🛣️RoadMap & My Experience

The path to becoming a penetration tester is like a winding river, ever-changing and unpredictable. To navigate it, one must be adaptable, resourceful, and always willing to learn.

The journey to becoming a penetration tester is a lifelong one. It is a journey of continuous learning, discovery, and self-improvement.

I'm writing this 'review' to assist aspiring candidates in their journey towards obtaining the eCPPTv2 certification. My aim is to share the resources, insights, and tools essential for preparation, offering advice and addressing common concerns. Unlike the eJPTv2 exam, where you have a only two days to tackle everything alongside multiple-choice questions, the eCPPTv2 certification presents a different challenge. This exam grants you a generous timeframe of 7 days to compromise the entire environment and an additional 7 days to compile a comprehensive professional report detailing all identified vulnerabilities, their criticality, and proposed resolutions.

While seven days may seem ample, completing the exam in less time is entirely feasible. Personally, I managed to conquer it within four days, allowing myself one day of respite, and dedicated two days to crafting a detailed report spanning a total of 80 pages. Is it worth the effort? Undoubtedly. The eCPPTv2 certification rigorously evaluates your prowess in pivoting, buffer overflow exploits, and, most importantly, your comprehension of the pentesting process. Success hinges not on merely reaching the root but on uncovering every vulnerability within the environment. Hence, a robust methodology and thorough enumeration are indispensable. Unlike conventional CTF challenges, you won’t find user.txt or root.txt flags; instead, you’ll encounter files containing crucial information such as passwords, IPs, or network segments, facilitating your progression within the network. I recommend using a diagram/map of the entire environment since otherwise you can get very involved and it is better to work organized, for example Excalidraw.com or Draft.io.

Not having much experience in writing reports, it was not easy and I recommend practicing beforehand. I received the positive result after just 24 hours, unlike what you read online of 15/25 working days.

Here are some tips and insights to aid your preparation:

1. Thoroughly Review the Letter of Engagement: Pay close attention to the “Letter of Engagement” document as it provides insights into the exam’s structure and requirements. This document must be included in your final report, along with a graphical representation of the compromised areas marked in red.

2. It’s Not a CTF: Unlike traditional Capture The Flag (CTF) challenges, the eCPPTv2 exam is designed to be more approachable.

3. Master Metasploit: Proficiency in utilizing Metasploit is paramount, as a good portion of the exam necessitates its usage.

4. Emphasize Post-Exploitation Techniques: Effective post-exploitation strategies are crucial for gathering information and pivoting to other machines.

5. Mind Your Nmap Switches: Be cautious when using Nmap with non-aggressive settings. Setting it to -T1 can prevent accidental resets and loss of progress during scanning or pivoting.

6. Patience is Key: Don’t be discouraged if it takes the full 7 days to compromise the environment. Persistence pays off in the long run.

7. Act like you’re a journalist: Take as many screens as possible during the 7 days of access to the lab, or if possible start filling out the report at the same time, because if you forgot to track something, it would be a problem.

Creating a customized homemade lab, composed of three or more network interfaces is the best training for this exam, starting with network of 2/3 interfaces and machines without vulnerabilities (direct access with SSH for example, see here), increasing the network interfaces with more vulnerable machines (including one vulnerable to BoF, such as Brainpain).

Remember that you already have an OVA machine on your VMWare/VirtualBox running on Windows 10, with ImmunityDebugger and the Mona plugin installed, to be used to test and prepare the shellcode to exploit the BoF-vulnerable software running on one of the machines on the network.

The PowerShell, Wi-Fi Security and Ruby modules are certainly important, but not mandatory for passing the exam.

Personally I didn’t follow the INE course, but I relied on the resources found online that I tried to list on my github.

Here below the path I used and which I would recommend to reach a level necessary to pass the exam. 👇

Background Information

• OpenVPN 🏠 THM Room
• Linux Fundamentals Module 🏠 THM Room
• Windows Fundamentals Module 🏠 THM Room
• What is Networking 🏠 THM Room
• Intro To Networking 🏠 THM Room
• Intro To LAN 🏠 THM Room
• HTTP in Detail 🏠 THM Room
• DNS in Detail 🏠 THM Room
• Intro To Offensive Security 🏠 THM Room
• Pentesting Fundamentals 🏠 THM Room
• Passive Recon 🏠 THM Room
• Intro to Research 🏠 THM Room
• Google Dorking 🏠 THM Room
• Python Basics (to understand the working of exploit) 🏠 THM Room
• Active Recon 🏠 THM Room
• Vulnerabilities 101 🏠 THM Room
• Reverse Shell & Bind Shell 🗒️ Hacking Tutorials Article
• eJPTv2 Ine Full Course 🗒️ eJPTv2 Notes
• ⏩ Linux Course (Italian)🤌 🇮🇹
• ⏩ Ethical Hacking Course (Italian)🤌 🇮🇹

Tooling

• BurpSuite: The Basics 🏠 THM Room
• BurpSuite: Repeater 🏠 THM Room
• Hydra 🏠 THM Room
• Nmap 🏠 THM Room
• Nmap Live Host Discovery 🏠 THM Room
• Metasploit: Introduction 🏠 THM Room
• Metasploit 🏠 THM Room
• More Detailed Tutorial of Metasploit 🗒️ NoobLinux Article
• Nessus 🏠 THM Room
• WireShark The Basics 🏠 THM Room
• Tmux 🏠 THM Room
• TShark 🏠 THM Room
• H4cked 🚩 THM CTF 🟢 - My Writeup
• Smag Grotto 🚩 THM CTF 🟢 - My Writeup
• Lazy Admin 🚩 THM CTF 🟢 - My Writeup
• Carnage 🚩 THM CTF 🟠 - My Writeup
• Warzone 1 🚩 THM CTF 🟠 - My Writeup
• Mr Robot CTF 🚩 THM CTF 🟠 - My Writeup
• Anonymous 🚩 THM CTF 🟠 - My Writeup
• Misguided Ghost 🚩 THM CTF 🔴 - My Writeup

Web

• OWASP top 10 🏠 THM Room
• Inclusion 🏠 THM Room
• Injection 🏠 THM Room
• Web Application Security 🏠 THM Room
• Overpass2 🚩 THM CTF 🟢 - My Writeup
• Vulnversity 🚩 THM CTF 🟢 - My Writeup
• Basic Pentesting 🚩 THM CTF 🟢
• StartUp 🚩 THM CTF 🟢 - My Writeup
• All In One 🚩 THM CTF 🟠 - My Writeup
• Daily Bugle 🚩 THM CTF 🔴 - My Writeup

Buffer Overflow

• INE eCPPT BoF Material 🗒️

• TCM BoF Material 🗒️
• Post Exploitation Basics 🏠 THM Room
• Sudo Buffer Overflow 🏠 THM Room
• Tiberius Buffer Overflow Prep Room🏠 THM Room
• Brainstorm 🏠 THM Room
• Gatekeeper 🚩 THM CTF 🟠 - My Writeup
• Brainpan 1 🚩 THM CTF 🔴 - My Writeup
• 🗒️ https://github.com/Tib3rius/Pentest-Cheatsheets/blob/master/exploits/buffer-overflows.rst
• 🗒️ https://github.com/gh0x0st/Buffer_Overflow
• 🗒️ https://boschko.ca/braindead-buffer-overflow-guide-to-pass-the-oscp-blindfolded/

Post Exploitation

• Windows Privilege Escalation - Notes
• Post Exploitation Basics 🏠 THM Room
• Sudo Security Bypass 🏠 THM Room
• Sudo Buffer Overflow 🏠 THM Room
• Windows Privilege Escalation 🗒️ Hackersploit Article
• Windows Privesc Arena 🏠 THM Room
• Linux Privesc Arena 🏠 THM Room
• Windows Privesc 🏠 THM Room
• Bypass UAC 🏠 THM Room
• ⏩ MsfVenom Guide (Spanish) 🇪🇸
• Simple CTF 🚩 THM CTF 🟢 - My Writeup
• Blaster 🚩 THM CTF 🟢 - My Writeup
• Blue 🚩 THM CTF 🟢 - My Writeup
• Bounty Hacker 🚩 THM CTF 🟢 - My Writeup
• Ignite 🚩 THM CTF 🟢 - My Writeup
• Kenobi 🚩 THM CTF 🟢 - My Writeup
• Capture the flag 🚩 THM CTF 🟢 - My Writeup
• Pickle Rick 🚩 THM CTF 🟢 - My Writeup
• Empline 🚩 THM CTF 🟠 - My Writeup
• Internal 🚩 THM CTF 🔴 - My Writeup

Pivoting

• INE eCPPT Pivoting Material 🗒️

• Pivoting using Metasploit 🗒️ TutorialsPoint Article
• ContainMe 🚩 THM CTF 🟢 - My Writeup
• Wreath 🏠 THM Room - Writeup
• 🗒️ https://www.offsec.com/metasploit-unleashed/pivoting/
• 🗒️ https://pentest.blog/explore-hidden-networks-with-double-pivoting/
• ⏩ Home Lab: ProxyChains - eCPPT prep
• ⏩ Pivoting with Ligolo
• ⏩ Pivoting with Metasploit (Spanish) 🇪🇸
• ⏩ Manual Pivoting using Chisel and Socat (Spanish) 🇪🇸
• ⏩ Double Pivoting (Spanish) 🇪🇸
• ⏩ Pivoting Manual Playlist S4vitar (Spanish) 🇪🇸

Red Team & Active Directory (only for v3)

• CRTP Notes 🗒️
• Windows Privilege Escalation - Video EN 🇬🇧 🎦
• OSCP Guide 10/12 – Active Directory - Video EN 🇬🇧 🎦
• The Cyber Mentor (TCM) - Hacking Active Directory for Beginners - Video EN 🇬🇧 🎦
• The Cyber Mentor (TCM) - Windows Privilege Escalation for Beginners - Video EN 🇬🇧 🎦
• Cisco and Pentester Academy Attacking Active Directory Class with Nikhil Mittal - Video EN 🇬🇧 🎦
• Active Directory - John Hammond Series - Video EN 🇬🇧 🎦
• Active Directory THM Room Walkthrough - Esadecimale - Video ITA 🇮🇹 🎦

Reporting (only for v2)

It's a good choice use one of these source: TCM's template, Offensive Security's pentest report, the ITProTv sample report, and INE's reporting guide.

• 🗒️How to write a PT Report — My Notes
• ⏩ Writing a PT Report — TCM
• ⏩ ITProTV Report
• ⏩ OSCP — How to Take Effective Notes
• ⏩ OSCP — How to Write a Report

Other Resources

• eCPPT Field Manual: https://drive.google.com/file/d/1wC7RMTrWjt74rO8u4X-zM89T_hZzF_A5/edit
• https://www.hackingarticles.in/lateral-movement-pass-the-hash-attack/
• https://www.sans.org/posters/pivot-cheat-sheet/
• https://medium.com/@dev-angelist/learning-path-my-experience-for-the-eccptv2-ptp-certification-april-2024-15ddf6b29a8f

CheatSheet

• 🗒️ eCPPT — CheatSheet
• 🗒️ Windows Privilege Escalation Cheatsheet
• 🗒️ CRTP (Active Directory Notes) Cheatsheet