My eJPTv2 review

ATTENTION: In the time of publishing this post, INE has already decided to redefine the correction rules of the eJPTv2 exam. At this moment the only requirement to obtain the eJPTv2 is reaching the 70% (same as the eJPTv1 was), which makes it easier to achieve it. Take that in consideration, because this review is focused on my experience with all the previously set requirements to pass. Having this clear, let’s start with the review!

Table of contents:
» Introduction
» eJPTv1 vs eJPTv2
» Decision making
» My exam experience
» Resources and preparation
» DO’s and DONT’s
» Last thoughts & conclusion

Introduction

The eJPTv2 or eLearnSecurity Junior Penetration Tester v2 is an entry-level certification into penetration testing, were the corresponding courseware PTSv2 or Pentetration Testing Student v2 is taught by Josh Mason and Alexis Ahmed. The certification is provided by eLearnSecurity, the courseware is provided by INE and the practice labs and exam environment is set up by PentesterAcademy.

This certification and the new, bigger and more complete courseware are the organic update of the original eJPT certification (provided by eLearnSecurity) and PTS course (provided by INE). In this time, this new certification is more focused on showing the process of pentesting, a set of useful tools to accomplish this task and the commonly known services that can be analyzed and exploited.

Also, the exam has an enchanced anti-cheat system with the newly defined Dynamic Flags questions. This type of questions will change depending on the exam environment instance, ensuring the student has reached the asked objective by its own.

Access the eJPTv2 official information page here.
Access the PTSv2 course curriculum page here.

The eJPTv1 was one of my objectives on my cybersecurity learning roadmap but due to decision making, I decided to wait till eJPTv2 come available for the public in order to give it a try. I believed correctly thinking that could bring me a great skillset to step forward into penetration testing; it is a successfully accomplished milestone without doubts.

eJPTv1 vs eJPTv2

At the time of writing this post, there is still people taking the eJPTv1 exam or at least still have a valid voucher to try and take it, despite that INE has officially removed the purchase of vouchers for this certification. At some point in the near future, eJPTv2 will be the only entry-level penetration testing certification option provided by INE.

Anyways, I think it might be interesting to have clear at least what are the important differences between eJPTv1 and eJPTv2. Below clarifies the most relevant ones.

eJPTv1:

• Time limit: 72 hours
• Questions: 20
• Hand-on labs: Yes, OpenVPN (you will need your own Attack Machine)
• Difficulty: Novice
• Pre-requisites: Knowledge of linux, python and command line scripting
• PTS content: 1 section 4 courses, 32 videos, 29 quizzes, 22 labs, 80 slides, 48h 15m estimated duration
• PTS instructors: Lukasz Mikula

eJPTv2:

• Time limit: 48 hours
• Questions: 35
• Hand-on labs: Yes, Browser-Based
• Difficulty: Novice
• Pre-requisites: Knowledge of networking, linux, and windows fundamentals
• PTS content: 4 sections, 12 courses, 229 videos, 154 quizzes, 120 labs, 143h 33m estimated duration
• PTS instructors: Josh Mason & Alexis Ahmed

Further and more detailed information if you are interested on the differences, can be found in a post INE shared on April 2022 here.

Decision making

On July 2022, I got certified in another challenging certification, which I will be doing a review of it too (CCSE by Practical DevSecOps). At this point, I was thinking about doing eJPTv1, because I was feeling confident enough to give it a try, and make finally a step forward into penetration testing.

Suddenly, INE was proposing the eJPTv2 Beta for that summer (between August and September), so I tried to access the Beta program, without success.

I don’t really regret that they didn’t choose me for the Beta because it was coinciding with my summer break, which later I thought should be used to rest after the last certification. Also, in the case I was accepted, I’d have to rush all the material in a span of one month, and it probably may result in a big fail. As all these concepts were new for me (at least most of them), even having the summer break it would be insane, and of course, probably I’d ended with no rest at all. So, I took that rest before carrying on with this one. Taking a rest sometime is also important, remember that.

Take your time and don’t overlook resting

When summer finally ended, I decided to start my journey with eJPTv2, mid-september, good rested and a clear mindset. With no fear about if it could be a bit more difficult than its previous version, I was going for it anyways.

Challenge accepted!

My exam experience

On my first attempt, I felt very confident of all the concepts that I learned from the course. I felt nervous only at the beginning of the exam and at the end, despite that during the exam I enjoyed a lot the experience. Also, the new browser-based exam environment was very fluid and in my experience didn’t got any issues, downtimes or anything that could made lose the focus of the exam.

But, in the first attempt I made so many mistakes. Those were fixed on the second attempt. The most important ones were the following:

• Think that the exam is a CTF alike challenge that must be resolved.
• Taking the exam for several hours at a time without taking breaks.
• Spend a lot of time trying something that probably will never work, aka dig deep in rabbit holes.

These mistakes made me lose a lot of time and leeched most of my energy, due to not having a clear pathway of how to take the exam, nor having an structured resting routine.

Exam has a perfectly balanced difficulty so, despite that it was challenging, you can finish with enough time remaining if you are confident with the learned concepts and techniques. So please, don’t do these things and have a clear pathway when you attempt it.

Please, don’t do these things!

At this attempt, I definetely failed, but not for a great number of wrongly answered questions. Firstly, all the bad steps I made and already talked about them should be avoided, but also due to the very restrictive requirements were set on the correction sentenced me to fail. I failed with a 91% score on the first attempt.

Scored 91% on the first attempt, but failed due to not achieved one of the minimum requirements per section.

This screenshot shows what I accomplished based on the questions presented on the exam (these are not the actual questions, as they will ask you something more specific, note that).

Anyways, this wasn’t a simple fail, as I got a pretty good score, I didn’t let the impostor syndrome interfer with my objective, that was getting this certification passed. Looking the final score, in my mind, I already passed this exam. I just needed to try it a bit harder in order to accomplish the extra requirements.

So, I started fixing my methodology, checking what I did wrong and conserving what was properly done (everything, technical and non-technical operations), in order to get an even better score. Difficult stuff to accomplish, but I already accepted the challenge, right?

Come on, I am ready!

In the second attempt I was even more confident, more rested, with a calculated plan to accomplish this. There was enough time to do the exam, eat, sleep, keep the track of all the findings and improve the organization of my notes. The perspective this time was doing an actual pentest of the environment, not taking the questions and aswering them right away with the first correct answer.

Took my time to extract as much information as I could from the environment, and that definetely report me a greater view of what was going on there, and of course, easier to answer the requested questions.

Also, it took me less time to finish the exam, as I already had a plan on how to operate on this second attempt, with an improved methodology.

Everything under control, more organized and improved

When I had answered all the proposed questions, I hit the submit button. After a minute or two, the screen I was waiting for just popped up in front of my eyes. Passed the eJPTv2 with a 97% score.

Passed the eJPTv2 with a 97% score

I couldn’t believe this definetely happened, but it was right there. I hit the “Go to certificate” button to finally check it was a real fact. Definetely, that extra effort was payed off.

eJPTv2 certified

Nicely done!

Resources and preparation

In my case, the resources used for the preparation were very strightforward, described below, ordered by importance:

• PTSv2: I recommend the PTSv2 course to be used as the basics reference in order to take the exam, as is the main content that probably will give you most of the information you need to carry on with the exam. Making a shortened and indexed version of this material as your personal notes will be very handy for a successful exam attempt, so my recomendation is to take the course, pay attention to every single new concept you grab frome there and keep good notes from them.
• TryHackMe: I personally used this platform just for practice the learned concepts on PTSv2 (used machines filtered by easy difficulty, trying to not read any writeup). But definetely its also a reference if you are starting on cybersecurity, also have modules of basics that you can try in order to get that basics before carry on.
• Google: It might be pretty obvious, but if you don’t have something clear, a concept, a technique or you miss something you don’t fully understand, you can search in Google for a more complete explaination/examples. Understand how is working everything is very important, as this certification is a Novice level, that base is required to fully understood. So don’t fear to use Google whenever you have a doubt, even learning new stuff or during the exam (remember is an open book exam and you are able to use Google and any handy resource).

DO’s and DONT’s

This is in my opinion what should lead you to pass the exam in the first attempt after my experience in both attempts:

DO’s:

• Take a very good notes of PTSv2 content when studying it in order you have solid and accesible resources to check when you have doubts when practicing the content or during the exam.
• Try to understand everything that instructors show in the course. Knowledge gaps could lead you to a fail in some case, so you have to be confident enough with the concepts and techniques shown in the course before attempting the exam.
• Don’t fear to go a step back if the concepts are very complex at some point. The goal is to understand everything, not winning a race. Take your time.
• Before attempting the exam, resolving the PTSv2 labs at least twice will refresh you the concepts and techniques alredy learned.
• Get enough sleep the day before the exam.
• During the exam, keep your track of every finding effectively. A good and organized findings may help you answer the questions properly and also give you a global vision of your progress.
• During the exam, please, take breaks accordingly (set alarms if needed), this is very important because if you lose concentration due to tireness, you will lose effective exam time.
• During the exam, eat and stay hydrated.
• During the exam, please have fun!

DONT’s:

• When studying or practicing you may do your own research for specific CTFs and you may find useful resources on that research. My recomendation is to not mix it together with your PTSv2 course notes. As in most situations your PTSv2 notes are enough, in some other cases may not, and is a good approach to start the research or recover what you learned from external sources just when you don’t have nothing else to check on your PTSv2 course notes.
• Don’t go ahead with next concepts if you don’t understand something. As I said is very important to be confident and comfortable with the concepts and techniques shown in the course, and skipping one can lead you to getting lost on the next lessons.
• During the exam, don’t think it as a CTF, or you may probably fail.
• During the exam, don’t lose yourself on the Internet trying to find magical solutions to complex problems. If you are stuck, my recomendation is to go try something else. New paths to try should eventually pop up on a fresher mind.
• During the exam, don’t lose focus. Every effective time taking the exam counts, so please, avoid any distractions.
• Don’t give up if you fail on your first attempt. The worst thing you can do is to give up after all the effort put on the study of this certification. Check in the exam results resume what you did wrong and make related changes to your methodology, gain more confidence on the concepts and techniques you fail most by practicing them and take your time to improve it. Also, remember you have a free second attempt. Failing is part of the learning process.

You can do it! Keep going!

Last thoughts & conclusion

Despite this certification is an entry-level for anyone that wants to start on penetration testing, it doesn’t mean it is easy at any level. Remember that some pre-requisites are required to be met in order to understand everything.

Once with that, after reviewing all the material, practicing enough to get confident with all concepts and techniques, and getting the exam done, I might say that this certification definetely gives you all the basics and background needed as a junior penetration tester.

Also, after even passing the exam, I continue doing CTFs on THM, as my practice time I enjoyed a lot, and gained confidence to go further on penetration testing.

At the time of publishing this post, I’ve reached global 3% in THM. You can check my updated THM badge here.

My THM badge at the time of posting

In order to wrap up this post, I wanted to say that I have already set a goal for this new year. But, we will talk about that on another post ;)