eCPPT - Review - eLearnSecurity
This post was originally written in Spanish and translated into English using a large language model (LLM). Although the translation has been reviewed, it may contain inaccuracies or inconsistencies.
Introduction
On 6 November, I decided to take the eCPPTv2 certification exam. The purpose of this post is to share my personal experience of both the preparation and the exam.
Why eCPPTv2?
I chose this certification because I was looking for an intermediate step in difficulty before OSCP. In my opinion, eCPPTv2 may fall slightly short in that respect, a point I will discuss later.
Previous Knowledge
Before preparing for the certification, I already had considerable CTF experience, particularly on HTB. I am also fortunate enough to work professionally in web pentesting. Although this certification does not focus heavily on web hacking, my reporting skills were therefore already very well practised.
The most important knowledge required to pass the exam is:
- Network-level pivoting.
- Buffer overflow fundamentals, without protections.
- Privilege escalation.
- Web hacking (OWASP Top 10).
If you have a basic grasp of these topics, you should have no problem passing, but a clear understanding of network pivoting is particularly important.
Penetration Testing Professional Learning Path (Not Recommended)
To prepare for the certification, I followed INE’s eCPPT learning path, Penetration Testing Professional. In my opinion, it has both strengths and weaknesses, but if I were to take the certification again, I would prepare independently and set aside INE’s training. Its strengths do not compensate for its weaknesses.
Strengths
The material includes a range of techniques such as MiTM attacks, UAC bypasses and DLL hijacking, each with its own lab. This additional knowledge is welcome; if the course were restricted to exam content, it would be excessively short.
Weaknesses
In my opinion, the material relies too heavily on slides. They are a good approach when combined with labs, but so much PowerPoint can become tedious.
The labs run through web instances without internet access, forcing you to use the supplied tools. If, like me, you plan to take the exam without Metasploit, this can become a real ordeal. The lab also closes after an hour, forcing you to start from scratch and recover your previous position.
Finally, you need to consider the cost of an INE Premium subscription to access the learning path. In terms of value for money, I do not think it is particularly good. Higher-quality content is available online for free, so the next section lists all the resources you need to pass the exam.
External Resources (Recommended)
If you decide to prepare independently, I recommend the following resources to help you pass without difficulty.
Pivoting
If you have never worked with pivoting, this lab is essential: Basic pivoting lab (S4vitar). It explains the concept simply and practically.
Buffer Overflow
The buffer overflow in the exam is completely basic and has no protections. Once you understand the concept, it becomes as straightforward as A, B, C.
The following resources will help you prepare:
Buffer Overflow Made Easy (The Cyber Mentor)
This video is perfect for learning buffer overflows from scratch and understanding the methodology. Once you have absorbed the concepts, you will be able to exploit any simple buffer overflow without difficulty.A Step-by-Step Buffer Overflow Write-up (Juan M.R Jaymon Security) This write-up explains a basic buffer overflow step by step if you need to examine it in greater depth.
VulnServer (stephenbradshaw) This is a vulnerable Windows server that you can use for practice. Once you have internalised the methodology, I recommend attempting to exploit it independently.
Mona CheatSheet (x3tb3t) A cheat sheet for the Mona module in Immunity Debugger.
Final Lab
In my opinion, this is the most important resource. It allows you to build a lab that simulates the exam: Exam simulation lab (S4vitar). It is more difficult than the real exam, so if you can compromise it, you should have no problems during the certification.
Exam
INE gives you seven days of lab access for the practical stage, followed by another seven days for reporting, for a total of 14 days, which is more than enough. The practical stage took me two days, by which point I had compromised the DMZ server. I spent four days on the report and, because I had plenty of time, approached it calmly.
Tools Used
As mentioned earlier, I completed the exam without Metasploit to prepare for OSCP, where its use is restricted. The lab is rather outdated, so the table below lists the tools I used for pivoting and their download sources, saving you some trial and error 😉:
| Tool | sha256-sum | Source |
|---|---|---|
| chisel_1.5.0_linux_386 | 556d74402c8b40dcededa3cd27405f78f4b359082a2df37a5fff81b57dede6ba | https://github.com/jpillora/chisel/releases/download/v1.5.0/chisel_1.5.0_linux_386.gz |
| chisel_1.5.0_windows_amd64 | 3676c2365ffc117bd5cdc21503ecfd2c926201e8a7d9bc97610872590ba3ec1d | https://github.com/jpillora/chisel/releases/download/v1.5.0/chisel_1.5.0_windows_amd64.gz |
| socat-2.0.0-b8 (i386) | ce8d48e07e3d0b94dbb5456ed33fd33d1b4a05ce4de1e988e477f776e89143c7 | https://github.com/static-linux/static-binaries-i386/raw/master/socat-2.0.0-b8.tar.gz |
Day 1: Pwn, Pwn and More Pwn
I started the first day at a good pace. After two hours, I had already compromised the first machine with root-level access. One piece of advice is to run the Nmap scan several times. You do not want to compromise a machine, check the open ports afterwards and discover that Nmap missed one.
After compromising the first machine, the others followed quickly, and machines two and three were fairly straightforward. It was then time to face the buffer overflow. When I moved the binary to my debugging machine running Windows XP, it would not execute because it required Windows 7. I ended the day by setting up a Windows 7 debugging environment and left the buffer overflow for the following day.
Day 2: Enumeration, Enumeration and More Enumeration
I began the day by exploiting the buffer overflow, which was uncomplicated: follow the methodology and it is A, B, C. Once I had compromised the fourth machine, only the DMZ server remained. I then spent almost four hours enumerating. Sometimes it is better to put the terminal aside and use something more visual.
After obtaining what I needed to compromise the DMZ server, exploitation was direct. By the end of day two, I had compromised every machine.
Days 4–8
With everything compromised, I took day three off and began reporting. I knew that this would take the most time, so I used the opportunity to review every machine thoroughly while writing the report. I based it on TCM’s template, dividing each host into the following sections:
- Host
- Remote Vulnerabilities
- Privilege Escalation
- Persistence
- Local Vulnerabilities/Misconfigurations
- Enumeration
- Pivoting
Every vulnerability included its corresponding description, impact, CVSS, ID, affected system, references, PoC and remediation.
The final report was 123 pages long. Some other reviews mention reports of around 40–50 pages that passed without difficulty, so an exceptionally long and detailed report does not appear to be necessary. The review process took almost a month.
Conclusion
In my opinion, this certification is worth its price. During Black Friday and other sales, it can cost as little as €200. As preparation for OSCP, I think that is worthwhile.
Contact
If you have any questions, feel free to contact me through X. I want to stress that I will not answer questions about the exam itself, but if you have any problems or questions about preparation, do not hesitate to ask.






