Black Box Test on eCPTXv2 exam

Gustav Shen
5 min readApr 19, 2022

Hi folks, just as I promised, I am sharing my review on eLearnSecurity’s eCPTX exam from an exam taker without purchasing course material. Yes, it is a black box test for me to pass eCPTX exam. I saw few reviews on eCPTXv2 courses and exam, but almost all of them are taking exam after completing course material. So I want to share something different : P

Background and Motivation

3 weeks ago, I passed eCPTX exam on my second attempt. I will explain why I failed my first attempt later. You can check eCPTX certification on its official website: You can enroll the course and then take the exam, of course you can take the exam without purchasing course materials and preparation just like me. IMO, eCPTX is an advanced level Penetration Testing/Red Teaming certificate, and it is. Since I did not purchase course materials, I cannot share opinions on them, but I hear that course materials are deep and overwhelming. The reason why I wanted to take eCPTX exam without any preparation was that I was actively preparing for OSEP exam, I would like to check if I had already had decent AD enumeration and exploitation skills. Previously I took CRTO course and passed the exam, I must say CRTO course teach me a great methodology during a red team engagement.

Opinions on Exam

Without any delay, let’s talk about the exam, I will share some general opinions to avoid spoiler.

Before the Exam

After purchasing the exam voucher, you can start exam at any time only if it is still valid. If you decide to start the exam, you will get a Letter of Engagement and VPN config file. Just as other folks said, the LoE is confusing, you could feel confused that what do I need to do to pass the exam? After owning all DCs, you feel confident that you will pass the exam absolutely, but it is not the case. Anyway, the LoE is confusing, just be aware of it.

During the Exam

I devide this section to three more detailed sub-sections.

1: Aspect of Support and Environment

During exam, you can stop and reset the exam environment on your panel. For some reasons, I reset my exam environment after about 2 hours, but it was the most annoying part of my experience. The process of reset took about 2 hours. I thought the environment was destroyed, so I emailed and called eLearnSecurity Support. Support is nice, and fortunately few minutes after the call, my exam environment is ready to access again. I do not recommend you to reset your exam environment unless necessary.

Besides, the exam environment is so laggy for me. It is painful for me to RDP to compromised hosts. But everything works well when I operate on C2 client.

2: Aspect of Exam Itself

I guess many folks would like to know if the exam is tough. In my opinion, it is challenging. I passed CRTO and CRTP exam, CPTX is much more challenging than both of them. But the good news is that if you have passed CRTO or CPTX, you have already had most of skills to pass CPTX exam. What do I mean? All skills needed in CPTX exam are common, but you will face heavier enumeration and need more steps to compromise a user/host.

The exam environment consists of 6 hosts in 3 domains. The LoE is confusing, so let me tell you that in order to pass the exam, you need to take over a specific DC in all different attack paths like A->B->C, A->F->C, A->B->E->C, etc. On my first attempt, I took over the DC but I did not know I need to include all attack paths, so I failed it. On my second attempt, I found all attack paths and pass it finally.

The exam is challenging, I made full use of exam time on my first attempt until VPN was disconnected because I fell into a rabbit hole (you will know it when you are on exam) even though I had already owned the DC at that time. Anyway, you cannot take the exam in chill mode. The exam is also very fun, the environment is absolutely well-designed, I enjoyed it a lot. The exam covers a lot, and what to my surprise is that binary exploitation is also included. But unlike OSEP, the lack of security protection is a little disappointing for me. It does have AV enabled, but I don’t think you will be disturbed by it. For me, I did not have a chance to evade AV.

There is no tool restriction, so I used Cobalt Strike C2. But the exam has some other restrictions, it does not allow exploit like sweet potato, it does not allow using DA to access another domain to get access (You need to abuse trust instead), etc. Just pay attention to it.

3: Aspect of Myself

The exam is not based on assume-breach model. During the first 2 hours, I got nothing. I started to regret taking eCPTX exam. Then, I changed the enumeration methodology and successfully find the entry to the first host. During the exam, I rarely took a rest and made full use of time and I did a lot google searhcing and researching. It was quite intense for me.

After the Exam

Before the exam, I heard it took a long time to get exam feedback/result, but it is very fast for me. I can only see the feedback when I am on my retake, but the feedback is very instructive and detailed, exam environment is also preserved for me so I do not need to totally redo it. I really appreciate it! I can feel that eLearnSecurity hopes you make progress and pass the exam.

Final Review

I cannot comment on course materials part of eCPTX, but I will say the exam is very fun and intense. It is tough and challenging, but to be honest its difficulty still did not fully meet my expectation since it is an advanced level certification, here are my reasons.

1: It has more steps to compromise a host/user, but required skills are common. It does not involve some advanced attacks.

2: The security protection is fragile, you could choose to evade AV but it is unnecessary. Let alone some other protections such as CLM, AppLocker, etc.

Okay, that’s my opinion on eCPTXv2 exam. In general, I enjoy it and like it. I still leant a lot during the two attempts since I did a lot googling. I hope this article could be helpful for you :D