eLearnSecurity Certified Professional Penetration Tester (eCPPT): Overview and How to Prepare for the Exam
The eLearnSecurity Certified Professional Penetration Tester (eCPPTv2) exam is a professional-level penetration testing certification offered by INE/eLearnSecurity. eCPPT prep matters, because the exam tests your skills across web application and network penetration testing, vulnerability assessment, and post-exploitation techniques.
The exam combines a hands-on practical phase with a written report, and evaluates the candidate's ability to perform a real-world penetration test in a simulated network. The goal is to find as many of the vulnerabilities in the network as possible, not just a single path in.
The candidate is expected to write a professional report based on the vulnerability findings. Once the report is submitted, it can take up to a month to receive the results of the exam.
Here are three experiences from the Echelon Offensive Security Team and tips on how to prepare for the exam.
Who is this Certification For?
The eCPPT is designed for people who have prior knowledge of penetration testing. This includes understanding the fundamentals of networking, Linux, web application vulnerabilities, and more.
This certification is the next level up from the eJPT exam. It will teach you techniques such as pivoting, buffer overflows, pillaging, Windows and Linux privilege escalation, gaining persistence, and more.
We would not recommend this certification for complete beginners as there are advanced topics that need to be understood to pass the exam. It will take a lot of preparation, but if you understand most of the topics discussed in the course material, you should be ready for the exam.
Three Experiences from our Offsec Team
Evan Isaac’s Experience
During the studying phase of the exam, I was mainly focused on buffer overflows and pivoting. These two vectors of network penetration testing were new to me. After practicing for about two months on both, I was prepared for the exam.
The exam has you start off with some basic enumeration and gradually requires you to jump into the deep end of network pen testing. They challenge you to know the skills behind what was taught in the course material including privilege escalation, buffer overflows, web application vulnerabilities, pivoting and much more. After studying for a long period of time, I saw patterns in the exam, which led me to complete it in under 24 hours.
The objective of the exam is to not only hack the network, but to write a professional report. After I compromised the entire network, I decided to go back to the start, and start it again with a different mindset. This helped me discover additional vulnerabilities in the network.
Your job as a penetration tester is to find as many vectors as possible in the machine. So, if you finish the exam in a short period of time, just remember that there are probably vulnerabilities that you missed.
One downside to the exam for me was the instability of the lab environment. While attempting to obtain shells on various machines, the shell you were on would die. This was a bit frustrating because I would need to backtrack and do it again.
Additionally, when trying to perform a buffer overflow, it was unsuccessful numerous times. After the 5th attempt, I decided to reset the lab environment. Once the environment was restarted, I ran my script again, and obtained a shell through the buffer overflow right away.
Overall, I believe this is a great certification for people to learn network penetration testing. You will learn a lot, and I suggest using a note-taking application, such as Obsidian, to write everything down. There will be points in the exam where, if you do not have your notes, you may get lost on what to do next.
On a scale of 1-10, I would give the exam an 8 out of 10. I rate it an 8 because of the instability I faced in the exam environment.
Kris Johnson’s Experience
After purchasing the “BOOGO” sale in October of 2022, which is one of the greatest deals INE offers, I immediately began studying. Based on the advice I received from others regarding the test, I knew it would be beneficial for me to focus my studies on topics such as buffer overflows and double network pivoting. Gaining a better understanding of these concepts helped me understand how to move around the network and obtain a session on one of the machines.
Throughout the course offered by INE/eLearnSecurity, I found that a lot of the material was outdated; not to say that it is not helpful, but it could use an update. Nonetheless, I went through the entire course, took plenty of notes, and after completing the course I found plenty of TryHackMe rooms that would help me prepare for the exam.
Remember, this is a practical exam. Knowing the concepts of an attack versus putting hands on a keyboard are very different, and it is always important to understand a concept in both senses.
Overall, I found the exam to be comfortable, but some parts proved to be challenging, such as buffer overflow, privilege escalation, and getting certain exploits to work as intended. To overcome these difficulties, I made a conscious effort to continually research and identify potential vulnerabilities that I might have overlooked.
Fortunately, the exam environment was very stable for me, with the only issue I encountered being a problem with the buffer overflow, where my meterpreter session would terminate after about five minutes.
In terms of difficulty, stability, reporting, time given for reporting, and the practical section, I would rate the exam a 9 out of 10 based on my personal experience.
Jake Murphy’s Experience
I began studying for the eCPPT after about a year and a half of real-world pen testing experience. Most of what I’ve learned in the network pen testing field has been discovered or taught on the fly, so I was really looking forward to filling in some of the gaps that inevitably develop when self-taught.
Three of the sections I really enjoyed (and took a lot from) were pivoting/double pivoting, buffer overflow, and the basics of privilege escalation. After a couple of months of studying, I felt I was ready for the exam.
After starting the exam, I was able to gain access to the first server and started making some steady progress. That is, until I was stumped on a very basic part of the exploit process (know your payloads!). Once I realized my mistake, I continued until I was stuck once again! As it turned out, the answer was right in front of me the whole time, as I was chasing exotic exploitation/escalation payloads. This was the break I needed, as I proceeded to finish the exam.
Overall, I would rate the exam a 7.5 out of 10. I learned a lot from it (especially with pivoting/double pivoting) and would recommend it to anyone trying to get their start in Offensive Security.
As for improvements, I would like to see the content refreshed as some of it is currently outdated. Additionally, host stability was an issue at times, which can make exams extra frustrating for testers.
In the end, the eCPPT was well worth the time invested into it and I still occasionally reference my notes on my client engagements.
A Summary of Pros and Cons from Our Team
Pros:
- You learn new techniques to use in the environment
- You work in a real-world scenario - moving around a network to find all the vulnerabilities
- You are given ample time to complete both the practical phase and the reporting phase
- It teaches you everything you need to know to pass the exam
- Discount codes and sales are always running - just keep a lookout for them (the most popular one is the BOOGO sale, which happens near Halloween and offers a 2-year subscription to all courses on INE and two free certification vouchers)
Cons:
- The course and exam are slightly outdated
- If you are unfamiliar with reporting, it can be tricky to figure out what to put in and what to leave out
- There are no public criteria on how many vulnerabilities you need to find to pass the exam
- The environment can be buggy and crash, meaning you must reset it to continue
- Buffer overflows are not explained properly in the course material (see the “Additional Resources” section below for what we used to learn them)
Helpful eCPPT Prep Tips
When working within the environment, you may get stuck. There are times when you may not know what to do, or you do know what to do but cannot work out why the exploit is not working. When an exploit that should work does not, check the basics before reaching for something exotic: the target architecture and the payload you generated for it, whether your listener is up and the target can actually reach it, and, as two of us found, whether the lab host simply needs a reset. You get seven full days to perform the practical part of this exam, so take your time. Try to think outside of the box and do not give up!
Google is your friend as you prep. Focus on the material that is unfamiliar to you and ensure that you have a good understanding of it before moving onto another topic. If you cannot understand it, there is probably a YouTube video that can explain it clearly with a visual.
Leverage TryHackMe – it’s a valuable resource! This hacking platform has everything you need to understand the fundamentals of penetration testing. They have a ton of Capture the Flag (CTF) challenges to help you practice various attack vectors. In the resource section, I've listed a few TryHackMe rooms to try. If you can complete them, you're on the right track for passing the eCPPTv2. Remember that these rooms are not the only resources you'll need to pass. You'll still need to identify your weak points.
Report as you go through the exam. Do not wait until the last minute to grab screenshots: capture the command, its output and the host it ran on at the time you do it, because lab hosts can be reset and a shell you had yesterday may be hard to get back. On the eCPPT, it is your responsibility to write a professional penetration testing report.
It is also important to understand the difference between a reverse shell and a bind shell, and when to use each. A bind shell listens on a port on the target and you connect in to it, so it only works if you can reach that port through whatever filtering sits in between. A reverse shell connects out from the target to a listener you control, which is why it is the usual choice when the target sits behind NAT or inbound traffic is filtered more tightly than outbound. In a pivoted network this also decides which host has to be able to reach which, so plan your listeners and port forwards accordingly.
Reporting on the Exam
After completing the practical examination, you’ll need to write a professional-level report. The required contents include an executive summary, a vulnerability assessment of what you found, and a table of the vulnerabilities found.
Since formatting in Microsoft Word can be a pain, we decided to use a tool called pandoc. Pandoc takes Markdown and converts it to PDF (it needs a LaTeX installation such as TeX Live to do so). Using a Markdown eCPPT report template from 10splayaSec (located in the Additional Resources section), it was easy to format the report.
After writing the report, you can use John Hammond’s script (located in the Additional Resources section), which runs the pandoc command for you. The only extra requirement is the Eisvogel LaTeX template (eisvogel.latex), which you put in the ‘/usr/share/pandoc/data/templates’ folder on your Linux machine. From there, usage of the script is straightforward, and it will generate your PDF.
It’s important to note that Obsidian uses its own syntax for pictures that are copied and pasted in. Standard Markdown uses “![alt text](Screenshot1.jpg)”, whereas Obsidian uses the wikilink-style embed “![[Screenshot1.jpg]]”, so before generating your report make sure the pictures use the standard Markdown form. If you do not, the pictures will not be rendered in the PDF.
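As an added example (not John Hammond’s script and not part of the original article), here is a small preprocessor that rewrites Obsidian embeds into standard Markdown image links and then invokes pandoc with the Eisvogel template. It goes slightly beyond the plain “![[file.jpg]]” case in the text: it also handles Obsidian’s “|alt text” and “|300” (width in pixels) suffixes, bare filenames that Obsidian resolves vault-wide but pandoc cannot, and paths containing spaces. The attachments-folder argument, the “.pandoc.md” intermediate file name and the function names are this example’s own assumptions.

```python
"""Rewrite Obsidian image embeds into standard Markdown, then build the PDF with pandoc + Eisvogel."""
import re
import subprocess
from pathlib import Path
from typing import List, Optional

# Obsidian embeds: ![[file.png]], ![[file.png|alt text]] or ![[file.png|300]] (300 = width in px)
EMBED = re.compile(r"!\[\[([^\]|]+)(?:\|([^\]]*))?\]\]")


def _convert_embed(match: "re.Match", attachments_dir: Optional[str]) -> str:
    target = match.group(1).strip()
    extra = (match.group(2) or "").strip()
    # Obsidian finds bare filenames anywhere in the vault; pandoc needs a real path, so prefix the
    # attachments folder when one is given and the embed has no directory component.
    if attachments_dir and "/" not in target:
        target = f"{attachments_dir.rstrip('/')}/{target}"
    # A Markdown link destination containing spaces must be wrapped in <...>.
    if " " in target:
        target = f"<{target}>"
    if extra.isdigit():          # ![[file.png|300]] -> pandoc link_attributes width
        return f"![]({target}){{width={extra}px}}"
    return f"![{extra}]({target})"


def obsidian_to_pandoc(markdown: str, attachments_dir: Optional[str] = None) -> str:
    """Rewrite every Obsidian embed in `markdown`; standard ![alt](path) links are left untouched."""
    return EMBED.sub(lambda m: _convert_embed(m, attachments_dir), markdown)


def pandoc_argv(md_path: str, pdf_path: str, template: str = "eisvogel") -> List[str]:
    """The pandoc invocation. --template looks for <name>.latex in pandoc's templates directory
    (e.g. /usr/share/pandoc/data/templates/eisvogel.latex); --listings renders fenced code blocks
    with the LaTeX listings package, which Eisvogel styles."""
    return ["pandoc", md_path, "-o", pdf_path, "--from", "markdown",
            "--template", template, "--listings"]


def build_report(src: str, pdf: str, attachments_dir: Optional[str] = None) -> List[str]:
    """Preprocess the Obsidian report into <src>.pandoc.md, run pandoc on it, return the argv used."""
    source = Path(src)
    converted = source.with_suffix(".pandoc.md")
    converted.write_text(obsidian_to_pandoc(source.read_text(encoding="utf-8"), attachments_dir),
                         encoding="utf-8")
    argv = pandoc_argv(str(converted), pdf)
    subprocess.run(argv, check=True)      # raises if pandoc/LaTeX fails, e.g. a missing image file
    return argv


if __name__ == "__main__":
    import sys
    # usage: python build_report.py report.md report.pdf [attachments_dir]
    build_report(sys.argv[1], sys.argv[2], sys.argv[3] if len(sys.argv) > 3 else None)
```

Run the conversion on a copy rather than your live vault file, and check the intermediate “.pandoc.md” once: an image pandoc cannot find is reported as a LaTeX error that is far less obvious than the missing picture in the PDF.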
The Bottom Line
The exam will help you understand how to move around a network, and the skills learned during the course will help you on real-world engagements. Overall, the exam was fair, and the training was sufficient to pass it.
Additional Resources
- Running a Buffer Overflow Attack - Computerphile
- Buffer Overflows Made Easy (2022 Edition)