From April 1st to April 23rd 2020, I spent most of my waking moments sitting in a dark room, tapping away in an attempt to break into 28 machines on a target network and steal all of their data. After a few days of this, typing far more than I do in my day job, my fingers started aching and I had to switch from an Apple Magic Keyboard to a proper mechanical keyboard (granted, one designed for gaming). On several occasions I woke up in the middle of the night with a sudden flash of the solution, and more often than not promptly fell back asleep without making note of the requisite steps.
This happened a few times

This wasn’t an Iranian nuclear facility… It was Slayer Labs, a range of vulnerable machines designed to be hacked, much like the OSCP labs or HackTheBox. There were, however, some important differences between this and the OSCP labs:

  • Price: Slayer Labs runs $34 for 30 days of access, while OSCP is $3591 for the same amount of time.
  • Post-exploitation: Slayer Labs is a more cohesive network, in that many of the targets are dependent on adequate post-exploitation of earlier boxes. While the OSCP labs require some lateral movement, it seems like more of an afterthought than a network designed to look like a corporate network2.
  • Heavy Active Directory usage: Windows is my weakest platform in general, especially if Active Directory is involved. Despite hearing about PowerSploit many, many… many times from my good friend Chris Campbell, I had never used Powershell before in any capacity.
  • Possibly less-crowded labs: While I don’t know the numbers on either platform, it seemed like Slayer Labs were less crowded, in that I never saw artifacts of another user nor did any machine get reverted while I was attacking it.
  • No forums, IRC channel, or write-ups: Slayer is a bit more pure, in that the only resources provided are a list of (some of) the targets by name and IP address, and a “dossier” with some rules and general hints. There are no cryptic target-specific hints other than information found during post-exploitation3, and nowhere to ask for help. In no sense is this a teaching lab; connect to the VPN and either figure it out or quit.

The lab is listed as having an “overall” difficulty of Intermediate, with some targets being very easy, and some fairly difficult. I found the first ~10 targets (keep in mind the lab is largely non-linear) to be relatively straightforward, even having not done any “pentesting” since taking OSCP. The difficulty quickly ramped up from there. The hard targets (described as “boss levels”) were difficult enough to be interesting, but not so difficult as to get stuck for extended periods of time. While I also hold the more-advanced OSCE and OSEE certifications, those skills were not particularly useful as there is no requirement to do exploit development in this lab. An experienced pentester with non-zero Active Directory experience would likely have an easier time getting through the lab, but I believe it would still be challenging enough to be interesting.

One might look at this lab and assume that it’s intended for people with OSCP-level knowledge and experience, but that may be deceiving. A number of friends and colleagues are also working through the lab as of this writing with varying levels of experience, mostly closer to “never done pentesting before.” As an inexpensive prerequisite to signing up for OSCP, Slayer Labs’ value becomes very obvious: if a student is able to make progress on these targets, then the underlying research skills and try-harder mentality required are likely already in place. Many of the early targets seem to be harder than the average OSCP lab machine. I suspect my friends will be pleasantly surprised when they do enter the OSCP labs and see the progress that they will be able to make in a short period of time.

It’s worth noting that this is a very new service, and not without its hiccups. The sign-up process involves sending an email, and for payment the only option is Paypal, which seems a bit archaic. The VPN occasionally dies for 15 minutes or so, which is usually a sign that it’s time to walk around a bit anyway. The VPN profiles seem to be managed somewhat manually, as mine expired for a night before being remedied. That said, the email support is phenomenal, with quick responses clearly written by a real person.

At one point I ran a somewhat risky attack against a Domain Controller that caused a service to die, only to learn that the DCs couldn’t be reverted from the range’s web interface. Sheepishly, I emailed an explanation of what I had tried and a possible fix, worried that I had run afoul of the “don’t use exploits, they might crash the DC (but feature abuse is acceptable)” rule. The technique was deemed allowable, and the Domain Controller was added to the revert interface within a few minutes.

After 23 days and nearly 70 hours, I successfully obtained a root shell on the final box. Immediately there was a sense of “what am I going to do with all of this new free time?” much like after watching 10 seasons of a show only to learn that the next season is 18 months away. I look forward to seeing what new challenges Slayer Labs has in store for the future!

Disclaimer: This post was not sponsored by anyone, but I did receive a free trial for 16 days while they were in an introductory period.

  1. Note that this is the 30-day extension price. It doesn’t include the course materials or exam attempt, to try to compare apples with apples. 

  2. As a caveat, I went through the OSCP labs in late 2017 to early 2018. Offensive Security released a new version this year that may address this. 

  3. And references to many ’80s movies, many of which I haven’t seen.