uncovered and
the general theory and process
of the investigation including
the generic phases used to
examine the given. Does not
include specific information.
High Distinction
>=80%
An outstanding testing log
developed that allows for
repeatability and following of a
sequence. The testing log is well-
written using very clear,
sequential steps.
>=80%
An outstanding and thorough
explanation of each
vulnerability uncovered and a
 to describe the mitigation
strategies suggested for these.
There are many gaps in the
information. No or very few
recommendations provided for
how the system can be secured.
Referencing (3 <50%
marks) In-text and end-text references
are either not included or not
formatted according to APA 7th
edition style.
Written Communication Skills/ <50%
Report Structure Report has not followed the
(3 marks) required structure, and has not
ensured each component is
included. Poor communication
skills that are not appropriate.
There are errors that often
impede meaning.
mitigation strategies suggested
for these, but there are
significant gaps in the
information. Recommendations
provide some strategies for
how the system can be secured,
but they are not always
relevant or concrete.
>=50%
Few in-text and end-text
references have been used to
acknowledge ideas and topics
taken from sources and the
format is not always according
to APA 7th edition style.
>=50%
Report has mostly followed the
required structure, with most
components included. Basic
communication skills that are
sometimes appropriate. There
are errors that occasionally
impede meaning.
mitigation strategies suggested
for these. Recommendations
provide some relevant and
concrete strategies for how the
system can be secured
>=60%
In-text and end-text references
have been mostly used
accurately and appropriately to
acknowledge the ideas and
topics taken from sources and
formatted according to the APA
7th edition style.
>=60%
Report has followed the
required structure, ensuring
each component is included.
Sound communication skills
that are mostly appropriate.
Has some errors but these do
not impede meaning.
overall a clear description of
the mitigation strategies
suggested for these.
Recommendations mostly
provide relevant and concrete
strategies for how the system
can be secured
>=70%
In-text and end-text references
have been used accurately and
appropriately to acknowledge
most ideas and topics taken
from sources and formatted
according to the APA 7th style.
>=70%
Report has clearly followed the
required structure, ensuring
each component is included.
Clear and concise
communication skills.
clear description of the
mitigation strategies suggested
for these. Recommendations
provide relevant and concrete
strategies for how the system
can be secured
>=80%
In-text and end-text references
have been accurately and
appropriately used to
acknowledge all ideas and topics
taken from sources and
formatted according to the APA
7th style.
>=80%
Report has very clearly followed
the required structure, ensuring
each component is precisely
included with fluent
communication skills.