I have been quiet for a while now, trying out some new things but I can’t seem to get away from the power that is markdown.
Also I need to use markdown more (which powers this blog BTW) for my report writing on the OSCP, so I figure I may as well get reaquainted and also tell the story of how I conquered fear, found my path and really kicked my learning up a notch,
This is the story of how I became eLearnSecurity Junior Penetration Tester (eJPT) Certified.
Firstly I need to wind the clock back a little more on myself.
I’ve hacked at things my entire life but I didn’t truely realise this till much later.
What I mean by this is I found ‘ways’ to make my life easier. An example of this is when I began ‘humanising’ and automating responses to customer raised queries at an UK based ISP I worked at. The existing system was garbage (IMO) and didn’t have any compassion to the end user. Their responses read exactly like the scripts scammers try to get you with when cold calling. It didn’t sit well with me so I found a way using GreaseMonkey to build some buttons that would only appear on the Ticketing screen and would be used to correctly respond or map out a detailed response to a customer as well as (if needed) open relevant tabs with suppliers to raise faults or submit queries.
I didn’t find my origional scripting but I did manage to find a picture I snapped during the testing phase:
All the relevant faults and processes as well as the SMS responses if the customer is opted in. As time went on and my average call handle time went down I shared this with my team (whos AHT went down also) and then with everyone else who asked about it, even going as far as to make custom layouts and options for other departments.
To my knowledge (and as per employees that have left since) My GMScripts still live on and are heavily relied upon - Score one for Dan!
From this I have edited config files (#leethax) and made a few projects from boredom but nothing major.
My career in Cybersecurity started at the beginning of the pandemic lockdown in the UK (March 2020) when I found that the International Cyber Security Institute (ICSI) were offering their Certified Network Security Specialist (CNSS) Certification for free (Trainiing/Exam) with a digital copy of the certification.
Natrualy I snapped this up, promptly passed, and this was the magical shot I needed to realise that I could turn security into my passion.
Since then I have learned, improved, discovered CTF sites and as such taken down just about everything on TryHackMe, I’ve plowed through HackTheBox but CTF-ing isn’t the be all and end all, it’s a mindest.
Due in part to the pandemic I have been out of work and job hunting like a madman.
Now we can expand a little on how I became the luckiest human being on the planet.
Being unemployed when you have worked since you were 16 is a bit of a kick in the teeth, as I said the pandemic didn’t help here as employers weren’t ‘actively’ looking for people while trying to figure out how to do ‘those jobs’ that they have told you for years you need to be in the office for, from home.
However, just because I have been unemployed during this time does not mean that I have been doing nothing and because I’ve not been idle I scored a lucky break.
Now there are some very specific conditions that need to be met for this amazing thing to happen. I had to not only prove that I have been applying for jobs and improving myself but, you need to live in a specific area that actually supports job seekers in their quest to secure a role.
The District Housing Association in my area actually has a system for long term unemployed to get them back into work via training and courses. I had all the paperwork so decided to take a chance a look into it.
Speaking with their representative at great length via calls and email we talked about my past, aspirations and the future.
They could see that I am not just some looser who can’t get a job; I have my head screwed on, I have been actively looking into the profession I want to work in, I have been going after the specific things I need to do to get to where I want to be.
During the discussion that debate of Experience over Certs came up.
“In a society of gatekeepers, there will always be gatekeeping.” - no idea so I’m going to say its Me - 2022
This is the great dividing sea between security professionals, there are very valid points on both sides of the fence and it’s something that everyone eventually comes to.
While it is true I don’t have the commerical experience that some companies would be looking for, this person said to me that the best thing I can do is ‘see what happens’.
I mean yeah that is true but what am I to do about getting these finnicky peices of paper worth (in some cases) as much as an used car.
This was also about the time that my laptop died, my ONLY laptop died.
I may go into this as a seperate story but as a more condenced block this was actaully my first ‘lucky break’ and considering where it came from I am going to classify it as an actual ‘act of god’.
I emailed the representative I had been working with and told them essientially I was SOL (Shit Outta Luck) till I could afford a replacement machine.
2nd hand hardware didn’t bother me, that Lenovo X240 I had been decemating CTFs with and passing endless certifications and courses was a £100 machine from the local Cash Converters, It was an I3 with 8GB of RAM but I made it sing! (also linux helps here).
They told me that they would reach out around the area to see if anyone could help and after a little back and forth as the person offering assistance understood my situation and that I wasn’t just going to use it to ‘surf the internet cheaply’ (as I was running multiple Virtual Machines and cracking hashes etc etc all the grunt work) They knew I would need something suitable BUT It had to be brand new.
I understand why this is with things like accountability, taxes, VAT, securing repiration funding for the exact amount. But It did kill my ebay full of 2nd hand cheap Lenovos, Dells anything ‘business class’ as easy upgrade and repair.
I digress, the org who purchased my new laptop came out to hand it to me and I honestly had a tear in my eye, it was REAL, someone actually understood and helped in a way I didn’t think would be possible.
Now back on track and to the certifications, this part took some time. The oppertunity available to me was a grant of up to £1500 that I could use directly on Cybersecurity related certifications as a way of breaking down the barriers I was hitting with hiring managers and HR.
The reason this took some time is because (I’m pretty sure anyway) I am the first ever person that has done this with them with a focus on Cybersecurity. Most of the people applying for this grant are looking at beginner programming courses or training for other things, possibly even people getting into a trade like a builder or something.
Nobody had approached them to say, essentially, “Hi, I can do these cool things with computers and if I can get some certifications behind me it could result in a well paying job doing something I love.”
This is where I was at.
Going in I had a good idea of certain certifications I could apply for, things like the OCSP which is a staple of any pentester in this day and age.
I had done my research, there are 1000’s of jobs on LinkedIn if you search ‘CEH’ but then you look at the CEH and what it is, what it stands for, the exam.. oh and the gender inequality stuff, never forget that part…
You realise that; while everyone and their mum is wanting you to have the CEH, it’s kinda pointless (IMO, and only exists because of that ISO certification factor, if that dropped everyone would bin the CEH).
So I spent a good chunk of time going over certifications, reaching out to industry contacts for advice and guidance while I had to build my case to the DH Association for it to be essentially voted as a yay or nay for full/part funding.
After much back and forth between them and the person I was speaking with they wanted to know more about the field and other certifications.
I helped as much as I could and I completely flooded the mail thread between us with certifications and my opinion on them and where they would stand in the ‘pecking order’.
For those who haven’t seen it this is a really good guide on certifications and their ‘overlap’.
With this as a rough guide and again going over this with the representative we chose to try our luck with:
- eLearn Security Junior Penetration Tester (eJPT).
- Offensive Security Certified Professional (OSCP).
- ZeroPoint Security Red Team Operator (RTO / CRTO).
- TCM Security Practical Network Penetration Tester Certification (PNPT).
We figured this was the best coverage of ‘entry level’ and would open the most eyes from recruiters.
Now some cyberboffins in the field will quickly realise that these 4 certifications bust that £1500 limit, and, you’re not wrong.
It broke it by about £160 from memory, however if you have the passion and the drive when making your case, a miracle can happen.
During the process of reviewing my case the ‘team’ doing the review branched out and asked if organisations in the local area could also step in and assist to which one did indeed ‘StepUP’ and assist, they offered to go 50/50 with the DH Association to lessen the strain on both parties which in turn also allowed me to ‘technically’ break the budget by having the certificatios paid for by the two entities, meaning all 4 will possible.
Releived was the first emotion I had followed quickly be a fire burning in the learn motors in my brain.
So with a fully working (and powerhouse) laptop and funding sorted for all the certifications I began my adventure.
The DH Association immediately bought and paid in full the OSCP Exam + 60 days labs access (Actually super handy as Offensive Security come March 2022 are scrapping 30 and 60 days lab access bundles).
I knew that was the real ‘main course’ of this dining experience, getting the OSCP. I had read all the stories, all the struggles and the success stories (shoutout to @Sogonsec for his OSCP Journey) but I knew that I wasn’t quite ready for it, there is a lot to the OSCP and it includes creating of a Pentesting Report, something I have no experience with at all.
So I set about my ‘plan and timeframe’ for learning, taking and (hopefully anyway) passing these examinations.
Since I have a whole year to begin the OSCP process I have the time necissary to sure up my confidence and tackle some of the other examinations to get my self better suited and in a better position to take it.
I chose to do the eJPT firstly.
It had a lot of strong reviews, training was free thanks to INE making the Penetration Testing Student path free on their site and if I did screw up, I would have a free retake that I could do immedaitely.
Done! Thats the one I’ll go for.
So early January I sat down, popped my headphones on and started going through the material.
Now the way my head works it remembers the things it sees, not photographic but ‘good enough’, though now I’m getting to be older and the grey hairs are coming through, I decided to roll my own note taking ability and booted up Notion.
Notion is super handy and I do love it, but, that cloud syncing… Its annoying. Hopefully they let you locally sync in the future or I may have to avoid (damn clouds and their scanning of our data!)
I took an entire copy of the course material, word for word transcribed into Notion, the labs/exercise notes copied and pasted so I could go through it at my own leasure as well as referring back to it as needed.
That process itself took weeks as I have to balance my learning between school hours when my son isn’t home.
But with that out the way and some googling for ‘how to do cheetsheets’ for one liners etc I put my own together and went forwards with it.
I planned to start the exam the week prior (Thurs 27th Jan through to Sunday Morning as its 72 hours) but my Kali Virtual Machine wouldn’t boot up so I had to rebuild it and reinstall all my apps.
It doesn’t take long but made me realize about making a weekly backup and restoring from it etc (I will buy an external hard drive for this also but that can be when I have actual money haha)
So cut forward to the following Thurs (3rd Feb) I pulled the trigger on the exam BUT around 9:30am when I was about to start it, School called saying my son is telling them he’s unwell and was warm to the touch (temperature checks were fine though) So I popped down to give him some Calpol and he went back about his day so I got home and pressed ‘begin exam’, at 10:58am (I took screenshots):
It was a fun experience and I began planning how to take it down.
I knew going in to it that it was a multiple choice answer exam but the answers are discovered by doing the penetration test, so if you wanted to you could complete the pentest first then check the answers but after making hand copy of the questions being asked I ended up going back again to school to bring him home just before dinner as he wasn’t eating :(
He did eat at home, I think he was tired and wanted to be comfortable, either way he was a well behaved and let me crack on with the exam - Thank you Youtube as a distraction haha.
After 8 and a bit hours on day one and 9 questions answered I called it a day and settled for a movie night and bed.
The next day (the 4th) I got bolt up at 6:30am, I realized something about the exam and that there might be –SPOILERS REDACTED–, so I tried something new and found the answers to more questions.
I spent 16 hours on Friday connected and going through the exam, getting stuck for a while but after talking it out with people I figured where I was going wrong and corrected my methods getting a confirmed 15 questions right (enough to pass) 2 I was a little unsure about and 3 remaining that I spent a few hours on and clicked at.
After checking with my Mrs. she covered my eyes and hovered the mouse over to ‘submit quiz’ around 11:56pm. I clicked it (and then had to readjust to click the confirm window haha) and I did it, I passed!
After a little dance I also grabbed this screenshot just after midnight:
I’ll take that, it’s a pass and I did it :D In fact the only person a little annoyed is my Mrs. because she wants to know what questions I got wrong haha.
So yes, after a full month of revision between school hours, practice labs and blackbox tests I nailed it first time!
Since I’ve done my first ‘actual’ exam in about 15 or so years I’m looking forwards now to the other exams.
It’s been a wild ride and I have really enjoyed it (I’m sure from the outside looking in, me racking my brain and shouting at my fingers for typing commands wrong, looked terrible hahaha) and I can’t wait to get on with more.
Since I updated my LinkedIn I’ve had an outpouring of support and even recruiters asking questions and availability so I guess it really does show that getting all of these will net me a good job doing the things I love.
- Daniel Lowrie’s Journey to eJPT
- Mikhail Zhivoderov - How i passed eJPT exam with 100% score
- Andrew Roderos - Passed eJPT
- KentoSec - How to Pass the eJPT
- Sakshamanand.com - eLearnSecurity eJPT Review
- m0u53z - My eJPT Exam Review
Resources/cool stuff to check out: