Track 01 — Offensive Security¶
Learn to think like an attacker. Work an engagement end to end — recon, exploitation, post-exploitation, and the reporting that makes it useful to a defender. The goal isn't to collect exploits; it's to understand why systems fall so you can explain and fix them.
What you'll be able to do¶
- Map an attack surface from public information and active scanning.
- Identify, validate, and responsibly exploit the major vulnerability classes.
- Attack web applications across the OWASP Top 10.
- Escalate privileges, move laterally, and run post-exploitation tradecraft.
- Write a clear, reproducible report a defender can act on.
Modules¶
| # | Module | What you'll learn | OSS tools |
|---|---|---|---|
| 01 | Reconnaissance & OSINT | Passive/active intel; building a target picture | amass, theHarvester, recon-ng |
| 02 | Scanning & Enumeration | Host discovery, service/version detection | nmap, gobuster, enum4linux-ng |
| 03 | Vulnerability Identification | Mapping findings to CVE/CWE and verifying | nuclei, searchsploit |
| 04 | Exploitation Fundamentals | How exploits work; framework + manual | metasploit, msfvenom |
| 05 | Memory Corruption Primer | Stack overflows and why exploits work | gdb, pwntools |
| 06 | Web — Injection | SQLi and command injection in practice | sqlmap, burpsuite CE |
| 07 | Web — Auth & Access Control | Broken auth, sessions, IDOR, privilege flaws | burpsuite CE, ffuf |
| 08 | Web — SSRF, XXE & Deserialization | Server-side classes and file-upload abuse | OWASP ZAP |
| 09 | Password & Credential Attacks | Hashing, cracking, spraying, reuse | hashcat, john, hydra |
| 10 | Privilege Escalation — Linux | Local enumeration and escalation | linpeas, pspy |
| 11 | Privilege Escalation — Windows | Token, service, and registry paths | winpeas, PrivescCheck |
| 12 | Pivoting & Lateral Movement | Tunneling and moving between hosts | chisel, ligolo-ng, proxychains |
| 13 | C2 & Post-Exploitation | Command-and-control and tradecraft | sliver, pwncat |
| 14 | Living-off-the-Land & Evasion | Native tooling and basic AV/EDR evasion | LOLBAS, GTFOBins |
| 15 | PowerShell Offensive Tradecraft | Cradles, in-memory execution, AMSI & logging evasion | pwsh, PowerSploit |
| 16 | Cloud & Container Attack Primer | Where on-prem skills meet cloud (handoff to T05) | pacu, peirates |
| 17 | Reporting & Remediation | Prioritised, reproducible, defender-ready reports | ghostwriter |
Phases & projects¶
The sixteen modules run in four phases; each ends in a project that chains its modules into a portfolio-worthy artifact.
- Phase 1 · Recon & mapping (01–03) — Project: a full attack-surface map of an authorised target → scan → prioritised vulnerability list, scripted and reproducible.
- Phase 2 · Finding the way in (04–08) — Project: gain access to a real-CVE Vulhub target and exploit one web class on a deliberately vulnerable app, captured as a replayable PoC + writeup.
- Phase 3 · After access (09–15) — Project: from a foothold, crack credentials, escalate to root/SYSTEM, and pivot — documented as a single attack chain with the artifacts each step leaves.
- Phase 4 · Closing the loop (16) — Project: the track capstone — the professional engagement report.
Prerequisites¶
Complete Track 00 — Foundations first.
Authorization is mandatory. Only test systems you own or have explicit written permission to test. Labs use intentionally vulnerable targets (DVWA, locally spun VMs, free CTF rooms). Never point these techniques at anything else.
Capstone¶
Run a full engagement against an intentionally vulnerable target — recon through exploitation, privilege escalation, and lateral movement — and deliver a professional report: findings, evidence, business impact, and prioritised remediation. Deliverable: the report is the artifact, not the shell.
The starter scaffold and acceptance checks live in
plaintext-labs/offensive/capstone/.
Capstone rubric¶
Graders score the report, not the number of shells. Proficient is the bar to ship.
| Dimension | Developing | Proficient | Exemplary |
|---|---|---|---|
| Methodology & scope | Ad-hoc; no clear phases; scope unstated | Recon → exploit → privesc → lateral movement documented as phases, all in stated scope | Maps each action to MITRE ATT&CK and PTES, with timestamps that form an attack timeline |
| Findings quality | Findings asserted without proof, or copied from a scanner | Each finding has CVE/CWE, reproducible steps, and evidence (output/screenshot), validated by hand | Every finding rated by real business impact, with a working PoC a defender can replay |
| Exploitation | Used a one-click exploit without understanding it | Gained access and escalated; can explain why each exploit worked | Chained a multi-step path (foothold → DA/root) and noted detection opportunities at each step |
| Remediation | Generic advice ("patch everything") | Specific, prioritised fix per finding | Fixes are testable and mapped to root cause, not just the symptom |
| Report craft | Disorganised; a defender couldn't act on it | Clear exec summary + technical detail; reproducible | Reads like a professional deliverable: severity-ranked, evidence-linked, remediation a team can ticket |
| Authorization & safety | Out-of-scope actions, or no scope note | Every action provably in scope; authorization stated | Demonstrates restraint — destructive steps avoided or explicitly authorised and contained |
AI & automation¶
AI drafts; you verify and own it. Models accelerate recon synthesis, payload and wordlist generation, and turning findings into a readable report — but every vulnerability is validated by hand (no hallucinated findings), every action stays in scope, and generated exploit code is read before it's run.
Standards & further reading¶
- OWASP Top 10 and the OWASP Web Security Testing Guide
- MITRE ATT&CK (Enterprise) for technique mapping
- MITRE CWE / NIST NVD for vulnerability classes
- PTES (Penetration Testing Execution Standard)
Comments
Sign in with GitHub to comment. Choose the type: Feedback (errors or suggestions on this page) · Hints (help for fellow learners — no spoilers) · General (anything else).