eLearnSecurity Web application Penetration Tester eXtreme (eWPTX) Review

PREFACE

I wasn’t initially planning on going this far with my eLS/INE journey, but I had access to a premium subscription and a couple of vouchers that I had picked up during a sale. With my subscription expiring earlier this year, I decided to see if I could round out my journey with this cert and the eLearnSecurity Certified Penetration Tester eXtreme (eCPTX).

DISCLAIMER

I will NOT be giving away any exam spoilers or answers here. Feel free to contact me with questions, however, I am not willing to discuss any exam specifics or give any overt hints.

THE COURSE

The accompanying course to the eLearnSecurity Web application Penetration Tester eXtreme (eWPTX) exam is the Advanced Web Application Penetration Testing course, which is accessible with an INE premium subscription. The exam voucher itself will run you $400. While the course does cover all of the concepts you need to pass, this exam felt very CTF-like (more on this later) and the labs were very hit or miss.

The course does a good job of covering relevant web app pentesting concepts, many of which you will see on this exam, such as:

  • SQL Injection
  • Directory Traversal
  • Information Disclosure
  • Server-Side Request Forgery (SSRF)
  • XML External Entity (XXE)
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Server-Side Template Injection (SSTI)
  • Insecure Deserialization

It took me a few months on and off to get to where I felt comfortable enough to attempt the exam. For this course and exam, I took notes in Obsidian, making sure to jot down payloads in particular that could aid me during the exam.

EXAM PROCESS

There is no need to schedule this exam. You can log into the members area and start the exam at a time that is best for you. Once you begin, you are given 7 days in the exam environment to complete the technical portion of the exam. Once you finish (or the environment expires), you are given an additional 7 days to write and submit your penetration testing report for review (14 days total). Once you submit your report, receiving your results can take up to 30 days (this can vary greatly).

THE EXAM

When you begin the exam, you are given the letter of engagement. This details what’s in scope for you to test. This also includes the necessary but not sufficient task(s) that you must complete and document in order to pass this exam. Much like with eWPT, you are given a web app and you must test it for any and all vulnerabilities. The total amount of vulnerabilities is unknown, so I am not really sure what the exact metrics are for passing this exam.

This was a pretty rough exam and even though there were some cool vulnerabilities to exploit, I think this was the exam that I enjoyed the least in my whole eLS/INE journey. This exam was very CTF-like and had the most required tasks to pass. It took quite a bit to get into the flow of things, but once I did, the ball started rolling. Your enumeration must be strong for this exam, as you might not see certain things that are required to successfully pull off other exploits, and this is where it felt like a CTF. Another thing I will say is that you are expected to dive in a bit deeper with vulnerabilities such as SQL injection, for example. While you can use any tool you like, including sqlmap, simply proving the vulnerability exists is not enough; you must dive in deeper by customizing your sqlmap commands.

Due to my rather unpleasant eWPT experience, I was concerned about stability issues in the exam environment. Thankfully, it was stable for the most part. There was one particular instance that required logging in: it would log in once and then wouldn’t allow me to log in again. This required me to reset the environment a few times. But, overall, not too bad.

All in all, for this exam, I found around 17 vulnerabilities (these affected multiple areas) and submitted an 81-page report. It took literally about 10 hours to receive my results for this one.

OVERALL THOUGHTS

This exam was definitely challenging. I think because of the CTF-like elements, it was somewhat artificially difficult. I think the concepts in this course and exam are still relevant and applicable and I did enjoy the learning process and testing out some of these vulnerabilities.

EXAM TIPS

Easier said than done, but do not overthink and do not let the stress get the best of you. Make sure to eat well, stay hydrated and get adequate amounts of sleep and breaks.

Make sure you have all of your notes and screenshots in order. I used Obsidian to take notes and Flameshot to take screenshots.

Once again, do not skimp on the enumeration phase. You will not be able to complete the required tasks if you do not uncover certain things first.

As usual, Burp Suite and/or ZAP will come in handy for this exam. I used both, but some manual exploitation is also crucial for this one.

Remember to try multiple tools that perform similar functions. Some tools find things that others don’t.

Make sure you have a good grasp of some of the concepts I listed above, in particular SQL injection, directory traversal, information disclosure, XXE, XSS, SSTI and insecure deserialization.

Make sure you are familiar with tools such as ZAP, Burp Suite, sqlmap, ysoserial, etc.

sqlmap will definitely come in handy here, but make sure that you dive a bit deeper with your commands. Think along the lines of bypassing anti-CSRF protection with sqlmap.

I saw that some people had questions/issues with ysoserial. I used the latest version available here. However, I did need to switch to an older version of Java for it to work properly, which can be done with:

    sudo update-alternatives --config java

Focus on the report writing. As usual, it is an important part of the exam. Make sure it is professional grade and documents what you performed in detail.

Most importantly, do not give up. It’s easy to feel defeated and discouraged if you fail, but do your best and remember that you have a free retake and hopefully a useful hint from the exam reviewer.

Best of luck. Onwards and upwards!

RESOURCES

Other eWPTX writeups:

eWPTXv2 review – Black box web pentesting

eWPTXv2 Exam Review

eWPTX Review – EXTREME Web Apps for EXTREME Hackers

Recommendations & Review of eWPTXv2

Report writing:

Videos:

The Cyber Mentor – Writing a Pentest Report

ITProTV – Tips for How to Create a Pen (Penetration) Testing Report

Semi Yulianto – Writing An Effective Penetration Testing Report

Templates:

TCM Security Sample Pentest Report

Sample Reports:

juliocesarfort – Public Pentesting Reports

Penetration Testing Report – PenTest-Hub

h0tPlug1n’s Web Penetration Testing Report Sample