TheLeopard65

INE eJPTv2 Exam Review (July 2024)

Author: Yasir Mehmood

Hi! I am Yasir Mehmood and I recently completed the eLearnSecurity Junior Penetration Tester (eJPT) certification on July 24, 2024. Before embarking on my eJPT journey, I strengthened my foundational knowledge through the course material provided by INE's Penetration Testing Student Course (167 hours and 17 minutes) and TryHackMe's Jr Penetration Tester path, a step I highly recommend for building a strong base in penetration testing. I also pwned about 7 machines on HTB and 8 machines on TryHackMe to strengthen my knowledge. I must say it was absolutely worth it, as all of this knowledge helped me zoom through the exam within just 10 hours, well ahead of the 48-hour deadline provided.

The eJPT certification equips individuals with the core skills and hands-on training necessary to start a career in penetration testing. It covers essential topics, including information gathering, reconnaissance, information security, programming, assessment methodologies, and pentesting fundamentals. In this blog, I will share my experience and tips on how I successfully passed the exam. Remember, it's not just about solving Capture The Flag (CTF) challenges but about adopting a penetration tester's mindset.


Exam Overview

The eJPT exam is a hands-on, practical certification focusing on core penetration testing concepts. The exam consists of 35 questions and takes place over 48 hours. The questions are based on a network of around 5-6 machines (6 machines in my attempt), requiring candidates to perform enumeration, exploitation, pivoting, and sometimes privilege escalation. The exam environment is a browser-based Kali machine, and while some may find it unfamiliar compared to their customized VMs, it’s manageable with practice.

Exam Objectives

The exam is structured around four key domains:

  1. Assessment Methodologies & Auditing (25%): Identifying vulnerabilities, assessing impact, and enumerating services.
  2. Host & Network Pen Testing (35%): Brute-force attacks, exploitation, and use of tools like Metasploit.
  3. Web Application Pen Testing (15%): Exploiting web vulnerabilities, locating hidden files, and more.
  4. Host & Network Auditing (25%): Hash/password gathering and network information enumeration.

A passing score requires at least 70% overall and specific minimum scores in each domain.


Setting Up for Success

1. Don’t Rush, Stay on Schedule

While INE's Penetration Testing Student (PTS) course offers more than 165 hours of video content and more than 120 labs, it's crucial not to rush through it. Take your time to understand each topic thoroughly and practice within the labs. Setting a realistic study schedule and sticking to it is key. Consistency and deep comprehension will help more than just skimming through the material.

2. Take Thorough Notes

Taking notes throughout your eJPT journey is essential. Document concepts, methodologies, tools, and any unique findings. These notes will be invaluable during your preparation and the exam itself. Consider organizing notes by topics for easier reference. While it’s beneficial to take your own notes, some online resources can complement your efforts:

3. Develop the Right Mindset

One of the best pieces of advice I received was to think like a real-world penetration tester rather than just solving CTFs. The eJPT exam is practical and mimics real-world scenarios. The labs, particularly the Windows and Linux Blackbox penetration testing labs, are invaluable. Approach each lab with curiosity, explore different vectors, and experiment with tools. Real-world problem-solving will help you succeed.


Practice Makes Perfect

Hands-on practice is crucial. While the PTS course alone suffices, adding practical exercises solidifies knowledge. Here are some recommended free labs:

  • Ignite (Free)
  • Startup (Free)
  • RootMe (Free)
  • Blog (Free)
  • Blue (Free)
  • Erit Securus I (Free)

Engaging in these labs deepens your understanding and prepares you for the practical aspect of the exam.

HTB, THM and CTF Preparation

I supplemented my learning with HTB Machines, TryHackMe challenges and CTFs. These resources were invaluable in practicing enumeration and exploitation, especially challenges focusing on network services and privilege escalation.


Exam Day Strategy

  • Start the day well rested, and take the exam when you have 3 consecutive days off.
  • Have a nutritious breakfast and coffee to freshen your mind.
  • Carefully read the Lab Guidelines and Letter of Engagement.
  • Utilize the full 48-hour duration wisely. (Don't be like Me unless you know what you are doing!)
  • Keep detailed notes of every lead (open ports, users, versions).
  • Take breaks to maintain focus, especially when feeling stuck.

My Exam Approach:

  • First 2 hours: Completed 8 out of 35 questions.
  • After a quick 15-minute break: Solved 13 more questions in about 3.5 hours.
  • After another quick 15-minute break: Had solved about 29/35 questions in 6 hours total.
  • Final submission and exam result: Spent another 2 hours working through some questions, just to be on the safe side.
  • Finally, became eJPT certified: Submitted the result, held my heart, recited Ayat-ul-Kursi, and got the eJPTv2 certification after a few moments.

Tips for the Exam

  • Take the exam when you have 3 consecutive days off work and plan to use them all. You will probably finish in much less time, but having that much makes it a low stress event. It is meant to be hands-on, educational, and fun.
  • Take copious notes during the INE and THM labs. I saved mine in simple *.txt files, named by topic, such as ‘upgrading a Linux shell’ or ‘webshells’.
  • Do not be ashamed to ask CW6 Google for help during the exam! Much like CRTP, eJPT is open book, open notes, open Google, hell some people even said they pulled the INE labs back up looking for something they missed in the walkthroughs. eJPT is about actually putting your hands on the keyboard and finding the answer in an environment, not rote memorization.
  • INE recommends using Kali and they show you how to use specific tools, however you are not limited in what you can use. Conceivably you could take the exam from a Windows VM if you really wanted to. The exam is about understanding the concepts, not memorizing a specific tool.
  • There is no IDS, SIEM, etc. in the exam environment. Being sneaky does not get you extra credit. The focus is on host discovery, scanning, enumerating, finding vulnerabilities, etc. Don't be afraid to use the intrusive nmap scripts or throw Metasploit payloads at things that you find.
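The tips above keep coming back to note-keeping: one text file per topic, and a record of every lead (open ports, users, versions). As an added example, not code from the original post or from INE, here is a small Python script that turns nmap's grepable output (`-oG`) into a per-host notes skeleton with a "TODO" slot for users, credentials and observations, so the leads from each scan land in the notes file without retyping. The sample scan text is constructed for the example; the hosts, ports and versions in it are placeholders, not exam content.

```python
import re
from collections import defaultdict

# Constructed sample of nmap "grepable" (-oG) output; hosts and services are made up.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.10.10.5 ()\tStatus: Up
Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1 Ubuntu 4ubuntu0.3/, 80/open/tcp//http//Apache httpd 2.4.29 ((Ubuntu))/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 10.10.10.7 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 3306/open/tcp//mysql//MySQL 5.7.33/\tIgnored State: closed (998)
"""


def parse_gnmap(text):
    """Return {host: [{port, proto, service, version}, ...]} for open ports only.

    Each -oG port entry has seven slash-separated fields:
    port/state/protocol/owner/service/rpc info/version/
    nmap writes a literal '/' inside a field as '|', so that is undone here.
    """
    leads = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comments and summary lines carry no leads
        match = re.search(r"Ports:\s*(.*?)(?:\t|$)", line)
        if not match:
            continue  # "Status: Up" lines have no port list
        host = line.split()[1]
        for entry in match.group(1).split(", "):
            fields = entry.split("/")
            if len(fields) < 7:
                continue  # malformed entry, skip rather than guess
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            if state != "open":
                continue  # filtered/closed ports are not leads
            leads[host].append({
                "port": int(port),
                "proto": proto,
                "service": service,
                "version": version.replace("|", "/"),
            })
    return dict(leads)


def render_notes(leads):
    """Render leads as a plain-text notes page, one section per host."""
    out = []
    for host in sorted(leads, key=lambda h: tuple(int(x) for x in h.split("."))):
        out.append(f"== {host} ==")
        for lead in sorted(leads[host], key=lambda item: item["port"]):
            version = lead["version"] or "(version unknown)"
            out.append(f"  {lead['port']}/{lead['proto']}  {lead['service']:<12} {version}")
        # Slots the tester fills in by hand as the engagement progresses.
        out.append("  users:    TODO")
        out.append("  creds:    TODO")
        out.append("  notes:    TODO")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage with a real file: print(render_notes(parse_gnmap(open("scan.gnmap").read())))
    print(render_notes(parse_gnmap(SAMPLE_GNMAP)))
```

Filtered and closed ports are dropped on purpose: only open services are leads worth a line in the notes, and the version string is kept verbatim so it can be searched later when a question asks for a specific product or version.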

Conclusion

Passing the eJPT requires a mix of a practical mindset, organized note-keeping, and consistent practice. Engage with the cybersecurity community and approach the exam with a calm and focused mindset. More than just passing, the goal is to develop a solid foundation in ethical hacking. Good luck on your journey!

My eJPT Certification