I took eLearnSecurity’s eCPPT exam a month ago and decided to do a review on it. I’m writing from the perspective of someone who had no prior IT background, so hopefully this will be useful (and encouraging) for others who are considering taking the eCPPT!
A bit of background about myself: prior to the PTP course, I did the PTS course for 2 months and took the eJPT in Feb 2020.
I found the eCPPT exam challenging and needed the full 7 days to finish it. I read elsewhere that the PTP course covered 90% of what you needed to know for the exam, but I have to disagree (this is in comparison to the eJPT, where I can confidently say that the PTS material prepares one for 100% of the exam). The PTP course teaches you the basics and gives numerous examples of exploits and payloads, but during the exam I went through plenty of trial and error and constantly googled for new methods/techniques (no doubt a good skill to hone in the InfoSec field).
Disclaimer: I did the labs once and referred to the solutions heavily when stuck. I initially planned to redo the labs again but decided to bite the bullet and go ahead with the exam.
I decided to write this breakdown of the 7 days during the practical portion of the exam; hopefully it helps someone who is planning to take the certification!
Day 1
I started the exam at 9am. After an hour, I didn’t manage to find anything and was starting to panic. I then realised that I had forgotten to go through the basic methodology and soon found something to work on. Finally, I managed to gain the initial foothold in the evening.
Day 2
I managed to root the 1st machine and discovered other hosts. I had a difficult time with these few hosts, despite the general experience of other people who took the exam, based on their reviews. Day 2 was filled with frustrations as I was getting nowhere. I decided to just jump into the BoF exploit development portion the next day.
Day 3
I started working on the BoF exploit in the morning and managed to gain root access in the afternoon. I had reached the DMZ and spent the rest of the day trying to escalate privileges.
Day 4
I decided to go back to the few machines I had trouble with and tried every exploit and payload possible, with no success. It was very frustrating and I was getting nowhere staring at the screen, so I decided to take a break to play drums. I felt a lot better afterwards! Unfortunately, I didn’t manage to progress much during Day 4. I was starting to get worried that I might fail the exam and comforted myself that the exam voucher came with a free retake.
Day 5
I alternated between working on the DMZ and the other machines and finally had a breakthrough on one of the machines. This was something I had not seen before, so after much trial and error, I was ecstatic to finally gain access to the machine.
Day 6
Unfortunately I fell ill and had to spend most of the day resting. Thankfully, I felt better at night and managed to make some progress. All I had left was to root the DMZ server.
Day 7
I would say privilege escalation on the DMZ was the most fun I had on the exam. It was something I had not seen before but I managed to slowly figure out what was going on. The sense of accomplishment I got from rooting the DMZ was amazing. At this point, I had just 12 hours remaining before the exam lab scenario ended. Phew.
Tips
- Pivoting is extremely important. One way to get some practice is to set up your own lab with 2–3 Windows XP VMs and set each WinXP VM to be on 2 NAT networks. WinXP is a good choice for practice since it is vulnerable to both MS17-010 and MS08-067. I used VirtualBox and the lab worked fine.
- Test out different payloads when using an exploit. Typically, our first instinct is to use reverse_tcp, but you should understand when it is appropriate to use bind_tcp. You can test this out in your own lab.
- Adding on to the point above, don’t just fixate on popping shells; try out other payloads as well! Metasploit/msfvenom has tons of them.
- Create a cheatsheet so you can Ctrl+F during the exam to check for useful commands. This saves time since you can avoid manually clicking into each module to find what you need in the slides.
External resources
BoF:
- https://www.youtube.com/watch?v=1S0aBV-Waeo Computerphile’s video on Buffer Overflows offers a nice introduction if you’ve no prior knowledge of BoF. The illustrations helped me to visualise what a NOP-sled was.
- https://www.youtube.com/watch?v=qSnPayW6F7U&list=PLLKT__MCUeix3O0DPbmuaRuR_4Hxo4m3G&ab_channel=TheCyberMentor TCM’s BoF series was immensely helpful, especially since I had a tough time trying to understand the System Security section of the PTP course. I also used the python scripts from TCM’s videos for the eCPPT exam.
- https://github.com/justinsteven/dostackbufferoverflowgood An excellent tutorial on BoF; it’s good to go through this step by step.
Pivoting:
- https://pentest.blog/explore-hidden-networks-with-double-pivoting/ The PTP course didn’t delve too much into double pivoting so this is a good guide.
Conclusion
I enjoyed the PTP course and highly recommend it if you’re looking to learn the basics of pentesting in a structured manner. I initially took the PTP course as preparation for the OSCP, but I think it is so much more than just a “prep for OSCP” course, especially since the exam simulates a real-life pentest with multiple networks. On that note, something to be mindful of is that PTP is a Metasploit-heavy course, so not everything will be applicable to the OSCP, but you can also practise the manual way of exploiting in the PTP labs if you have enough lab time to spare.
Right now, I’m working on HTB machines before starting the PWK course. It’s been fun so far!
Thanks for reading this far and I hope my two cents will be helpful for someone out there.