eLearnSecurity Certified Penetration Tester eXtreme (eCPTX) Review

PREFACE

I wasn’t initially planning on going this far with my eLS/INE journey, but I had access to a premium subscription and had a discounted voucher which I decided to use for this exam. Literally about 2 weeks after I purchased the voucher, INE announced (initially via an email that went to spam for me) that it would be retiring this certification exam along with several others by June 30. If you had a voucher for any of these exams, you would be required to take the exam and submit your report by June 30. The retirement date was later pushed out to October 1. I figured this was doable as my subscription was expiring before then anyway. This certification marked the end of my journey with eLS/INE.

THE COURSE

The accompanying course to the eLearnSecurity Certified Penetration Tester eXtreme (eCPTX) exam is the Advanced Penetration Testing course, which is accessible with an INE premium subscription. As of May 1 of this year, the voucher for this exam is no longer available for purchase.

The course for this exam is overwhelming to say the least. Topics include:

Social Engineering Attack Vectors
Red Teaming Active Directory
Red Teaming MSSQL, Exchange and WSUS
Defense Evasion

A lot of the modules were what I could only describe as death by powerpoint. There is undoubtedly a lot of good info in here, but the delivery method was less than favorable. The included videos did help a bit, though. The course mainly focuses on red team techniques including email phishing, Active Directory attacks, and attacks against Windows services like WSUS, Exchange, and MS-SQL. The course, however, won’t run through any basic enumeration or attack vectors as those are assumed prerequisites for this course and exam.

This course is a few years old, but I would argue that the majority of the content is probably some of the more relevant content in INE’s catalog, which makes this exam’s retirement more of a shame. Keep in mind that even though the exam/cert is being retired and the course content removed from the old eLearnSecurity platform, it will remain accessible on INE’s platform.

I must say that the labs for this course were very well-designed by the eLS folks, but feel that the course could have benefited from more labs. Furthermore, because the course was designed by eLS before its acquisition by INE, the folks at INE had no idea how to properly maintain these labs and there were a lot of stability and accessibility issues. I did not dwell too much on these labs and instead chose to supplement some of my learning with the Practical Ethical Hacker and Movement, Pivoting and Persistence courses from the wonderful folks over at TCM Security. NOTE: The MPP course is being retired from TCM Academy and after November 15, 2023, it will no longer be accessible through TCM’s All-Access Membership. However, if you purchased the course prior to TCM switching to a subscription model, you will maintain access. For those of you that wish to maintain access to this course (and I highly recommend it), TCM has opened up the course until November 15 11:59 PM EST for individual purchase.

It took me a few months on and off to get to where I felt comfortable enough to attempt the exam. By this time, I was juggling and overwhelmed by studies for both eWPTX and OSCP. Since I had a definite deadline for this exam, I just went for it. As usual, I took notes in Obsidian.

EXAM PROCESS

There is no need to schedule this exam. You can log into the members area and start the exam at a time that is best for you. This exam is different than most of the others as it is more time limited. Once you begin, you are given 2 days in the exam environment to complete the technical portion of the exam. Once you finish (or the environment expires), you are given an additional 2 days to write and submit your penetration testing report for review (4 days total). Once you submit your report, receiving your results can take up to 30 days (this can vary greatly).

THE EXAM

When you begin the exam, you are given the letter of engagement. This details what’s in scope for you to test. This also includes the necessary but not sufficient task(s) that you must complete and document in order to pass this exam. I must say that the letter of engagement for this exam was rather confusing and it wasn’t quite clear what the exact requirements were and, therefore, I failed my first attempt on this one (more on this below).

This exam was probably one of the more difficult exams I have taken to date, but I wouldn’t say it was overly difficult. There were some things that could be considered advanced, but for the most part, I think it covered fairly basic (but very relevant) Active Directory attack vectors. This exam does have some time crunch as compared to most other eLS/INE exams, but I think the required tasks are doable in this amount of time.

This was another of INE’s most complained about lab and exam environments in terms of stability, so I was a bit apprehensive considering the shorter amount of time to complete this exam and the fact that I had only until October 1 to submit the report for this exam. The exam environment actually turned out to be pretty stable and I cannot recall having to reset the environment at all.

All in all, I quite enjoyed this exam. There was a good mix of enumeration, different Active Directory attack vectors, pivoting, a bit of debugging and exploit development and there were some CTF-like elements thrown in as well. Initally, I submitted a 44 page report and it took about 17 business days to receive the results, which turned out to be a fail because I didn’t show the reading of the required flag from all 3 access paths. I had full domain admin compromise and had access to the flag, but it seems they wanted you to show that access from each path even if you abused the exact same trust method between servers. I amended this portion of my report, but was still in doubt if it was all that I was really missing, moreso because this was my last chance ever to take this exam. I submitted a 54 page report and received my pass in about 16 business days.

OVERALL THOUGHTS

This course and exam definitely presented some challenging concepts, which in my opinion, are still totally relevant and applicable, probably moreso than the rest of INE’s content. It’s really baffling that they chose to retire this particular exam, especially considering that they currently have no other course/exam covering Active Directory. Overall, I enjoyed the learning process and testing out some of these Active Directory attacks.

EXAM TIPS

I won’t bother giving out any exam specific tips for this one since the exam is no longer being offered, but some of the general tips apply here:

Do not overthink and do not let the stress get the best of you. Make sure to eat well, stay hydrated and get adequate amounts of sleep and breaks.

Make sure you have all of your notes and screenshots in order. I used Obsidian to take notes and Flameshot to take screenshots.

Never skimp out on the enumeration phase. This is vital to the success on the rest of your exam and on real engagements as well.

Focus on the report writing. As usual, it is an important part of the exam. Make sure it is professional grade and documents what you performed in detail.

Most importantly, do not give up. It’s easy to feel defeated and discouraged if you fail, but you can only do the best that you can do.