🛣️RoadMap & My Experience

The path to becoming a penetration tester is like a winding river, ever-changing and unpredictable. To navigate it, one must be adaptable, resourceful, and always willing to learn.

The journey to becoming a penetration tester is a lifelong one. It is a journey of continuous learning, discovery, and self-improvement.

I'm writing this 'review' to assist aspiring candidates in their journey towards obtaining the eCPPTv2 certification. My aim is to share the resources, insights, and tools essential for preparation, offering advice and addressing common concerns. Unlike the eJPTv2 exam, where you have a only two days to tackle everything alongside multiple-choice questions, the eCPPTv2 certification presents a different challenge. This exam grants you a generous timeframe of 7 days to compromise the entire environment and an additional 7 days to compile a comprehensive professional report detailing all identified vulnerabilities, their criticality, and proposed resolutions.

While seven days may seem ample, completing the exam in less time is entirely feasible. Personally, I managed to conquer it within four days, allowing myself one day of respite, and dedicated two days to crafting a detailed report spanning a total of 80 pages. Is it worth the effort? Undoubtedly. The eCPPTv2 certification rigorously evaluates your prowess in pivoting, buffer overflow exploits, and, most importantly, your comprehension of the pentesting process. Success hinges not on merely reaching the root but on uncovering every vulnerability within the environment. Hence, a robust methodology and thorough enumeration are indispensable. Unlike conventional CTF challenges, you won’t find user.txt or root.txt flags; instead, you’ll encounter files containing crucial information such as passwords, IPs, or network segments, facilitating your progression within the network. I recommend using a diagram/map of the entire environment since otherwise you can get very involved and it is better to work organized, for example Excalidraw.com or Draft.io.

Not having much experience in writing reports, it was not easy and I recommend practicing beforehand. I received the positive result after just 24 hours, unlike what you read online of 15/25 working days.

Here are some tips and insights to aid your preparation:

Thoroughly Review the Letter of Engagement: Pay close attention to the “Letter of Engagement” document as it provides insights into the exam’s structure and requirements. This document must be included in your final report, along with a graphical representation of the compromised areas marked in red.
It’s Not a CTF: Unlike traditional Capture The Flag (CTF) challenges, the eCPPTv2 exam is designed to be more approachable.
Master Metasploit: Proficiency in utilizing Metasploit is paramount, as a good portion of the exam necessitates its usage.
Emphasize Post-Exploitation Techniques: Effective post-exploitation strategies are crucial for gathering information and pivoting to other machines.
Mind Your Nmap Switches: Be cautious when using Nmap with non-aggressive settings. Setting it to -T1 can prevent accidental resets and loss of progress during scanning or pivoting.
Patience is Key: Don’t be discouraged if it takes the full 7 days to compromise the environment. Persistence pays off in the long run.
Act like you’re a journalist: Take as many screens as possible during the 7 days of access to the lab, or if possible start filling out the report at the same time, because if you forgot to track something, it would be a problem.

Creating a customized homemade lab, composed of three or more network interfaces is the best training for this exam, starting with network of 2/3 interfaces and machines without vulnerabilities (direct access with SSH for example, see here), increasing the network interfaces with more vulnerable machines (including one vulnerable to BoF, such as Brainpain).

Remember that you already have an OVA machine on your VMWare/VirtualBox running on Windows 10, with ImmunityDebugger and the Mona plugin installed, to be used to test and prepare the shellcode to exploit the BoF-vulnerable software running on one of the machines on the network.

The PowerShell, Wi-Fi Security and Ruby modules are certainly important, but not mandatory for passing the exam.

Personally I didn’t follow the INE course, but I relied on the resources found online that I tried to list on my github.

Here below the path I used and which I would recommend to reach a level necessary to pass the exam. 👇

Background Information

OpenVPN 🏠 THM Room
Linux Fundamentals Module 🏠 THM Room
Windows Fundamentals Module 🏠 THM Room
What is Networking 🏠 THM Room
Intro To Networking 🏠 THM Room
Intro To LAN 🏠 THM Room
HTTP in Detail 🏠 THM Room
DNS in Detail 🏠 THM Room
Intro To Offensive Security 🏠 THM Room
Pentesting Fundamentals 🏠 THM Room
Passive Recon 🏠 THM Room
Intro to Research 🏠 THM Room
Google Dorking 🏠 THM Room
Python Basics (to understand the working of exploit) 🏠 THM Room
Active Recon 🏠 THM Room
Vulnerabilities 101 🏠 THM Room
Reverse Shell & Bind Shell 🗒️ Hacking Tutorials Article
eJPTv2 Ine Full Course 🗒️ eJPTv2 Notes
⏩ Linux Course (Italian)🤌 🇮🇹
⏩ Ethical Hacking Course (Italian)🤌 🇮🇹

Tooling

BurpSuite: The Basics 🏠 THM Room
BurpSuite: Repeater 🏠 THM Room
Hydra 🏠 THM Room
Nmap 🏠 THM Room
Nmap Live Host Discovery 🏠 THM Room
Metasploit: Introduction 🏠 THM Room
Metasploit 🏠 THM Room
More Detailed Tutorial of Metasploit 🗒️ NoobLinux Article
Nessus 🏠 THM Room
WireShark The Basics 🏠 THM Room
Tmux 🏠 THM Room
TShark 🏠 THM Room
H4cked 🚩 THM CTF 🟢 - My Writeup
Smag Grotto 🚩 THM CTF 🟢 - My Writeup
Lazy Admin 🚩 THM CTF 🟢 - My Writeup
Carnage 🚩 THM CTF 🟠 - My Writeup
Warzone 1 🚩 THM CTF 🟠 - My Writeup
Mr Robot CTF 🚩 THM CTF 🟠 - My Writeup
Anonymous 🚩 THM CTF 🟠 - My Writeup
Misguided Ghost 🚩 THM CTF 🔴 - My Writeup

Web

OWASP top 10 🏠 THM Room
Inclusion 🏠 THM Room
Injection 🏠 THM Room
Web Application Security 🏠 THM Room
Overpass2 🚩 THM CTF 🟢 - My Writeup
Vulnversity 🚩 THM CTF 🟢 - My Writeup
Basic Pentesting 🚩 THM CTF 🟢
StartUp 🚩 THM CTF 🟢 - My Writeup
All In One 🚩 THM CTF 🟠 - My Writeup
Daily Bugle 🚩 THM CTF 🔴 - My Writeup

Post Exploitation

Post Exploitation Basics 🏠 THM Room
Sudo Security Bypass 🏠 THM Room
Sudo Buffer Overflow 🏠 THM Room
Windows Privilege Escalation 🗒️ Hackersploit Article
Windows Privesc Arena 🏠 THM Room
Linux Privesc Arena 🏠 THM Room
Windows Privesc 🏠 THM Room
Bypass UAC 🏠 THM Room
⏩ MsfVenom Guide (Spanish) 🇪🇸
Simple CTF 🚩 THM CTF 🟢 - My Writeup
Blaster 🚩 THM CTF 🟢 - My Writeup
Blue 🚩 THM CTF 🟢 - My Writeup
Bounty Hacker 🚩 THM CTF 🟢 - My Writeup
Ignite 🚩 THM CTF 🟢 - My Writeup
Kenobi 🚩 THM CTF 🟢 - My Writeup
Capture the flag 🚩 THM CTF 🟢 - My Writeup
Pickle Rick 🚩 THM CTF 🟢 - My Writeup
Empline 🚩 THM CTF 🟠 - My Writeup
Internal 🚩 THM CTF 🔴 - My Writeup

Buffer Overflow

INE eCPPT BoF Material 🗒️
TCM BoF Material 🗒️
Post Exploitation Basics 🏠 THM Room
Sudo Buffer Overflow 🏠 THM Room
Tiberius Buffer Overflow Prep Room🏠 THM Room
Brainstorm 🏠 THM Room
Gatekeeper 🚩 THM CTF 🟠 - My Writeup
Brainpan 1 🚩 THM CTF 🔴 - My Writeup
🗒️ https://github.com/Tib3rius/Pentest-Cheatsheets/blob/master/exploits/buffer-overflows.rst
🗒️ https://github.com/gh0x0st/Buffer_Overflow
🗒️ https://boschko.ca/braindead-buffer-overflow-guide-to-pass-the-oscp-blindfolded/

Pivoting

INE eCPPT Pivoting Material 🗒️
Pivoting using Metasploit 🗒️ TutorialsPoint Article
ContainMe 🚩 THM CTF 🟢 - My Writeup
Wreath 🏠 THM Room - Writeup
🗒️ https://www.offsec.com/metasploit-unleashed/pivoting/
🗒️ https://pentest.blog/explore-hidden-networks-with-double-pivoting/
⏩ Home Lab: ProxyChains - eCPPT prep
⏩ Pivoting with Ligolo
⏩ Pivoting with Metasploit (Spanish) 🇪🇸
⏩ Manual Pivoting using Chisel and Socat (Spanish) 🇪🇸
⏩ Double Pivoting (Spanish) 🇪🇸
⏩ Pivoting Manual Playlist S4vitar (Spanish) 🇪🇸

Reporting

It's a good choice use one of these source: TCM's template, Offensive Security's pentest report, the ITProTv sample report, and INE's reporting guide.

Other Resources

CheatSheet

🗒️eCPPT — CheatSheet

PreviousHow to write a PT Report NexteCPPT Cheat Sheet

Last updated 7 months ago