Review Certified Penetration Tester eXtreme (eCPTX v2)

Edo Maland
10 min read · Mar 1, 2022

Background

Hi folks! I hope all of you are doing well. This time I will again discuss a course and certification related to Red Teaming, Active Directory and Enterprise Security.

It doesn't feel like a year has passed since my previous review of a Red Teaming certification, namely Certified Red Team Expert (CRTE). So in 2022 I decided to challenge myself again and improve my red team skills by taking the "Certified Penetration Tester eXtreme (eCPTX v2)" certification from eLearnSecurity.

This article was also written to share an overview for people who want to take this certification and go deeper into Red Teaming, Active Directory and Enterprise Security.

Introduction

https://elearnsecurity.com/product/ecptx-certification/

Certified Penetration Tester eXtreme, or eCPTX, is the most advanced offensive certification offered by eLearnSecurity. It is not an introductory course on black-box penetration testing, Red Teaming, Active Directory or Enterprise Security. Therefore, if you are not familiar with these topics, I highly recommend taking the Penetration Testing Student (eJPT) and Penetration Testing Professional (eCPPT) paths from eLearnSecurity, or Attacking and Defending Active Directory (CRTP) from Pentester Academy, before continuing to Penetration Testing eXtreme (eCPTX).

This certification is not multiple-choice but a hands-on exam: the goal is to gain access to the Domain Controller (DC) of an Active Directory (AD) environment within 48 hours. After that, we are given an additional 48 hours to write a detailed professional report, including a description of each vulnerability, its impact, a Proof of Concept (PoC), remediation, and so on.

Materials & Labs

The materials and labs are not included with the certification; we need to buy an INE training subscription, which costs $750 per year, and there is usually a monthly promo discount of up to $250.

eLearnSecurity also offers the option to get certified directly by purchasing an exam voucher for $400 without an INE subscription. So if you feel ready and already have some experience, this can be an option for you.

https://elearnsecurity.com/product/ecptx-certification/

Although in the past year I have gained several experiences and certifications related to black-box penetration testing, Red Teaming and Active Directory, such as OSCP, CRTS, CRTP and CRTE, I was still not confident enough to take this certification right away without studying the material and the lab. That's why I still bought a premium subscription to INE training at a cost of $450 (promo) for one year.

In my opinion the cost is cheap and worth it, because it gives access to all materials, labs and learning paths for cybersecurity, such as Penetration Testing Student (eJPT), Penetration Testing Professional (eCPPT), Web Application Penetration Testing eXtreme (eWPTX), Threat Hunting Professional (eCTHP), Exploit Development (eCXD) and many more.

https://my.ine.com/area/3e1aa06f-2e9f-4789-b50d-aa027ad8dcfa

Not only that, we also get a 50% discount on one exam voucher:

"Receive a coupon code for a discount off of eLearnSecurity certificates. 25% discount available to Professional Plans and a 50% discount for Premium and Enterprise plans."

To prepare for the eCPTX v2 exam, choose the "Advanced Penetration Testing" learning path.

https://my.ine.com/CyberSecurity/learning-paths/154876ad-ae9f-43d6-add4-f635cab537a7/advanced-penetration-testing

There are four (4) sections with seven (7) modules, accompanied by a lab that includes 100+ challenges and 11+ Active Directory (AD) attack scenarios. We get video material, a PDF module and VPN access to the lab, as well as a walkthrough covering the various attack vectors in the lab. Here is my summary of the material in each section.

  1. Preparing The Attack: In this section we are taught how to attack the human factor through advanced social engineering: client-side attacks, spear phishing, URL spoofing, macro attacks (development, obfuscation and embedding), abusing Office capabilities, spoofing parent processes, VBA stomping and many more.
  2. Red Teaming Active Directory: In this section we are taught advanced reconnaissance, enumeration, abuse, attack and lateral movement techniques against an Active Directory (AD) environment, using PowerShell and C2 (Command & Control) frameworks such as Covenant and PowerShell Empire.
  3. Red Teaming Critical Domain Infrastructure: In this section we are taught how to use or abuse MS SQL Server, MS Exchange and WSUS services to gain access to systems.
  4. Evasion: In this section we are taught how to bypass and evade the defensive controls put in place by the blue team or defender.

For a more detailed summary, you can read directly from the syllabus.

Comparison

The differences between Certified Red Team Expert (CRTE) and Certified Penetration Tester eXtreme (eCPTX v2), as I see them, are as follows:

  1. The material provided by CRTE is not as comprehensive as the eCPTX module. For example, CRTE does not cover social engineering tradecraft or evasion techniques.
  2. CRTE relies more on PowerShell and does not teach how to use a Command & Control (C2) server for lateral movement and post-exploitation.
  3. The CRTE lab is Windows-only, while the eCPTX lab contains both Windows hosts and domain-joined Linux hosts.
  4. The CRTE lab approach and methodology focus more on insider / internal black-box attacks (assumed breach), while eCPTX focuses more on external black-box attacks.
  5. The CRTE labs are more numerous and more challenging than those of eCPTX, because there is no walkthrough to complete them; you have to explore new topics, tactics and techniques on your own while working through the lab.

Exam

There is no need to schedule a date for the exam. Everything regarding the exam is viewed and controlled via the eLearnSecurity portal: when we are ready, we simply press "Begin certification process" on the dashboard, after which we are given the scope of engagement and the specific rules of the exam.

There is no minimum score or number of machines to obtain. The main point is to identify all attack paths and gain access to all machines in order to pass. The use of exploits is not allowed in the exam; instead, the focus is on security misconfigurations in Active Directory (AD), such as abusing insecure configurations, abusing applications, abusing trust relationships, and so on.

The exam lasts 48 hours, after which the whole lab stops. We are then given an additional 48 hours to write a detailed professional report: a description of each vulnerability, its impact, the PoC, remediation, and so on. The report is uploaded via the eLearnSecurity portal, and the examiner reviews it within 30 business days (although usually much sooner).

https://elearnsecurity.com/product/ecptx-certification/

If we fail the exam, the instructor gives us a review with feedback and one more chance to take the retest for free.

Story

I started the exam on the weekend of January 15th to be more relaxed and focused. As usual, the first thing I did was gather as much information as possible about the target (external recon). I spent about 4 hours getting access to the first machine.

After successfully gaining access to the first machine, I collected more information from the internal side (internal recon) to understand the flow and know which configurations we could abuse later. Gaining access to the second and third machines did not take much time, because some of the attack paths were quite common and not much different from the previous labs or exams I had taken.

The interesting and challenging part was post-exploitation and privilege escalation. In this part we had to perform several techniques, such as reverse engineering, to obtain the highest-privileged user and access another system.

On the last day I had successfully gained access to some domain controllers and had also obtained the flags. With the remaining time I immediately wrote the report, so that if any screenshots or evidence were lacking or missing I could still access the lab. After completing the report with enough evidence, the next day I submitted a fairly detailed report of approximately 70 pages, including mitigations, through the eLearnSecurity portal.

After 30 days of waiting, unfortunately I received an email I did not expect: I had failed the first exam. At that time I was very confident that I would pass, and I was still confused about why I had failed, even though I had completed all the challenges and exam objectives.

Curious about the cause, on the same day I immediately started the retake lab to see the instructor's feedback. After reading it and looking at my recon logs, it turned out that there was one machine and one attack path I had missed.

When the second exam started, it turned out that there was no change to the challenges in the exam lab. I immediately focused on identifying the other attack paths to reach the last machine, and in approximately 2 hours I had completed it.

After that I fixed my report and submitted it the same day. In less than 6 hours my report was reviewed by the instructor, and I was informed that I had passed.

For your information, this certification has no expiration date, so there is no need to re-take the exam to renew it.

In my opinion, this is one of the most challenging exams I've ever taken, more challenging than the previous certifications I've taken, such as Certified Red Team Expert (CRTE), Certified Red Team Professional (CRTP) and Offensive Security Certified Professional (OSCP).

Exam Tips & References

  1. I highly recommend taking the "Certified Red Team Professional (CRTP)" or "Certified Red Team Expert (CRTE)" certification, and also the "Abusing SQL Server Trusts in a Windows Domain" course from Pentester Academy, before continuing to Penetration Testing eXtreme (eCPTX).
  2. Do not take this exam over a weekend, because the eLearnSecurity/INE support team only replies to messages on working days. I tried to contact the support team by email on a Sunday because of problems with the VPN connection, which was very slow, and the reply came on a working day, after my exam had already finished.
  3. Use a C2 (Command & Control) framework such as Covenant, Cobalt Strike or PowerShell Empire to make post-exploitation and lateral movement easier. Also make sure you are familiar with tools such as BloodHound, SharpHound, SharpView, PowerView, PowerUpSQL, Impacket, Rubeus, Mimikatz, SharpGPOAbuse, CrackMapExec, and so on. All of these tools are your best friends.
  4. Don't be rash. Get all machines and identify all available attack paths, such as abusing insecure configurations and Active Directory domain/forest trust relationships.
  5. Make sure your report is written in detail: a description of each vulnerability, its impact, the PoC, remediation, and so on.
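The kind of enumeration that tip 4 and the exam description (security misconfigurations and trust relationships) point at, as an added example that is not part of the original article, the eCPTX course material, or any of the tools listed above. It uses the Microsoft RSAT ActiveDirectory module from a domain-joined Windows host with an ordinary domain user, and writes every finding to a timestamped JSON recon log so that a missed host or attack path shows up when the log is re-read later. The log file name, the exclusion of domain controllers by primaryGroupID 516, and the choice of checks are assumptions of this example, not something the course prescribes.

```powershell
# Added example (not from the course or the article): enumerate AD
# misconfigurations and trust edges that commonly form attack paths,
# and persist the findings to a timestamped recon log.
# Assumptions: domain-joined host, RSAT ActiveDirectory module installed,
# low-privileged domain user. Output path is an assumption for this example.
Import-Module ActiveDirectory -ErrorAction Stop

$domain   = Get-ADDomain
$logPath  = Join-Path $PWD ("recon-{0}-{1}.json" -f $domain.DNSRoot, (Get-Date -Format 'yyyyMMdd-HHmmss'))
$findings = [ordered]@{}

# 1. Trust relationships: direction, transitivity and SID filtering decide
#    whether a compromise in one domain can be pivoted into another.
$findings.Trusts = Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive,
                  SIDFilteringForestAware, SIDFilteringQuarantined, SelectiveAuthentication

# 2. Kerberoastable accounts: user objects carrying an SPN. Any domain user can
#    request a service ticket for them and crack the password offline.
$findings.KerberoastableUsers = Get-ADUser -LDAPFilter '(servicePrincipalName=*)' `
    -Properties servicePrincipalName, memberOf, pwdLastSet |
    Select-Object SamAccountName,
                  @{n='SPNs';       e={ $_.servicePrincipalName -join ';' }},
                  @{n='PwdLastSet'; e={ [DateTime]::FromFileTime($_.pwdLastSet) }}

# 3. AS-REP roastable accounts: DONT_REQ_PREAUTH (0x400000) set in userAccountControl.
$findings.AsRepRoastableUsers = Get-ADUser `
    -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' |
    Select-Object SamAccountName, DistinguishedName

# 4. Unconstrained delegation on non-DC computers: TRUSTED_FOR_DELEGATION (0x80000).
#    Any TGT that lands on such a host can be reused by whoever controls it.
$findings.UnconstrainedDelegation = Get-ADComputer `
    -LDAPFilter '(&(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(primaryGroupID=516)))' |
    Select-Object Name, DNSHostName

# 5. Constrained delegation and resource-based constrained delegation (RBCD):
#    which principals may impersonate users to which services.
$findings.ConstrainedDelegation = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
    -Properties msDS-AllowedToDelegateTo |
    Select-Object Name, @{n='AllowedTo'; e={ $_.'msDS-AllowedToDelegateTo' -join ';' }}
$findings.RBCD = Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' |
    Select-Object Name, DistinguishedName

# 6. SQL Server instances registered in AD (MSSQLSvc SPNs): the starting point
#    for linked-server and impersonation abuse across the domain.
$findings.SqlServers = Get-ADObject -LDAPFilter '(servicePrincipalName=MSSQLSvc/*)' `
    -Properties servicePrincipalName |
    ForEach-Object { $_.servicePrincipalName | Where-Object { $_ -like 'MSSQLSvc/*' } } |
    Sort-Object -Unique

# 7. Every computer object, so the report can later be checked host by host
#    against what was actually compromised.
$findings.AllComputers = Get-ADComputer -Filter * -Properties OperatingSystem |
    Select-Object Name, DNSHostName, OperatingSystem

$findings | ConvertTo-Json -Depth 4 | Out-File -FilePath $logPath -Encoding utf8
Write-Host "Recon log written to $logPath"

# Summary: one line per category with the number of objects found.
$findings.GetEnumerator() | ForEach-Object { '{0,-24} {1}' -f $_.Key, @($_.Value).Count }
```

Run it once from the first foothold and again from every new account you obtain: delegation, trust and SPN results do not depend on privilege, but the host list and the accounts you can reach do, and diffing two logs is the quickest way to spot the machine that was never touched. In a forest with several domains, run it with `-Server` pointed at each trusted domain found in step 1 as well; the cmdlets used here all accept that parameter.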


Edo Maland

Information Security Consultant | Penetration Tester | Bug Hunter | Public Speakers | OSCP | OSWP | CRTP | CEH (Master)