Greetings everyone. Today I'll be writing about my own personal experience with, and review of, INE's Certified Professional Penetration Tester (eCPPT) exam. I'll also give some tips and advice, as well as what to expect in the exam. I spent the full 24-hour exam window, with around 14–15 hours actively working on the exam after accounting for sleep, and ended up passing with a score of 82%. To pass the exam you need a score of at least 70%. The exam consists of 45 questions. You get your results immediately after submitting. Let's roll.

Overview of the training / Course

The course / training is a clear step up from the eJPTv2 course. I completed the full eCPPT course / training, then dived into HackTheBox and finished two modules: Introduction to Active Directory and Active Directory Enumeration & Attacks. Unfortunately, unlike the eJPTv2, the training from INE is not enough to pass the exam, as it contains gaps, especially in the Active Directory section. That doesn't mean the exam would be easy: while the content may not fully prepare you for the exam, it's challenging, especially if you're new to AD pentesting and privilege escalation.

What to Study if the training is not enough?

Here's what you'll need to supplement the INE course:

Active Directory

  • Introduction to Active Directory (Link — HackTheBox)
  • Active Directory Enumeration & Attacks (Link — HackTheBox)
  • There are also other AD Modules in the HTB CPTS path (Link)
  • Learn how to use the Impacket AD Tools

Web App

  • WordPress Course (Link — HackTheBox)
  • As many web app rooms as possible on TryHackMe

What to Skip in the training

Note: read this section if you are interested in taking the exam ASAP and don't want to waste time by studying things that you will not need in the exam or are planning to study them after passing the exam.

  • Client-Side Attacks
  • System Security & x86 Assembly Fundamentals
  • Exploit Development: Buffer Overflows
  • Command & Control (C2/C&C)

Note: It's really important to come back to these sections and study them as they are very important and still relevant to this day.

The Exam Environment / lab

First, when starting the exam you will be provided with access to a pre-configured Kali Linux machine through the browser, meaning you will not be able to use your own machine through a VPN connection. Second, the lab provides you with most tools that you would need to pass the exam, except for some like Evil-WinRM, which didn't work for some reason. Third, you might notice that the lab may occasionally fail to display output for certain commands or tools (e.g., kerbrute, smbexec, hydra). In reality, the output is displayed as black text on a black background, making it seem invisible, which can be annoying. When this occurs, copying the output into your own notes or machine can allow you to see the results correctly. (Don't worry, this only happens with a couple of tools.)

Below are some of the tools I used in the exam:

Nmap, Kerbrute, Hydra, Metasploit, Hashcat, John, Burp Suite, rpcclient, smbclient, mysql, impacket-GetNPUsers, CrackMapExec, BloodHound, xfreerdp, PowerView.ps1, PowerUp.ps1, mimikatz.exe, searchsploit, python3.

The Exam Flaws

  1. Lab Stability: As the exam is relatively new, the environment may occasionally be unstable. In some cases, the lab would suddenly disconnect, forcing you to restart the lab. Another thing is that I encountered a task requiring me to locate a specific user on a machine, but the user did not exist until I reset the lab environment. It is advisable to keep this in mind and consider resetting the lab if something seems inconsistent.

  2. Password Lists: The password lists provided in the letter of engagement can be misleading and are generally not effective for cracking or brute-forcing. Instead, it is recommended to use more reliable lists such as:

  • xato-net-10-million-passwords-10000.txt
  • seasons.txt
  • months.txt

  3. Tool Problems: As also stated by other people, certain tools, such as Evil-WinRM, may not function properly on the provided attacker machine. INE stated in the letter of engagement that you would need to use the Docker version, which still didn't work for me, and I didn't know if I was doing something wrong (maybe it's a skill issue lol).

What to Expect

1- The exam focuses heavily on Active Directory which is no surprise.

2- Enumeration, bruteforcing and password spraying are a MUST.

3- Linux machines are also present, which you would need to exploit and escalate your privileges on.

4- A web application to exploit and test.

5- A LOT of hash cracking.

6- Advanced Windows privilege escalation. (Probably the hardest part of the exam as many people get stuck here).

7- Public exploits / CVEs. Not everything in the exam has to be done inside; you will have to perform some research for public exploits to answer some questions.

Overall Advice

  1. NOTES. Taking notes in this exam is a life saver, just like it is in any other pentesting exam. I made a big mistake in the last half of the exam by deciding to ditch the note taking and focus on the exam, as I noticed that I wasn't answering a lot of questions. Don't do that.
  2. Don't panic, 24 hours is more than enough for you to pass the exam.
  3. Enumeration and bruteforcing are key.
  4. Get good and familiar with Active Directory by studying the modules I mentioned above.

My Own Opinion

While I stated above that there are some flaws, such as not being able to use your own machine through a VPN, the lab not being stable, as well as the training not being enough, I also have to give credit to INE for the training and their exam. It's decent overall and forces you to think more and outside the box instead of having everything handed to you. I enjoyed this course a lot more than the eJPT, which felt very boring and repetitive at that time. I also enjoyed the exposure to new areas such as Assembly and C2 frameworks. However, these sections are only covered at a basic level, and expanding on them would make the overall course amazing. Thanks to INE for giving me the opportunity to take this exam. If you have any questions, feel free to reach out to me on my LinkedIn:

My LinkedIn

That's it! Best of luck!