After this lesson, you will be able to: Complete a HackTheBox Starting Point machine from scratch and write the professional pentest report that goes with it.
This is the passion project for the Penetration Testing sub-track. You'll pick one HTB Starting Point machine, walk through every stage of the methodology, and produce a report that looks like what a real consulting engagement delivers. Time budget: 1-2 evenings for the machine, 1 evening for the writeup.
Starting Point machines are explicitly designed to teach the full methodology in miniature. They have writeups, hints, and clear difficulty bands. Picking one of them as your capstone keeps the focus on the methodology and the report, not on whether you got lucky finding the exploit. You will produce a writeup that an interviewer can read in 5 minutes and immediately see you understand the lifecycle.
Before you touch anything, lock in your environment.
Sign in to HackTheBox and open Starting Point > Tier 1 (free tier is enough)
Pick a machine, ideally 'Funnel' or 'Pennyworth' if you want a Linux box, or 'Three' if you want a web focus. (If those are unavailable when you take this lesson, pick any Tier 1 machine and follow the same outline.)
Download the HTB VPN config and connect (TryHackMe is identical if your region prefers it)
Boot Kali Linux from your VM snapshot, confirm you can ping the target IP
Create a project folder: hostname-YYYYMMDD/ with subdirs: scans/, evidence/, notes/
Treat this as a real engagement. Take notes, save outputs.
Document the scope: target IP, allowed actions (everything on HTB Starting Point is in scope)
Run nmap -sV -p- --open <ip> | tee scans/nmap-fullports.txt
For each open port, gather a service banner: nmap -sV -p <port> --script=banner <ip>
For HTTP services, capture screenshots of the homepage and any default-app indicators (Wappalyzer or HTTP headers)
Note every interesting URL, parameter, and form into notes/recon.md
Look for the specific weakness before throwing exploits.
For web services: gobuster dir -u http://<ip>/ -w /usr/share/wordlists/dirb/common.txt | tee scans/gobuster.txt
For SMB: smbclient -L //<ip> -N (anonymous) then enum4linux <ip> if anonymous works
For SSH: nmap --script ssh2-enum-algos -p 22 <ip>; check for default credentials in the HTB hints if you're stuck
For any service version, search 'searchsploit <service> <version>' to find known exploits; record the CVE numbers
By the end of this phase, you should have at least one specific hypothesis for how to get a shell
Execute the exploit you identified. Document every command and output.
Use Metasploit ONLY if the lab explicitly allows it; for portfolio quality, manual exploitation is more impressive
Log every command + output to notes/exploit.md. Screenshot the shell when you get it.
Capture the initial-foothold flag/user file as evidence (Starting Point machines have a user.txt to grab)
Note your hypothesis before the exploit fires and update it if the result surprises you, this is what real testers do
Find a way to root. Document the path.
On the foothold shell, gather situational awareness: id, hostname, uname -a, sudo -l, find SUID binaries (find / -perm -4000 2>/dev/null)
Look for misconfigurations: writable cron jobs, weak service permissions, kernel CVEs
Use LinPEAS or pspy (HTB Academy has free versions) for a structured enumeration
Document the privilege-escalation chain you found, capture the root flag
Screenshot every step
The report IS the deliverable. Spend at least 90 minutes on it.
Use this exact structure (this is the format consultancies use):
# Executive Summary
One paragraph, no jargon. 'The target host was found to be vulnerable to <CVE / weakness>. Full administrative access was achievable in under <X> minutes. Remediation: <patch / config / hardening>.'
# Scope and Methodology
List the target, the dates, the tools used (Nmap, Burp, Metasploit if any), and the methodology (PTES, OSSTMM, or your own).
# Findings (most severe first)
For each finding: title (e.g., 'Anonymous SMB access enabled'), severity (CVSS), description, evidence (screenshot or command output), impact, recommended remediation.
# Attack Narrative
The story of how you got from outside the network to root. Numbered steps. Each step has the command and the result. This is the most impressive part of the report.
# Remediation Summary
A bulleted list of recommendations, ordered by impact.
# Appendix
All raw scan outputs, screenshots, and full tool logs.
Spending more time scanning than enumerating. Once you have the port list, slow down and read what's there. Treating the exploit as the goal. The exploit is the means; impact + remediation is the deliverable. Forgetting screenshots. A report without evidence is a story; a report with evidence is consulting. Skipping the executive summary. Executives don't read the rest; the exec summary must stand alone. Pasting tool output as the entire 'Findings' section. Tool output is appendix; findings should be readable by a non-pentester.
Sign in and purchase access to unlock this lesson.