eLearnSecurity WAPT Journey (Starting December 2019)

Hi all,

Unfortunately I seem to have lost access to my account which i've had since 2014, so i've made a new one to keep you all updated! I started the eLearnSecurity WAPT course last week. There are 15 chapters and i've finished the first 3 (Pentesting Process / Introduction & Information Gathering and XSS). So far, so good. Connecting to their labs has been a complete nightmare for me - tried on Mac, Windows & Linux. The easiest setup seems to be on Linux - Mac isn't pleasant whatsoever to get working, although it can be done with some fiddling around.

Have I learnt anything new just yet? No - but i've only got through the first few chapters. There are lots of slides per topic (~200), support videos, challenges with no solutions, labs with solutions if you do get stuck. So far - i've used just one solution for one of the XSS labs. I'm intrigued to see how this course pans out. No idea what the exam will be like at this point, but i'm going to stick with it and try to soak up all the information I can.

Next steps: SQLi lab, revisit Information Gathering lab and a quick browse over the Pentesting Process slides.

I'll post an update at the weekend.

Find more posts tagged with

eLearnSecurity

wapt

web application pentester

web application penetration tester

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

si20

Sounds like a great plan! Good luck!

Yep! I'll give myself a week break, then I'll get onto the AWAE. I don't think I'm at that level if I'm honest, but I'll give it a whirl anyway!

chrisone said:

That is awesome! Hopefully I clear IHRP next Friday so that I can jump into WAPT right after.

By the way are you jumping back on AWAE now? Had to ask

si20

Report has now been submitted! I'll be sure to update this thread once I get the results. Thanks everyone for following along - apologies I took 5 months with this one due to personal issues. Hopefully I get some good news and can write-up a little course review.

chrisone

If you think about it, within 5 months you cleared eWPT and had some time working on AWAE. That is impressive already, you may look back 4-5 months from now with OSWE cleared all within 1 year. From Dec to Dec, its going to be an awesome year for you!

nathandrake

@si20 Were you able to complete the HTML5 challenge lab? It was the only one I was never able to complete. I still have like 40+ hours of lab time left. I think I may try to tackle it again maybe this weekend of next. I really want to say I was able to complete everything 100% before I enroll in the WAPTX course.

si20

nathandrake said:

@si20 Were you able to complete the HTML5 challenge lab? It was the only one I was never able to complete. I still have like 40+ hours of lab time left. I think I may try to tackle it again maybe this weekend of next. I really want to say I was able to complete everything 100% before I enroll in the WAPTX course.

Were you the guy I spoke to on LI about that lab? I remember saying it was the most difficult. I did complete it in the end - although mostly because the solution was practically given away in the eLearn forums. I don't think I'd have had the javascript knowledge to carry it out. That's my next task over the coming year or so - I will start coding in html, php, javascript - even to get an entry level understanding. It has been years since I touched the coding side of things, but the ethical hacking certs all require at least a bit of scripting/dev knowledge.

UnixGuy

You're a beast mate, what an inspirational effort! Gives me motivation to work harder!

iBrokeIT

Cheers on the submission and hopefully a pass!

si20

UnixGuy said:

You're a beast mate, what an inspirational effort! Gives me motivation to work harder!

Thanks! (Thanks iBrokeIT too).

Truth be told, I'd lost the mindset for these sorts of exams. And what with lots of stuff happening in my personal life it has been difficult. But I'm motivated again! Having free time and spending it wisely is key. Onwards and upwards as they say!

Hopefully the results come in this week. And next weekend I begin the AWAE (again).

chrisone

Hey @si20 what are you initial impressions between WAPTv3 and AWAE, are they completely different? Any similarities, granted AWAE is more advanced but going through both training any similarities? do you think WAPTv3 will help you understand AWAE any better?

si20

chrisone said:

Hey @si20 what are you initial impressions between WAPTv3 and AWAE, are they completely different? Any similarities, granted AWAE is more advanced but going through both training any similarities? do you think WAPTv3 will help you understand AWAE any better?

Hey! First impressions were that they were totally different. With eWAPT it teaches more commonly found attacks such as XSS, SQLi, Xpath etc whereas AWAE teaches XSS but then wants you to essentially reverse engineer a program, find XSS and create a script/PoC to exploit it.

I think when my AWAE resumes I'll only have around 50 days left on it. Maybe less. I'll be able to give a better idea about it in the coming weeks. I truly don't expect to pass it. I've never reversed software before and never created PoCs. But I'll have a much better idea soon and I'll make sure to do an AWAE journey like I did with WAPT, although I'll keep it more regular rather than take a hiatus in the middle of it lol !

si20

WAPT officially passed! I take back what I said about a potentially long marking time. 4 working days. Not too bad!

So that's it for this journey. Next will be the AWAE journey which starts Sunday. I'll update Sunday evening (UK time).

chrisone

Dude! Epic! congrats brother! Hopefully I will soon be joining you

nathandrake

si20 said:

WAPT officially passed! I take back what I said about a potentially long marking time. 4 working days. Not too bad!

So that's it for this journey. Next will be the AWAE journey which starts Sunday. I'll update Sunday evening (UK time).

Have any interest in doing the WAPTX in the near future? I'm torn between WAPTX and AWAE, so I'm looking forward to reading your AWAE journey.

si20

chrisone said:

Dude! Epic! congrats brother! Hopefully I will soon be joining you

Thanks man! I'm certain you will!

nathandrake said:

si20 said:

WAPT officially passed! I take back what I said about a potentially long marking time. 4 working days. Not too bad!

So that's it for this journey. Next will be the AWAE journey which starts Sunday. I'll update Sunday evening (UK time).

Have any interest in doing the WAPTX in the near future? I'm torn between WAPTX and AWAE, so I'm looking forward to reading your AWAE journey.

I am tempted to do the WAPTx next year. I need to have a look at how beneficial the course material is for what I do. Once the AWAE is over, I'll take a good look at the syllabus and see whether it looks like something I should try.

usoop

Excellent mate

iNoSec

I enroll on ine.com on WAPT and im really disapointed about some exercises... The exercises statement arent clear at all or simply not related at all with the lesson!!

Before i must say, they have the good idea to ask you if you are still connected to the lab every 45min, but not on the lab page, no on the main site, and if no answer, because who look the main website when you are on burp or on the lab website, they stop the lab and you must connect again to the VPN etc, you lose the focus, and lose time... anyway that's not the worst.
I will pass on their stupid regex who dont img/src as xss payload when img src work... anyway, read the rest of the post the best come...

Let's take the exercise/lab with title "Failure to restrict URL Access"
Here the Scenario etc:

So it is not written to connect to an account to learn about what page are protected/behind the login page but the solution is to connect to an account to have all the authenticated page and after try to access them being unauthenticated...
Totally stupid to not have the credentials or at least state you must be log to retrieve the page to test for "Failure to restrict URL Access"...
When you see a "Failure to restrict URL Access" and no cred are given you try to bruteforce directories, look at source code to find the hidden URL...
it is exercise, not real world or whatever so i follow the scenario... what a mistake...

After that we have an exercise on "Bypassing authentication through SQL Injection" so for all who know web hacking and already do CTF etc we all know bypassing login with SQLi mean OR 1=1 style payload but no ine/elearnsecurity decide to use only sqlmap (which really bad teaching for me but personal POV), and they must say to solve it with only the tool but the worst is : the SQLi is an error-based where you **** the db... So where is the auth bypass here??? what the **** a SQLi error based exercise have to do with a lesson on authentication/authorization???

Before all guys here come to say im a noob etc, i must say i already found real bug on h1/bugcrowd/intigriti/yes we hack platforms, im not a beginner and i didnt paid for the course (it is a gift).
The problem is the exercise must be in relation to the lesson (see SQLi on auth bypass), they must be clearer on what we must do on the lab (see "failure to restrict access url"). Someone can say me, in real world you have no hint or exercise statement but the goal of exercise in a lesson is to practice what you just learn not to make a real world pentest...

For all of that i think they must work a LOT on some part of their course/exercise but like all is not black or white, i must say their content is really well made and you will learn tons of things, i have no vpn issue except the 45m i talk at the beginning.