thomfre.dev@home:~$

Yet another development, infosec and offensive security blog

My eLearnSecurity Web Application Pentester experience

This blog post is a review/summary of my experience with the eLearnSecurity Web Application Pentester training path.

eLearnSecurity has this to say about this training path:

The Web Application Pentester path is the most advanced and hands-on training path on web application penetration testing in the market.

This training path starts by teaching you the fundamentals of networking and penetration testing, then proceeds to providing you with the established web application penetration testing methodology and the latest web attacks, and ultimately showcases how to execute more advanced and complicated attacks, by heavily manipulating web application components.

After completing this path, you will be able to perform a professional web application penetration test against any kind of web application or web service, by using your own custom payloads, combining different attacking techniques and evading web application firewalls.

The path develops proficiency towards the NIST role Secure Software Assessor.

A little background

I’ve been a hobby coder since I was 10, and a professional developer for a long time, so I know my way around a computer. I also have in-depth networking knowledge, and have been using tools like Wireshark and Fiddler for many years (for testing and development work).

I have done the OSCP and OSWP from Offensive Security in between the parts of this training path.

The start

I had zero experience with pentesting before I started the PTS course; I had only done one HTB box and a couple of challenges.

The PTS course was what I used to determine if I wanted to continue with this journey or not. So even though I didn’t spend that many hours in total on it, it took me about a month to finish. I also continued doing HTB in parallel, which also affected the time it took.

I didn’t find the exam to be very hard, but it was very relevant to the course material. This was a great start, and it gave me the confidence I needed to jump on the PWK/OSCP.

Running through the WAPT

The same week as I finished the WiFu/OSWP, which I took directly after PWK/OSCP, the SARS-CoV-2 pandemic caused Norway to go into a state of semi-voluntary lockdown. I was still determined to continue my journey, so I started the WAPT course. It took a while to adjust to the new work from home conditions, both in terms of mentally adjusting and trying to stay away from all the new distractions. This impacted the time I was able to spend on the course.

Since I had very recently finished the OSCP, and the material felt a bit basic (due to my developer background), I decided to just do the slides, and skip both videos and labs.

Once the slides were finished, I jumped straight into the exam. The exam was a lot of fun, and I thoroughly enjoyed it! I submitted my report, went for a walk, and by the time I got back, I had already received the passing grade!

The third and final

WAPT was only a step along the way for me, WAPTX was the one I was waiting for. By the time I started this, I had finally adjusted to the (temporary) “new normal”, and was able to concentrate a lot better. There were a lot of slides to read through, and a lot of great labs. I struggled with a couple of them, but they were all a lot of fun.

I jumped into the exam almost immediately after I finished the material. Compared to the other two exams, this was a beast! I got stuck, badly, several times. It felt like I wasn’t going to make it, but then something finally clicked. Then I got stuck again. But I had come too far to give up, so I managed to get 8 hours to use during the working hours (everything up to this has been after regular working hours), and that was exactly what I needed to break through the wall. I got all the objectives, made sure I had found everything I was able to find, and then it was time to write the report.

I submitted the report, and the waiting game started. Checking my email every 5 minutes. And then, finally, while driving across the country for the first time in a long while - I received the result I had been waiting for.

WAPTX offline labs

The WAPTXv2 comes with a set of “offline labs”, which consists of a VM and a PDF with further exercises. You have to download and run the VM yourself, which also means it won’t affect your lab time. These exercises are more advanced than the regular labs. I have not done these exercises, yet, but I highly recommend at least looking at them!

Thanks to @DraconianNet for pointing this out to me!

My thoughts

There are a couple things I like about eLearnSecurity, compared to other alternatives:

  • Student dashboard with access to all resources - the progress tracker is very nice both for motivation and actually tracking progress
  • Dedicated labs - you don’t share the lab environment with any other student
  • Exam can be started whenever you are ready - no need to schedule in advance, just click the button and start hacking!
  • No restrictions on tools - use whatever tools you are comfortable with, free and commercial
  • The exam feels a lot more realistic - you have more time and have to write a professional report

There are also a couple downsides, the biggest being the support. It is much harder to get help. It should be said that the current pandemic has led to an influx of new students, probably making it a lot worse. But for some questions, I did have success asking in the forums. The moderators appear to be quite active at times, which is very nice. The course material, especially for WAPTX, does have some minor bugs, but it’s not too bad.

The labs are really great, but they do get disconnected every now and then (also during the exam), which will give you a new IP address. This is a bit annoying, and forces you to keep changing your payloads. It also makes it really hard to run long/slow scans during the night (for the exams).

I also wish ELS would deliver physical certificates, especially for the Elite editions (or at least for a completed training path).

eLearnSecurity is a lot less known than other big names in the industry, but that might change in the future.

PTSv4 / eJPT

The PTS course is a good introduction and warm-up, especially when it is on sale and you can get your employer to pay for it. It is also a nice course for developers/administrators that want to learn more about security.

I consider this course to only be a preparation for the other courses, it’s not enough on its own.

This course is often free in the barebone edition. At the time of writing, you can get it by registering on The Ethical Hacker Network. The free edition is more than enough to see if this is something you want to continue with - so give it a try!

WAPTv3 / eWPT

The WAPT course did feel a bit dated, especially when you get to modules like the Flash module. But a lot of things still work the same way as they did several years ago, so there’s a lot of relevant things in there.

I didn’t do any of the labs (but still have access to them, so I might spend some time on them later), so can’t say much about them. The slides are easy to read.

Given my developer background, a lot of the material was a bit basic for me, but this is still a good course for developers that want to learn more about how attackers can exploit their applications. It is also a nice stepping stone on the way to WAPTX.

WAPTXv2 / eWPTXv2

I watched the launch webinar of WAPTXv2, and wanted to dive right into it. But I finished the PWK, WiFu and WAPT first.

Based on the launch webinar, I was expecting a bit more custom exploits, but the course was mainly focused on firewall evasion/filter bypass. The course does explain some very interesting techniques, and I learnt a lot from it. The labs were great, but the lab guide/solutions are a bit lacking in some of them. It looks like the upgrade from v1 to v2 was a bit rushed, this is apparent also in some of the slides.

I enjoyed both the course, the labs, and the exam (when I finally managed to unstuck myself). Even though there are some minor annoyances, I have no trouble recommending this course to both developers and pentesters. It would be nice to see more about modern applications (JavaScript frameworks, containers, cloud, etc.), but the content is still relevant and interesting.

My advice

This training path is not cheap. I bought all of the courses at discounted prices (end of year sale, launch sale, etc.). I highly recommend keeping an eye out for sales, eLearnSecurity has a lot of them.

Don’t worry too much about the lab time, you probably don’t need 120 hours (nice to have though). Just make sure to stop the lab when you are done with it. The Elite editions do have some nice benefits, but Full is better than nothing! I would not recommend paying for the Barebone edition, it’s simply not worth it (no exam, no video, no labs).

I recommend taking notes during the entire course, for all of the courses. Make your own notebook where you write down everything you discover along the way. I have a git repository where I keep all my notes, written in Markdown in VS Code. This allows me to quickly find commands, techniques, reverse shells, etc. whenever I need them.

Use the forums! Search before you ask. Due to the age of some of the material, you will get some issues with wrong software versions etc. Everyone has the same issues, and the solutions are thoroughly explained in the forums.

Tools

I recommend the following tools:

Exam

The exam connection will drop at random intervals, reconnecting will give you a new IP address, so make sure to update your payloads. In some cases you can make the exam environment end up in a state where further exploitation is impossible - this is what we have reverts for, don’t be too afraid to use them.

eJPT exam

If you have done the course material, this exam shouldn’t be too hard. Just make sure you have enough time (maybe do it on a weekend).

I made an Excel sheet with all the requirements, printed it, and used it to track my progress during the exam. Double check before you submit your answer.

eWPT exam

This exam will require a lot more time than eJPT, so make sure you have enough time to spend during the 7 day exam period.

Set manual DNS entries or block the exam domain in your DNS server (if you have one - if not, I recommend setting up a pi-hole). The domain used does actually exist. The exam connection will disconnect at random intervals, which may lead to you targeting actual servers on the internet!
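Added example, my own code and not from the post or from eLearnSecurity: a small guard that resolves a hostname and refuses to return it unless the address is in a private range, so a script that keeps running after a VPN drop fails closed instead of reaching a real server. The domain `exam.example`, the resolver table and the addresses in it are constructed placeholders (the real exam domain is deliberately not named here); the resolver is injectable so the check can be tested offline.

```python
"""Guard against sending exam payloads to a real host after a VPN reconnect.

Added example, not part of the original post. The hostname, the fake DNS
table and the addresses in it are constructed for illustration only.
"""
import ipaddress
import socket
from typing import Callable


def is_lab_address(ip: str) -> bool:
    """Return True only for private (RFC 1918 / ULA) addresses.

    A lab reached over a VPN is expected to use private addressing, so a
    public address means the name now resolves somewhere it should not.
    Malformed input is treated as 'not a lab address'.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_private


def lab_target(hostname: str,
               resolver: Callable[[str], str] = socket.gethostbyname) -> str:
    """Resolve hostname and return its IP only if it points into the lab.

    Raises RuntimeError otherwise, so a loop of requests cannot silently
    fall through to whatever the public DNS record points at.
    """
    ip = resolver(hostname)
    if not is_lab_address(ip):
        raise RuntimeError(
            f"{hostname} resolves to {ip}, which is not a lab address; refusing"
        )
    return ip


# Constructed resolver for offline demonstration. 'exam.example' is a
# placeholder for the lab name; 'leaked.example' simulates the same kind of
# name resolving to a public address after the VPN has dropped.
_FAKE_DNS = {
    "exam.example": "10.10.1.5",   # constructed private lab address
    "leaked.example": "8.8.8.8",   # constructed public address
}


def fake_resolver(hostname: str) -> str:
    """Stand-in for socket.gethostbyname backed by the constructed table."""
    return _FAKE_DNS[hostname]


if __name__ == "__main__":
    print(lab_target("exam.example", fake_resolver))
    try:
        lab_target("leaked.example", fake_resolver)
    except RuntimeError as err:
        print(err)
```

In a real script you would call `lab_target(name)` with the default resolver once before each batch of requests, so that a reconnect that changes what the name points to stops the script rather than redirecting it.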

Take regular breaks, especially when you are stuck! Make sure you take notes, and screenshots. I recommend mind mapping in XMind, and notes of findings and tool outputs in Joplin.

Write the report like ELS was a customer, focus on quality and presentation. This made it a lot more interesting for me, and I subconsciously put a lot more effort into it.

eWPTX exam

Unless you are a seasoned pentester, I recommend taking a day or two off from work for this one. Or start on a Friday and use the weekend to see if you need to take a day off or not. This exam is considerably harder than the other two. I got stuck, which cost me a lot of time. I would have used a lot less if I didn’t get stuck, but it would probably still take 30-40 hours.

I don’t think I could have done the exam without Burp Suite Professional. I probably could have, but it would have been a lot harder without it. So if you can, use Burp Pro!

Script it if you can. Python was very helpful for me during the exam. Nothing very difficult, just slight modifications to scripts I used during the labs.

The exam is a bit CTF-ish, but make sure you don’t stop after finding the thing you are looking for. Make sure you find all the other things as well.

Just as with eWPT, take regular breaks, especially when you are stuck! Make sure you take notes, and screenshots. I recommend mind mapping in XMind, and notes of findings and tool outputs in Joplin.

Same for the report here, think of ELS as a customer.

Time spent

I decided that I wanted to track all the time I spent doing the courses and the exams, resulting in very accurate numbers of time spent.

Time spent across all courses/certifications, not just this training path

Total hours spent: 278 hours, 16 minutes (eJPT: 45 hours, 21 minutes - eWPT: 51 hours, 27 minutes - eWPTX: 181 hours, 28 minutes)

Task                    Hours spent eJPT        Hours spent eWPT        Hours spent eWPTX
Study (slides/videos)   26 hours, 17 minutes    25 hours, 49 minutes    57 hours, 2 minutes
Exercises/Labs          13 hours, 17 minutes    N/A                     45 hours, 6 minutes
Exam                    5 hours, 47 minutes     17 hours, 46 minutes    70 hours, 4 minutes
Exam Report             N/A                     7 hours, 52 minutes     9 hours, 16 minutes

My timeline

  • October 16th, 2019: PTP purchased
  • November 17th, 2019: eJPT Exam done
  • January 23rd, 2020: WAPT and WAPTX purchased
  • March 17th, 2020: Started working on WAPT
  • March 29th, 2020: WAPT slides finished
  • March 31st, 2020: WAPT Exam started
  • April 5th, 2020 21:35: WAPT Exam report submitted
  • April 5th, 2020 22:02: WAPT Exam graded - passed!
  • April 8th, 2020: Started working on WAPTX
  • April 25th, 2020: WAPTX slides and lab exercises finished
  • April 25th, 2020: WAPTX exam started
  • May 2nd, 2020: WAPTX exam report submitted
  • May 8th, 2020: WAPTX exam graded - passed!