mrtns blog


a real human being writing about infosec, coding and other stuff. maybe.

View My GitHub Profile

eCPPT certification review

29 May 2021 - mrtn

It’s been a while since I blogged, which had several reasons. One of the reasons was, that I wanted to (finally) tackle the eCPPT Certification. I’ve started to study for it in 2019, but didn’t manage to go through all the material and especially the labs, to feel comfortable taking it before my daughter was born. So I’ve postponed it.

So I’ve always had it in the back of my mind. When work became a little bit relaxed, it was time to start going at it again. I started to study for the cert again - and luckily, due to the amount of penetration tests and CTF challenges that i did since the last time, it went better than expected (but not faster). My biggest enemy was, as I had already anticipated, the Chapter on Buffer Overflows. I really had a lot of problems wrapping my head around it for a long time. Thanks to Heith Adams aka The Cyber Mentor (@thecybermentor) and his Practical Ethical Hacking Course, I was able to finally get it done.

The material provided by eLearn security was also good, but the change of perspective really did it for me.

After this obstacle was out of the way, I kept working away and it really was a great course. The labs are very well designed, the materials are plenty and provide everything you need to pass the exam. Nevertheless, follow the links in the end of each chapter and use the opportunity to learn even more - you’ll maybe not need it in the exam, but the real world is cruel and loves to chew through new penetration testers ;)

The exam itself is different than the eJPT exam. For the eJPT you have to answer 20 multiple choice questions. To answer these, you need to hack through a lab - which was pretty neat when starting out in the cybers. For the eCPPT you have to provide a detailed, written and professional report about the vulnerabilites you have found in your exam-engagement. You have seven days to complete the assessment and additional seven days to produce the report. Yes, 14 days in total.

The network you have to penetrate is modeled after real world companies (albeit the tech could use a refresh) and provides you with lots of attack surface and different paths to achieve root on every box.

After I finished the exploitation of the lab and compiled my report the waiting began. Although it was much faster than the maximum of 30 business days that the grading can take time, the week of waiting felt like an eternity. And despite being very confident that I passed, I was extremely happy when I received the email with the information that I have passed.

So since a week I’m finally a eLearn Security Certified Professional Penetration Tester (eCPPT) :]