Certified Professional Penetration Tester (eCPPTv2) Review

Author: Nicholas Chong

Coursework

A variety of topics were covered, from system security to network security to the usual topics of Linux, Windows, web exploitation/post-exploitation.

Some labs were about client-side attacks; others involved LLMNR poisoning, SMB/NTLM relay, ICMP redirect, bypassing AV, privilege escalation via DLL injection/shared object library, and XSS to domain administrator. You can do the labs either with or without Metasploit.

Exam

My approach was to do it in Metasploit first, so I know what I need to do to “pass” the test. Note that unlike the OSCP, there is no scoring point system for the eCPPT. Examinees taking eCPPT are expected to identify as many vulnerabilities as possible in their targets, include them in the report and provide the corresponding remediation actions and CVSS score. To obtain eCPPT certification, one must essentially compromise all targets in multiple subnets specified in the letter of engagement.

The exam spans across 14 days. The first half is for the actual penetration test, the second for writing the report. There are no restrictions on the tools used in the exam.

Day 1 & 2

Spent about 4–5 hours per day and managed to get a foothold in almost all the subnets via Metasploit.

Day 3

Hit the wall with the buffer overflow (it’s tricky when there are multiple subnets), but managed to solve it. I then proceeded to compromise the remaining hosts, which took about 10–12 hours.

Day 4

I decided to challenge myself to do it manually without Metasploit.

Managed to complete most of the exam without Metasploit, except for one part. In retrospect, maybe I could have gotten it, but I may have wrongly set up my foothold and control of network traffic during certain phases. This resulted in my spending almost the entire day on it.

Day 5

At this point, I was honestly burned out from not having had a proper break since the start of the year because of school assignments (about 11 months). I decided to finish up the report and stop the exam.

Final Thoughts

While all tools are allowed, meaning you can literally run through the exploitation phase on the fly with C2 frameworks like Metasploit, you need to know the network you are dealing with. Understanding pivoting, proxychains, and how traffic can be routed (via HTTP, TCP, etc.) is very important to the exam. If you have managed to compromise the entire network with Metasploit and still have a few days left, you can try to challenge yourself to do the exam manually.

Although you are allowed to use Metasploit for the labs and exam, I would like to emphasize that you should always do this without Metasploit first, as it will help you develop a better understanding of exploitation and the techniques you are using. The coursework covers more than enough of what you need to pass the exam.

Ultimately, the PTP (Penetration Tester Professional) course builds a good foundational methodology and trains you to think critically about the target(s)/systems you are performing a penetration test on.


External Resources

https://tryhackme.com/room/wreath
https://tryhackme.com/room/bufferoverflowprep
https://tryhackme.com/room/internal
https://pentest.blog/explore-hidden-networks-with-double-pivoting/