PNPT Exam Unofficial Lab Prep

All About the Practical Network Penetration Tester cert and how I am prepping to crush the exam

LB
Apr 28, 2023

# About Me

I’m a SOC analyst well on my way to achieving my goal of becoming a pentester. Before becoming a SOC analyst and studying for this exam, I earned the CompTIA A+, Net+, Sec+, and Pentest+ certifications. Now, before getting those certs under my belt, my passion for cyber security started with rooting Android phones to customize whatever I wanted, and doing mischievous things to my local Wi-Fi networks.

When this post was initially created, I had not earned my PNPT, but I am happy to say that now I have. I credit this to the support of my family, friends, and all the work and studying that I put in.

# About the PNPT

The Practical Network Penetration Tester exam from TCM (The Cyber Mentor) is exactly what it sounds like. It’s an exam that mirrors a real-world pentest and tests your ability to perform under those conditions.

Unlike its major competitor, the renowned OSCP from Offensive Security, you get five whole days to perform your penetration testing instead of 24 hours, and then an additional 2 days to write your report instead of the 1 day you get from Off-Sec. They both test the same skills, while OSCP is additionally testing your ability to perform under extreme pressure. The cost is also a major difference, with $399 for the PNPT and coursework and $1599 for the exam and coursework for the OSCP.

Now, enough about the OSCP, this is about my journey towards earning the PNPT, although it will be a stepping stone towards achieving the OSCP in the future. The coursework is amazing and budget-friendly since they put out promotions and discounts all the time if you follow their Discord. Even after getting my Pentest+ and doing a ton of labs on TryHackMe and HackTheBox, I learned a ton through Heath Adams’ courses. The material is straightforward and provides a strong foundation for all the tactics and techniques you should need to start testing real-world environments and cracking boxes on both THM and HTB.

# Prep

Obviously, the first thing you should do, and what I did, is enroll in TCM’s courses and go through that material. There are 3 courses that are considered a must-know in order to pass the exam.

# PEH (Practical Ethical Hacking)

At a high level, this course will teach you good note-keeping skills, basic networking, an intro to Linux/Python/scripting, the hacker methodology, reconnaissance skills such as hunting for breached credentials or enumerating subdomains, initial scanning and enumeration, exploitation basics, buffer overflows, Active Directory fundamentals such as building up your own lab and attacking it both pre- and post-compromise, exploiting the OWASP Top 10, wireless pentesting basics, and even report writing and career advice.

For a price of $29.99 without any discounts or promos, that’s a ton of material. The first 12 hours are even available for free on YouTube so you can see if it’s something you want before committing.

# OSINT Fundamentals

This course is all about doing passive recon on a target from an external standpoint, in order to enumerate an attack surface and research information that may provide your way into a target environment.

It will teach you how to enumerate information from images and utilize search engines, websites, and social media. You will learn how to hunt for breached credentials, email addresses, phone numbers, and other personal information that can be exploited during an engagement to get initial access, and even how to build an OSINT lab and write a report.

# External Pentest Playbook

The main course, the PEH, has a heavy focus on attacks and techniques you can perform with the intent of breaking into a network. This course is all about figuring out HOW to get into a network. It will briefly go over OSINT fundamentals, attacking login portals such as o365 and OWA, bypassing MFA, and all the common pentest findings that can lead to this initial access. It also provides other useful information such as the importance of checklists, client communication, and how to write a report and wrap up an engagement with a client.

# Linux PrivEsc and Windows PrivEsc Courses

Now, neither of these courses has officially been stated as being needed to pass the exam, but the material they both teach you is still important and worth going through. They will teach you how to go from that lowly user “www-data” or “bob-not-an-admin” to that oh so satisfying “root” or “NT AUTHORITY\SYSTEM.” If you don’t know what a cron job, a SUID bit, or an unquoted service path is, and a Potato attack makes you think of french-fry abuse instead of sweet sweet victory, these courses will be for you.

# MY PREP

Finally, what the title of this post is about: my prep for this exam. I started by doing all these courses, at least once. Next, I found an unofficial list of Active Directory, Linux, and pivoting labs that were recommended in the TCM Security Discord. My plan? PWN them all! As of now, I have done most of them and am working on the last ones as I get ready for the exam. I found the list on the r/PNPT subreddit, but it is quoted as being from the Discord. If anyone wants to ping me the original poster’s details, I will update this post with credit to them.

Most of the boxes in this list are on the TryHackMe or HackTheBox platforms. Both platforms offer a gamified way to learn and attack real machines to test your hacking skills. They both offer guided labs, networked machines that require pivoting skills, and stand-alone boxes where you get no hints and just need to figure out how to exploit the box and escalate your privileges.

For HTB, since a lot of these are retired boxes, you will need a subscription, and for some of the THM boxes you will need one as well. Even if you aren’t going to do older boxes but plan on working on some of the labs on these platforms, I recommend doing the paid plan instead of the free one so you can have a dedicated VIP VPN connection just for stability purposes.

Sign Up for TryHackMe

Sign Up for HackTheBox

At the bottom of the PNPT CTF list, there are two unique items: building your own AD lab and attacking it, and OWASP Juice Shop. In the PEH course mentioned above, you will learn how to build a lab, and it’s a GREAT way to practice all the attacks you learn through the course. OWASP Juice Shop will also be shown in the course, and it’s an intentionally vulnerable web app to practice attacks against, with multiple difficulty levels and cool challenges.

# Up Next

Complete all the labs in the list and pass the PNPT :)

# Resources

OWASP Juice Shop | OWASP Foundation

**All images in this post are property of TCM Security**
