The Port Swigger Labs
The Post Swigger Academy Labs experience
Often called the Burp Labs
Posted on June 28, 2020
Walkthrough helpers for almost all labs can be found here. In an attempt to further boost and hone my pentesting skills, I decided to spend some time in the Port Swigger Labs. What started as a simple desire to improve on my weaker points turned into a 6 week long journey throughout which I got exposed to some really interesting vectors, learned a lot and finished ranked 7th worldwide in the Hall of Fame (at the time of writing).
Initially, I started writing down a few thoughts after every week, but I think they clutter the Rants section a bit too much, so I'll just quick link them here:
Burp labs week 1: Starting the labs
Burp labs week 2: Continuining the labs
Burp labs week 3: Building momentum and my methodology
Burp labs week 4: Errors in my methodology
Burp labs week 5: Keeping busy and a screeching halt
Burp labs week 6: Done!
The labs have been one of the best, if not the best, kind of infosec related material that I have ever experienced. It keeps the same gamified experience that HackTheBox offers, but the topics are much more constrained in scope. The vast majority of the labs focus on one specific vector and how to achieve it. Generally they are pretty flexible with the payload used, but sometimes the "Lab Complete" prompt doesn't show up even if you achieved the desired exploit. Feel free to refer to the solution if this happens.
A lab instance expires after 15 minutes of inactivity or 1 hour since its creation has passed, whichever occurs first. For Apprentice and a good part of the Practioner labs, you probably won't hit the 1 hour mark, but once you start dealing with Expert labs, you'll get very familiar with the "This session has expired" message. Which can be a bit annoying and can straight up prevent you from completing a lab. Such is the case for the "2FA bypass using a brute-force attack" lab. A writeup with the correct answer is available in my github repo.
The writeups
Once I started encountering some of the more difficult labs, I figured I'd upload the payloads used in a github repo. I know there is already a video series on most of the labs, but I tend to find video as a less efficient way of doing things. If anything, my writeups will at least complement the video solutions. To the best of my knowledge, none of the labs require Burp Pro, but it does help substantially in some cases - such as the CSRF labs.
The solutions provided by Port Swigger are generally good to very good with some exceptions. I think there are 2 lab solutions that are missing some steps, one of them being the one mentioned above. My Github repo should contain the exact payloads used for almost all the labs, bar some trivial ones that I did in my first week. I hope it helps people, especially those without Burp Pro.
Besides providing a hand to other students, I used the writeups as a way to go over the attack vector again. In a way, I decided to write in order to learn. This helped solidify the material in my mind, which proved to be useful in many of my real engagements.
Recommended for all skill levels
To reiterate, the labs are fantastic. The quality is fantastic. If you have any interest in pen testing and understanding how web vulnerabilities work, go do them right now. If you already are a pen tester, even an experienced one, I'd still recommend going through at least some of the labs. Have a go at the expert ones and see how that goes. While I haven't shied away from checking the solution if stuck on a lab, I do intend to return every now and then and try to do some of the labs without checking the solution, just as a way to test my knowledge and gauge my progress.
For now, it's time to put my new skills to the test.
Update July 2nd 2020
A new section got added to the labs, deserialization. I managed to complete some of them before the solutions got uploaded, but they were really tough. I was able to snag 7th place in the Hall of Fame!