The Good
- Practical Focus: The eCPPT emphasizes real-world scenarios rather than memorization. Every step, from enumeration to exploitation, simulates what a professional penetration tester might face.
- Flexible Schedule: You have a full 24-hour window to complete the exam (45 questions).
- Complimentary Support: When I failed my first two attempts, eLearnSecurity extended my premium subscription by an additional month. This generosity allowed me to hone my skills further.
The Bad
- Connectivity Issues: The exam is conducted in a virtual environment (Guacamole VM). Unfortunately, I faced constant disconnections during the last six hours of my exam. While the session reconnected automatically without data loss, it broke my flow and forced me to reset the lab multiple times.
- Learning Material Gaps: The resources provided by eLearnSecurity alone weren’t sufficient for the exam. To bridge the gap, I had to practice extensively on platforms like TryHackMe and Hack The Box.
- Tight Second Attempt Window: If you fail your first attempt, the second must be taken within 14 days. Despite the voucher being valid for over a month, this time constraint adds pressure.
- Time Crunch: While the 24-hour exam window sounds sufficient, it left me sleep-deprived and unable to focus properly by the end. I strongly advise taking proper breaks and ensuring enough rest to maintain productivity.
My Exam Strategy
I started the exam at 3 PM, dedicating the first day to extensive enumeration. My plan was to work until 2 AM, sleep for a few hours, and resume at 7 AM. While this worked initially, the lack of proper rest became a problem later.
One major mistake was spending too much time trying to crack a specific user password on a Linux machine. In hindsight, I should have moved on to other methods or accounts instead of wasting hours on one approach.
Preparation Beyond Provided Materials
- INE: Watched all course videos and completed labs.
- TryHackMe: Completed Jr Penetration Tester path and 80% of Offensive Pentesting path; key rooms: Mr. Robot CTF, GoldenEye, Blue, Game Zone, HackPark, Adventure Time.
- Hack The Box: Focused on Active Directory enumeration and attacks.
Tools and Wordlists Used
Tools: GTFObins, Nmap, fping, WpScan, SearchSploit, John the Ripper, Hydra, kerbrute, CrackMapExec, rpcclient, smbclient, bloodhound-python, xfreerdp, Impacket scripts, exploitdb, Obsidian.
Wordlists: Seasons.txt, Months.txt, common_corporate_passwords.lst, xato-net-10-million-passwords-10000.txt, rockyou.txt.
Lessons Learned
- Prioritize Rest: Even a few hours of sleep help maintain focus and decision-making.
- Brute Force Strategically: Avoid tunnel vision; move to alternative approaches if one path stalls.
- Test Your Setup: Familiarity with tools and virtual environment reduces surprises during the exam.
- Diversify Learning: Practice on external platforms beyond official materials to cover a broader set of scenarios.
Final Thoughts
The eCPPT exam is an incredible opportunity to test your penetration testing skills in a realistic environment. It’s tough, but with the right preparation and mindset, it’s achievable. While my experience included hurdles like connectivity issues and strategic missteps, it was a deeply rewarding journey that enhanced my skills and resilience.
Good luck to anyone attempting the eCPPT — remember, preparation and mindset are key!