The ramble before the content
So for the last few days, I have been working my way through Elearnsecurity’s Web Application Penetration Testing eXtreme (WAPTX v2) course. Today is the last day of the exam and it’s clear I’ve not passed. For the ones of you who know about Elearnsecurity will be thinking “It’s all good, you get a free retake”, for people who don’t know about Elearnsecurity let me clear that up for you, Elearnsecurity provides you with one FREE retake should you fail on your first attempt:
“Should you fail the first attempt, the instructor will provide you with valuable feedback. Armed with this information you will have a free retake to be used within 4 days to upload a new report.”https://www.elearnsecurity.com/certification/ecptx/process
Yep, you read that right, they not only give you a FREE retake but they also provide you with feedback on your first attempt, pointing you in the right direction to nudge you on your way. Well, this is already my second run at this if you can call it that. For the majority of my first attempt I was ill and as such didn’t really get to put many hours into it.
While coming to accept that I had fail I was talking to a friend who runs rossmarks.co.uk, he suggested I make it a blog post, write down my thoughts about the course and exam, spread some information about the course and Elearnsecurity as a whole, as he hadn’t heard of them until I brought them up in conversation.
At first I was very much up for the idea, then as the day went on I started to think about it more, did I really want to put it out there how I had failed this course, publicly displaying my “short fall”, would this make people disregard me for a opportunity because they searched my name and found this post? So I went on with my day, spent some time with the kids, spoke with my better half about the exam and how I hadn’t passed and during that conversation I made a passing comment without thinking about it:
“Oh well can’t pass them all. Just means I have more to learn which isn’t a bad thing xxxxxxxxxxx”Ricky Birtles
That comment struck a cord with me that rang true and made me decide I would make this blog post.
About the training material
So what is the eWPTXv2? Well I will let Elearnsecurity tell you in their own words:
“eLearnSecurity’s eWPTX (eLearnSecurity Web Application Penetration Tester eXtreme) certification is the most practical and professionally oriented certification you can obtain in web application penetration testing.
Instead of putting you through a series of multiple-choice questions, you are expected to perform an actual penetration test on a web application. This penetration test is modeled after a real-world scenario.
Not only do you have to try different methodologies to conduct a thorough penetration test, but you will also be asked to write a complete report as part of your evaluation. These are the same kinds of reports that will make you a valuable asset in the corporate sector.”https://www.elearnsecurity.com/course/web_application_penetration_testing_extreme/
The training syllabus spans 15 modules:
- Module 1 : Encoding and Filtering
- Module 2 : Evasion Basics
- Module 3 : Cross-Site Scripting
- Module 4 : XSS – Filter Evasion and WAF Bypassing
- Module 5 : Cross-Site Request Forgery
- Module 6 : HTML5
- Module 7 : SQL Injection
- Module 8 : SQLi – Filter Evasion and WAF Bypassing
- Module 9 : XML Attacks
- Module 10 : Attacking Serialization
- Module 11 : Server Side Attacks
- Module 12 : Attacking Crypto
- Module 13 : Attacking Authentication & SSO
- Module 14 : Pentesting APIs & Cloud Applications
- Module 15 : Attacking LDAP-based Implementations
Thinking back, I took a bit of a poor approach to studying for this exam, maybe poor is the wrong word but I wasn’t as dedicated as I should have been and didn’t use everything available to me. Each module comes with a pdf slide deck covering the topic and some modules come with one or more accompanying videos.
I went through said pdfs and videos, once. Rereading only one or two sections again before moving on.
Elearnsecurity also provides sixteen labs, covering the modules and giving you something real you can dig your teeth into and practise the topics you are covering in the slides. This will allow you to really confirm your understanding of the topics and see where you have any sticking points or at least they would have if I took the time to do them … yer I know, I am kicking myself too. I for some reason wanted to just jump right into the exam and as such skipped passed these. That was a mistake.
They also have a forum where you can ask questions, exchange ideas or ask/search for others who have asked for help if you find yourself getting stuck on a lab. It’s well worth using this resource as well.
Tell us about the exam you fool!
So as is standard with all Elearnsecurity’s exams (at least from my understanding), when you kick the exam off you get a “letter of engagement”, this details your scope for the test, outlining your targets, goals and what you need to produce as a result of the exam. They also provide details on how to get the VPN connection setup and working (DNS over openvpn can be a pain at times with network manager doing you over).
The first step for me was to take a look at the targets just using a browser (I had my traffic going through Burp), and have a click around, get a feel for the functions available to me, take note of anything that stuck out as warranting a more detailed look at, such as any place with clear user interaction (input fields, pages that passed parameters etc).
After getting a feel for the app it was time to kick off some active recon before poking things. As such I set off a few tools running in the background, Burp’s discovery feature is always a good one, I supplement this with the use of ffuf, relaying anything with a status code 200 into Burp to help full up the site map and maybe find some interesting files/directories.
Hack the planet!
Unfortunately, I’m not going to be able to go into much detail at all about the exam and its content, so I will be very vague.
Now we get to the fun bit, breaking things. During this phase I was going through all the interesting looking things I had already found, poking them to see how they responded, going off initial assumptions and seeing if they were correct. One example being a page with multiple user inputs, they looked like most of them could be reflected within the application after the interaction. It turned out I was correct. This resulted in me playing around with the input fields seeing if I could get them to do anything interesting.
This type of finding something interesting, poking it with a stick to see if I could get it to do something strange continued for the majority of the test. At times I would get as far as I could with one thing at that time and switch to something else, just to free my mind from it and see if I’d get a bright idea while not focusing on it.
Reviewing the items found by the active recon also yielded some interesting results. Such as file names that caught my eye or output that seemed a little strange and warranted further investigation. Some of these things may have not been out of place at all but purely based on a feeling I had to take a look and dig in a little. Some times it resulted in nothing and at other times it paid off.
This whole process was rinsed and repeated resulting in a broad number of findings BUT they were all shallow, what do I mean by that? During the exam I found an SQLi, I was able to get very basic output from it such as the current user and database name but more complex queries were just failing. This could be due to some form of filtering or character limit, unfortunately, I didn’t get to the bottom of it. This theme carried over to a lot of my findings, I had a broad range of issues I had found but the depth of exploitation per issues was too shallow and not enough to be useful. As the exam end got closer I found myself bouncing between issues spending less time on them and more time moving to something else just trying to get that next step, it didn’t help.
I really didn’t make full use of all the training Elearnsecurity provided me with, could that be the reason I failed? Maybe or I just didn’t have the skill to complete this particular exam at this particular time.
Am I upset I didn’t pass? Not really, I mean sure I would rather I passed, who wouldn’t rather they passed an exam they attempted but I aim to not let things like this bother me, all I can do is learn from it.
Advice to myself? Go through the training docs again, take your time with each topic and follow it up with the labs to ensure you fully understand things. Also, practise more SQL injection and filter evasion by hand.
For the moment I am going to take a break from this exam and look at something else.
- I took the WAPTX, I failed it
- I personally found the training (that I completed) to be of a good standard
- Would I recommend this course to others? Yes, yes I would!