eLearnSecurity WAPT Journey (Starting December 2019)

sim20 (Member, Posts: 1)
Hi all,

Unfortunately I seem to have lost access to my account, which I've had since 2014, so I've made a new one to keep you all updated! I started the eLearnSecurity WAPT course last week. There are 15 chapters and I've finished the first 3 (Pentesting Process / Introduction & Information Gathering and XSS). So far, so good. Connecting to their labs has been a complete nightmare for me: tried on Mac, Windows & Linux. The easiest setup seems to be on Linux. Mac isn't pleasant whatsoever to get working, although it can be done with some fiddling around.

Have I learnt anything new just yet? No, but I've only got through the first few chapters. There are lots of slides per topic (~200), support videos, challenges with no solutions, and labs with solutions if you do get stuck. So far I've used just one solution, for one of the XSS labs. I'm intrigued to see how this course pans out. No idea what the exam will be like at this point, but I'm going to stick with it and try to soak up all the information I can.

Next steps: SQLi lab, revisit Information Gathering lab and a quick browse over the Pentesting Process slides.

I'll post an update at the weekend.

Comments

  • si20 (Member, Posts: 482)
    *managed to get back into my account. I will post updates from this*
  • chrisone (Senior Member, Posts: 1,938)
    edited December 2019
    Very cool, keep us updated. I am sure you will learn plenty from the course. I haven't had any issues connecting to any of their labs for any of their courses. What are you using in order to take and organize your notes?
    2020 Goals:
    Courses: VHL (3 month pass)
    Certs: OSCP (in-progress), AZ-500 (in-progress), MS-500, Pentester Academy - CRTE
  • si20 (Member, Posts: 482)
    So far I'm using OneNote, not for any particular reason aside from the fact that it's freely available and is good with multiple pages and throwing screenshots in.

    I think SQLi should be the best lesson it can teach me. I'm really hoping I can get to grips with it. I understand it at a basic level, but hopefully it will hold my hand a bit before I tackle the challenges.
  • nathandrake (Member, Posts: 60)
    I really enjoyed the course. I completed it and got the certification a few weeks back. The only complaint was the VPN issues. If I connected from my Windows box, I had zero issues. When I would connect from my Kali VM, I had tons of disconnection issues. When I'd get disconnected, I'd usually have to reboot, because I'd have tons of issues trying to reconnect. Judging from their forums, I think a lot of people experience the same type of issues.

    There is a night and day difference between the regular labs and the challenge labs. Just FYI, if you can do all the regular labs without issues, then you should be able to pass the exam. I think I only took one concept I learned from the challenge labs and applied it in the actual exam. But I did end up learning the most from the challenge labs. There was only one challenge I could not complete (in the HTML5 section). I'm sure once you get there, you'll know the exact challenge lab I'm talking about.
  • si20 (Member, Posts: 482)
    Thanks, that sounds promising! I'm going to tackle the SQLi labs today. The XSS labs were very easy (including the challenge labs). I completed the labs + challenges without help (aside from one XSS lab; I would have got the answer, but I read the solution more so to see the way they suggested it should be done).

    Agreed on the VPN issues. On Mac, the only way I've got it working is to add every single individually named <lab>.site to the resolver file. On my Linux laptop, it seems to work fine if I edit resolver.conf to only use the IP address they provide. Flaky setup really, but for now it's running OK.

    I'm looking forward to the HTML lab now! So when would you say I'm ready for the exam? When I can tackle all the regular labs without issue? And if I can pass the challenge labs I should be really well set for the exam? Are you able to say what the exam consists of without ruining it? Is it like a pen-test? Or is it more goal orientated?
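An added example, not part of the thread and not eLearnSecurity's own setup, for the macOS resolver problem described in the post above. macOS consults /etc/resolver/<domain> for any name under <domain> (see resolver(5)), so a single file can send every *.site lab name to the lab DNS server instead of listing each host individually. The ".site" suffix is taken from the post's "<lab>.site"; the 10.100.13.37 address and the directory argument are assumptions, and on a real Mac the directory is /etc/resolver, which needs sudo. The real DNS address is the one OpenVPN prints in its PUSH_REPLY as a dhcp-option DNS line.

```shell
#!/bin/sh
# Added example (not from the thread): per-domain DNS resolver files for lab hostnames on macOS.
# Assumed values: lab names end in ".site", lab DNS server is 10.100.13.37 (placeholder).

# first_nameserver <file>: print the first "nameserver <ip>" address from a resolv.conf-style
# file (the same format /etc/resolver/<domain> uses), or nothing if there is none.
first_nameserver() {
  awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# write_domain_resolver <resolver_dir> <domain> <dns_ip>
# Creates <resolver_dir>/<domain> containing one nameserver line, so every name under
# <domain> is resolved by <dns_ip>. Rejects anything that is not a dotted IPv4 address
# so a typo does not silently black-hole the whole domain.
write_domain_resolver() {
  dir="$1"; domain="$2"; ns="$3"
  case "$ns" in
    ""|*[!0-9.]*|.*|*.|*..*)
      echo "write_domain_resolver: '$ns' is not a dotted IPv4 address" >&2
      return 1 ;;
  esac
  case "$domain" in
    ""|*/*)
      echo "write_domain_resolver: bad domain '$domain'" >&2
      return 1 ;;
  esac
  mkdir -p "$dir" || return 1
  printf 'nameserver %s\n' "$ns" > "$dir/$domain"
}

# Usage on a Mac (constructed values; run as root because /etc/resolver is root-owned):
#   sudo sh -c '. ./lab_resolver.sh; write_domain_resolver /etc/resolver site 10.100.13.37'
#   scutil --dns | grep -A3 'domain : site'   # confirm macOS picked the new resolver up
```

The file is only consulted for names that end in the given domain, so the machine's normal DNS is untouched for everything else, and removing the single file reverts the change once the VPN session is over.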
  • nathandrake (Member, Posts: 60)
    The exam is a full-blown pen test, but there is one particular goal you have to achieve or it's an automatic fail. Just be mindful to treat it as a full-blown pen test, and not a CTF type thing, when trying to achieve that one particular goal. I got so caught up with that one goal that my screenshots and notes started to lack on other issues I found. So I had to spend some extra time fixing my notes for the report.

    What I did to make sure I was ready for the exam: I went through the whole course (probably took roughly 10 weeks, but I was also juggling a full-time job and 3 kids that are involved with a lot of things after school). I was only able to dedicate 1-2 hours a day to it. After I went through the whole course, I re-did all the labs one more time, just to make sure I was ready. Once I completed all labs a second time, I took the exam. You have 7 days to do the pen test and then 7 more days to do the report, so it gives you plenty of time.

  • tedjames (Scruffy-looking nerfherdr, Member, Posts: 1,111)
    Do keep us posted. And best of luck! I've paid for this training (got it last year for 50% off), but I haven't had time to start. Hope to start in 2020 after I finish some other training.

    When I was taking eJPT, I had the hardest time connecting to the lab via Windows but almost no trouble at all via Kali Linux. It made sense to me to use Kali Linux anyway, because so many of the tools are built in, vs. having to install them one at a time in Windows.
  • si20 (Member, Posts: 482)
    Early update before the weekend: I read 140 of the 280 slides for SQLi today. I attempted the SQLi lab and had to consult the solution. The slides are somewhat useful, but it's death by PowerPoint. I understand the solution, and I suppose that's the main thing. I've actually done that solution in a CTF in the past, so it was a good recap of something I'd forgotten. I expect to have the SQLi slides read by the weekend, and to spend the weekend on the labs/challenges.
  • tedjames (Scruffy-looking nerfherdr, Member, Posts: 1,111)
    si20 said:
    Early update before the weekend: I read 140 of the 280 slides for SQLi today. I attempted the SQLi lab and had to consult the solution. The slides are somewhat useful, but it's death by PowerPoint. I understand the solution, and I suppose that's the main thing. I've actually done that solution in a CTF in the past, so it was a good recap of something I'd forgotten. I expect to have the SQLi slides read by the weekend, and to spend the weekend on the labs/challenges.
    I did that with some of the eJPT labs. Sometimes I learn and understand more when I can reverse engineer the answer. It's more fun that way (for me), anyway.
  • si20 (Member, Posts: 482)
    edited December 2019
    Has it really been 10 days since I last worked on this?! Wow. Christmas and boxing day got in the way. Well, it's good news so far. I've just completed the SQL injection section, which consisted of: 3 labs and 4 challenges. The labs do have solutions if you get stuck, whereas the challenges do not.

    I can proudly say I completed all 4 challenges. Admittedly, I did use the PDF material they provide as reference, but I definitely don't consider this bad practice; that's what it's there for. You still have to understand the SQL commands and results to carry out the attack(s).

    Again: the challenge answers are NOT published, so you have to solve these alone. I am genuinely pleased to have done these without any clues or help from other members, the forum or the admins.

    So the sections I've now covered are as follows:

    Introduction labs [done]
    Information Gathering [done]
    Cross Site Scripting [3 labs / 3 challenges all done]
    SQL Injection [3 labs , 4 challenges - all done]

    Next up: Authentication and Authorization. 

    I have to say: the OpenVPN setup is far from reliable. I suppose it's just something I'm going to have to get used to during this course. But it has opened my eyes to how bad OpenVPN can be.
  • JoJoCal19 (California Kid, Mod, Posts: 2,808)
    It's great to track your progress! I also haven't touched PWK since before Christmas :s I'm surprised you're having that many issues with OpenVPN, though. I had zero issues when I did eJPT.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, CEHv8, CHFIv8, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • si20 (Member, Posts: 482)
    It's very easy to miss a few days. I genuinely had no idea I'd lost 10 days!

    OpenVPN on Mac truly sucks. On Linux (Parrot OS) it is better, but not perfect. Not really bothered with Windows. I figured a pen-testing distro would be best due to the nature of the course. That being said, I've read some of the authentication slides and I'm now 4 labs into the (5?) labs in the authentication and authorization chapter.

    If I was to rate the course so far: it's not bad. Would I recommend it? Not just yet. I think until I've completed all chapters and had an attempt at the exam, it's really hard to rate this. I don't know when I'll be ready for the exam, whereas on the CompTIA courses, or OSCP, you get a rough idea of when you're ready for the exam. With WAPT, I've got no clue.

    Reading the eLearnSecurity forums, they suggest that you don't need to read anything outside of their own material to pass, so I'm hoping that doing the labs/challenges is all I'll need to pass? One can hope!
  • si20 (Member, Posts: 482)
    edited January 1
    A quick update: I'm not sure where I read it, but someone said the challenges are night and day compared to the reading material, and I think they're right. The challenges are pretty hard. You can get clues in the forum, but rarely is the full answer available, so you're likely on your own. I managed to clear 2 challenges from the Authentication & Authorization chapter, but wow, they're quite testing. I'm now thinking that this wouldn't be a good course for total beginners to webapp pentesting. You definitely need strong bash/HTML knowledge, maybe even Python for some of the challenge material.

    2nd update of the day:

    So I've completed Authentication & Authorization: completed 3 labs and 5 challenges. I'd say they were relatively straightforward. I actually completed them before reading the material. So you guessed it... I've now got probably around 200+ slides to read.

    I spent 4+ hours today on this part of the course. I will say this much: it's a VERY time-consuming course. I really wish I'd kept a note of the time I'm spending on it. I'd take a wild guess and say 5 hours per section. I think there are 15 sections in total. That's without going back to sections, etc.
  • chrisone (Senior Member, Posts: 1,938)
    I like the slides; they are very thorough and give lots of content based on context. You get a broader understanding of what is going on.

    I don't mind spending 3-6 days on a module to fully grasp it. Even if you spend a week on each module it's around 4 months of study. I feel many of us, including myself, want to blitz through these courses within 1 month. I'm shooting for 3 months tops.
    2020 Goals:
    Courses: VHL (3 month pass)
    Certs: OSCP (in-progress), AZ-500 (in-progress), MS-500, Pentester Academy - CRTE
  • wd40 (CISA, eJPT, MCP, MCTS, CompTIA x 6; Member, Posts: 1,005)
    Any progress with your study?
  • LonerVamp (OSCP, GCFA, GWAPT, CISSP, OSWP, CCNA Cyber Ops, Sec+, Linux+, AWS SAA, CCSK; Member, Posts: 462)
    I just want to say I chuckled at "strong HTML knowledge." :D In a good way!

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, CCNA Cyber Ops, Sec+, Linux+, AWS SA-A, CCSK
    2020 goals: AWS Security Specialty, AWAE or SLAE, CISSP-ISSAP?
  • si20 (Member, Posts: 482)
    edited January 20
    Hi all, apologies for the delay in updating this. A few things have happened (in my work) which mean I have to postpone WAPT and do OffSec's AWAE (90 days), then return to WAPT. So two certs for me this year. Shame really, because I was 50% through WAPT. Anyway, I'll create a new thread for AWAE and return to WAPT late 2020. Thanks all.