Week 1, Practical — Building Your Lab

Module: COMP09031 — Cybersecurity & Secure Programming

Slot: W1 P Real budget: 100 min Phase split: 10 + 80 + 10 Hardware-dependent Book chapter: 3

Important

This is the most important practical of the term. A student who leaves Week 1 without a working lab is blocked from every subsequent practical. Use the optional Friday email check-in to catch anyone who is stuck.

Before the lab

Students should arrive with:

• Laptop with at least 16 GB RAM, 50 GB free disk, virtualisation enabled in BIOS/UEFI.
• A reliable internet connection — expect ~10 GB downloads across hypervisor, Kali image, container images, and updates. Run the downloads at home if the campus link is slow.
• An active @atu.ie email address — needed for the GitHub Student Developer Pack, HackTheBox Academy student plan, and TryHackMe student discount fallbacks.
• The book chapter (Week 1, Practical — Building Your Lab) read in advance. It contains the full step-by-step; the lab is execution, not exposition.

Lab activity

The chapter walks the four hardware paths in detail. Students follow whichever applies to their machine.

Path	Hardware	Hypervisor	Kali image
A	Windows 10/11	VMware Workstation Pro 25H2u1	x86_64
B	Intel Mac	VMware Fusion Pro 13.5.2+	x86_64
C	Apple Silicon	UTM	ARM64
D	Linux host	VirtualBox 7.2.x	x86_64
Fallback	Chromebook / locked corporate laptop	TryHackMe AttackBox + GitHub Codespaces	n/a

The four local paths share more than they differ — every one ends with a Kali VM on an isolated network and a vulnerable target running in Docker. Only the hypervisor and the Kali image format differ.

Lab session pacing (100 min)

• 0:00–0:10 — Framing and triage. Read the Outcome of this session box aloud, walk the path-decision tree on a slide, and identify the Chromebook / locked-corporate-laptop minority. Direct them at the TryHackMe AttackBox + Codespaces fallback before everyone else starts downloading.
• 0:10–0:30 — Hypervisor and Kali VM import. Most students follow the hypervisor install in parallel. Do not lecture during this block — circulate. Watch for the BIOS/UEFI virtualisation-disabled cohort (Lenovo and HP business laptops are repeat offenders) and the Hyper-V/WSL2-already-on cohort.
• 0:30–0:50 — First boot, snapshot, two-NIC network. This is the hardest 20 minutes. Almost every troubleshooting call lives here. Get every student to the clean-install snapshot before moving on.
• 0:50–1:20 — Toolchain, venv, GitHub, Juice Shop. The bulk of typing-in-the-terminal work.
• 1:20–1:40 — Verification table. Tell students to work through the table top-to-bottom and flag the first row that fails.
• 1:40–1:50 — Debrief and pre-scan checklist. Read the five-question checklist aloud. Set expectation that anyone whose verification table is not green by Friday should email a screenshot of where they are stuck.

Tools, with install / launch references

Hypervisor (pick one)

• VMware Workstation Pro / Fusion Pro — free for all uses since 11 November 2024. Register at https://profile.broadcom.com/ → download.
• VirtualBox 7.2.x — open source, GPLv3 base + PUEL extension pack. https://www.virtualbox.org/
• UTM (Apple Silicon) — free direct download or paid Mac App Store. https://mac.getutm.app/

Kali Linux

• Kali Linux 2026.1 prebuilt VM images. https://www.kali.org/get-kali/#kali-virtual-machines
• Verify the SHA256 of your download before importing. The chapter walks the shasum -a 256 command for Mac/Linux and Get-FileHash for PowerShell.

Cloud fallbacks (Chromebook / locked laptop / no spare disk)

• TryHackMe AttackBox — browser-based Kali via student-discount account. https://tryhackme.com/
• GitHub Codespaces — for the toolchain-only portions; not a Kali replacement. Activated via the GitHub Student Developer Pack: https://education.github.com/

Toolchain (installed inside Kali)

The chapter installs these in order:

Tool	Source	Why
git, python3, python3-venv, python3-pip, curl, jq	apt	Baseline. Already in Kali but verify.
docker.io, docker-compose-v2	apt	Container runtime for vulnerable targets.
gitleaks 8.30.1	GitHub releases (apt has 8.16.x)	Pre-commit secret scanner. https://github.com/gitleaks/gitleaks
trufflehog v3	install.sh from GitHub	Secret scanner with verifiers. https://raw.githubusercontent.com/trufflesecurity/trufflehog
osv-scanner v2	GitHub releases	Multi-language vulnerability scanner from Google. https://github.com/google/osv-scanner
Project venv (Python 3.13)	python3 -m venv	Module-isolated dependencies.

GitHub setup

• Create / verify GitHub account: https://github.com/signup
• Turn on 2FA: account → Settings → Password and authentication
• Generate an Ed25519 SSH key and add the public key to GitHub
• Accept the COMP09031 Classroom invitation (Mike emails the link)
• Lecturer view of submissions: https://github.com/orgs/atu-comp09031/repositories

First vulnerable target — OWASP Juice Shop

Run from the Kali VM:

docker pull bkimminich/juice-shop
docker run --rm -p 127.0.0.1:3000:3000 bkimminich/juice-shop

Verify by browsing to http://localhost:3000 from the Kali VM (NOT from the host — Juice Shop must stay on the lab subnet).

The legality and ethics of the toolkit (pre-scan checklist)

Cover these out loud at the end of the session. They matter on day one and matter every week thereafter.

#	Question	If “no”
1	Do I have written permission to test this system?	Stop. Do not scan.
2	Is this scan inside the agreed scope (target, time window, methods)?	Stop. Confirm scope first.
3	Will the scan affect availability for legitimate users?	Coordinate with the system owner.
4	Have I logged who I am (user agent, contact email, declared identity)?	Add the identifier.
5	Do I have a kill switch if something goes wrong?	Define one before starting.

Relevant law:

• Ireland — Criminal Justice (Offences Relating to Information Systems) Act 2017. Unauthorised access is an offence; intent does not matter.
• UK — Computer Misuse Act 1990 (still primary; reform proposed but not yet enacted as of 2026).
• EU — NIS2 Directive; GDPR Article 33 (72-hour breach notification).
• US — Computer Fraud and Abuse Act (CFAA).

Worth knowing — the security.txt convention (RFC 9116) for declaring disclosure contact: https://www.rfc-editor.org/rfc/rfc9116.html

What to check at the end of the session

A student “passes” the lab session if their verification table is fully green:

• Kali VM boots; snapshot named clean-install exists
• Two-NIC network configured (one NAT to host, one isolated for the target)
• python3 --version returns 3.13.x; pip --version reports the venv path
• docker run --rm hello-world succeeds without sudo
• git config user.name and git config user.email set; SSH key added to GitHub
• ssh -T git@github.com returns Hi <username>!
• gitleaks version, trufflehog --version, osv-scanner --version all return
• OWASP Juice Shop loads at http://localhost:3000 from the Kali VM browser

If the verification table is not green by end of Friday, the student emails a screenshot of where they are stuck.

Take-home extension (for fast finishers)

• Install DVWA in a second Docker container (docker pull vulnerables/web-dvwa) — preview for the Week 6 ZAP practical.
• Configure GitHub Codespaces as a backup environment (covered briefly in the chapter under “fallbacks”).
• Read the PortSwigger Web Security Academy module on SQL injection: https://portswigger.net/web-security — preview for Ch 7 and Ch 8.

End-of-practical self-check

Optional, formative — not graded. Confirms the conceptual material from the lab landed.

---

← Schedule ← Previous: W1 L2 Next: W2 L1 (coming soon) →