0x01. PNPT Journey

Prelude

Back in 2022, I took an interest in the PNPT (Practical Network Penetration Tester) exam after discovering it through Heath Adams’ YouTube channel, TheCyberMentor. What caught my attention was that unlike traditional Capture the Flag (CTF) style exams, the PNPT focuses on real-life assessments. The exam structure includes OSINT —> External Assessment —> Internal Assessment —> Reporting —> Debriefing. This was a novel approach for me, as I was then in university, engaging with platforms like Hack The Box (HTB) and TryHackMe (THM), where we only had to capture the flags as we moved along the box.

Fast forward two years to January 2024, I decided to purchase the PNPT exam after gaining some work experience in penetration testing. The PNPT resonated with me because its practical approach mirrored what I did at work. For preparation, I drew on my existing knowledge of Linux and Windows privilege escalation and focused mainly on the Practical Ethical Hacking (PEH) course, OSINT, the External Pentest Playbook, and Movement & Pivoting (see the Preparation for the Exam section below).

The Practical Ethical Hacking course was packed with knowledge. The extensive information provided by Heath was invaluable, particularly the notes I took on Active Directory, which proved crucial during an onsite project and allowed me to compromise Domain Controllers ;) [Cue Happy Dance 🕺]. Heath Adams’ teachings laid a solid foundation for understanding and attacking Active Directory, a skill that seasoned pentesters would recognize as fundamental, even though the course didn't cover every advanced topic such as ADCS attacks or cross-forest attacks. It laid the foundation to build upon the methodologies taught by Heath and advance to more sophisticated techniques.

The course structure imparts essential knowledge, allowing one to think like a pentester while also equipping them to produce reports that convey technical findings in a managerial context. This dual approach is vital because as pentesters, we often need to translate technical details into executive summaries that address both management and technical perspectives.

Heath Adams has crafted the course meticulously, covering all necessary aspects to transition and think like a pentester from start to finish. The skills taught in this course are immediately applicable to real-life penetration tests, making it a valuable resource for anyone in the field.

About the PNPT Course

The PNPT course is divided into five sections, each providing the essential knowledge needed to excel as a penetration tester.

  1. OSINT Fundamentals

  2. External Pentest Playbook [EPP]

  3. Practical Ethical Hacker Course [PEH]

  4. Windows Privilege Escalation [WPE]

  5. Linux Privilege Escalation [LPE]

  1. OSINT Fundamentals: This course teaches how to gather extensive data using Open Source Intelligence (OSINT). It demonstrates how easy it is to collect information from various sources and how passwords can be harvested and generated from that information.

  2. External Pentest Playbook: This course provides an overview of external penetration testing, including the tactics and strategies needed to assess and secure external systems effectively.

  3. Practical Ethical Hacking: This course focuses on the fundamentals of ethical hacking and Active Directory. I highly recommend thoroughly reviewing this course until you fully grasp all the concepts, as it provides a solid foundation for penetration testing.

  4. Windows & Linux Privilege Escalation: This section was invaluable not only for the PNPT but also for any testing I conducted, whether on Hack The Box or TryHackMe. It offered a comprehensive understanding of privilege escalation techniques and served as a strong foundation for building upon various other methods.

Preparation for the Exam

  1. Take Detailed Notes: Document as much as possible in detail. I used Notion for my notes, but tools like Sublime, OneNote, or any other note-taking app you’re comfortable with will work. The key is to be thorough in capturing information.

  2. Use TryHackMe & Hack The Box: Engage with these platforms to learn and practice specific techniques. Useful labs include:

    1. Wreath [TryHackMe]: This lab teaches pivoting techniques.

    2. Sauna [Hack The Box]: This lab covers the essentials of Active Directory attacks.

  3. Create Custom Labs: If you have a good workstation, set up custom labs as suggested in PEH. Test various attack methodologies until you fully understand Active Directory concepts.

  4. Develop a Methodology: As you learn each concept, create a methodology for it and adhere to it. This structured approach will provide a solid foundation for penetration testing.

  5. Prioritize Enumeration: Focus on thorough enumeration before exploitation. Effective enumeration is crucial as it helps you understand the environment and avoid potential pitfalls. Remember: Enumerate, Enumerate, Enumerate —> Exploit —> Enumerate, Enumerate, Enumerate —> Exploit. Your enumeration skills are more important than your exploitation skills because understanding the landscape is essential before exploiting vulnerabilities.

Exam Experience

I started the PNPT exam on the morning of the 25th. The exam spanned five days, with an additional two days allocated for reporting. I aimed to complete the exam before the 29th due to travel commitments. Without further delay, I accessed the exam portal and clicked the "Play" button. Within about 10 minutes, I received the rules of engagement and the VPN credentials. Everything was very efficient, and the machines were stable, with no issues at all.

I began with OSINT and, using the gathered information, was able to assess the external network and transition to the internal network within 2 hours. However, I encountered several rabbit holes in the internal network, which caused me to lose 6-7 hours before I finally found a way into the Active Directory. After that, progress was smoother for a while, but I got stuck on one machine for about 3 hours before I could bypass it. I decided to take a break, had a good night's sleep and woke up early at 5am on the 26th. Two hours in, I managed to compromise the domain [Danced for 5 minutes because why not haha].

Following this, I started working on the report, aiming to make it as comprehensive as possible. I spent about 4-5 hours on the report but, unfortunately, in my excitement, I overlooked including some screenshots and submitted the report without them. Shortly afterward, I received an email from the TCM staff indicating that I had missed the screenshot for that section. Initially, I thought this might mean I had failed, but they offered me the chance to fill in the missing part and resubmit. After completing this, I passed the exam.

The TCM support team was incredibly responsive and supportive throughout the process. They genuinely want you to succeed and are not just there to take your money. Their customer service is exceptional—I only wish other companies had such efficient support. After resubmitting, my report was reviewed within about 4 hours, and another 4 hours later, I was informed that I passed and it was time for the debrief.

Post Exam & Debrief

I scheduled my debrief for the evening of the 27th. Since I was also working, I didn't prepare a separate presentation and used the report I had submitted as the basis for my presentation. When the debrief started, I had my video on and met with one of the TCM staff members, who was very kind and asked me to explain my findings.

I provided a detailed explanation of the entire document from start to finish, which took a bit more than 15 minutes. The debrief felt very much like a client meeting after a pentest, where I outlined all the important points, discussed remediation strategies, and offered advice on how the client could improve.

After the formal debrief, the conversation continued as the TCM staff and I discussed red teaming and penetration testing in general. They were really friendly and engaging. Finally, they confirmed that I had passed and issued my certificate.

Added the new one ;)

Conclusion

The PNPT is one of the best certifications available, and it should be considered a standard due to how closely it resembles real-life penetration testing. It challenges you to think outside the box and approach problems from a pentester's perspective. One of the greatest aspects of the PNPT is that once you achieve it, you can immediately apply the skills in real-world scenarios with clients or in other pentesting activities. The methodologies used are directly applicable to real-life situations, making the certification highly practical.

Here are some tips to help you pass:

  1. Enumeration > Exploitation: Focus on thorough enumeration before moving to exploitation. Understanding the environment thoroughly will lead to more effective exploitation.

  2. Understand Concepts: Learn the underlying concepts and the reasons behind why certain techniques work. This foundational knowledge will enhance your problem-solving skills.

  3. Think Like a Hacker: Look for loopholes and think creatively about potential flaws in applications that could be leveraged. Approach problems from both a technical and human perspective.

  4. Learn Pivoting Techniques: Understanding various pivoting techniques is crucial for navigating complex networks and systems.

  5. Avoid Overthinking: While it's important to be thorough, overthinking can lead to rabbit holes. Stay focused and practical in your approach.
