Note: This article is intended for Enterprise and B2B customers.

Professional Labs offer interactive, hands-on experience with complex scenarios that simulate a real-world red team engagement. Professional Labs are comprised of encapsulated networks of Machines that utilize various operating systems, security configurations, and exploit paths to provide the perfect opportunity to level up your red-team skills.

This is a very different experience from pentesting individual Machines. When working on a Professional Lab, you'll have to scan entire subnets, pivot between hosts, and think about how different nodes on the network relate to one another.

Each Professional Lab has an Overview that contains all of the information you may want to know before starting the lab. At the top of the Overview, you can view how many Machines and Flags the lab contains, its difficulty rating, and which Penetration Tester Level it is considered to be.

Further down on the page, you'll find a description of the lab's premise, an explanation of its target audience, as well as some details about what type of skills you'll learn and technologies you'll interact with.

The Lab page also includes an Introduction that covers much of the same material in the Overview tab.

Since Professional Labs are comprised of entire networks, as opposed to a single Machine, they specify an entry point for your initial enumeration. Typically, this entry point is an entire subnet.

Most often, the first action you should take when starting a Professional Lab is to perform a scan on this subnet to see what hosts you can find.

You can find this at the top of the same page that contains the lab overview.

Alternatively, you can figure out which subnet you to begin scanning by viewing your routing table after connecting to the VPN. The destination subnet that corresponds with your VPN connections gateway is the subnet you initially have access to.

If you aren't sure how to get connected to your Professional Lab's network, be sure to read the following article:

Click the button below to learn how to connect to your Professional Lab:

As you submit flags, your progress in the lab will increase. In the flag list provided on the Lab page, each flag will be marked as owned as you submit it.

While the flag order indicates the normal progression through the lab, it's not necessary for you to follow this exact sequence. Depending on the path you take, you may find yourself occasionally submitting flags out of order.

Different flags have different quantities of Points associated with them- some flags are worth more than others. The amount of Points you have determines your position within the lab's Leaderboard.

Assuming your Admin has enabled this feature, you will be able to view how many Points each user has in the Members panel on the right.

Depending on your lab's settings, you may be able to view a writeup that documents each step of completing the lab. This document is confidential and should not be shared.

If available, you can view the lab's writeup by clicking on the Expand button in the top right of the Lab page.

Scrolling down in this side panel, you also find a list of each Machine present in the Professional Lab, as well as an icon representing the operating system each Machine uses.

Every lab is different, and figuring out how to tackle it is a part of the challenge! If you get stuck, you can consult the write-up if it's been made available to you. However, if you don't have access to the writeup, and are new to the concept of a Professional Lab, knowing how to begin can be daunting.

While this article can't give any specific information on any particular lab, there are a few steps that are generally good to use as a kick-off point.

Every Professional Lab (excluding Cloud Labs) starts by giving you access to an initial network. While there are usually multiple networks, this is where you need to gain your first foothold in the lab.

Scanning this entry network for any online hosts is a good idea. Something like the following will work: sudo nmap -sn 10.10.110.0/24 (if 10.10.110.0/24 happened to be your initial subnet). Make sure you run nmap with sudo, by the way, as nmap requires privileged access.

The above will do a quick ping scan of the entire network, and let you know which hosts are online. This narrows your focus from an entire subnet to a small list of IP addresses.

Now that you have some IPs to scan, the next logical step is to check for any exposed ports and running services that you can access on those hosts.

To get some extra information, you'll likely want to use the default scripts and service enumeration options nmap provides. A classic, go-to scan to start with is the following:

sudo nmap -sV -v -p- <IP>

At this point, you should have a decent amount of starting information. You know what hosts are accessible on the entry network and what ports/services are accessible on those hosts. It's probably a good time to start taking some notes.

Professional Labs are big and often complex. You'll want to take detailed notes describing each subnet, each host, what ports are open, interesting bits of information you find, etc. Found a search parameter that might be injectable? Write it down. Is there a port open that you aren't familiar with? Add it to your notes.

Keep track of what you've looked into, what exploits you've tried, and what you have decided to ignore. All too often, we make an implicit assumption or choose to ignore something because we don't think it's relevant, only for that to come up again later. If you document yourself at every step, you'll be able to come back to it later and analyze your own work.

If you are looking for a good notetaking app, Notion, Obsidian, and CherryTree are all great options that are popular with our users.

The Restore Point enables you to regain root access to previously completed machines in each of the Professional Lab scenarios. Upon successfully submitting a root flag for a Professional Lab machine that supports Restore Point, the platform stores this information, allowing you to restore root access at your convenience in the future.

Once you Enter the Lab, you can see the flags that support Restore Points once you own them, this feature is available by default for all supported labs.

Once you own that flag, you can now use it as a save point to get back on speed faster after a reset of the Professional Lab scenario instead of replaying the whole scenario from the beginning.

In order to receive the shell for that Restore Point, follow these two simple steps:

Step 1: Once connected to the VPN, you need to run a listener using the command nc -lvnp 9001 on your terminal.

Step 2: With the listener running, Click on the “Restore” action to receive the shell on that machine.

You can now use the shell you received to continue working on the lab from where you left off.

Once you have submitted all flags for a Professional Lab you will be awarded a Certificate that will include the date, location, length, subject areas covered, and CPE credits, you can use this certification to acquire CPE credits from any organization.

You can download this certificate from 'My Profile' and choose the 'Certificates' tab.