School of Science
3. You have been provided with an ‘Exemplar Assignment’ that may assist you in understanding
how this assessment task can be formulated. However, you cannot use any of the written
content from the exemplar. Doing so may lead you to a loss of marks and/or potential
Academic Misconduct. This is further elaborated on Blackboard under the Assignment
Exemplar link.
4. Read and understood the rubrics available under ‘My Grades’ on Blackboard (also available
at the end of this document). In particular, the first criterion related to ‘Academic Integrity
(Originality and Student Voice)’. Please be aware that scoring low in this criterion may
negatively impact your marks in other criteria of the rubric and may lead to a report for
Academic Misconduct.
Assignment Overview:
This assessment requires you to develop and implement a procedure for an ethical hacking scenario.
The assessment will evaluate your understanding and knowledge gained from the weekly content in
relation to articulating and writing a penetration testing report in line with industry standards.
Task:
1. You are to infiltrate the supplied system (virtual machine) and attain root level privileges
using appropriate tools and a legitimate process. There are five flags strategically placed in
the provided system. The flags are represented as values and are available at each point of
the system compromise. Look for them in home directories, web pages, etc. Ideally, you
should be able to find the flags in sequence, i.e. Flag 1 followed by Flag 2, onwards. The
value could be similar to the following:
“chahNaelia9zohlaseiPaich0QuoWoh8ohfaenaiQuaetaebushoakarai6lainohjongoneesoocahdei6guosiethae7uwuu5Kaid9ei
sah8EChoo4kaiGh2eit2mu”
2. The report should outline each test/attack run against the system and the result.
3. You must follow a process that should be defined prior to the commencement of testing.
4. Your report should include the flags as well as any credentials you uncover as part of your
hacking endeavours.
5. You must compromise the system over the network. Local, physical or other attacks
requiring direct interaction with the target system are not valid for the purposes of the
assignment.
6. All screenshots from the provided system (if you record and wish to add) must be part of the
Appendix. You may lose marks if you add them in the main body of the report.
Report Structure:
Component: Broad Description and Guidelines

Title Page:
Unit code and title, assignment title, your name, student number, campus and tutor’s name

Executive Summary:
• The executive summary should be a summary of the entire report, including a brief description of the findings, results and recommendations.
• A mix of introduction and executive summary is not acceptable.
• An executive summary is for somebody who will not read the report but needs to learn the key points, outcomes, and important information.
• An executive summary is aimed at encouraging somebody to read the report
• The executive summary uses appropriate terminology and language including an objective tone, present tense and well-structured sentences. Write in paragraph form - dot points should only be used for recommendations.
• The executive summary is located after the Contents page.

Introduction:
• An overview of the activity and the objectives covering the broad contours of the work undertaken.
• A discussion of the phases, scope and extent of the examination
• Type of test based on the provided information – white box, grey box, or black box
• Resources used

Defined Methodology:
• A description of the process undertaken including the generic phases of the investigation used to examine the given scenario such as Discovery and Probing, Vulnerability assessment, penetration testing and escalation and reporting.
• The method should be generic and written prior to the commencement of testing the scenario. This is the plan for how to conduct the test.
• Any inclusion of very specific information demonstrates that this section was written subsequent to testing rather than prior.

Testing Log:
• Testing log is developed with the aim to allow repeatability and follow a sequence.
• A reader should be able to perform the steps by following the testing log.
• It should follow a process and be written clearly.
• Should be presented in tabular format showing all your actions that can be repeated by the marker.

Results & Recommendations:
• This should include details of each vulnerability uncovered and the suggested mitigations for these.
• All results should be mentioned including flags found, credentials recovered, etc.
• Each vulnerability should be handled thoroughly with the appropriate mitigation strategies.
• General recommendations are good but it is preferable to indicate how the
Additional Points:
1. Start early and plan ahead. You may need to spend considerable time experimenting with
various tools. If a tool or method fails to result in a successful outcome, you should still
document this action in your running sheet.
2. Carefully read the marking rubric. It contains a detailed description of what is expected of you
for written communication skills. Ask any questions you may have.
3. You will not be graded on finding the flags. You are assessed on the procedure adopted for
finding, exploiting the vulnerabilities, recommendations, content, etc.
4. During the semester, you will be given some hints. Follow them.
5. The report must use appropriate structure with clear, concise headings, and ideas must flow
logically.
6. The style of writing should be appropriate for the purpose and the audience, including third
person objective voice i.e. avoid the use of first person (‘I’, ‘my’, ‘we’) and second (‘you’) person.
7. Appropriate discipline-specific terminology and vocabulary must be used in the report.
8. Sentence structure, spelling, punctuation and grammar should be correct for the report.
Deliverable: A single PDF or Microsoft Word Document. ECU Assignment Cover Sheet must not be
included with the PDF document.
Remember that this is an individual assignment. Never give anyone any part of your assignment –
even after the due date or after results have been released. Do not work together with other
students on individual assignments – helping someone by explaining a concept or directing them to
the relevant resources is fine, but doing the assignment for them or alongside them, or showing
them your work is not appropriate. An unacceptable level of cooperation between students on an
assignment is collusion and is deemed an act of academic misconduct. If you are uncertain about
plagiarism, collusion or referencing, simply contact your learning adviser and ask.
You may be asked to explain and demonstrate your understanding of the work you have submitted.
Your submission should accurately reflect your understanding and ability to apply the unit content.
Marking Key/Rubrics:
Please read, understand and do your best to apply each of the criteria and the requirements to score a good grade. Criterion number 1 is of particular
importance as scoring low here may negatively impact your scores in other criteria and create issues relating to breaches of Academic Integrity.
Criterion: Academic Integrity (Originality and Student Voice) (3 marks)
Fail (<50%): No or little attempt to adequately integrate evidence from quality sources with integrity to support student argument or discussion. Inappropriate use of other’s work which is not acknowledged. Lack of or inadequate paraphrasing and in-text referencing constituting plagiarism.
Pass (>=50%): An attempt has been made to use sources to integrate evidence with integrity to support student argument or discussion. Satisfactory use of other’s work and with some attempt to acknowledge sources, but more work needed on how to adequately and correctly paraphrase an in-text reference.
Credit (>=60%): An attempt has been made to use credible/relevant sources to integrate evidence with integrity to support student argument or discussion. Good use of other’s work which is mostly acknowledged. Mostly good paraphrasing and in-text referencing skills. Some areas still to address to adequately and correctly in-text reference.
Distinction (>=70%): Consistent use of credible/relevant sources to integrate evidence with integrity to support well developed student argument or discussion. Very good use of other’s work which is acknowledged. Good evidence of sound paraphrasing and intext referencing skills.
High Distinction (>=80%): Highly skilful use of quality, credible sources to integrate evidence to support highly developed critical argument or discussion. Appropriate use of others’ work which is adequately and correctly acknowledged. Highly developed paraphrasing and intext referencing skills evident.

Criterion: Executive Summary (5 marks)
Fail (<50%): There is either no executive summary or the attempt does not summarise the entire report. The executive summary does not use appropriate language or grammar.
Pass (>=50%): The executive summary attempts to summarise the entire report, but there are gaps in the information. The executive summary does not always use appropriate language and grammar.
Credit (>=60%): A good executive summary that presents a fairly clear and concise summary of the entire report. The executive summary uses some appropriate but there are weaknesses in these areas.
Distinction (>=70%): Very good executive summary that presents a clear and concise summary of the entire report. The executive summary mostly uses appropriate language and grammar.
High Distinction (>=80%): Outstanding executive summary that presents a very clear and concise summary of the entire report. The executive summary uses appropriate language and grammar.