eWPT Exam – Another Cert Bites the Dust

I finally took my eWPT exam this past weekend, so it is nice to have another cert out of the way.

eWPT Exam

While I can’t give away too much information about exam specifics, it was fairly straightforward.

To quote NovaHax on TechExams:

  1. Here’s an App
  2. Test the App
  3. Gain Admin Access to App
  4. Document all findings

The exam starts with a wildcard domain, and the goal of finding all vulns in all subdomains. I started by performing some subdomain enumeration, but I won’t get into too many details about that.

Once all the domains are found, the test becomes a standard web app pentest. Paying attention to all information gathered, as well as ALL possible avenues of exploitation, is very important.

In the end, I ended up with over 10 vulns for the entire web application and a 39-page report.

Status/Next Steps

I am currently awaiting reviewer feedback on my report, but I’m fairly confident about my current status.

The reviewer has 30 business days to give feedback, but I know that my eCPPT only took about seven. I will be on vacation during the holidays, but I am hoping to know how I did before then.

This was an enjoyable cert, is relevant to my current position, and surprisingly useful (even considering my experience).

Once I return from the holidays, I plan on starting the eWPTX course.

36 Comments

    • Thanks, and always glad to provide feedback on certs/course I take!

      Current job title is Penetration Tester, but a large focus is definitely on web applications.

      I didn’t expect to learn anything going into this one (figured it would be a refresher before eWPTX), but was pleasantly surprised.

      • That is my dream title 🙂 I only have the eJPT at the moment. Do you think I should focus on getting the eCPPT or the eWPT?

        • Haha, yea, it’s a pretty sweet gig once you finally get into it.

          I suppose it would depend on what you’d prefer to do, as well as your current skill-set.

          The eCPPT is closer to the OSCP, which will definitely help as far as getting a foothold into a pentesting position is concerned. That said, the eWPT is far more useful as far as web applications are concerned, and this is what you will primarily run across in most organizations.

          I’d recommend eCPPT -> OSCP -> (other certs) from a general career standpoint though.

      • hey man,
        great notes on the course, good work on that.

        can I ask a question though, I have access to the mysql db but can’t get the --password option to work. I believe I should be able to get hashes from it and crack those to access a subdomain… but no luck. I have proxy’d it through burp and can see it’s running correctly… any advice would be greatly appreciated.

        • Hi Amy,

          First, sorry for the confusion, but I have to manually approve comments to avoid spam!

          That said, thanks for the feedback on the course.

          As far as having access to a database, but no hashes is concerned, that is usually a permission issue. If you don’t have high enough privileges on the database, you may not be able to dump the saved passwords. That said, the application itself might be storing passwords in a different database/table. Additionally, you may not need the MySQL credentials to move laterally.

          Good luck!

  1. Thanks for the reply! I’m going to take your advice and go for the eCPPT, followed by the OSCP. I have little experience in Pen Testing. I do it at work from time-to-time but not a lot. I don’t think my eJPT cert has any weight in the infosec world haha.

    I forgot to check the “Notify me of follow-up comments by email” box which is why I replied twice lol

  2. Hey man, first off congrats! I am a system engineer but my work has allowed me to pursue Infosec certs. Hoping one day to become a pentester like yourself.

    I am just finishing up on eCPPT and hoping to take the exam over the up and coming holidays. It’s good to hear that eCPPT is very close to OSCP as I plan on getting that cert in the near future.

    I have been “trying” to participate in bug bounties as a way to learn web app sec. From your experience, the eWPT course even taught you a thing or two considering you’re a seasoned pentester?

    I feel that pentesting will move more into web app based testing in the near future with the adoption of cloud based technologies. Do you agree with that statement?

    Thanks and looking forward to reading about your experience on eWPTX course.

    • Hi Chris,

      Thanks for that, and good luck!

      OSCP is a great follow-up to eCPPT, especially if you really followed the material and learned. The eWPT definitely taught me a bit even as a pentester, so I’d recommend it. I’m looking forward to the eWPTX, as it should be even more advanced.

      I think that there will always be plenty of Web App Pentesting, and it is actually already in the majority.

      Good luck with the certs, and let me know if you have any other questions.

  3. Thanks for the review. I’m currently working through the WAPT course. I signed up for the course only to prepare for the WAPTX course and fill in gaps in my knowledge. I’m impressed with the course materials and I’ve definitely learned new things from it even if it has only “filled in the gaps”. I wasn’t planning on taking the exam but after reading your review I’m looking forward to it now.

    • Glad you found the review useful, and it was a good course.

      That was exactly how I felt taking the course, but it was definitely more than just a refresher for WAPTX. I’d take the exam if I were you, as it never hurts to have the cert/proving the experience.

      Good luck!

  4. Hey Doyler! Hope all is well in the InfoSec world! I just got back my results for this exam and I failed :(. I wasn’t able to gain admin access and I ended up with about 10 Vulner. Any hints or tips on what I should be studying more? Any feedback would be appreciated.

    Thanks!

    Josh

    • Hi Josh, it is, thanks for asking!

      That’s too bad to hear, hopefully next time you’ll get it. I had roughly 14 vulnerabilities, so you weren’t too far off…

      As far as what you should be studying, it will mostly revolve around what you missed or think you missed. That said, I’d suggest really looking back over SQLi, XSS, and unrestricted file uploads.

      Good luck!

      • Thanks for the feedback as always Doyler! I’ll let you know once I get the cert!

        Thanks again and good luck with the eMAPT! I bought the bundle (eMAPT, eWPT, eWPTX, and eCPPT) so I’ll be adding it to my arsenal soon!

  5. Hi,

    Great article

    I have done my first attempt of eWPT and found the userID and hashes, anyway I wasn’t able to crack the hash and get the admin access, I submitted the report and am waiting for the reviewer to come back. Then I think I can start the 2nd attempt.

    Is the way I followed correct? I need to crack the hash to get the admin access, right?

    In that case, could you please provide me any hint that I can use to crack this hash?

    PS: Not asking the exact answer, just a hint 🙂

  6. Hey Doyler I have a question. In your opinion, which was more difficult, eWPTX or eCPPT?

    I’m trying to decide which of the two to take next. I would like to get it before the year is out.

    • Hmm, probably the eWPTX? That said, they’re different certs, so it really just depends on what you’re looking for.

      There is little to no overlap, so one isn’t really going to prepare you for the other.

  7. Hi Doyler,

    I’m doing the eWPT right now and am completely stuck on the final stage. I have access, I’ve found two good places for what I’m pretty sure is how you get admin but nothing is coming back. Both work against myself but short of being able to send the admin an email or something I’m stumped.

    Any pointers?

    • I’d keep looking around for what you have and haven’t found yet. If something works against you, maybe it is persistent and can be seen by others?

      That said, you definitely don’t need to send any e-mails, especially not to get admin!

  8. Not sure if you maintain this blog post

    But I’ve been at it for a long time

    I would appreciate a nod in the right direction regarding sqlmap tamper scripts, it’s on the challenges

    Would it be possible to ask for an email exchange?

  9. “EXCELLENT, THANK YOU ! Another tip, if you don’t see Lifeframe in all programs (because mine didn’t) just type it in and it will come up on the top in a box that doesn’t look like it’s clickable, but click it. Once it opened, I right clicked the icon and pinned it to my task bar so I don’t have to hunt it down any more.

  10. Hi Doyle,

    Did the exam and got admin access but still did not pass.

    The feedback from the examiner does not make much sense. “outside scope of engagement.”

    Found a phone-related domain and included it in the report. (should I remove this part from my report?)

    Any help is appreciated.

    • It sounds like you made some decent progress, but didn’t get quite enough to pass!

      If you received a message that something was out of scope, then it likely means that you attacked something you weren’t supposed to.

      When performing any sort of penetration test, be sure to limit your attacks and report to ONLY the agreed-upon scope.

      Good luck!
