How I passed PJPT (Practical Junior Penetration Tester)

Introduction

I recently passed TCM Security’s PJPT exam and earned an early adopter badge which means I’m one of the first 100 individuals to pass this new exam. TCM Security recently released their latest certification called Practical Junior Penetration Tester while I was preparing for PNPT. I decided to take a chance at it and I’m glad I did as it gauged my knowledge and readiness for PNPT. This is certification is supposed to be like the little brother to PNPT which is their more advanced certification.

Course Review

The course needed to pass this exam is TCM Security’s PEH, Practical Ethical Hacker course. The course is around Active Directory. From Enumeration to Post Compromise. I was able to go from knowing nothing about Active Directory to having a decent understanding of what it is, how it works and how I can attack it using various methods and tools. Although not necessary, it’s recommended to do your own research on the tools and methods being used, look at github repos or read blogs about the attacks demonstrated.

Exam Review

From the official certification page “The Practical Junior Penetration Tester™ (PJPT) certification is a beginner-level penetration testing exam experience. This exam will assess a student’s ability to perform an internal network penetration test at an associate level. Students will have two (2) full days to complete the assessment and an additional two (2) days to write a professional report.” The exam environment was extremely stable, I recall having one hiccup and all I had to do was reset the environment. You have full control of the environment meaning you can start whenever you’re ready without scheduling a date and time, pause the exam or reset the environment yourself. The support team was efficient and effective in responding to emails.

Things I did wrong:

1. I went into the exam thinking it would be easy seeing that it was a step below the PNPT and I should be done within maybe 5 hours. This caused me to get frustrated when stuck because I told myself the exam should be easy. Try not to go into the exam with preconceived ideas about the difficulty.
2. I rushed the exam because I wanted the early adopter badge so badly. As of the time of this review the early adopters badges are done so you don’t have to be obsessed with being the one of the first 100 individuals to pass like I did.
3. I treated the exam as a CTF initally. Do not make this mistake, there are no flags. The exam is to mimic a real world engagement. CTF experience did assist in my thought process however.
4. When I got stuck I would use methods outside of the methods taught in the course. As cliche as it sounds, all the information needed to pass the exam is within the PEH course. If you find yourself down the Google rabbithole you may need to dial it back a bit and think simpler.
5. I didn’t pay attention to all the output from my tools. Take the time to look through all the outputs your tools report. Don’t assume, you may miss important information.

Things I did right

1. Just doing it. I put off this exam for days because I thought I wasn’t ready. Have more faith in yourself, the worst case is that you fail. Still take pride in your report and submit it as you’ll get a hint for your next attempt.
2. Did a few CTFs around Active Directory from HTB (Hack the Box)
3. Take breaks. Whenever I felt stuck I would go for a walk or go to the gym. It’s funny how the brain works, when you’re not focused on the task that is stressing you out your brain will continue trying to solve problems and you’ll have that eureka moment when you least expect it.

Conclusion

Shoutout to the TCM Security team for this stepping stone to PNPT. The course was easily digestible and the exam was fun. I recommend this exam to anyone looking to brush up on internal penetration tests or PNPT.