This post was originally written in Spanish and translated into English using a large language model (LLM). Although the translation has been reviewed, it may contain inaccuracies or inconsistencies.

Introduction

On 21 January, I decided to take the eWPTv2 certification exam. The purpose of this post is to share my personal experience of both the preparation and the exam.

eWPT certificate

Why eWPTv2?

I had been considering this certification for some time, but a lack of time kept me from taking the exam. The main reason I finally decided to pursue eWPTv2 was the update it received in October 2023, when both the exam format and its content were revised. I will discuss those points later.

Previous Knowledge

At this point, I feel fairly confident with web hacking. I am fortunate enough to work professionally in this area, so I face these kinds of challenges constantly. Whenever I have some spare time and am not working towards another certification, I also complete the occasional CTF on HTB. These expose you to more unusual scenarios that are difficult to encounter in real environments. Combining CTFs with real-world experience gave me the ideal preparation for this exam without taking INE’s course.

The most important knowledge required to pass the exam is:

  • OWASP Top 10: essentially, knowing how to identify and exploit common vulnerabilities such as SQLi, XSS, file upload flaws, LFI and RFI.
  • Reconnaissance at both server and web application level.
  • CMS hacking: WordPress, Joomla and similar platforms.

Preparation

INE offers the Web Application Penetration Testing Professional learning path to prepare for the certification. I chose to take the exam independently using the knowledge I had already acquired, so I cannot offer an opinion on the training. At no point during the exam did I feel that I needed INE’s course. If you are comfortable with the topics mentioned above, you should be able to sit the exam without taking it.

If you are not entirely clear on how a web pentest works, I recommend looking at OWASP’s Web Security Testing Guide. It explains the different stages of a web security assessment and the tests required throughout the pentest.

Exam

INE has changed the exam format. The previous eWPT provided seven days for the lab and seven days for the report. The certification now consists of a ten-hour lab during which you must answer 50 questions. Before beginning reconnaissance, I recommend reading every question so that you have an idea of what you will encounter. There are two kinds of question:

  • Multiple choice: most questions use this format. You are given four options and must select the correct one. If you are unsure, try to eliminate enough options to leave two possible answers and give yourself a 50% chance of being correct.
  • Short answer: these questions force you to exploit the vulnerability or perform the correct reconnaissance to obtain the exact answer.

You need 70% correct answers to pass, or 35 out of 50. I answered 44 questions correctly, achieving 88%:

Environment

You connect to the lab through a web instance running Apache Guacamole. It provides a Kali machine without internet access, but with all the necessary tools installed. I am not a great fan of this kind of access and would prefer a VPN so I could connect from my usual machine. That said, because the attacking machine is connected locally to the victim machines, every scan runs extremely quickly.

I had virtually no stability issues with the lab that were not my own fault. If you find an SQLi and use sqlmap, make sure you avoid heavy queries by limiting risk to 1, which is the default, or by excluding time-based exploitation with --technique=BEUSQ. That technique can make the lab unresponsive and force you to reset it. Resetting deletes all content on the Kali machine, but the lab itself remains the same and any flags you have already found stay valid unless you change region.

Tools Used

You may use any of the tools installed on Kali during the exam, but I recommend the following:

  • Web scanning:
    • Nikto: highly recommended. I used it at the end of enumeration to check whether I had missed anything, and it found a few details that I had overlooked.
    • Nmap: essential for scanning the ports and services exposed by the target server.
  • Directory enumeration:
    • Feroxbuster: my favourite directory-scanning tool.
    • Wfuzz: another tool that you can use for directory scanning or brute-force attacks.
  • Brute force:
    • Hydra: brute forcing does not play a particularly important role in the exam, but it never hurts to try. You never know.
  • SQLi:
    • Sqlmap: time will not be abundant in this exam, so automating potential SQL injection attacks will be extremely helpful.
  • CMS hacking:
    • wpscan: essential for WordPress security assessments. It automates much of the testing, including the particularly useful detection of vulnerable plugins.
    • joomscan: recommended when scanning a site built with Joomla.
  • Password cracking:
    • Hashcat: excellent for cracking passwords. The copy in my lab did not work, so I recommend having Hashcat installed in a VM or on your main operating system.
    • John the Ripper: this works flawlessly on Kali, although it is less efficient than Hashcat.

Difficulties

To be honest, I expected a more technically difficult exam, but the time limit does make the certification challenging. Ten hours may initially sound like a long time, but the exam contains quite a few vulnerabilities to exploit. I also spent a large amount of time checking whether I had missed anything because the exam may ask how many vulnerabilities of a particular type exist. If you overlook one, you have made a costly mistake.

Apart from that, the vulnerabilities are easy to exploit. I would say the real difficulty lies in performing the right reconnaissance to find every point of exploitation.

Advice

Taking notes is essential if you want to avoid wasting time when reviewing your work during the exam. I used Obsidian and followed this structure:

  • Host 1 folder
    • Port 1 note
      • Reconnaissance
      • Exploitation
      • Questions related to the host and port
    • Port 2 note
    • Port N note
    • Host 1 note
      • Questions related to the host across all ports
  • Host 2 folder
  • Host N folder
  • All hosts note
    • Questions related to all hosts

Conclusion

Overall, the certification is good. I used it as a trial run to see how I handle an exam with a relatively short time limit before taking OSCP. At certain times of year, such as Black Friday, it can be purchased for €200, which is relatively inexpensive compared with other certifications in the industry.

Contact

If you have any questions, feel free to contact me through X. I obviously will not answer questions about the exam itself, but if you have any problems or questions about preparation, do not hesitate to ask.