I have been doing some minor hacking since Secondary 4 (16 years old), participating in CTF competitions, being in the top 3% of TryHackMe (whatever that means), learning the basics of Penetration testing. Now I’m 19 years old, and with a sizeable amount of free time, so I thought I’ll try to get a Cyber Security Certification.
Why eLearnSecurity Junior Penetration Tester (eJPT) ?
I wanted a hands-on certificate that doesn’t expire (I mean, I still have 6 years before I enter the working world). Also, a certificate that teaches me useful skills. Certificates like Certified Ethical Hacker and CompTIA Security+ were therefore ruled out.
The most obvious cyber security certification that I see is Offensive Security Certified Professional (OSCP), which is a super hands-on certificate. Unfortunately, it is also quite expensive, at about USD$999 for the course, 30 days of lab access and the exam. Not to mention that it is also very hard and requires a significant time commitment.
On some googling (as well as looking on my LinkedIn feed), I discovered this company eLearnSecurity, which provides certificates that are more in line with what happens in the real world. The INE Penetration Testing Student Course happened to be free, and the examination fee for the eJPT is much less at USD$200, so I figured I’ll give it a go.
The Course
The INE Penetration Testing Student Course is made up of 3 parts
- Penetration Testing Prerequisites
- Penetration Testing: Preliminary Skills & Programming
- Penetration Testing Basics
I mainly read (1) and (3) in 2 months or so. I skipped (2) since I already learnt programming in a formal setting, and it doesn’t really help with the exam. (1) helped with improving my foundation of networking, which was something I lacked. This includes things like IP addresses. However, (3) was the most important for the exam, as it involved the basic methodologies and tools for penetration testing.
I mainly read slides, made some notes, and did the Labs. The videos felt redundant to me, but you should try watching some to see if they fit your learning style. The slides are rather comprehensive and good.
I feel the hands-on resources are quite good. The Labs are mainly for you to get used to the tools and are well guided. The Black Box Penetration Tests include some concepts which I feel are not well taught with the Labs, such as Pivoting, setting up a PHP reverse shell, etc. The Black Box Penetration Tests are very useful for the actual exam. However, don’t be too worried if you cannot complete the Labs/ Black Box Penetration Tests entirely on your own. I feel the Black Box Penetration Tests are more guessy and complicated (need to guess the password, somehow guess the directory), which is good for practice, but also harder than the actual exam. Feel free to get some reference (and learn from it of course).
For me, I could do about 70% of the Labs on my own, the rest requiring some sort of referral. I could only do 2 Black Box Penetration Tests (Box 1 and Box 3 (Pivoting)) on my own/ with very minimal refererence. I could not do Box 2 (Virtual Hosts) at all and needed to refer to the entire guide.
The Examination
I took about 7.5h to finish the exam, excluding the time I take to sleep, go out with family and have lunch, etc.
I was stuck in some places, but I enumerated harder, got creative, and found the answer.
Not every exploit in the lab will lead to an answer to the MCQ questions. For example, even though you may manage to exploit an SQL injection, it does not necessarily lead to the answer. I myself managed to use some exploits which were redundant/ unnecessary in answering the questions (they were fun though). Just try to keep an open mind and look at all possibilities, instead of focusing on one.
This also means that you don’t have to try to exploit everything, just the ones which help in answering the question. Admittedly, I didn’t do the complete penetration test (get shell access to all the machines). It is still good to follow the penetration testing framework though, to follow a set methodology.
The nice thing about this exam is that once you are done with the exam, you get instant grading. I ended up with 19/20, which I was satisfied with, since one of the questions needed a super long time for network enumeration, and I just gave up on it lmao.
Some Tips
- If nothing else, go through the INE PTS Course, at least the Penetration Testing Basics Part. It is a good course that prepares you sufficiently for the exam, especially the labs.
- Make Notes!!! I ended up writing my notes in markdown, but you can use apps like CherryTree and Joplin to help. Make notes on your methodology, and what you have done to the machine so far.
- When stuck, enumerate harder. This includes things like: Checking the webpage source code, enumerating all the ports, seeing if you can access this service, or accessing the parent directory that you are not supposed to be able to access. Think out of the box, just keep trying things (preferably not repeating the same things too often but that also helps, eg. in my exam attempt I had to repeat a scan to get the answer I needed)
- Relying on a methodology helps. It gives you a sensing of what needs to be done. That said, you also don’t have to be too rigid.
- Pivoting is important. Learn at least how to pivot using autoroute in Metasploit.
Future Steps
I got what I wanted out of this certification. I filled in my knowledge gaps on cyber security and built some confidence in myself if I want to continue pursuing certifications (as a stepping stone).
I’m still not sure if a career in Cyber Security is the way to go, but hey, doesn’t hurt to pile up Cyber Security Certificates if I can right? I’m probably aiming for OSCP due to its name recognition, but maybe I’ll take the eCPPTv2 as a stopgap.
eJPT is a good certification for anyone who has some experience in Cyber Security and wants to fill in their knowledge gaps/ prove themselves. I highly recommend it to anyone who wants it.