I would recommend using at least 5 hours on the first 4 labs. (Use them in hourly sessions, take a break after 1 hour.) Some of the tasks in these, can be quite time consuming, and if you don't have infinite credits I suggest making a "max time spent"-rule on the different objectives, e.g, 10-30 minutes each, as you can easily use more with some of them. (I wouldn't suggest using more than 60 minutes on one objective (within a specific lab), not even on the hard ones, which you can always come back to later on.)
Currently I'm also going through the labs, while taking notes, including how much time I spend. If you get stuck on one objective for a longer period, move to the next and try that instead.
The first two labs, can be completed in a relatively short amount of time, but lab 3 and 4, requires a bit more work, especially if you haven't tried out all the features in Burp Suite (free) yet, such as bruteforcing which I hardly ever do. I did learn something new, which I had to "instant-research", which was ViewState.
I had seen it before, but I didn't know exactly how it worked as I've mostly tested PHP sites where it doesn't exist. (So in that sense, it was interesting, especially to test ASP(x) scripts which is not something I do often. Of course the attack methodologies are almost the same, but there are a few key differences that are important.)
Note / Edit: Keep in mind there's ~330 objectives in total. At least from what I read, didn't count it myself. So if you plan on using 10 minutes on each objective, that's 3300 minutes, aka 55 hours. I would like to note, that some tasks will be very easy (e.g., 1-5 minutes), and others will be a lot harder (e.g., 10-15 minutes or more, there's a few I didn't finish as I was unsure whether my answers were right or not). :)
Last edited by MaXe
on Wed Feb 29, 2012 4:39 pm, edited 1 time in total.
I'm an InterN0T'er