I recently finished the Penetration Testing Professional (PTPv5) course from eLearnSecurity and sat the certification exam from 18 May to 28 May, and here’s my review and tips for the exam itself!
Overall experience
The exam was a decent simulation of a real-world penetration test, from the initial engagement letters to your final deliverable. I had unrestricted access to my own exam lab for 7 days, which looks to be powered by the exact same technology as the Hera labs included in the course. This means you’re free to start, stop, resume, and reset the lab (4 times per day, which I found was plenty) at any time.
That said, I did have an issue with resetting my lab when I falsely believed I had accidentally crashed a machine in the corporate network, and I had to email support and post on the forum for help. They got back to me in a little over a day, during which I just sat at home refreshing my lab controls page once every 15 minutes, slightly in fear of not getting that time back and failing the exam because of a technical issue on their end.
Fortunately, they extended my lab deadline after fixing my instance, so if you’re a student in the middle of the exam right now and are experiencing what I did, rest assured they’d reimburse you for that time!
Day by day summary
(I found these summaries on Doyler’s blog and found it immensely helpful to seek solace in the struggles of other exam takers, so thought I should include these for future exam takers too!)
Day 1 on Saturday
I started the exam while still a bit under the weather, as I had been bedridden with a fever for days before. I had to skip ballet class that day and thought ”what the heck, I’m already forced to be home anyway so I might as well start it!” I think I rooted the web server that night.
Day 1.5 on Sunday (because the lab broke)
10 minutes into the lab, while trying to pivot from the web server into the next network, I thought I broke one of the machines with an incompatible metasploit module. Tried to reset it… and the entire lab broke. Emailed the support and posted on the forum that afternoon.
Day 2 on Monday
Got back on track when they fixed it around 5PM my time! Also finally got system on one more machine.
Day 3 on Tuesday
Got one more machine in the current network! I was feeling pretty confident so far and I had been sleeping for 9 hours and generally feeling very relaxed at this point.
Day 4 on Wednesday
This was when I seriously started to worry I might not pass the exam. I fell into a million rabbit holes with my current shells, even resorting to forensics modules in metasploit (which is completely unnecessary btw. If I could tell my past me something, it would be… to not overcomplicate everything and chase every tiny clue when all I needed was frankly obvious and easy to find). The only progress I made that day was finally figuring out why I couldn’t seem to enable RDP for machine #2 before while full-blown ranting to my best friend and having her be my duck while I attempted rubber duck debugging (she’s the best).
Day 5 on Thursday:
I got up early since I was seriously panicking, asking myself what I could’ve missed (sigh what a dummy hahaha. I didn’t miss anything at all. I really just thought there would be more to each machine. Advice: just follow whatever is right in front of you and don’t overthink it). After hours and hours of meticulously combing through every single folder and file, I gave up and decided to work on the custom exploit development part.
Tip for the exploit dev: remember to develop and test it on your local machine. Also remember what ASLR is and what that means for your exploit. If you can complete the system security lab in the course, you already know how to do it. The hardest part would probably be the payload, since the course didn’t teach which bad characters to avoid or how you should find the shellcode. My advice: use msfvenom to generate the shellcode, and search around for bad characters to avoid.
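The tip above says to remember what ASLR means for your exploit. One concrete way to act on that before spending hours on a technique that assumes fixed addresses (and, from the defender's side, to audit which binaries in an estate still ship without these mitigations) is to read the DllCharacteristics field of a Windows PE image: the DYNAMIC_BASE bit says the image opts in to ASLR and NX_COMPAT says it opts in to DEP. The script below is an added example and not part of the original post or the course; the sample PE headers it parses are constructed inline for the demonstration and are not real binaries from the exam lab.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DYNAMIC_BASE = 0x0040     # image is relocatable at load time, i.e. opts in to ASLR
NX_COMPAT = 0x0100        # image opts in to DEP (non-executable stack/heap)
HIGH_ENTROPY_VA = 0x0020  # 64-bit image accepts high-entropy ASLR addresses
GUARD_CF = 0x4000         # image was built with Control Flow Guard

# DllCharacteristics sits at offset 70 of the optional header for both
# PE32 (magic 0x10B) and PE32+ (magic 0x20B).
_DLL_CHARACTERISTICS_OFFSET = 70


def dll_characteristics(pe: bytes) -> int:
    """Return the raw DllCharacteristics word of a PE image, validating the headers on the way."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]          # offset of the PE signature
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                                        # 20-byte COFF file header
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    if size_of_optional < _DLL_CHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short to carry DllCharacteristics")
    opt = coff + 20                                            # start of the optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unexpected optional header magic 0x{magic:x}")
    return struct.unpack_from("<H", pe, opt + _DLL_CHARACTERISTICS_OFFSET)[0]


def mitigations(pe: bytes) -> dict:
    """Decode the mitigation opt-in bits into a readable dictionary."""
    flags = dll_characteristics(pe)
    return {
        "aslr": bool(flags & DYNAMIC_BASE),
        "dep": bool(flags & NX_COMPAT),
        "high_entropy_va": bool(flags & HIGH_ENTROPY_VA),
        "cfg": bool(flags & GUARD_CF),
    }


def build_sample_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Construct a minimal PE header stub (no sections, not loadable) for the demonstration."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew: PE signature right after the DOS header
    opt_size = 112 if pe32plus else 96                         # sizes without data directories
    coff = struct.pack(
        "<HHIIIHH",
        0x8664 if pe32plus else 0x14C,                         # Machine: AMD64 or i386
        0, 0, 0, 0,                                            # sections, timestamp, symbol table, symbol count
        opt_size,                                              # SizeOfOptionalHeader
        0x0102,                                                # Characteristics: executable, 32-bit aware
    )
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, _DLL_CHARACTERISTICS_OFFSET, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # A legacy-style build with no mitigation bits set, and a modern hardened build.
    for label, sample in (
        ("no mitigations", build_sample_pe(0)),
        ("hardened", build_sample_pe(DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA | GUARD_CF, pe32plus=True)),
    ):
        print(label, mitigations(sample))
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `mitigations()`. Note that this is the image's opt-in only: the operating system can still force ASLR or DEP for a process regardless of these bits, so treat the result as a starting point rather than a verdict.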
Around midnight, I finally rooted that exploit dev machine. About 3 hours later, the final DMZ machine too.
Day 6 and Day 7
I… gave myself a mini-vacation because I was so happy to have completed the objective.
Day 8 to Day 10
Completed the report with the screenshots and notes I took during the exam, which in the end turned out to be 21 pages long.
Tips I’d give to my past self
- No need to overthink anything; the answer is probably easier than you expect and right in front of you.
- Have a local Windows machine always ready and don’t waste precious exam time by forgetting about it and frantically downloading an ISO in the middle of the exam.
- If you’ve only been doing hackthebox and lab machines like me, you are probably lacking in pivoting experience, since hackthebox machines rarely require you to pivot across layers of a network. So practice it more in the labs if you can!
- RDP really is the best for pillaging! Much better than snooping around in your meterpreter shells, I guarantee it.
Conclusion
As I just submitted the report 3 days ago, I haven’t heard anything back yet. I’ll update this entry once I receive my results! Good luck to all exam takers!
Update
Just hours after I posted this, I received the email that I passed! Looks like the examiner didn’t have too much to say in the feedback though; it just says “Congratulations! You have been awarded the eCPPTv2 certification.” I was hoping for some constructive criticism of my report, but I’ll happily take my shiny certificate now ;)
Apologies
To the nice people who left comments seeking help on this post, I’m very sorry to say that I’m not able to help anymore because it’s been 3 years since I passed the certification and I no longer remember enough details to give useful tips.
I wish you all the best luck! Just remember what you’ve learnt all this time and take a break sometimes.
For those who yearn for modern, fun & efficient cybersec courses
If you feel the same way we do, feel free to check out Dev Aviary.
It’s strange to come back to this post and see when I was still on all these websites despite how dissatisfied I felt with them.
It seems so obvious now that I would want to create the cybersecurity courses that I wish I had when I started. I hope future cybersec students don’t have to repeat my frustrating cybersec learning journey anymore :)
How many machines did you pwn in the exam? I'm soon going to take the exam. I'm able to solve easy to medium level machines on hackthebox. Do you think it's enough? A bit more info about the exam and any more tips you'd like to share?
Hi Sujit, I think I owned maybe a handful of machines, definitely less than 10. If you are able to solve easy to medium machines on hackthebox, I would say that's about enough. But keep in mind that (as far as I know) easy to medium machines don't really require any buffer overflow exploitation and pivoting, so my tip would be to get extremely familiar with the process of buffer overflow development and using proxychains with nmap and metasploit. Good luck!
Hi Nina, how many machines with buffer overflow did you pwn in the lab? Currently, I find it difficult to completely understand buffer overflow.. in general, I have some problems in the system security part of the course.
Hi Daniele, sorry that I missed your comment. I did all of the machines in the system security part of the course, and I'd recommend Hacking: The Art of Exploitation as a solid buffer / heap / stack overflow introduction in C (also shellcoding). Generally I think studying a little bit of Assembly & how memory & CPU work in a low level context are prerequisite to mastering any kind of overflow exploit. Let me know how it goes and if you have any other questions :)
Do you have any tips for the payload in the buffer overflow? I have multiple exploits working on one of the machines in the corporate network that I'm using as a test, but on the real target nothing works.
Hi Sam, I would advise 1) making sure it's the right target, 2) sometimes your exploits might be working but sometimes other things like firewalls may be preventing you from seeing the results etc 3) make sure you get the architecture right for the exploit. I probably saw your comment too late to actually have helped, but I hope you ended up acing the exam! Good luck!
Unfortunately I did not pass (but I knew that before submitting my report). The most disappointing thing though is that the feedback is completely useless. Any chance you could email me? I just feel like I need someone to bounce my ideas off and let me know if I'm at least on the right path.
Dang, sorry to hear that Sam. And such a shame that the feedback was useless. With this amount of cost for the exams, I’d have expected better. And yeah, leave me your email address or other contact info and let me see if I can help.
Hello Nina, thanks a lot for the review. I am taking this exam very soon and I have a couple of questions that I hope you can help me with:
1- How do you identify the buffer overflow machine? In OSCP they tell you exactly which one it is and they provide you with the binary you need to develop the BoF for, is it the same with eCPPT? 2- Is there social engineering involved in the exam? i.e. do you need to send emails/create hidden iFrames/use ARP spoof etc. in order to root some of the exam machines? I've seen contradicting feedback about this online.
Thanks a million! <3
Hello! 1. The BoF machine is not specified in the engagement letter, but it’s as good as spelt out in the actual testing environment. The vulnerable application and the host will be pretty obvious when you reach that stage, so no worries! 2. No social engineering involved, at least not in my experience
Good luck!!
Hello Nina,
Is there a way I could email you about the exam?
Thank you for your review, -H
Hey H, you can reach me at "i at nina.coffee" (with at replaced with @)!
Hello Nina, I sent you an email at (i @ nina.coffee.com) (at == @). I would appreciate it if you could help me. Thank you, V.A
Basically could you give your email because the above email address is not valid? Thank you
How did you go about testing the different payloads for the buffer overflow? I have the buffer overflow working locally using some fairly basic payloads. At this point, should I just go down the list of windows payloads from msfvenom?
Hey there, what do you mean by going down the list of windows payloads? I suggest just picking the one most suitable to your target :)
I went down the list and tried a bunch of payloads relevant to the target, but couldn't get any to work - despite them working fine locally. I think there is a relatively straightforward payload I'm overthinking.
Hope you got it in the end!!
I was able to get it working in the end. Is the DMZ machine pretty straightforward? I think I might be overlooking this machine now. There is something interesting running locally on it, though.
I see no machines while connected to the exam vpn. It must be a trick.
Hmm you might have to check with the admins if that's the case, or check that you have the right address range.
Hello Nina. Any tips or tricks you could share regarding the RDP issues you had? I'm going to start my second attempt. However, on my first try, I was unable to enable RDP on the same machine I believe you are referring to.
Hello Nina, thank u sooo much for the super valuable info. I was wondering how many targets am I supposed to root in total? I know elearnsecurity doesn't disclose the details, but I'm trying to estimate how much time should be spent daily, i.e. if there are more than 10 machines vs only 5 like OSCP
Hello!
The eCPPT is more like OSCP when it comes to machine count, so I'd say take your time!
Big fan, long time lurker, decided to finally take the plunge. Started off hot, rooted the webserver in no time, but I have not made any progress really since then. I've done tons of enumeration, found various sets of creds I cannot use and can view shares I cannot seem to access. I have also been able to identify hosts on the corporate network with pings and arp scans, but can't get any sort of actual Nmap scans going via Metasploit or proxychains. Is this normal? I am very comfortable with pivoting and port forwarding, but everything I have tried so far has failed.
Any tips on the buffer overflow? I'm completely stumped. I have been successfully popping multiple exploits on local machines. I've gotten the calc to work, reverse, bind, reverse, and CMD shells. I even was able to create users and enable RDP. Both of the local boxes have ASLR disabled, I've been over the bad characters multiple times, I'm assuming that's not the case because I get the exploits to work, and the target IP and port are correct and ncat shows that it's up and running. Anything would greatly help my sanity
I made it to the DMZ and am curious if the course actually covered how to exploit this box? Because nothing that I have tried works.
How did you go? I'm about to start the exam process and wanted to know what resources might prepare me for anything not covered in the course
Hi Nina, I have emailed you for some help. I am struggling to find any details for the DMZ server on the bof machine. Already NT authority/system on BOF, added a new user and RDP. Also exploited all the other machines in the corporate network and the webserver.
Lisa
How many machines were there altogether in the exam? I bombed my first attempt. I got the initial server, and found 6 others in a different network. The biggest frustration for me was tools failing to work despite what the notes and documentation said (arpscanner no longer supported, ms17010 exploit failing, nmap scans failing to find any host in another network, etc). Did you run into any of these? How do you overcome them?
Hi, I know this is a pretty stupid question, but since INE has entirely changed the model I could not take the premium subscription and do the labs. I am entirely new to pivoting and I have tried the things shown in the slides and video to no effect. After I got a shell on the webserver, I used autoroute to add a single rule saying that all the traffic to that subnet should go through the current meterpreter session. I am able to use pingsweep and tcp scan within metasploit, and using socks4a and proxychains I am able to use nmap, smbclient, smbmap, psexec. But I am not getting any reverse shell in metasploit. If I try to ping my system from the remote system using the psexec shell, my system is receiving the ping request and replying back but the remote system is not getting it. I am pretty sure that I have missed something in pivoting and routing but I don't know what. I think that ping and reverse shells will not work under proxychains, but they are supposed to work under metasploit, right? If not, then how are we supposed to further get access to the internal systems? Any help would be much appreciated.
Hi, how do you get to the DMZ from the corporate network? Is it necessary to root the BoF machine and do the autorouting from that session? I tried to do autoroute from the meterpreter session of the windows boxes, but when I perform ping_sweep, the session dies.
I just submitted my report. How many days until we know the result, bro?
My turnaround was around 3 days. So hopefully you’ll get your result back soon! Not a bro btw.