my experiences on pentesterlab

In 2020, I started doing exercises on the PentesterLab (PTL) platform. To date, I’ve earned 16 badges (certificates) on the site, and have completed 440 exercises with only 13 currently available exercises left to tackle. Last night I became the 4th completion of the Brown Badge, and I realized I’ve never really shared or posted about my efforts or thoughts on the site.

PentesterLab is an online platform founded by Louis Nyfenegger which aims to teach students web application testing skills using hands-on curated labs that require practical skills to solve exercises. You know, for web pentesting and bug bounty hunting! The lab exercises are largely performed on a web application that the platform spins up, and students attempt to find a hidden key or achieve execution of a scoring binary on the target system to get the exercise completed. A huge section of code review challenges is an exception to this formula where students provide the file name, line number, and type of vulnerability present in order to score the exercise as completed.

All exercises include an introductory description, though some are quick and throw students right into the challenge, while others provide lengthy in depth discussions of the techniques and exploits utilized. I’ve always found these to be at the right level of detail for me to see success on the platform, with a nice mix of research, reflection, and rote practice.

Many exercises have video solutions posted by Louis, but if you play along early enough before they get posted, you don’t have the luxury of a solution key to fall back onto. Plenty of the exercises still today do not have solutions posted, adding to the challenge of completing some of the badges. But, most of them do, which allows students to challenge themselves at their own tolerance levels before peeking at the videos. Also, those videos don’t actually give you the scoring key. To score a completion, students still have to go through the practical steps to exploit and solve the exercises.

Overall, it’s been an excellent platform I’ve been on for a few years and has helped me learn a ton of things relating to web app security.

Surprisingly, the exercises have a decent replay value to them. With so many, by the time six months pass, I won’t remember all the solution details if I revisit something. But, more importantly, I can solve them in different ways. A good example is the HTTP badge, which can be entirely solved using curl commands, but I also have chosen to solve them with Python and Ruby scripts as well. Many solutions can be derived using a scripting language of choice, providing additional opportunity to hone new skills. The platform accommodates this as you can run the scoring binary again, and the site will tell you it was a fresh score. And obviously you can just retrieve the correct key from the site for those challenges.

Another thing I like about the platform is how it dances between the line of being a platform of exercises versus a platform that is just a course. It really ends up doing both, which I appreciate and fits into the way any penetration tester should be learning and tackling these things. Courses are great to teach things, but practical exercises are irreplaceable hands-on opportunities. And leaving some details out or fuzzy will cause the student to do some outside research, think a little, try and fail at things, and then try harder. And this is ultimately the mindset a tester needs to have, since they won’t normally have access to hints, nudges, or answers out in the real world of testing.

Much like almost any pentesting lab or series of challenges, there are also some very specifically vulnerable entries that are unlikely to be found in the wild, but they do act as ways to think about things differently, or open creative avenues that may be useful in the future, even if today that particular vulnerability is solved or just so derived that it’s not realistic.

My scripting skills have markedly improved in Python and Ruby during this course. Coming into this, I was passable with Python and had 0 experience with Ruby beyond maybe running an exploit of EDB or something. But, during this course I’ve had the chance to write more Python and Ruby scripts, or edit and adjust existing ones or those from the answer videos, that I feel comfortable digging into deeper topics and weaponizing exploits. In addition, students can walk away with scripts that can act as frameworks for future endeavors. Maybe a script to generate a tampered JWT will work in other engagements, or maybe that deserializer can be used the same way for a test a year from now.

Likewise, I’ve used Burp Suite for many years, but like any complex tool, that skill only sticks around as long as one greases the wheels on a regular basis and uses it. I get to drop into Burp on most exercises, and poke and prod and learn new things.

And just like any pentesting learning platform, all of this is often about three important things: exposure, experience, and practice. PTL ends up providing all three, which is great for building a body of experience and confidence in the skills.

For someone looking to prep for something like the OSCP, I’d say there’s no real hand-holding here to get your testing platform up and running or for easing into understanding and using Kali, Linux, Burp, HTTP, or other possible tools. Still, the badges I suggest below to start out will still be helpful to anyone going for their OSCP, as there is still plenty of web application exploits and targets present in the OSCP course and exam.

For someone looking to get into we app pentesting or bug bounties or even pentesting in general, I’d say do everything here! As far as skill level expected, I’d say something like the SANS SEC542 course and GWAPT exam probably can act as a more introductory-friendly way to dive into web app testing and understand the essentials, but I’d immediately follow that up with running through PTL. OSCP courses and things like eCPPT probably similarly can ease students less comfortable with things like Linux and Burp and web coding concepts.

Students who find the most success, though, should come to this platform with a comfort level in operating Kali Linux, web server architecture (most specifically Apache server operation), using Burp Suite (proxy and repeater, nothing intense), maybe a fuzzer like wfuzz, reading packet captures, and definitely have some comfort level in or ability to learn web code and scripting. Good examples will be some php, javascript, and java, but mostly python and ruby. This may sound daunting, but most of this is about exposure and being in a position to take the next steps and not be hung up on what Python is or what cat /etc/passwd means or how to intercept using Burp. I’m not sure PTL is good for “My First Reverse Shell From a Web Server,” but it’ll be the next steps after the first one.

The platform is not entirely clear what order to tackle the badges in. I’ll attempt to provide some guidance here, but generally speaking, tackle the ones that have the most completions first, and the ones with less completions later on.

I would suggest students or those with newer skill levels in the topics tackle these badges first: INTRODUCTION, ESSENTIAL, UNIX, RECON, HTTP, PCAP. These all really hone in on specific tasks and other foundational concepts that will be useful at all levels. And for those who know these topics, you may still learn something new of have an opportunity to solve them in different ways. For example, maybe parse the PCAP programmatically instead of in Wireshark. Or in the HTTP badge, script the solutions rather than use curl. The Essential badge is where you find your beginner types of web app topics.

From here, you can honestly go anywhere else, but continue on for general guidance.

The API badge could be something to tackle next. This badge isn’t totally released at the time of this writing, but the exercises are pretty basic to date and follow the ESSENTIAL badge topics pretty well.

Going down the rabbit hole of the other badges, here’s a good route to follow: WHITE, YELLOW, BLUE, SERIALIZE, GREEN, BROWN. Most of these progress naturally, though the BROWN badge sometimes feels like it has exercises that could be slotted into the other badges, but those badges were already complete when these new CVE’s or attacks came out, and just needed a place to land. Still, several BROWN exercises directly suggest solving some others scattered elsewhere first.

The INTERCEPT and ORANGE and AUTHENTICATION/AUTHORIZATION badges are more intense as far as requiring more work on the student to host things like a DNS server or a public endpoint to perform XSS or other reflection attacks. These definitely present a different set of challenges. The AUTHENTICATION/AUTHORIZATION badge is all about SAML and OAuth, but again often require you to host an endpoint that is part of the exploitation path.

The CODE REVIEW badge is a weird one in that you’re reading code and identifying the problems in that code. There are also tons of videos separate from the exercises. Some of these give a half-dozen lines making them kind of easy, while others are long sections of code across multiple files which increases the difficulty of finding the needle in the haystack, as it were. Since this badge is super long and not completed yet, I suggest tackling these in between other badges to keep things fresh. Also, I consider this badge super unique in that I’ve not really seen exercises elsewhere before that specifically target code reviewing skills.

The ANDROID and CAPTURE-THE-FLAG badges are sort of one-off badges students can do whenever. ANDROID is specific to Android applications, and I have no idea how difficult these really are. Java and Android are well outside my comfort zone, so I leaned heavily on the videos to progress through these. The CAPTURE-THE-FLAG badge contains some common CTF-like challenges that involve web or crypto-related topics. They’re fine, but definitely not common fare for web app pen testers.

To date, I have done none of the JAVA SERIALIZE or MEDIA badges, so I can’t comment on those.

Overall, my time in this platform has been good and I’ve learned a ton and gained lots of confidence when it comes to understanding and even walking through various web exploits and weaknesses. I’m no developer, but I think I can hold my own discussing security topics on a practical level like one, though.