I wanted to take some time and review the eLearnSecurity PTP course and the accompanying eCPPT Gold exam. As a disclaimer, this is an old version of the material PTPv4, not version 5 and the older Gold exam. This course has been sitting on my to-do list for years, and I finally just got around to knocking it out.
To set the stage for this blog, I have worked as both a pen tester and an incident responder. I have conquered some of the top exams in infosec such as OSCP, GXPN, GCIH, and GCIA. I wouldn’t consider myself a “cert chaser,” but I do enjoy challenging myself and learning new things. This year after some time away in Blue Team land, I wanted to cut my teeth on some Red Team training. This will be the first of at least 3 courses I am knocking out this year.
Overall, I think the course did an excellent job covering concepts and tools that are used in the pen testing world. Some of the complaints I have seen are that the course heavily relies on Metasploit. I can confirm that. I do not necessarily think that is a bad idea in this case. Contrary to eLearn’s marketing, I do not believe this course would prepare you for a pen testing job. However, I do think it does an excellent job of being a steppingstone along the way. To me, this course seems to be one of those that are meant to get your feet wet in pen testing to let people decide if they want to keep going down the rabbit hole or hop out before it’s too late.
Conceptually, the course covers the basics of exploit development, web attacks, network attacks, and the hacker methodology. All of this material was fantastic when looked at as an introductory level course. For the web and exploit dev, don’t expect any of the techniques to work in real life without more advanced techniques sprinkled on top. But many will work in a CTF world and prepare you to learn more complicated topics such as filter bypasses and ROP chaining.
The methodology that is continuously mentioned is fantastic for beginners. I know I needed to stick to one to pass the OSCP, and I use my own that I have tweaked along the way to do pen test projects to this day.
The course also goes into Wi-Fi attack fundamentals and Ruby. Ruby is helpful for the exploit dev if you choose to use that specific language; however, you could use Python or even Golang for those hip to the latest thing. Choose what you feel comfortable with. The Wi-Fi material is pretty much for your own awareness, it would be hard to simulate in an exam format anyways.
The exam was a good time. This was the first pen test exam I have taken in a couple of years, and I had a blast. Access to the exam environment last 7 days and you are expected to treat it like a real pen test: Taking notes and documenting along the way. You have 7 additional days to write your report, which you shouldn’t need but a couple of.
In preparation for the exam, I used HackTheBox, and to be honest, most HTB’s I have done were more difficult than the exam boxes. I say that, but many of the successful attacks I used were pretty in line with my real-life experiences as a pentester. With all things in the hacker world, enumeration is always your friend.
One suggestion I have for those taking any pen test exam is to try to document along the way. If you have spare time in the end, use it to make sure you have all the screenshots you will need. Most people say to screenshot the crap out of everything and document along the way, but without a doubt, you will forget something. When you get in the zone, you just forget. It happens.
One issue I had with the material and I hope it is fixed in the current content, is that they should spend some time on the reporting process. The exam requirements say that whether you pass is dependent on your report. Luckily, I have real-life experience to lean on, but most taking this course will not. It is kind of a shame you are being graded on something that wasn’t taught well. I say that, but I honestly don’t know how hard they grade the reports. I’m not gonna lie I half-assed my report, but it was still 38 pages in the end, and I passed. I looked around at other reviews, and I didn’t see any complaints about the grading just that they didn’t teach report writing. So in preparation for the exam, make sure to hop on YouTube and look up pen test report writing. Someone mentioned TheCyborMentor had a video on it, so start there if you can’t find a resource.
Overall, I had a great experience. The material knocked some cobwebs loose in areas that have gotten stale, and the exam was a blast. I enjoy eLearnSecurity courses and think they are one of the most underrated training companies in the infosec space. No, I wasn’t paid to say that. I do have three other eLearn courses lined up to knock out WAPTv3, PTXv2, and WAPTXv1, but I have completed the eJPT and eCDFP exams in the past. I will do a writeup when I finish those other three. Until then, happy hacking.