Last year we decided to expand our pentest team, and we figured that offering a hands-on challenge would be a good filter for prospective candidates, since we had accumulated quite a bit of experience from organizing wargames and CTFs at various events. We provided an isolated network with three hosts, and anyone could apply by submitting a name, an email address and a CV; we sent VPN configuration packs to literally everyone who did so. These packs included the following message (the original was in Hungarian).
Your task is to perform a comprehensive (!) security assessment of the hosts within the range 10.10.82.100-254.
Typical tasks of a professional penetration tester include
- asking relevant clarifying questions about new projects,
- writing the technical part of business proposals,
- comprehensive penetration testing,
- report writing and presentation.
That is why we decided to test the candidates' knowledge of the above subjects. The scope of the challenge consisted of 3 servers, report writing and a presentation to the technical staff, with a time limit of two weeks. Here is our solution: