█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Penetration Testing/Passion Project: HTB Starting Point Walkthrough
120 minIntermediate

Passion Project: HTB Starting Point Walkthrough

After this lesson, you will be able to: Complete a HackTheBox Starting Point machine from scratch and write the professional pentest report that goes with it.

This is the passion project for the Penetration Testing sub-track. You'll pick one HTB Starting Point machine, walk through every stage of the methodology, and produce a report that looks like what a real consulting engagement delivers. Time budget: 1-2 evenings for the machine, 1 evening for the writeup.

Prerequisites:Penetration Testing Resources and Next Steps

Why HTB Starting Point is the right capstone

Starting Point machines are explicitly designed to teach the full methodology in miniature. They have writeups, hints, and clear difficulty bands. Picking one of them as your capstone keeps the focus on the methodology and the report, not on whether you got lucky finding the exploit. You will produce a writeup that an interviewer can read in 5 minutes and immediately see you understand the lifecycle.

Project setup

Before you touch anything, lock in your environment.

  1. 1

    Sign in to HackTheBox and open Starting Point > Tier 1 (free tier is enough)

  2. 2

    Pick a machine, ideally 'Funnel' or 'Pennyworth' if you want a Linux box, or 'Three' if you want a web focus. (If those are unavailable when you take this lesson, pick any Tier 1 machine and follow the same outline.)

  3. 3

    Download the HTB VPN config and connect (TryHackMe is identical if your region prefers it)

  4. 4

    Boot Kali Linux from your VM snapshot, confirm you can ping the target IP

  5. 5

    Create a project folder: hostname-YYYYMMDD/ with subdirs: scans/, evidence/, notes/

Phase 1, Reconnaissance

Treat this as a real engagement. Take notes, save outputs.

  1. 1

    Document the scope: target IP, allowed actions (everything on HTB Starting Point is in scope)

  2. 2

    Run nmap -sV -p- --open <ip> | tee scans/nmap-fullports.txt

  3. 3

    For each open port, gather a service banner: nmap -sV -p <port> --script=banner <ip>

  4. 4

    For HTTP services, capture screenshots of the homepage and any default-app indicators (Wappalyzer or HTTP headers)

  5. 5

    Note every interesting URL, parameter, and form into notes/recon.md

Phase 2, Enumeration

Look for the specific weakness before throwing exploits.

  1. 1

    For web services: gobuster dir -u http://<ip>/ -w /usr/share/wordlists/dirb/common.txt | tee scans/gobuster.txt

  2. 2

    For SMB: smbclient -L //<ip> -N (anonymous) then enum4linux <ip> if anonymous works

  3. 3

    For SSH: nmap --script ssh2-enum-algos -p 22 <ip>; check for default credentials in the HTB hints if you're stuck

  4. 4

    For any service version, search 'searchsploit <service> <version>' to find known exploits; record the CVE numbers

  5. 5

    By the end of this phase, you should have at least one specific hypothesis for how to get a shell

Phase 3, Exploitation

Execute the exploit you identified. Document every command and output.

  1. 1

    Use Metasploit ONLY if the lab explicitly allows it; for portfolio quality, manual exploitation is more impressive

  2. 2

    Log every command + output to notes/exploit.md. Screenshot the shell when you get it.

  3. 3

    Capture the initial-foothold flag/user file as evidence (Starting Point machines have a user.txt to grab)

  4. 4

    Note your hypothesis before the exploit fires and update it if the result surprises you, this is what real testers do

Phase 4, Post-Exploitation and Privilege Escalation

Find a way to root. Document the path.

  1. 1

    On the foothold shell, gather situational awareness: id, hostname, uname -a, sudo -l, find SUID binaries (find / -perm -4000 2>/dev/null)

  2. 2

    Look for misconfigurations: writable cron jobs, weak service permissions, kernel CVEs

  3. 3

    Use LinPEAS or pspy (HTB Academy has free versions) for a structured enumeration

  4. 4

    Document the privilege-escalation chain you found, capture the root flag

  5. 5

    Screenshot every step

Phase 5, Write the report

The report IS the deliverable. Spend at least 90 minutes on it.

  1. 1

    Use this exact structure (this is the format consultancies use):

  2. 2

    # Executive Summary

  3. 3

    One paragraph, no jargon. 'The target host was found to be vulnerable to <CVE / weakness>. Full administrative access was achievable in under <X> minutes. Remediation: <patch / config / hardening>.'

  4. 4

    # Scope and Methodology

  5. 5

    List the target, the dates, the tools used (Nmap, Burp, Metasploit if any), and the methodology (PTES, OSSTMM, or your own).

  6. 6

    # Findings (most severe first)

  7. 7

    For each finding: title (e.g., 'Anonymous SMB access enabled'), severity (CVSS), description, evidence (screenshot or command output), impact, recommended remediation.

  8. 8

    # Attack Narrative

  9. 9

    The story of how you got from outside the network to root. Numbered steps. Each step has the command and the result. This is the most impressive part of the report.

  10. 10

    # Remediation Summary

  11. 11

    A bulleted list of recommendations, ordered by impact.

  12. 12

    # Appendix

  13. 13

    All raw scan outputs, screenshots, and full tool logs.

💡 How to talk about this in an interview

Walk the interviewer through the Attack Narrative section, not the tools section. Real consultants get hired on storytelling: 'I started with an Nmap scan and noticed X. That made me look at Y. The exploit failed at first because Z; I adjusted by W. Then I had a shell. To escalate, I noticed...' Practise telling that story in 90 seconds out loud. Most candidates can't.

Common mistakes only experienced pentesters avoid

Spending more time scanning than enumerating. Once you have the port list, slow down and read what's there. Treating the exploit as the goal. The exploit is the means; impact + remediation is the deliverable. Forgetting screenshots. A report without evidence is a story; a report with evidence is consulting. Skipping the executive summary. Executives don't read the rest; the exec summary must stand alone. Pasting tool output as the entire 'Findings' section. Tool output is appendix; findings should be readable by a non-pentester.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Penetration Testing Resources and Next Steps
Back to Penetration Testing
Penetration Testing Job Readiness→