eLearnSecurity WAPT Journey (Starting December 2019)

Hi all,
Unfortunately I seem to have lost access to my account which I've had since 2014, so I've made a new one to keep you all updated! I started the eLearnSecurity WAPT course last week. There are 15 chapters and I've finished the first 3 (Pentesting Process / Introduction & Information Gathering and XSS). So far, so good. Connecting to their labs has been a complete nightmare for me - tried on Mac, Windows & Linux. The easiest setup seems to be on Linux - Mac isn't pleasant whatsoever to get working, although it can be done with some fiddling around.
Have I learnt anything new just yet? No - but I've only got through the first few chapters. There are lots of slides per topic (~200), support videos, challenges with no solutions, labs with solutions if you do get stuck. So far - I've used just one solution for one of the XSS labs. I'm intrigued to see how this course pans out. No idea what the exam will be like at this point, but I'm going to stick with it and try to soak up all the information I can.
Next steps: SQLi lab, revisit Information Gathering lab and a quick browse over the Pentesting Process slides.
I'll post an update at the weekend.
Comments
2023 Cert Goals: SC-100, eCPTX
There is like a night and day difference between the regular labs and the challenge labs. Just FYI, if you can do all the regular labs without issues, then you should be able to pass the exam. I think I only took one concept I learned from the challenge labs and applied it in the actual exam. But I did end up learning the most from the challenge labs. There was only one challenge I could not complete (in the HTML5 section). I'm sure once you get there, you'll know the exact challenge lab I'm talking about.
Agreed on the VPN issues. On Mac, the only way I've got it working is to add every single individually named <lab>.site to the resolver file. On my Linux laptop, it seems to work fine if I edit resolver.conf to only use their IP address they provide. Flaky setup really, but for now, it's running ok.
I'm looking forward to the HTML lab now! So when would you say I'm ready for the exam? When I can tackle all the regular labs without issue? And if I can pass the challenge labs I should be really well set for the exam? Are you able to say what the exam consists of without ruining it? Is it like a pen-test? Or is it more goal orientated?
What I did to make sure I was ready for the exam: I went through the whole course (probably took roughly 10 weeks, but I was also juggling a full-time job and 3 kids that are involved with a lot of things after school). I was only able to dedicate 1-2 hours a day on it. After I went through the whole course, I re-did all the labs one more time, just to make sure I was ready. Once I completed all labs a second time, I took the exam. You have 7 days to do the pen test and then 7 more days to do the report, so it gives you plenty of time.
I can proudly say I completed all 4 challenges - admittedly, I did use the PDF material they provide as reference, but I definitely don't consider this bad practice - that's what it's there for. You have to still understand the SQL commands and results to carry out the attack(s).
Again: The challenge answers are NOT published - so you have to solve these alone, so I am genuinely pleased to have done these without any clues or help from other members, the forum or the admins.
So the sections I've now covered are as follows:
Introduction labs [done]
Information Gathering [done]
Cross Site Scripting [3 labs / 3 challenges all done]
SQL Injection [3 labs, 4 challenges - all done]
Next up: Authentication and Authorization.
I have to say: the OpenVPN setup is far from reliable. I suppose it's just something I'm going to have to get used to during this course. But it has opened my eyes to how bad OpenVPN can be.
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
OpenVPN on Mac truly sucks. On Linux (Parrot OS) it is better, but not perfect. Not really bothered with Windows. I figured a pen-testing distro would be best due to the nature of the course. That being said, I've read some of the authentication slides and I'm now 4 labs into the (5?) labs in the authentication and authorization chapter.
If I was to rate the course so far: it's not bad. Would I recommend it? Not just yet. I think until I've completed all chapters and had an attempt at the exam, it's really hard to rate this. I don't know when I'll be ready for the exam - whereas on the CompTIA courses, or OSCP, you get a rough idea when you're ready for the exam. With WAPT, I've got no clue.
Reading the eLearnSecurity forums, they suggest that you don't need to read anything outside of their own material to pass, so I'm hoping that by doing the labs/challenges, that's all I'll need to pass? One can hope!
So I've completed Authentication & Authorization - Completed 3 labs and 5 challenges. I'd say they were relatively straightforward. I actually completed them before reading the material. So you guessed it... I've now got probably around 200+ slides to read.
I don't mind spending 3-6 days on a module to fully grasp it. Even if you spend a week on each module it’s around 4 months of study. I feel many of us, including myself, want to blitz through these courses within 1 month. I’m shooting for 3 months tops.
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
So far, I've crushed every lab and every challenge. I'll keep this updated weekly until my exam - this way, it'll keep me honest. It's a great course, although I think it's the OSCP of webapp - some parts are pretty damn tough. But, it's good fun.
I think I'll request them to provide me WAPTx, but I think that'll be 2021. In the meantime, I might re-visit the Pentest+ and pay out of my own pocket, seeing as it's a fairly reasonable price.
I've spent approx 20 hours on it this week (outside of work) and I have covered a massive amount of content. I've covered the Flash exploitation chapter, "Other Attacks" which covers clickjacking etc. I've spent this weekend exploiting CMS sites (WordPress/plugins) and XPath. I've easily put in another 8 hours today alone.
Security+, eJPT, CySA+, PenTest+,
Cisco CyberOps, GCIH, VHL,
In progress: OSCP
I completely agree with that assessment. I've been doing Webapp pentesting for a year and a half and I found this course to be very applicable to what I do today. I'm really wanting to enroll in the WAPTX course to see what new things I learn. I'm currently taking the MASPT course, but looking forward to doing WAPTX right after. My work paid for the MASPT, so I feel I have to put some effort into it as it's part of my 2020 yearly goal, but I'd much rather be doing the WAPTX course.
I like to go slow and digest everything, and the eLearnSecurity pricing scheme supports this far better than Offensive Security's 30-day marathon approach. I've logged 140 hours in the 2020 PWK course material as of yesterday and only halfway through, going on 60 days in. @si20 and @nathandrake, you've talked me into WAPT as the next course. Had to do a web app pentest just last week and what the PWK teaches for this, while good, is not enough. I agree about the slide show approach though. 75 hours of PowerPoint to look "forward" to
I have the course waptv3 too. I think I am going to start it and hopefully be ready by end of July or early August to take it. Unless I find the material easier to digest based on my OSCP and eCPPT experience, I will try to take the exam end of June or mid July.
How long were you studying for the exam? What labs do you feel helped out the most?
By the way are you jumping back on AWAE now? Had to ask