eLearnSecurity WAPT Journey

Hello everyone,

Yes, I know, I have an active topic on my journey through OSCP. I start PWK in 3 days but my employer graciously also paid for eLearnSecurity's Web Application Penetration Tester course. I bought the "elite" version, so the documentation and certification voucher does not expire, and I have 130 hours of lab time that I can use whenever. Since they don't expire, I decided to enroll anyways, despite knowing my plate is already full with OSCP/PWK. PWK will still be my main focus over the next 3 months, and WAPT will just be something to fall back on during work when I have down time, as it's not as intensive as PWK/OSCP. I've been told from eLearnSec that it takes usually people a month from start to certification.

Just a bit of background on me first: I really don't know a whole lot about web pentesting. I know the basics of XSS, SQLi, RFI, LFI, etc. and I have a few walkthroughs on my website http://www.hausec.com for Mutillidae, but I felt like I needed formal education on it instead of just watching Webpwnized's Mutillidae Youtube series (although he does a great job!).

eLearnSecurity's format is similar to PWK. I have access to their documentation which covers several web pentesting modules as well as videos, labs, and the certification exam that I can take whenever. The modules covered are:

1. Penetration Testing Process
2. Introduction (Cookies, Session mgt)
3. Information Gathering
4. XSS
5. SQLi
6. Authentication and Authorization
7. Session Security
8. Flash Security and Attacks
9. HTML5
10. File and Resource Attacks
11. Other Attacks
12. Web Services
13. XPath

So far I've made it through the first two modules, which were very simple introduction to things like cookies, session management, same-origin policy, etc.

As far as content goes, so far, I'm pleased with it. The slides are not overly-difficult to follow, but I did notice a few typos. Nothing world-ending but if you're paying $1300 for a course, you'd expect proper grammar. The videos clear up any confusion quiet well, as the presenter is very clear and articulate in his explanations (Yes, he speaks clear English). I have not started the labs yet, but it's similar to PWK where you have to VPN in. I plan on doing that once I wrap up this next module. Overall, the presentation is very nice. You're not jumping all over their website to find videos or references or the lab guides, etc. It's all in one place that is easy to navigate. The labs have walkthroughs as well, so if you're stuck, you can ****, which is the opposite of PWK!

This thread will be updated once I get more into it and can give better feedback, but I thought it would be worth sharing as eLearnSecurity is starting to become more popular. So far so good though!

Find more posts tagged with

eLearnSecurity

Comments

p@r0tuXus

Grammer? *ahem* "quite" :P

Great write-up of your prep, I found it helpful all ready. I wish you the best of luck and will continue to follow your progress!

JasminLandry

Good luck on this journey! Unfortunately, the PWK course doesn't go too deep in web app pentesting so you'll learn a whole lot with the WAPT course. I suggest buying a copy of the Web Application Hacker's Handbook as it has helped me a lot learning web app stuff and it also helps with bug bounties

JoJoCal19

Good luck! I have PTS and PTP courses and I love their material.

Hausec

I'm finished with 4/13 modules. The one I just finished was on XSS. Webpwnized videos covered them quite well before this course, so I had a good idea on what to expect but this course did a very good job on going more in-depth, especially regarding DOM XSS which is something I was not sure of how to do initially. The BEEF section was also great. I knew about BEEF before, but never really tried it out. The videos are very well done and clear up any confusion on the slides. Right now I plan on doing a module a day since I have quite a bit of down time at work next week, then I'll do PWK stuff when I get home.

Hausec

So I've been in it for a little over a week and I'm still on the SQL Injection one. Comparing this to PWK is really not fair as PWK blows it out of the water. The format for this is backwards from Offensive Security's format in the sense that Offsecs format is: Watch videos first>read PDF>do exercise which is the same one in the video

eLS is: Read PDF>Watch a video that might cover what you read>Do exercise and then do more exercises without a guide

While the challenge exercises are nice, they're way more difficult than the "Lab" ones that have a walkthrough. The "Lab" exercises are extremely easy and really do not need a guide for them. If anything, I'd like a guide for the challenge exercises instead.

Now this is where the real problem in the course comes in: The lack of support. From OSCP/PWK, I've ran into issues in the labs that were answered immediately by either a forum post or an admin. That is not the case with eLS. I posted a question on the forums 3 days ago and so far It's gotten 11 views and no replies and there's no option to contact an admin. I've emailed eLS support to see if there's another option but it's almost as if you can't figure something out, then good luck. I find that a very awful business model for a $1300 course.

That leads to the second problem I have with the course. The "challenge" exercises are of course more difficult, but they'll base the challenge off of 1 slide with 2 sentences so you get a vague sense of what is going on but have no idea how to actually fix the problem or, in my case, properly inject the SQL statement. This of course leads to more questions than answers which results in Googling stuff, but I didn't pay $1300 to get ushered into Googling stuff. I could've done that for free. The difference here is that in PWK, the videos clearly cover the exercises and the labs encourage you to think of out the box. Of course you'll have to Google things as it covers many more topics, but at least you know what to Google and how to accomplish what you want to do, instead of taking random shots in the dark.

Overall I'm not too thrilled with it when comparing it to Offsec's stuff. I think if Offsec opened their web pentesting course to an online model they'd make a killing. I'll post an update in the future and if I ever get help from eLS support.

chrisone

I agree with you^

I had some stuff posted months ago and I got nothing. I have my own personal experiences with the format and quality of this course, but I will reserve that after I am done with eCPPT. I have the WAPT and ERES courses too but I do not see myself going for the certifications. I am just going to use those courses for educational purposes. After reading your experience it seems similar to my own.

I feel there is a lot of jargon at times and sometimes the bigger picture is missed. I did get the sense of a lot of misunderstanding or unclear intentions of a specific topic. For instance.....was this topic/subject used for the exam or additional supplemental information only to further clarify or to teach the history of background of something? how will we experience said topic/subject in in the exam? how should we approach such a topic on the exam? I think clarity and structure perhaps is lacking on purpose? There could be many purposes and nothing is perfect. I will continue to say this on my comments of elearnsecurity, they have good material I have learned A LOT! I do not question their quality, it could just be frustrating to get around their structure. One has to wonder if there were trying too hard not to seem "noobish" because they throw in a lot of jargon to make it seem elite and miss out on structure.

By no means am I bashing elearnsecurity its just a sense I get with my own experience and what other like the OP constantly say.

Hausec

I definitely learned a lot so far and their quality is very good, but I definitely agree with you and think they lack clarity and structure on a lot of things. I think the most frustrating thing is, once again, the lack of support they offer. I got an email back from eLS who said that all questions should be posted to the forums but they'll forward my question to the instructor. I might hear an answer today, but who knows. That, as well as the fact (for example) in the SQLinjection module, they make a video showing the basics and stuff, then they just have a few slides on "Advanced" SQL injection & SQLMap with no video and the challenges are of course based off of the Advanced section slides. It just seems backwards for this section at least. I'll attempt the eWAPT, as it's already in my voucher and I get a retake as well if I fail, but if I fail both I doubt I'll pay for it unless they revise their content & include more support.

I'm not saying it's a waste of money, because it's far from that, and again, the quality is good and the labs are very challenging & well-built. I'm learning a TON and I'm only half way done, but I would just expect it to be much more refined for the price.

jamesleecoleman

I've been looking at the WAPT off and on and I think it would be helpful. I would be super confused by this stuff since I'm not a webguy and I suck at learning websec anyways.

Thanks for posting about this course. I wish more people did different courses through eLS.

chrisone

Hausec wrote: »

I definitely learned a lot so far and their quality is very good, but I definitely agree with you and think they lack clarity and structure on a lot of things. I think the most frustrating thing is, once again, the lack of support they offer. I got an email back from eLS who said that all questions should be posted to the forums but they'll forward my question to the instructor. I might hear an answer today, but who knows. That, as well as the fact (for example) in the SQLinjection module, they make a video showing the basics and stuff, then they just have a few slides on "Advanced" SQL injection & SQLMap with no video and the challenges are of course based off of the Advanced section slides. It just seems backwards for this section at least. I'll attempt the eWAPT, as it's already in my voucher and I get a retake as well if I fail, but if I fail both I doubt I'll pay for it unless they revise their content & include more support.

I'm not saying it's a waste of money, because it's far from that, and again, the quality is good and the labs are very challenging & well-built. I'm learning a TON and I'm only half way done, but I would just expect it to be much more refined for the price.

Good luck on the response, I posted my issue back in may for lab6....

https://community.elearnsecurity.com/topic/4171-blind-penetration-lab-6-another-one/

bedpankh

i completely agree with you, challenges and labs are totally on a different level. I am googling stuff too, i am really scared about the exam while i struggle with the labs. Want to discuss challenges, labs so that we can probably help each other.

Jove

I have completed all of the WAPTv3 labs and most of the challenges except for: HTML 5-Powerplant.

I can find an active user in the chat room (chat.php) by using a simple javascript code: <img src="x" onerror="send();"> (to get the only active user).

I performed a beef xss on the popular.site website that allowed me to see the ip address of one active user, but I am not sure what to do with this information.

I ran nikto on the powerplant.site, which told me the COR headers are vulnerable, but I am not sure how to bypass the login page to access the management interface.
I found the config.php file that would allow me access to the apache server, but it is the local address (127.0.0.1), which has the db name, user,password, but I am not sure how to remotely connect to apache.

Can anyone who has completed the HTML 5 Powerplant challenge provide me with some tips or recommendations.

ansionnachcliste

Yo!

I'm enrolled on the course but haven't put too much time into the challenges, so it's nice to see where other people are on this.

So you now have the username? Maybe it's time to brute-force the password somewhere on the site?
Perhaps they have scripts to make this active user navigate through different pages, so you could perhaps steal a cookie on an exploitable form? Have you practices cookie stealing on your own created labs?
This link may be useful? https://medium.com/bugbountywriteup/stealing-user-details-by-exploiting-cors-c5ee86ebe7fb
It sounds like you just need to connect to the DB through SQLi? Using the DB name, user, and password, etc. can allow you to infer where you need to inject; which tables, columns, etc?

With that said, I'm not sure if eLS expect us to create our own servers for stealing cookies, etc.
It's mentioned in the course how to do it, so maybe it's necessary to do so and may appear in the actual exam.

Jove

Thanks for the tips.

I found a post on elearnsecurity's wapt forum where the administrator provided the user with the ajax csrf code, so I followed their steps and it worked.

I felt like the challenge statement in the pdf document is confusing and I spent 20 hours doing recon work (nslookup, nmap, netcraft), reviewing source code, performing a beef injection on popular.site, using burp suite and dirbuster, but if I focused a little better on the source code in the main site, I would have noticed the username of one active user was displayed in red. This would have clued me in on one of the active users of the site.

ansionnachcliste said:

Yo!

I'm enrolled on the course but haven't put too much time into the challenges, so it's nice to see where other people are on this.
So you now have the username? Maybe it's time to brute-force the password somewhere on the site?
Perhaps they have scripts to make this active user navigate through different pages, so you could perhaps steal a cookie on an exploitable form? Have you practices cookie stealing on your own created labs?
This link may be useful? https://medium.com/bugbountywriteup/stealing-user-details-by-exploiting-cors-c5ee86ebe7fb
It sounds like you just need to connect to the DB through SQLi? Using the DB name, user, and password, etc. can allow you to infer where you need to inject; which tables, columns, etc?
With that said, I'm not sure if eLS expect us to create our own servers for stealing cookies, etc.
It's mentioned in the course how to do it, so maybe it's necessary to do so and may appear in the actual exam.

I created my own site and wrote a xss cookie stealing script and CSRF bank transfer script just for the session security labs and challenges. It was an excellent learning experience on how "hackers" might use a combination of phishing and CSRF to retrieve or steal someone's information.