eJPT Review; The Hands on Complement to Pentest+

TL;DR Does the Internet really need another eJPT review? Probably not, but here is mine anyway. Please note that the exam format is changing soon. This is about the 20 Question version, circa May 2022.

Disclaimer

I am not a pentester. I have worked everything from service desk to change management & procurement to junior admin to auditing. I am an unashamed Windows Guy. I have passed one other 100% hands on exam before the eJPT. I will invariably end up comparing eJPT to the other hands on exam I took, so bear with me there.

Background

I had been meaning to write a review of eJPT since I took it in May 2022, but I got busy labbing and studying for another exam. The exam is going to version 2 sometime in summer 2022. Nevertheless it appears from INE’s site that the preparation will still be much the same as I used. The price is not changing either.

I first heard about eLearnSecurity and their eLearnSecurity Junior Penetration Tester (eJPT) certification on Reddit. That is also where I first heard about Pentester Academy’s Certified Red Team Professional (CRTP).

First off, the eJPT is an incredible deal at $200 for the exam voucher. This includes a free re-take if needed. The training is free from INE. They give you 3 days to find the answers to 20 questions. Therefore it is a low stress test, which is probably by design. It is meant to be an intro level hands on exam, sort of an OSCP for Dummies if you will.

My personal reasons for this exam

If you have skimmed even a few articles of mine then it is probably obvious that I am a ‘Windows Guy’. I suck at webapps and am mediocre at nmap, Metasploit, and BASH in general. Therefore I figured that eJPT would be a great, interesting, hands on way to learn more about those topics.

Should you take eJPT?

IMHO anyway, you should take eJPT if:

  • You took CompTIA Pentest+ and you want to do a hands on complement to it

You should not take eJPT if:

  • You are just trying to fluff a resume

eLearnSecurity in general and the eJPT certification in particular do not seem to be well known yet. Therefore this exam is more for those who just want to learn or those who want to ‘get their feet wet’ before attempting better known certifications such as OSCP.

Preparation

I used INE’s free training, however I liked Try Hack Me’s (THM) Jr Penetration Tester path better overall for eJPT study. THM was great practice for another reason; they have you VPN into their lab environment using OpenVPN from your own Kali VM. INE does this as well, but not until near the end of their training. I found THM’s lab environment and VPN more seamless and user friendly overall.

Additionally THM’s training has you find the answers to questions, much like the eJPT exam itself. INE’s labs were more ‘find the flag’ focused. THM also does a better job of keeping score as you go, showing you how many days in a row you have answered questions, questions answered per day, and other ‘gamey’ ways to keep students engaged.

This was just my personal preference. THM is only $10 a month, or $7.50 a month if you sign up for a whole year. 2 months is sufficient to get through their Junior Pentester pathway, so figure $20 total for training.

However you go about studying and labbing for eJPT, you will want to be familiar with the following:

  • Kali in general (how to get around in BASH, modify files, set permissions, etc)

Basically you will want to have some hands on time with the tools that are tested on in CompTIA’s Pentest+ exam. INE’s training and THM’s Junior Pentesting path will get you familiar enough to pass the eJPT. If you did not do THM’s Pentest+ path already then I would recommend that one as well. I did it after passing eJPT, but IMHO it would greatly benefit one as eJPT prep.

The exam

I started the exam around 09:00 on the first day of a 3 day weekend. Many others said that they finished the exam in 3–4 hours, but I am not a Linux guru and wanted to use the full 3 days if needed. eLearnSecurity provides you with instructions, an OpenVPN file for access to the exam environment, and 20 questions. You need to find the answers to at least 15 to pass.

Unlike the CRTP, you have to perform host discovery on the eJPT exam. In fact I found that this was the most important part of the exam. After all, you won’t find the answers to the questions on the systems if you can’t find the systems in the first place.

Obviously I cannot say too much about the exam, but the questions were not ‘CTFy’, which was great. You can approach the exam environment like it is a pentest, scan & enumerate everything, find all vulnerabilities, etc. However you can also use the questions to guide your approach to the environment and simply focus on finding the answers. IMHO neither approach is wrong. After all an attacker is normally after something specific.

I ended up getting 17 out of 20 correct and passed the exam with a score of 85%. I spent roughly 12 hours on the exam. I took frequent breaks and went running after I got really stuck at one point.

There is no report for eJPT, just find the answers to the questions and submit the entire thing when you are ready. They let you know your score immediately.

Tips

  • Take the exam when you have 3 days off work and plan on using it all. You will probably finish in much less time, but having that much makes it a low stress event. It is meant to be hands on, educational, and fun.

Summary

eJPT from eLearnSecurity is an incredible deal at $200 for the exam voucher with a free re-take included just in case you need it. The training is free from INE or $10 a month from THM. You can study up for and take this exam for $220–230. The exam is 100% hands on and stresses understanding network, webapp, and OS security rather than rote memorization.

References

eJPT version 2 changes: https://ine.com/blog/new-ejpt-coming-soon?utm_source=linkedin&utm_medium=organic&utm_campaign=NeweJPTComingSoon&utm_content=blog

eJPT information: https://elearnsecurity.com/product/ejpt-certification/

CRTP review: https://happycamper84.medium.com/certified-red-team-professional-crtp-exam-course-my-experience-4907dd6f5edc

Free INE eJPT training: https://my.ine.com/CyberSecurity/learning-paths/a223968e-3a74-45ed-884d-2d16760b8bbd/penetration-testing-student

Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.