How to Try eCPPTv2 w/o INE Premium (International Edition)

Htin Aung Lu
10 min read · Nov 23, 2023


The road we take is more important than the goal we announced!
~ Dongoth of MHU

Why did I write this?

I have already shared this review in my local language version; you can read it here. Now, I aim to present the same blog in English, perhaps for a portfolio. My focus is on how to approach passing the certification exam without relying on an INE subscription. The certification examination itself offers a gratifying experience, making this write-up a valuable resource for those keen on entering the field of penetration testing. With the sincere intention of benefiting aspiring pentesters, let’s dive into the details.

How?

Prior to purchasing the exam voucher, my savings were earmarked for TCM Security’s PNPT certification. Simultaneously, I was engaged in TCMsec’s PEH course, which I acquired at no cost during my saving period. As I continued my preparations, I came across a resource shared by Ko Min Ko Ko (Thanks a lot Ko Root, xD), offering eLearn certifications at a more affordable discounted price. Intrigued by this opportunity, I decided to invest in an eCPPTv2 voucher and commenced my preparations for this certification.

Time taken?

It took nearly two months from the time of purchasing the voucher to the actual exam attempt. Due to budget constraints, I opted for the exam voucher at a discounted rate and couldn’t afford the INE Premium subscription, which costs $749 plus $200. Undeterred, I gathered valuable insights into the exam format, tips, and cheatsheets from various alternative sources. Much of this valuable information was acquired through contributions from the community on this subreddit.

How to study?

Initially, as mentioned earlier, I was concurrently enrolled in the free PEH course, allowing me to draw substantial information from that program. Having learned that eCPPT did not cover Active Directory (AD), I temporarily set aside the AD-related aspects. Another invaluable resource was HTB Academy, where I had been actively involved for four months prior to acquiring the voucher, giving me a solid foundation. Specifically, I highly recommend focusing on the Pivoting and Tunneling, Windows Privesc, Linux Privesc, and Metasploit modules from HTB Academy. While these modules come at a cost, approximately $30, the comprehensive coverage, practical labs, and provided cheat sheets make them a worthwhile investment for thorough exam preparation.

According to my research on Reddit, the lab I employed for practicing pivoting was the Wreath Network on Try Hack Me. A crucial aspect is to initially follow the provided guidelines. If you’ve completed HTB Academy’s Pivoting and Tunneling module, I recommend undertaking the subsequent rounds using your own methods. It’s beneficial to approach the labs from different angles, completing at least three rounds with distinct strategies. Additionally, I found the guidance in the following blog post to be particularly helpful.

THM Wreath Network

If you’re unfamiliar with buffer overflows, Heath Adams’ tutorial in the Buffer Overflow section of the basic PEH course is highly recommended. This tutorial employs the traditional approach, walking through the entire methodology with Immunity Debugger and Mona. You can practice this technique using vulnserver in your own VM. For a deeper understanding of the internals and fundamentals, HTB Academy offers free Binary Exploitation modules for both Windows and Linux, using x64dbg as the debugger. If you prefer a different approach from the usual tutorials, this might be a suitable option to explore. Moving on, I recommend hands-on practice with Brainpan and Gatekeeper from Try Hack Me. This is not just something to watch but requires active engagement, as it enhances your understanding of specific areas that prove beneficial during the exam. While the exploitation part may not be too challenging for those experienced with HTB and THM boxes, beginners are advised to tackle THM’s Blue and HTB’s current free box with available write-ups before attempting the exam.

Stack Based BOF is too old xD

Here are some public resources for BOF.

Once you’ve achieved the ability to independently complete HTB’s medium box with minimal hints, mastered the Wreath network using your own methodology rather than solely relying on guidelines, and demonstrated proficiency in basic stack-based Buffer Overflow, you are ready to embark on taking the exam. xD

Unexpected problem

On the day I decided to attempt the exam, I began with a morning walk and some stretching to clear my mind. Once settled at my desk, ready to open the exam portal, I was met with a sudden shock — a realization that the exam I had purchased seemed to have vanished.

In a state of panic, I promptly reached out to support via email and also sought assistance on Reddit. Unfortunately, support remained unresponsive, likely due to it being a Sunday morning. However, a helpful Redditor shared a similar experience and suggested reaching out to support directly, assuring me that the issue could be resolved. Trying to stay calm, I waited patiently.

The following day, a Monday, around 3:30 in the evening, I received an email from support stating that the exam had been successfully restored. Fearing a recurrence of the issue, I wasted no time and promptly commenced the exam. (I think there seemed to be an error during the transition when INE fully took over eLearnSecurity.)

How is the exam?

As soon as the exam commenced on the portal, the VPN file was provided. However, it’s important to note that the .ovpn file supplied did not work out of the box with the newer OpenVPN client, requiring some adjustments to be made. Refer to the image below for further clarification.

openvpn file edit

The exam grants network access for a total of 7 days, with an additional 7 days allocated for report writing. The objective involves identifying all machines from the public web server to the DMZ, scrutinizing vulnerabilities, and gaining root access. Following successful penetration, a crucial component of the assessment involves producing a professional-level, commercial-grade report. This report must include comprehensive details of the vulnerabilities found, accompanied by remediation advice. The exam begins with a Letter of Engagement, outlining the terms and expectations. Conveniently, network subnets are provided to facilitate the process.

During the Exam

As I connected to the VPN and started with the first IP given, I encountered a web server. Skipping a full scan, I leveraged ffuf, wappalyzer, and Google to discover an exploit, eventually gaining shell access through Metasploit. Further enumeration on the server led me to root the machine. It’s crucial to note that the exam’s objective extends beyond rooting all machines; finding as many vulnerabilities as possible is equally important. Therefore, my focus was on identifying and documenting as many vulnerabilities as I could, capturing screenshots for thorough documentation. I even employed Nessus to scan for any remaining vulnerabilities.

With root access on the initial server, I scanned the subnet provided in the Letter of Engagement, discovering additional targets. The ability to use Metasploit was advantageous, allowing me to launch a meterpreter shell and use autoroute, socks proxy, and proxychains for efficient enumeration on these targets, eventually gaining system access. From these targets, I extracted information for the subsequent ones, including the binary and source code for the Buffer Overflow (BOF) challenge. This initial phase took approximately 6 hours, prompting me to conclude the day and reserve the BOF for the next.

While I typically exploit the binary on the local VM, a desire for more detailed reporting led me to consult ChatGPT on remediation strategies for the source code. After successfully remotely exploiting the BOF, I encountered some challenges in extracting specific information within the machine, causing panic and setbacks throughout the day. What ultimately saved me on the next day was the attention to small details from the Windows PrivEsc Module cheatsheet from HTB Academy, as mentioned earlier.

By the morning of the third day, I had achieved full enumeration and gained access to the DMZ machine through double pivoting. Once a foothold on the DMZ machine was established, privilege escalation felt like a reward, providing an open path to root access. However, to ensure a comprehensive report, I ran additional scanners on the machine. To enhance the visual appeal of the report, I set up port forwards and captured meterpreter shell sessions from all machines. As no further targets were identified, this concluded the exam phase.

I apologize if the overview seems superficial; however, in adherence to the NDA, I’ve provided information without revealing spoilers.

The hardest part

The most challenging part of the process was undoubtedly the report writing phase. While completing the exam early offered some convenience, it introduced its own set of complexities. Having continued lab access during the report-writing period allowed me to revisit and capture better screenshots if needed. To streamline the documentation process, I developed Metasploit resource scripts for the exploits discovered. Running these scripts allowed me to efficiently review and decide what to include in the report.

Despite the time-saving measures, the commercial-grade requirement added layers of complexity to the report. Incorporating elements such as a Table of Contents, classification of vulnerabilities, CVSS score calculation, writing detailed remediation strategies, and finding credible references became essential. The report-writing phase proved to be more demanding and exhausting than the actual exploitation. It took approximately 5 days to produce a comprehensive report.

On the 8th day, I submitted the report. However, post-submission, upon reviewing it once again, I discovered a color discrepancy that induced a moment of panic.

The harder than hardest part

What proves to be even more challenging than the reporting is the waiting period. I found myself checking my email approximately 285 times a day, eagerly anticipating the results. During this time, a Reddit user shared their experience, mentioning that they had been waiting for 26 days without receiving the results, intensifying my sense of anticipation. Fortunately, on the 30th day, this individual received a reply confirming their certification, providing a slight sense of relief. However, the habit of checking my email persistently, 285 times a day, remained. :3

Waiting is Pain in the Arse!

Finally, after enduring a prolonged 21-day wait, I received an email from INE, officially confirming my status as an eCPPTv2-certified professional. The culmination of this journey brought a mix of satisfaction and accomplishment.❤️

email getting back
My eCPPT Cert

Some suggestions

When exploring the advice in the community, many suggest using msf4 and avoiding updates to Kali. However, my preference is to stay consistently updated and upgraded with the latest release tools, and I’ve encountered no issues during the exam. It’s important to remember that in the world of penetration testing, there is more than one way to do it.

What’s the first important thing to do when gaining access to a Linux machine? And what should you do first once you get into a Windows machine? These are two crucial aspects, and you need to see them from a pentester’s point of view.

For those not new to networking, like myself in my role as a NOC engineer in an ISP, tasks such as pivoting and port-forwarding may come naturally. However, many individuals on Reddit find this aspect challenging, and I’ve even provided assistance to someone in need. To excel in this area, it’s essential to practice visualizing the network hierarchy and architecture vividly in your mind, even with your eyes closed. If you’ve successfully tackled the Wreath Network on THM with your own approach, as mentioned earlier, you should be well-prepared. A highly beneficial practice is to set up about five VulnHub machines in a home lab VM, creating subnets to simulate real-world scenarios for extensive practice.

Conclusion

The exam experience is commendable, but it might be time for an update, perhaps as version 3 (v3). The vulnerabilities seem a bit dated, and while I understand that real-world scenarios often involve legacy systems, injecting more challenging and advanced exploits could enhance the certification’s relevance. Additionally, the transition with the INE takeover has been less than ideal. The prolonged waiting period for exam results and the incident where the exam disappeared before attempting were significant inconveniences. The discontinuation of the eCPTX exam, focusing on Active Directory, is another aspect I find disappointing.

In conclusion, despite these concerns, if you’re seeking a certification that provides a blend of real-world pentest experience and professional report writing skills, the eCPPTv2 remains a valuable choice.

See you soon

Disclaimer: I used Google Translate and ChatGPT for about 60% of converting my local version to this.
