eLearnSecurity Certified Professional Penetration Tester (eCPPTv2) Review

DISCLAIMER

I will NOT be giving away any exam spoilers or answers here. Feel free to contact me, however, I am not willing to discuss any exam specifics or give any overt hints.

THE COURSE

The accompanying course to the eLearnSecurity Certified Professional Penetration Tester (eCPPT) exam is the Penetration Testing Professional (PTP) course. This is avaiable from INE at different price points with or without the included practice labs. The exam voucher itself will cost you $400, but if you purchase INE’s premium plan, you get a 50% or free voucher (depending on their deals). While the course does offer everything you need as a basis to pass the exam, it is imperative that you look outside of the course as a supplement for certain topics (some resources listed below). As many others have already said, the biggest gripe with the course is that it starts with the System Security section and gets fairly intense pretty quickly. This is not to say that you are forced to take the course sections in any particular order. The bulk of the exam pertains to the Network Security section and if you purchashed INE’s premium access, some included sections while good to know (and can be used for the exam) are not necessary to pass the exam (PowerShell for Pentesters and Ruby for Pentesters and Metasploit sections). The WiFi Security section is not covered at all in the exam. My only other gripe is that some of the commands (specifically for Metasploit/meterpreter) were outdated and did not work with newer versions of Metasploit. It is up to you to sort these out and make sure you look up what’s changed/any updated commands. This course also has no section that covers report writing, so if you are not familiar with this, you will have to do a bit of research (some resources listed below). It was a good course overall and, to be honest, I’ve been known to dive into exams headfirst and learn on-the-fly.

EXAM PROCESS

There is no need to schedule this exam. You can log into the members area and start the exam at a time that is best for you. The exam is not remotely proctored and therefore does not require you to pre-schedule an exact start time. Once you begin, you are given 7 days in the exam environment to complete the technical portion of the exam. Once you finish (or the environment expires), you are given an additional 7 days to write and submit your penetration testing report for review (14 days total). This is a very generous timeframe, provided that you use it wisely (more on that below) and is fairly comparable to what you would see on an actual pentest.

PREFACE

This is just a friendly reminder that it is absolutely okay to fail. Yes, failing absolutely sucks and leaves you feeling defeated, but it is not the end of the world even though it might feel like this at the time. eLearnSecurity/INE is good about giving you one free retake (kudos to them). In order to qualify for the free retake, you must submit your report with whatever progress you have made within the 14-day window. An exam reviewer will take a look at your report and provide some feedback to help push your progress along. Once you receive the email that your report has been reviewed, you have up to 14 days to log into the members area to look at the feedback and restart your free retake. Please note that logging in to view the feedback automatically restarts your exam retake, in which you will have an additional 5 days in the lab environment and an additional 2 days to finish and submit your report (7 days total).

I unfortunately failed my first attempt by getting inside my own head and overthinking everything instead of fully utilizing what I already knew and had in front of me. I’m going to consolidate both attempts in a continuous manner for the sake of this post, but I will be sure to note where my first attempt ended and the second began.

THE EXAM

DAY 1

I kicked off my exam at around 2300 on a Friday night. I do not recommend this as a general start time, but if you live in a neighborhood like mine, you’d know why. Anyway, I digress. I downloaded the rules of engagement pdf and the openvpn file and got started. Make sure you review the ROE a few times as it will give you all of the information needed to test that everything is working properly and where your startpoint should be. I began my initial information gathering and enumeration and immediately jumped into the web app pentesting portion of this exam. Please do not neglect this phase even if it doesn’t provide you a way to compromise the system. It is imperative that you find and report as many vulnernabilities as you can, as this is designed to simulate a somewhat realistic pentest for a company. This is pretty much all I did this first night and went to bed.

DAY 1.5

Woke up early after only a few hours of sleep to continue where I left off. By this point, the stress was already getting to me and it continued throughout the entire rest of this day and not much progress was made. I just took the rest of this day to gather screenshots and any commands to put in my notes for the report.

DAY 2

Again, I woke up super early and on very little sleep to start poking around again. After some more enumeration and a bit of research, I finally managed to get a user level shell on this first machine. I was excited, but still nervous as I still had a ways to go. Some more enumeration/research and a few hours later, I had managed to privilege escalate on this machine. I did some post-exploitation enumeration on this machine (very important) and managed to find some useful tidbits that I jotted down for future use/reference. This allowed me to do what I needed to do to see the internal network and reach the next set of machines. Because it took longer to compromise this machine than I had anticipated, I made no further progress this day and decided to call it a night.

DAY 3

Woke up early again and started enumeration on the newly discovered set of machines. Cannot emphasize how important pivoting and proxychains (port fowarding is also super useful) is for this portion and for the remainder of the exam. Make sure that you have these concepts down solidly as they are indispensible for completing the exam. Be sure to know what tools and specific commands/protocols run properly through proxychains, most notably nmap. This will save you a lot of time. Also make sure that you scan all of these internal machines, but be aware that you may not necessarily be able to compromise all of them. After some research (HINT: and information previously gathered), I was able to compromise 2 machines on the internal network. I felt good at this point because I still had plenty of time left. At this point, I let my mind and nerves get the best of me and got completely stuck from this point until my exam environment expired.

This was pretty much the end of my first attempt. I spent way too much time overcomplicating things and researching/trying a ridiculous amount of things that were yielding me no valuable results. In hindsight, I kick myself for not seeing what was right in front of me. The exam is not meant to trick you in any way and when you step away and look at the bigger picture, you’ll see the path that is laid out for you. Nevertheless, I was feeling super defeated and beating myself up. Try your best not to do this as it will only hinder your progress. In any case, I took a couple of days off to cool down and started working on my report to submit for the retake. Even though I was not able to finish the technical portion, I still took my time creating the best report I could with what I had. I submitted my attempt for review and it took almost a month to receive the results and feedback to kickstart the free retake.

After a few days, I decided I was ready to conquer this exam and logged in to review the exam reviewer’s feedback and restart my exam. The feedback provided very subtle hints, but they were helpful nonetheless (again kudos to eLearnSecurity for wanting you to succeed and not just profiting off of failure).

DAY 4

The retake obviously starts from a freshly reset lab environment, therefore, you will have to redo anything you had previously done. If you took good notes (very important) of your steps up to this point, getting back to where you were should be no problem. After regaining access to those 2 internal machines, I went in with a much cooler thought process. I didn’t stress out this time, got adequate amounts of sleep, ate well and stayed hydrated. This was the path to success. I cannot stress enough how important post-exploitation enumeration is. This will be your way forward and exactly what I focused on this time. After a short while, I found what I had missed the first time and my path to the buffer overflow machine. I decided to call it an early night and get started on this part the next day.

DAY 5

Got a good night’s sleep and had a hearty breakfast and began working on the buffer overflow. Please do not fear this portion of the exam. I know the course makes it seem more daunting than it actually is. If you’ve learned the process well enough (invaluable resources provided below), this might even be the easiest part of the exam. I downloaded the files needed to create and test the exploit locally. Make sure that you have a Windows 7 or Windows 10 system up and running in a virtual machine prior to starting your exam as this will save you a ton of time. Windows 7 did not appear to work for me, so I simply just switched over to my Windows 10 VM and got to work. Do not forget to disable any firewall/Windows Defender settings on your VM in order to properly test your exploit. This essentially went without a hitch for me and within an hour or so, I had a shell on my local Windows 10 machine. After some port forwarding magic and setting the exploit to the target machine on the internal network, I fired it off and got a shell on this machine. This felt amazing as I had not only gotten past the point I was stuck at before, but I was also one step closer to wrapping this exam up. Please be sure to try more than one payload if you are having trouble getting a shell. And if you still cannot get a shell, try to be creative with your payload (i.e. add a user, enable RDP, disable firewall, etc.). I decided to call it a night and tackle the next part the next day.

DAY 6

Woke up well-rested and with my newly obtained access, managed to initiate an RDP session and quickly discovered what to do next. With this information, I quickly and fairly easily obtained a user level shell on the DMZ. After a bit of enumeration on the DMZ, it was pretty obvious (but maybe not particularly straightforward) what the path to privilege escalation was. Be sure to take your time and be mindful of what you have already discovered. After messing around with this a bit, you should be able to figure it out and privilege escalate to root. This got me the required (but not sufficient) goal and concluded the technical portion of the exam. I was absolutely elated and couldn’t believe that I had let this get the best of me the first time around. All that was left was the report writing, so I decided to take a couple of days off before tackling it.

DAY 9

Editing the report I had initially submitted, I added all of the newly discovered parts. All in all, my report ended up coming out to 61 pages. Be sure that you have all of the proper screenshots and steps that you took to complete your pentest as these will need to be documented in your report. Your report should include an executive summary, some kind of severity rating, vulnerabilites discovered along with proof of concepts and remediation steps. How you organize this is up to you, but I have provided some publicly available reports and templates below. I submitted the report and within 2 days, received the email that I had passed.

OVERALL THOUGHTS

This was a pretty awesome and useful certification exam. It is a great practical intro into the pentesting world and in my opinion it is a fairly relevant exam and learning process. Though not quite similar, I believe it is a great stepping stone to the OSCP exam. I hope this review helps some of you guys out that are gearing up to tackle this exam. Best of luck and much success to you all.

EXAM TIPS

I know this one is easier said than done, but do not overthink and do not let the stress get the best of you. Make sure to eat well, stay hydrated and get adequate amounts of sleep.

Be sure to take good notes and lots of screenshots. I used CherryTree to take notes and Flameshot to take screenshots. There are a lot of note-taking options out there, so play around with some of them and see what works best for you.

Enumeration, enumeration, enumeration. Pre and post-exploitation. Do not underestimate this process. It is indispensible to your success.

Do not overcomplicate things. 90% of the time, the answer is right in front of you.

You have free reign to look up anything you want, so be sure to use that to your full advantage. But, remember, this is no substitute for not somewhat knowing what you’re doing. This is meant to be a supplement.

Have your Windows virtual machines downloaded and installed to test your exploits locally. This will save you tons of time.

Port-forwarding and RDP is not 100% necessary, but it is super helpful.

Do not underestimate the web application portion of the exam. This exam is not a CTF, so even if these avenues do not result in a compromise, they are still vulnerabilites that you must report.

Focus on the report writing. It is an important part of the exam, so be sure that it is professional grade and documents what you performed in detail.

Make sure you have pivoting down. You will not be able to complete this exam without this knowledge.

Most importantly, do not give up. It’s easy to feel defeated and discouraged after failure. Failing sucks, no doubt, but don’t look at as a justification to give up, look at it as a measure of success. Onwards and upwards!

RESOURCES

Other eCPPT writeups:

eCPPT video reviews: