From the moment I had woken up on test day my thoughts were towards one thing and one thing only – crushing the eJPTv2 exam. After 3 months of on and off study mixed in with a month of cramming, my preparation wasn’t the most structured, or the most efficient to say the least. I was going into this certification with literally ZERO prior knowledge about computing and cybersecurity – save for some stuff I’d learned through a few HackTheBox CTFs and being a first-year cybersecurity student at university.
Put simply, I was flying in blind.
My preparation wasn’t the most complete either, and I stupidly decided during my final month of cramming that learning how to exploit web applications was something that could be left to “common sense.” Whatever that meant…
Opening up the eJPTv2, you could only imagine my reaction as I realised all of the questions I had received had primarily involved web application penetration testing. Sinking into my chair, I knew I was in for a LONG 48 hours.
My game plan for pacing myself in this exam was simple: solve the low-hanging fruit, and if you can’t solve the harder ones, keep enumerating until you can. If all else fails, take a break and touch some grass. By the end of the first 24 hours, I had answered the first 65%-70% of the exam, with an amazing lightbulb moment that I had been super excited about, involving a misconfigured “find” binary that I had been able to use to escalate my privileges to run a root user bash session (GTFOBins saved me)! This allowed me to obtain a few flags and ultimately allowed me to move laterally to other accounts to further enumerate the system.
By the next day the final piece of the puzzle was the last machine which was hosting a WordPress site. After I had found a way to crack through this tough machine, I was sure to pass!
I was dead wrong.
After spending the entirety of the next day trying to exploit and figure out the secret behind the WordPress site, I was bewildered and didn’t have a clue how to unlock it. I had been able to enumerate the version, and even found a few subdirectories that were interesting, but each one had led me to a dead end.
I was getting red herringed and there was nothing I could do about it…
By the end of the exam, I wasn’t able to make a breakthrough, and I had realised that I had failed to compromise the internal network that I had been informed about through the exam documentation that I had read prior. My path to victory had been sealed shut by a stupid WordPress site.
By the time I had received the results, I realised that my single decision at the very start to skip the Web Application Penetration Testing section cost me. And to put salt into the wound, I missed out on a pass by only 5%.
Moving forward, I aim to thoroughly study the web application section that the Penetration Testing Student pathway on INE offers. And more so, maybe even try practising Web Application techniques on intentionally vulnerable open source web servers. Although, I have yet to research an appropriate one to practise on. Overall, while I did end up failing, the experiences and atmosphere that I felt during the “penetration test” were invaluable and helped me contemplate better ways to approach this exam for the second time.