This post was originally written in Spanish and translated into English using a large language model (LLM). Although the translation has been reviewed, it may contain inaccuracies or inconsistencies.

Introduction

I earned my eJPT certification on 12 November, and I would like to share my experience in case it helps the community.

eJPT certificate

My Previous Knowledge

Before taking the exam, most of my cybersecurity experience came from CTFs on HTB, where I had completed around 33 machines, most of them rated Easy. I also hold an ASIR qualification, so I already had some networking knowledge that was useful for the certification. INE’s material is designed for people with no previous pentesting experience, so you do not need any prior knowledge.

INE Study Material

INE’s free Penetration Testing Student course covers all the exam content. I completed the Penetration Testing Prerequisites and Penetration Testing Basics modules, which are all you need to pass the certification without any problems. The second module, Penetration Testing: Preliminary Skills & Programming, focuses on programming. Knowledge is always useful, so it is worth looking at, but I did not complete it because I was short on time and already had a sufficient programming foundation.

Penetration Testing Prerequisites:

This module takes approximately 11 hours and 26 minutes and covers the necessary networking concepts, .pcap file analysis and web application fundamentals, among other topics. I only skimmed it because ASIR provides more than enough networking knowledge. I recommend completing every lab, but I consider the following two the most important when preparing for the exam:

  • Find the Secret Server
  • Data Exfiltration

Penetration Testing Basics

This module introduces the best-known tools and vulnerabilities used during a pentest. You do not have to use exactly the tools recommended by the course; I suggest using those with which you are most familiar.

Black Boxes

These three machines provided by INE are more difficult than the exam, so I recommend trying to complete them without help. If you need a small push, however, you can rely on the solutions. Getting stuck at some point is perfectly normal.

Advice and Tips

I did not use Metasploit at any point during the exam. This is the same methodology I use for CTFs on HTB and other platforms. Everyone can take the exam however they wish: eLearnSecurity does not prohibit any tools, and nobody is monitoring you, so you can consult the course material at any time. Here are a few tips that may help:

  • Follow your own pentesting methodology or one developed by somebody else. A good methodology saves work and makes you more effective.
  • Take notes on everything; it is always better to have too much information than too little. I use CherryTree to store network scan results, brute-force attacks, successful payloads and so on.
  • Representing the information you obtain helps you visualise potential attack vectors that you may have overlooked. For example, you can draw a diagram showing how the network is laid out, including its hosts, operating systems and routers.
  • I tried to complete the entire exam manually, but if your results do not match what a question suggests, you can use tools such as ZAP. It performs automated web application scans and can help you confirm that you have not missed anything.

Exam

Format

The exam consists of 20 multiple-choice questions, of which you must answer 15 correctly to pass. If you have successfully compromised the machines or gathered enough information, you should have no trouble answering them.

Time

You are given three days, which is more than enough. I started on a Friday night at around 10:00 p.m. By 3:00 a.m. I could already have submitted the exam knowing that I had passed, but I was in no hurry, so I returned to it on Saturday morning with a coffee and reviewed every question. I submitted the exam at around noon and received the result immediately: I scored 20/20!

Supporting Material

If you have HTB VIP, I recommend completing the following machines. If you do not have it, or need help rooting them, I have also included the write-ups I produced at the time.

Conclusion

In my opinion, the best way to approach this certification is to focus on enjoying yourself and treat the exam as a challenge. I recommend eJPT to anyone starting out in pentesting. This certification helps you take your first step into such an impressive field. My next objective will be eCPPTv2.

Contact

If you have any questions, feel free to contact me through X. I want to stress that I will not provide any answers about the exam itself; with a little effort, you can pass it on your own without any problems.