Professional Labs offer interactive, hands-on experience with complex scenarios that simulate a real-world red team engagement. Professional Labs are comprised of encapsulated networks of Boxes that utilize various operating systems, security configurations, and exploit paths to provide the perfect opportunity to level up your red-team skills.

This is a very different experience from pentesting individual Boxes. When working on a Professional Lab, you'll have to scan entire subnets, pivot between hosts, and think about how different nodes on the network relate to one another.

Each Professional Lab has an Overview that contains all of the information you may want to know before starting the lab. At the top of the Overview, you can view how many Boxes and Flags the lab contains, its difficulty rating, and which Penetration Tester Level it is considered to be.

Further down on the page, you'll find a description of the lab's premise, an explanation of its target audience, as well as some details about what type of skills you'll learn and technologies you'll interact with.

The Lab page also includes an Introduction that covers much of the same material in the Overview tab.

Since Professional Labs are comprised of entire networks, as opposed to a single Box, they specify an entry point for your initial enumeration. Typically, this entry point is an entire subnet.

Most often, the first action you should take when starting a Professional Lab is to perform a scan on this subnet to see what hosts you can find.

You can find this at the top of the same page that contains the lab overview.

Alternatively, you can figure out which subnet you to begin scanning by viewing your routing table after connecting to the VPN. The destination subnet that corresponds with your VPN connections gateway is the subnet you initially have access to.

If you aren't sure how to get connected to your Professional Lab's network, be sure to read the following article:

As you submit flags, your progress in the lab will increase. In the flag list provided on the Lab page, each flag will be marked as owned as you submit it.

While the flag order indicates the normal progression through the lab, it's not necessary for you to follow this exact sequence. Depending on the path you take, you may find yourself occasionally submitting flags out of order.

Different flags have different quantities of Points associated with them- some flags are worth more than others. The amount of Points you have determines your position within the lab's Leaderboard.

Assuming your Admin has enabled this feature, you will be able to view how many Points each user has in the Members panel on the right.

Depending on your lab's settings, you may be able to view a writeup that documents each step of completing the lab. This document is confidential and should not be shared.

If available, you can view the lab's writeup by clicking on the Expand button in the top right of the Lab page.

Scrolling down in this side panel, you also find a list of each Box present in the Professional Lab, as well as an icon representing the operating system each Box uses.

Every lab is different, and figuring out how to tackle it is a part of the challenge! If you get stuck, you can consult the write-up if it's been made available to you. However, if you don't have access to the writeup, and are new to the concept of a Professional Lab, knowing how to begin can be daunting.

While this article can't give any specific information on any particular lab, there are a few steps that are generally good to use as a kick-off point.

Every Professional Lab (excluding Cloud Labs) starts by giving you access to an initial network. While there are usually multiple networks, this is where you need to gain your first foothold in the lab.

Scanning this entry network for any online hosts is a good idea. Something like the following will work: sudo nmap -sn 10.10.110.0/24 (if 10.10.110.0/24 happened to be your initial subnet). Make sure you run nmap with sudo, by the way, as nmap requires privileged access.

The above will do a quick ping scan of the entire network, and let you know which hosts are online. This narrows your focus from an entire subnet to a small list of IP addresses.

Now that you have some IPs to scan, the next logical step is to check for any exposed ports and running services that you can access on those hosts.

To get some extra information, you'll likely want to use the default scripts and service enumeration options nmap provides. A classic, go-to scan to start with is the following:

sudo nmap -sV -v -p- <IP>

At this point, you should have a decent amount of starting information. You know what hosts are accessible on the entry network, and what ports/services are accessible on those hosts. It's probably a good time to start taking some notes.

Professional Labs are big and often complex. You'll want to take detailed notes describing each subnet, each host, what ports are open, interesting bits of information you find, etc. Found a search parameter that might be injectable? Write it down. There's a port open that you aren't familiar with? Add it to your notes.

Keep track of what you've looked into, what exploits you've tried, and what you have decided to ignore. All too often, we make an implicit assumption or choose to ignore something because we don't think it's relevant, only for that to come up again later. If you document yourself at every step, you'll be able to come back to it later and analyze your own work.

If you are looking for a good notetaking app, Notion, Obsidian, and CherryTree are all great options that are popular with our users.