The Ultimate eCPPTv2 Writeup
Here are my thoughts on the eCPPT certification.
Published: May 16, 2021
Reading Time: 13 minutes
Who am I?
I decided to take this exam when I was six months away from graduating college with a bachelor’s degree in Cyber Security. The reason I wanted to take this exam was that I was dying to get a job in Cyber Security as a penetration tester and I did not feel like my degree gave me the knowledge or experience needed to get into the security role I wanted. I had just completed eJPT in December of 2020 and around the beginning of January 2021 I felt like I was ready to start on another certification.
With the exam lasting 7 days, I think it would be helpful to break down how the exam went by day.
I started the exam around 8:30 AM. eLearn exams are unique in the sense that you don’t need to schedule a time or date to take the exam, you simply press start exam. After reading the rules of engagement letter, the correct path forward is fairly obvious. Around 11:30 I got an initial foothold and around 1:00 I had rooted my first machine. This is easy! I took a break to grab some food and go for a walk, only to come back to a brick wall that I would then proceed to bang my head against for the next 24 hours…
I should have followed a more methodical approach to testing. I was throwing everything I had against the wall to see what would stick. I should have tested everything starting from the most obvious solution first.
I did not get any machines on Sunday and around 5 pm decided there was still plenty of time to take a break so I went out to dinner and called it a night. While I didn’t get any more machines, I made a lot of progress in terms of conceptually understanding what I was doing.
I think I would have made progress on day 2 if I had spent more time learning the limitations of proxychains and tools used with it.
After getting home from work I finally had a realization that I was WAY overcomplicating things. The principle of Occam’s Razor should have been a part of the course objectives. Machine number two rooted around 7 pm, only to hit another wall for the remainder of the day. I went to bed around midnight.
I did not make much progress on day 4. This was super frustrating but keeping a level head is half the battle. I was obviously missing something very simple…
I was getting a bit nervous; instead of being methodical and taking the time to understand what was going on, I just started trying whatever came to mind. Probably not a good strategy for an exam, or really for anything in life.
I got home from work with a fresh mind and finally rooted the third machine… wow. Not at all what I was expecting. I could have gotten this machine and the last machine if I had just started with the simplest solution instead of dramatically overcomplicating it. Remember, if the front door is locked and someone gives you a set of keys, don’t give up and resort to busting down the door, try the other keys!
Ah, the dreaded buffer overflow machine. I knew that this machine was next up and I was fairly confident that this would be a piece of cake. Lots of people are scared of buffer overflows because they are very low-level exploits, but the difficulty means lots of people have very good instructions for how to get your exploit working. I spent the rest of the day setting up my Windows 7 virtual machine and testing my exploit. I finally got it working on my local test environment after some tinkering. I decided to go to bed and launch the exploit the next day since it was already 2:00 am and I had to be up for work soon anyway.
I think getting out of my house and going to work HELPED me take my mind off the exam (which forced me to forget about all the rabbit holes I had fallen down). While I would recommend getting as much time off as you can, I would make sure if you’re stuck to get out of the house for a couple of hours. However, in hindsight, I should have tested my exploit in the exam before going to bed for the night, but I was very confident that it would work in the exam since it had worked on an identical virtual machine. Also, be sure to set up a Windows 7 machine beforehand. Don’t waste your precious lab time doing this.
Got home from work, made some coffee, and fired my exploit, fully expecting to get a shell. After all, if it worked in my identical virtual machine there is no way it would not work in the exam machine. Boom, easy machine. Right? Wrong. I didn’t get a shell… Huh? I tested again on my local environment and it worked as expected. Tested again in the lab and it failed again. From a technical standpoint, I knew exactly how to exploit the buffer overflow: spike, fuzz, find the offset, overwrite EIP, find bad characters, generate shellcode, and run the exploit. What was going wrong? I knew that there was a certain twist that makes this buffer overflow a little different than something you would practice on such as vulnserver, but what was it? I went to bed super late and got terrible sleep knowing I was running out of time.
Looking back, I’m not sure there is anything I could have done to better prepare for this. The preparation I had done was enough to get the exploit working; the problem I was running into wasn’t that my exploit wasn’t working, it was that I wasn’t receiving a shell. Why was that? Hmmm…
I woke up around 6:30 am and luckily I was able to take the day off work and just focus on my exam. This was by far the most frustrating day. I finally figured out why my exploit wasn’t working around 8:00 pm. Looking back, it’s clear to me that my lack of sleep and dwindling confidence that I would pass the exam played a massive role in me taking so long to figure it out. I wasn’t just thinking outside the box, I was thinking outside the scope of the exam with 95% of the stuff I was trying. For the exploit development part, if it’s not covered in the course, you don’t have to learn it for the exam… An unexpected hurdle I encountered was simply getting from this now rooted machine to the final DMZ machine. I got laser-focused at this point and luckily I was able to figure it out around 1:00 am. 7.5 hours left to go in the exam and one final box left. I finally got root on the last machine around 6:00 am with only 2.5 hours left in my lab time. Way too close for comfort, but luckily this machine reminded me of a lot of Hack The Box machines. It was very CTF-like and the path forward was very obvious from the instant you got onto the machine. With that, I was done.
Wow, that buffer overflow was annoying. If something is working on a local test machine but not in the exam, work backward to figure out why you could be failing to receive a shell.
I finished my exam on Saturday around 6:30 am so I gave myself the weekend to catch up on some much-deserved sleep and relaxation, and on school work. I used a template I had previously created to start my report on Monday. I ended up not finalizing it until Friday morning because I had so much other stuff going on (preparing to graduate, working, moving apartments). In the beginning, I was manually taking screenshots using Flameshot and using Obsidian for note-taking. I would highly recommend this if you already know markdown formatting (it’s not that hard, just takes some getting used to). On day 4 I was getting sloppy with taking screenshots and decided instead to try something new. I used OBS to take a screen recording of my entire desktop. That way I could focus more on the exam and less on taking notes and screenshots. This was super helpful but was also very tedious as I had to go back through the HOURS of video to grab screenshots. If I had to do it over again I would screen record from the get-go but only use it as a backup for any missed screenshots. In total, my report was a little over 30 pages of mostly attack narrative (how I exploited each machine). When you get to the reporting phase you have already done the hard part, so make sure you put equal effort into the report. There is no downside to writing a killer report.
I have heard that it takes some people the full 30 days to get their report graded. I submitted my report on Friday at 11:00 am and it was approved within two hours, at 1:00 pm. I was in shock at how fast it was approved.
How I studied
I would not recommend studying the way I did. I started studying around the beginning of January and blasted through the network security, Linux exploitation, and web app portions of the course within probably three weeks. This was a terrible idea. I was studying upwards of 3-4 hours a day and while I was taking notes, I wasn’t retaining a lot of information. This ended up hurting me in the long run because I had to go back and re-learn some of the material, which was made much more difficult by the fact that I already knew some of it, which made re-reading super boring.
I decided to go through all the PowerPoints before I touched the labs. My reasoning for doing this was based on the idea that I wanted to optimize for speed rather than retention since I would be able to use my notes on the exam. It is very hard to switch gears from taking notes on PowerPoint slides to applying that knowledge to a lab environment, so my idea was to get all the information in notes and my head, then apply it in the labs. This was also a terrible idea. By the time I finished the PowerPoints I had forgotten how to do the labs, which led to going back to the PowerPoints anyway.
Make a note, mental or otherwise, of all the PowerPoints and their corresponding labs. Then go through the material. Break up your studying into 1-2 hour sessions over a longer period. It will take a few months to get through all the material, but when you are done you will know you are ready for the exam.
I ended up taking about 78 pages of notes while studying for the exam. I would recommend taking as many notes as you can.
Pros and cons of the exam
Pros:
- 1 week to take the exam and 1 week to write the report, which is plenty of time
- Great training material
- A ton of practical experience
- Great practice for report writing
- Frustrating, but rewarding exam
- Insanely fast turnaround time for report feedback
Cons:
- 1 week to take it (lots of mental resources go into a week-long exam; you never really stop thinking about it until you pass)
- Some parts of the exam feel like “gotcha” moments
What concepts were on the exam but not covered in the course?
Overall I think the course did a good job of covering what was expected of you in the exam. In fact, I think it way over-prepared you. There is a LOT of material that is very useful to know for the real world, but not covered on the exam. While this is good from the perspective of learning different tools and techniques, it makes it difficult to narrow down which technique you need to use on the exam. This means just knowing the material is not enough; you need to understand when to apply it. The only area of the course that I don’t think was covered enough was pivoting. Proxychains was essential to do nearly anything in the exam. While it WAS technically covered in the course, it was not super helpful content.
It should also be noted that while there are sections in the course for PowerShell, Wi-Fi hacking, and Ruby, they are not needed in the exam.
Why did you choose eCPPT over OSCP?
There are a few reasons I decided to get eCPPT over OSCP. Obviously OSCP is more well recognized in the industry; however, I was less concerned with having the resume fodder and more interested in getting the best training. A few people out there have said that eCPPT is more realistic than OSCP both in terms of the exam and the training. That being said, OSCP is still on my to-do list as it’s kind of the industry standard right now (although I think that is going to change over the next couple of years). Another reason I decided to get my eCPPT over OSCP comes down to having a great experience with the eJPT exam. I knew that the eCPPT was next in line on the eLearn side of things and really enjoyed everything I have seen from them.
How does eCPPT compare to eJPT?
The eJPT is a great introduction to penetration testing and I am really glad I got it. However, the eCPPT is not just the next step up, it is a massive leap in terms of practical knowledge. It is possible to go from eJPT to eCPPT, but it is not as simple as just learning more tools and techniques. While eJPT introduces these tools and techniques, eCPPT introduces much more and tests you to ensure you can apply them to a real-world network. The eJPT is like running a 5k: you should have some practice before attempting it, but you will still make it if you know what you’re doing. The eCPPT is like a marathon: you need to have put the time in preparing for it, and you probably won’t make it in time if you didn’t put any effort into training. Even if you’ve run multiple marathons before, it’s still going to be hard, time-consuming, and a (mental) workout.
Where do we go from here?
Now that I have this certification under my belt, I want to focus more on getting some real-world pentesting experience at my current position. I think I will be going after the eWPT next since the SANS GWAPT training is $7500 and they seem to cover a lot of the same content. I also would like to get OSCP at some point this year since it seems to be a rite of passage for a lot of people.