The first example is providing a method of privilege escalation and making the flag only accessible to an administrative user. It's not hard to find software with privilege escalation vulnerabilities present as they are often ignored due to not being network accessible. Meterpreter will provide privilege escalation for the uninitiated, and bespoke methods can be used by the more skilled testers. To make it even simpler or possible in a case where a shell is limited, provide admin credentials in saved e-mails or files, and a legitimate method of authentication. This will show testers that exploitation isn't the aim of a test, as some may think, but discovering the associated risk. (If you need an easy sell, taunt anyone resting on their laurels with the age old phrase: "Got root?")

A second method is providing a secondary stage to the scenario resulting from things taken from the device. The application of cryptographic tools or scenarios detailed later in Chapter 5, Cryptographic Projects, will present extra challenges to even the most skilled testers. Hunting through an operating system for relevant details, keys, or snippets of information potentially describing the method used, or the method to be used, can be an engaging and educating experience.

Pivoting through providing credentials for other devices, certificates, or SSH keys can allow you to chain scenarios together, making a more realistic scenario. Though most clients will be reluctant to allow testers full access to their networks, they will often be curious about the risk an exposed service provides and provide an exemption for these circumstances. The last thing you want to happen here is for your tester to balk at the thought.

The final option encourages the tester to attempt to install their tools on the compromised machine to enable further testing. This is the true meaning of pivoting in a Subvert, Upgrade, Subvert (Su-Su) cycle (this is a joke more entertaining, marginally, for Linux users).