September 29, 2023

A Short Review of Pentesterlabs Essential Badge

For those that don’t know, pentesterlabs.com is a website that takes you through the methods and tools used primarily for web hacking.

The Essentials badge introduces many of the popular methodologies used when web hacking. The site itself describes the badge as follows: “This badge aims at covering the most common web vulnerabilities with easy-to-understand examples.”

They are organised in alphabetical order, rather than difficulty, which came as a relief as I found the Code Execution part to be the most difficult. Each topic is a high-level overview of the vulnerability/exploit to help you grok the subject.

I had been looking forward to the SQL Injection tutorial the most as I have run SQLmap in the past and was both surprised and impressed by what you could do. For example, I could use SQLmap to generate table names, db names, users and passwords and even drop a shell. The introduction falls well short of this as it only describes a few variations on the most basic of SQLi: ' OR 1=1#

Thankfully, a quick check of the other badges does show that there is a course called “From SQL Injection to Shell” which takes you through a more in-depth process, and I look forward to completing the exercises to get the White Badge.

I enjoyed the MongoDB Injection overview the most. There is a section in which you follow along writing out a Ruby script to dump the password key from within the database. I have commented in my copy of the script how it works, so I definitely expect to use and modify it for later tasks.

The last section of the Essentials Badge covers XSS (Cross-Site Scripting), which has ten exercises to follow. The final exercise involves creating a request to send to a webhook site so you can grab the requester’s cookie. It was a really cool way of ending off the badge exercises.

The next badge on my list to do is the PCAP one. This goes into Packet Capture. The first lesson requires you to install Wireshark so you can analyse a packet capture file. Already I have learned something by its recommendation that I right-click the displayed data and ‘Follow TCP Stream’ to get information. I am looking forward to this badge a lot!

I have a great appreciation for this site and much credit needs to go to the creator of the site for putting time and effort into creating a coherent and methodological course that takes a beginner through the various avenues that web hackers take. The lessons seem very relevant and up to date with recent examples, something that you would not get in a book.

I’ll definitely be continuing my subscription! 🙂