BreachLab | Ghost Track

Over the past week I’ve been spending my time on a site I came across that promised to help in security training, zero hand-holding, and other security concepts.

I’ve studied with Capture The Flag sites like TryHackMe or HackTheBox which has you VPN your attack box to the same network your victim machine is on then find how to take over the machine then either submit a flag at the end when you’ve gotten root or at stepping stones along the way.

This platform changes this dynamic by having you SSH into a machine and focus on certain lessons then submit a flag once you’ve completed the lesson. This allows them to make sure you’ve built up the needed skills to get your footing and continue to build on those skill sets on other Tracks.

“The most comprehensive offensive security training platform in the world. 13 tracks, 320+ levels, zero hand-holding. From Linux basics to red team operations, container escapes to darknet OPSEC, web exploitation to AI/LLM attacks. No other platform covers this range in one place.” - BreachLab

The platform doesn’t allow direct write-ups about it’s levels to ensure it puts students through real life research and exploration. Instead, I’ll be writing a general review of the Ghost Track. It starts at the very basic of learning the CLI and common tools such as nmap, nc, curl, ssh, git, and even has you start thinking about how to write your own tools during an engagement or audit.

Between the website level information and then the SSH MOTD (see above) there’s usually enough information to put you on the right track without hand holding. I got stuck more than a couple times and needed to use the recommended help pages that would sometimes have a possible solution to the challenge. Meaning you have to know what you have available to you, research those options or tools, and find a way to overcome the challenge. Don’t be surprised if you don’t even have access to text editing binaries at points.

One of the things BreachLab does well is making you keep notes on each level. Since each level you complete has a flag to capture and the flag is the password to the next level you will need to work through all the previous levels until you get the password to your level back. You wouldn’t think it but documentation is such a crucial step when running an engagement or audit but sometimes we get through a wall and forget to write down what worked or what didn’t.

“Tracks are live but still hardening — flags can rotate, points can be recomputed after integrity audits, levels can be patched.” - BreachLab

Where I haven’t seen it happen yet BreachLab says that the Flags can be swapped out and recalculated so if you don’t finish a track fast enough you may lose a level or you may lose an entire track.. I hate to say I’m curious to find out.

All in all the Ghost track took about 8 hours in total with 3 or 4 specific levels taking up a majority of that time. The final level where everything is tied together is a great test of the track skills