PentesterLab.com — My experience — Totally awesome and totally not getting paid for this!
Here, I document my journey and key learnings with Pentesterlab.com PRO subscription.
So I had been sharing my PentesterLab progress actively on my Linkedin for the past 2 months and with every next badge, I would receive many DMs regarding my personal experience. The questions were the same as the ones you might have since you are reading this blog post...if the price of labs is matched with the content, do we have to set up VMs, what’s the difficulty level of labs and is it suitable for a beginner or an advanced pentester, etc. I tried my best to acknowledge everyone’s questions and provide with them with an honest review. So what I want to share in this blog post is why I decided to spend my entire summer break hacking on pentesterlab.com and why, in my opinion, you should too and some tips for you to get more out of it !
Before we go any further, I would just like to add that I am a 19 year old engineering student from India who just started his 2nd year, and I was(am?) a web security noob. For the most part of my freshman year, I was participating in (and conducting) Capture The Flag(CTF) cyber security competitions. I got introduced to the PentesterLab platform as it’s PRO subscription was a prize in DEF CON 91120 0x01 CTF that I along with my team mates conducted. And I decided to check it out for myself and was totally awestruck on seeing how much content they have, especially the bootcamp!
As a total newbie in web security, I started following the bootcamp and Web For Pentester, and few more free exercises and finally decided to buy PentesterLab PRO subscription in the summer break at the end of my freshman year.
Do note that, this blog post is in no way sponsored by Pentesterlab nor did they ask me to write this. The suggestions provided herein are totally personal and you are most welcome to provide critical feedback.
1. The Bootcamp
I personally completed the first 3 weeks of the bootcamp(even learned to code in PHP), then moved on to the Web For Pentester free exercise and if you already have PRO subscription and you follow the badges in the provided order, you are more or less following the bootcamp, and you can see where you stand in the same and what more there is to do for a better understanding.
Whether you are a web security noob or you are Elliot Alderson or if you are someone unsure about buying the PRO subscription, start with the bootcamp provided by PentesterLab. It is very well laid out, is free and introduces you IT fundamentals and web infrastructure which are essential to understand their security.
2. The solution videos
Along with a thorough course explanation in text, there are videos which serve as spoilers for the lab.
I would advise you to not go for these solution videos right away. They’re okay if you’re truly at your wits end after hours of bashing your head against the wall. But try absolutely everything first. Try scripting, Try finding a public bug report for the same. Or in a nutshell, Read the Frickin’ manual and Research the problem.
Videos can be also be played slowly and stopped to give little hints at a time. You could even watch them after you solved it to see if there’s another way.
3. Take Notes / Writeups
TAKE NOTES, DAMN IT!
I can’t stress this enough so I will just give a sneak peek.
I made directories for every badge and challenge and in every such directory, I wrote solutions/writeups for that challenge. Along with short notes, which I generally got from watching the solution video.
I wrote such solutions not to post them publicly(that’s why all the censoring) but for my own understanding and revision at a later time.
They have already helped me so much. Many a times you would need to go back to a previous exercise or tinker with an old exploit/script. Writing short notes, scripting provides you with a good repository of payloads, exploits, vulnerability and attack explanations, and templates that you can always go back to for revision when you are pentesting on a website or for any other future engagement. Since, you have put down the solution in your own words, any time you go back to it, it will be easily understandable and will save time.
4. My favorite set of exercises
My favorite set of exercises were the JSON Web Token(JWT) ones. There are a total of 12 exercises on JWT distributed over different badges.
I think the reason would be because they improved my python skills alot, I scripted a solution.py for each of these exercises wherein I decode a cookie, build the malicious cookie and post it to the URL too i.e. scoring the exercise from my script only.
Also because I found them very intuitive, like gaining RCE or exploiting a SQL injection or directory traversal through JWT, you get the idea. The fact that I already had my notes on such attacks proved real helpful and made it easy for me to understand why there was a vulnerability in the first place and how it could actually have been avoided/patched.
5. I had no idea I would learn so much crypto!
At the moment of subscribing to PRO, I did not know that there were exercises on cryptography based attacks too.
For example, Electronic Code Book(ECB), Cipher Block Chaining(CBC), CBC-MAC, Hash Length Extension attack, Breaking Elliptic Curve Digital Signature Algorithm(ECDSA), and the Android Badge is full of AES cracking.
Again, these were some of my favorite because I got to learn about these cryptography techniques, their limitations, use cases, and vulnerable endpoints and scripting cryptography with python which I always wanted to learn.
6. Python and shell scripting skills
Like I said above, the most fun challenges were the ones where I had to craft my own exploit. I wrote exploits for the JWT exercises, all the crypto exercises, and many more. I wish I could share them all publicly but that defeats the purpose of learning with PentesterLab. Anyways, I would give a few generalized examples:
In this one exercise on a known CVE, I won’t mention which one, we had to craft an exploit and obviously when my own exploit didn’t work I went to exploitdb to look for one. The one I found was written in python 2 and not working so I decided to fix it and converted it to python 3 and made a pull request to the exploitdb’s github repository. It was accepted. It was one of the proudest moments. Full story on this, here.
In another exercise, regardless of there already being a famous tool to serve the purpose. I again went on bashing my head against the wall writing a git hash dumper tool. Never thought I’d be using recursion with bash.
The learning curve with writing so many exploits in python or bash was amazing.
In a nutshell, Don’t be a script kiddie!
This blog post actually got quite messy. I kept bouncing back and forth between talking about my experience and giving tips. Spoiler! Hopefully, I will get better at writing blogs :D
I would like to end this on the note and advise someone gave me on twitter before I started my journey with PentesterLab:
If you don’t know much, don’t sweat it. It means you are in the process of learning something new. Also, especially with the first section, read up on what commands do! Feel free to ask help, the infosec community is really great if you know how to ask the right questions!
Also, I would highly recommend you to check out this post: https://medium.com/@johntroony/learning-web-app-sec-at-pentesterlab-d9b7da206324
If you are not yet a PRO member of PentesterLab, please consider using this link to register: https://pentesterlab.com/referral/_fTGJ6QYakkd7g
We both get 10 points if you subscribe to PRO using the above link and 50 such points can get you 1 additional month of PRO access.
You can sign up as a student and get the special student discount or as an individual or even as an enterprise. The hacktivitity tracker is worth a mention.
Thanks for reading, happy hackin’! ~ Eshaan7