eLearnSecurity WAPT Journey (Starting December 2019)

sim20

Hi all,

Unfortunately I seem to have lost access to my account which i've had since 2014, so i've made a new one to keep you all updated! I started the eLearnSecurity WAPT course last week. There are 15 chapters and i've finished the first 3 (Pentesting Process / Introduction & Information Gathering and XSS). So far, so good. Connecting to their labs has been a complete nightmare for me - tried on Mac, Windows & Linux. The easiest setup seems to be on Linux - Mac isn't pleasant whatsoever to get working, although it can be done with some fiddling around.

Have I learnt anything new just yet? No - but i've only got through the first few chapters. There are lots of slides per topic (~200), support videos, challenges with no solutions, labs with solutions if you do get stuck. So far - i've used just one solution for one of the XSS labs. I'm intrigued to see how this course pans out. No idea what the exam will be like at this point, but i'm going to stick with it and try to soak up all the information I can.

Next steps: SQLi lab, revisit Information Gathering lab and a quick browse over the Pentesting Process slides.

I'll post an update at the weekend.

si20

*managed to get back into my account. I will post updates from this*

chrisone

Very cool, keep us updated. I am sure you will learn plenty from the course. I haven't had any issues connecting to any of their labs for any of their courses. What are you using in order to take and organize your notes?

si20

So far I'm using OneNote - not for any particular reason aside from the fact its freely available and is good with multiple pages and throwing screenshots in.

I think SQLi should be the best lesson it can teach me - I'm really hoping I can get to grips with it. I understand it at a basic level but hopefully it will hold my hand a bit before I tackle the challenges.

nathandrake

I really enjoyed the course.  I completed it and go the certification a few weeks back.  The only complaint was the VPN issues.  If I connected from my windows box, I had 0 issues.  When I would connect from my Kali VM, I had tons of disconnection issues.  When I'd get disconnected, I'd usually have to reboot, because I'd have tons of issues trying to reconnect back.   Judging from their forums, I think a lot of people experience the same type of issues.  

There is like a night and day difference between the regular labs and the challenge labs.  Just FYI, if you can do all the regular labs without issues, then you should be able to pass the exam.  I think I only took one concept I learned form the challenge labs and applied it in the actual exam.  But I did end up learning the most from the challenge labs.  There was only one challenge I could not complete (in the HTML5 section).  I'm sure once you get there, you'll know the exact challenge lab I'm talking about. 

si20

Thanks that sounds promising! I'm going to tackle the SQLi labs today. The XSS labs were very easy (including the challenge labs). I completed the labs + challenges without help (aside from one XSS lab, I would have got the answer, but I read the solution more-so to see the way the suggested it should be done).

Agreed on the VPN issues. On Mac, the only way i've got it working is to add every single individually named <lab>.site to the resolver file. On my Linux laptop, it seems to work fine if I edit resolver.conf to only use their IP address they provide. Flaky setup really, but for now, it's running ok.

I'm looking forward to the HTML lab now! So when would you say i'm ready for the exam? When I can tackle all the regular labs without issue? And if I can pass the challenge labs I should be really well set for the exam? Are you able to say what the exam consists of without ruining it? Is it like a pen-test? Or is it more goal orientated?

nathandrake

The exam is a full blown pen test, but there is one particular goal you have to achieve or it's an automatic fail.  Just be mindful to treat it as a full blown pen test, and not a CTF type thing when trying to achieve that one particular goal.  I got so caught up with that one goal, that my screen shots and notes started to lack on other issues I found.   So I had to spend some extra time fixing my notes for the report.

What I did to make sure I was ready for the exam.  I went through the whole course (probably took roughly 10 weeks, but I was also juggling full time job and 3 kids that are involved with a lot of things after school).  I was only able to dedicate 1-2 hours a day on it.   After i went through the whole course, I re-did all the labs one more time, just to make sure I was ready.  Once I completed all labs a second time, I took the exam.  You have 7 days to do the pen test and then 7 more days to do the report, so it gives you plenty of time.

tedjames

Do keep us posted. And best of luck! I've paid for this training (got it last year for 50% off), but I haven't had time to start. Hope to start in 2020 after I finish some other training.

When I was taking eJPT, I had the hardest time connecting to the lab via Windows but almost no trouble at all via Kali Linux. It made sense to me to use Kali Linux, anyway, because so many of the tools are built-in vs. having to install them one at a time in Windows.

si20

Early update before the weekend - I read 140 of the 280 slides for SQLi today. I attempted the SQLi lab and had to consult the solution - the slides are somewhat useful, but it's death by powerpoint. I understand the solution, and I suppose that's the main thing. I've actually done that solution in a CTF in the past - so it was a good re-cap of something i'd forgotten. I expect to have the SQLi slides read by the weekend, and spend the weekend on the labs/challenges.

tedjames

si20 said:

Early update before the weekend - I read 140 of the 280 slides for SQLi today. I attempted the SQLi lab and had to consult the solution - the slides are somewhat useful, but it's death by powerpoint. I understand the solution, and I suppose that's the main thing. I've actually done that solution in a CTF in the past - so it was a good re-cap of something i'd forgotten. I expect to have the SQLi slides read by the weekend, and spend the weekend on the labs/challenges.

I did that with some of the eJPT labs. Sometimes I learn and understand more when I can reverse engineer the answer. It's more fun that way (for me), anyway.

si20

Has it really been 10 days since I last worked on this?! Wow. Christmas and boxing day got in the way. Well, it's good news so far. I've just completed the SQL injection section, which consisted of: 3 labs and 4 challenges. The labs do have solutions if you get stuck, whereas the challenges do not.

I can proudly say I completed all 4 challenges - admittedly, I did use the PDF material they provide as reference, but I definitely don't consider this bad practice - that's what it's there for. You have to still understand the SQL commands and results to carry out the attack(s).

Again: The challenge answers are NOT published - so you have to solve these alone, so I am genuinely pleased to have done these without any clues or help from other members, the forum or the admins. 

So the sections i've now covered are as follows:

Introduction labs [done]
Information Gathering [done]
Cross Site Scripting [3 labs / 3 challenges all done]
SQL Injection [3 labs , 4 challenges - all done]

Next up: Authentication and Authorization. 

I have to say: the OpenVPN setup is far from reliable. I suppose it's just something I'm going to have to get used to during this course. But it has opened my eyes to how bad OpenVPN can be.

JoJoCal19

It's great to track your progress! I also haven't touched PWK since before Christmas    I'm surprised you're having that many issues with OpenVPN though. I had zero issues when I did eJPT.

si20

It's very easy to miss a few days - I genuinely had no idea I'd lost 10 days!

OpenVPN on mac truly sucks. On Linux (Parrot OS) it is better, but not perfect. Not really bothered with windows. I figured a pen-testing distro would be best due to the nature of the course. That being said, I've read some of the authentication slides and I'm now 4 labs into the (5?) labs in the authentication and authorization chapter.

If I was to rate the course so far: it's not bad. Would I recommend it? Not just yet. I think until I've completed all chapters and had an attempt at the exam, it's really hard to rate this. I don't know when I'll be ready for the exam - whereas on the CompTIA courses, or OSCP, you get a rough idea when you're ready for the exam. With WAPT, I've got no clue.

Reading the eLearnSecurity forums, they suggest that you don't need to read anything outside of their own material to pass, so I'm hoping that by doing the labs/challenges, that's all I'll need to pass? One can hope!

si20

A quick update: I'm not sure where I read it, but someone said the challenges are night and day compared to the reading material - and I think they're right. The challenges are pretty hard. You can get clues in the forum, but rarely is the full answer available, so you're likely on your own. I managed to clear 2 challenges from the Authentication & Authorization chapter, but wow, they're quite testing. I'm now thinking that this wouldn't be a good course for total beginners to webapp pentesting. You definitely need strong bash/html knowledge, maybe even python for some of the challenge material.

2nd update of the day:

So i've completed Authentcation & Authorization - Completed 3 labs and 5 challenges. I'd say they were relatively straight forward. I actually completed them before reading the material. So you guessed it... I've now got probably around 200+ slides to read.

I spent 4 hours+ today on this part of the course. I will say this much: it's a VERY time consuming course. I really wish i'd have kept a note of the time i'm spending on it. I'd take a wild guess and say 5 hours per section. I think there are 15 sections in total. That's without going back to sections etc.

chrisone

I like the slides they are very thorough and give lots of content based on context. You get a broader understanding of what is going on. 

I dont mind spending 3-6 days on a module to fully grasp it. Even if you spend a week on each module it’s around 4 months of study. I feel many of us, including myself, want to blitz through these courses within 1 month. I’m shooting for 3 months tops.

wd40

Any progress with your study?

LonerVamp

I just want to say I chuckled at "strong HTML knowledge."    In a good way!

si20

hi all - apologies for the delay in updating this. A few things have happened (in my work) which means I have to postpone WAPT and do OffSec's AWAE (90 days) then return to WAPT. So two certs for me this year. Shame really because I was 50% through WAPT. Anyway, i'll create a new thread for AWAE and return to WAPT late 2020. Thanks all.

si20

I decided after a long time to study the WAPT rather than the AWAE (many reasons), although, I have had to start from scratch because it has been 4 months since I touched it. Well, my personal circumstances are significantly better for studying now (long story..) and I have blasted through it this weekend. In just 2 days, I'm 6 chapters in - basically where I was when I got given the AWAE.

So far, I've crushed every lab and every challenge. I'll keep this updated weekly until my exam - this way, it'll keep me honest. It's a great course, although I think it's the OSCP of webapp - some parts are pretty damn tough. But, it's good fun.

chrisone

Congrats! So you are doing WAPTv3 and do you plan on jumping in to AWAE after or WAPTX? 

si20

chrisone said:

Congrats! So you are doing WAPTv3 and do you plan on jumping in to AWAE after or WAPTX? 

Thanks - I don't think my company will pay for AWAE again - like I say, by giving me both, it really screwed me over (I appreciate them giving me the courses, but...). I feel like I need to go with the one I have the best chance at passing - and that's the WAPT v3, as it pretty much covers 50-60% of the things I do in my daily job.

I think I'll request them to provide me WAPTx, but I think that'll be 2021. In the meantime, I might re-visit the Pentest+ and pay out of my own pocket, seeing as it's a fairly reasonable price.

chrisone

Excellent! I look forward to hearing your progress! 

si20

Ok - weekend update as promised. I've been *hammering* this course relentlessly. My drive is well and truly back like it used to be.

I've spent approx 20 hours on it this week (outside of work) and I have covered a massive amount of content. I've covered the Flash exploitation chapter, "Other Attacks" which covers clickjacking etc. I've spent this weekend exploiting CMS sites (wordpress/plugins) and XPath. I've easily put in another 8 hours today alone.

If anyone reads this in future: this course is NOT for someone who wants a quick 10 hour read and an "easy" cert. Heck, I wouldn't even call this a beginner course (I've heard some people say it's a beginner Webapp course). There are approx 3000 presentation slides to read, a large amount of labs to attack and then there's some configuring tools/scripts etc. And what's more - you really need to understand why things are working - why things are broken.

I'm fully expecting to be exam-ready by the end of May. So I suspect I will take the exam in June (if I can keep going at this rate!!!)

yoba222

Great to hear you are still chugging away at this! Curious, since you've sampled both the Offensive Security and the eLearnSecurity web pentest offerings -- purely from a learning journey standpoint -- which content do you prefer? This is with taking cert value and cost of training off the table.

si20

yoba222 said:

Great to hear you are still chugging away at this! Curious, since you've sampled both the Offensive Security and the eLearnSecurity web pentest offerings -- purely from a learning journey standpoint -- which content do you prefer? This is with taking cert value and cost of training off the table.

I think the eLearnSecurity course is much, much more "realistic". I've been doing webapp pentests for the past year for my day-job and the stuff I see on the WAPT is (somewhat) similar to what I see in my job. There are a whole bunch of things that are new to me, but to me, the true value of the WAPT is in the labs/challenges. Labs do have solutions, so if you're totally stuck, you can get answers and understand why you were going wrong. Challenges are designed to be just that - and some a a REAL challenge.

The AWAE didn't feel polished at all from the 2-3 weeks I spent on it. The WAPT feels mostly finished, although could probably do with some tweaks (1-2 challenges seem broken and admins are aware, but judging by their forums, the challenges haven't been fixed in years). Neither course is perfect, but I think WAPT is the more realistic and attainable of the two. I feel like I've learned more on WAPT than I would have learned on AWAE.

nathandrake

si20 said:

I think the eLearnSecurity course is much, much more "realistic". I've been doing webapp pentests for the past year for my day-job and the stuff I see on the WAPT is (somewhat) similar to what I see in my job. 

I completely agree with that assessment.  I've been doing Webapp pentesting for a year and a half and I found this course to be very applicable to what I do today.  I'm really wanting to enroll in the WAPTX course to see what new things I learn.  I'm currently taking the MASPT course, but looking forward to doing WAPTX right after.  My work paid for the MASPT, so I feel I have to put some effort into it as it's part of my 2020 yearly goal, but I'd much rather be doing the WAPTX course. 

yoba222

si20 said:

. . . I spent 4 hours+ today on this part of the course. I will say this much: it's a VERY time consuming course. I really wish i'd have kept a note of the time i'm spending on it. I'd take a wild guess and say 5 hours per section. I think there are 15 sections in total. That's without going back to sections etc.

I like to go slow and digest everything, and the eLearnSecurity pricing scheme supports this far better than Offense Security's 30-day marathon approach. I've logged 140 hours in the 2020 PWK course material as of yesterday and only halfway through, going on 60 days in. @si20 and @nathandrake, you've talked me into WAPT as the next course.  Had to do a web app pentest just last week and what the PWK teaches for this, while good, is not enough. I agree about the slide show approach though. 75 hours or PowerPoint to look "forward" to

si20

So earlier in the week, I kicked off the exam. My workplace wasn't extremely happy with me as I told them I was working from 5pm finish, through til 1am. They were somewhat understandably worried it might affect my day to day.

Well, I can say that I'm almost done with the exam and all that's left is to do a write-up and submit it. I hear eLearn are fairly quick to respond with exam results, so I'm hoping for the best.

I can confirm that I got admin access and have found around 10 vulnerabilities in total. There may be more, but from the material I've studied, 10 is the most I can find. Hopefully this should be enough for a pass.

chrisone

Woah that is epic @si20 Congrats! You should hear from them by next week. I am not sure if anyone will be checking the report over the weekend. 

I have the course waptv3 too. I think I am going to start it and hopefully be ready by end of July or early august to take it. Unless I find the material easier to digest based on my OSCP and eCPPT experience, I will try to take the exam end of June or mid July. 

How long were you studying for the exam? What labs do you feel helped out the most?

si20

Thanks! I haven't submitted just yet. I'm spending a large portion of time making sure the report looks good and reads well. Judging by course material it looks like you can fail by producing a really bad report - not that I was going to! But I think it'll help to pull me over the line.

I started in December of last year and 4 weeks into the study I got sidetracked. My work insisted I did the AWAE. Of course, work didn't understand that the WAPT is difficult enough (e.g it won't be the first cert someone ever picks to do). Doing AWAE too?!? Insane!

I decided to pause AWAE (they do allow you a single pause if you provide a solid reason why they should). And then I picked up where I left off at the end of April, putting approx 12-15 hours of study in each weekend until now. So approx 30 hours over the past 2 weeks. All in all, I reckon I've done 60 hours of study.

What should you study more of? Without ruining the exam, I'd study all forms of injection, and understand it as much as you can because the exam is no joke. I heard one or two people say this is a beginner/entry level course. In many ways, I found this harder than the OSCP. Once you've done the exam I'd love to get your opinion on it!

There are a few very obscure things that the WAPT covers and it would be a very good idea to study these in detail too.

chrisone

That is awesome! Hopefully I clear IHRP next Friday so that I can jump into WAPT right after. 

By the way are you jumping back on AWAE now? Had to ask