As previously mentioned, the PNPT includes 5 different courses for study material. Each course includes several hours of clear instructional videos to follow along with, as well as several capstone exercises that will test the skill you learned in the course.

1. Practical Ethical Hacking – The Complete Course: This is the same PEH course used for the PJPT. It provides a broad overview of ethical hacking skills and methodologies from basic bind shells and reverse shells to Active Directory enumeration and attacks to post exploitation and basic web application vulnerabilities. One thing I love about this course is its use of hands-on study materials. After the non-Active Directory portion, there’s about 5 vulnerable virtual machines complete with walkthroughs from the initial attack to gaining full root access. The Active Directory portion starts with a walkthrough for setting up an AD home lab with a domain controller and two workstations so that you can follow along with the videos. The web application portion also includes a local web server to test out vulnerabilities, as well as walkthroughs for each attack. Its a very thorough course and I’d recommend any aspiring hacker take this course.
   
   
   

2. External Pentest Playbook: This course will teach you how to go about attacking a network from the outside rather than starting from within the target subnet. While there’s not as much hands on lab work in this course, it does provide a lot of valuable information on password guessing/finding techniques, attacking login portals, privilege escalation, report writing, and even some common pentest findings. This course was very helpful for the exam.

3. OSINT Fundamentals: As the name suggests, this course covers the fundamentals of open source intelligence (OSINT) gathering. Whether you’re looking for information on a business, an image, email addresses, usernames, websites, passwords, or people, this course provides a ton of resources to gather any type of information you might need. This course also covers the intelligence lifecycle, OSINT automation, and OSINT report writing and wraps up with some fun OSINT challenges.

4. Windows Privilege Escalation: This course covers a broad range of privilege escalation techniques for the Windows OS. Some of the escalation paths include DLL hijacking, kernel exploits, password mining, port forwarding, RunAs, service permissions, startup applications, getsystem, executable files, registry, impersonation and potato attacks. The course also includes access to a Windows PrivEsc room on TryHackMe.com so you can follow along and try each exploit.

5. Linux Privilege Escalation: As you may imagine, this course covers some privilege escalation techniques for Linux. Some of the escalation paths include capabilities, docker, NFS root squashing, SUID escalation, kernel exploits, scheduled tasks, sudo exploits, and some automated tools for privilege escalation and exploitation.

The PNPT exam was a lot of fun… and a lot of frustration. You have 5 days to attack and fully compromise an Active Directory domain from outside of the network, starting with an OSINT investigation to discover a way into the internal network. The exam will test your ability to brute force using burpsuite, password guessing techniques from the course material, pivoting using something like sshuttle or proxychains, and Active Directory enumeration and attack skills, as well as critical thinking and attention to detail.

To be completely open and honest, I failed the exam 3 times, all of which were because I was thinking WAY too hard about it. I failed the first exam without breaching a single account. That was rough. On the second attempt, I managed to breach through the external network and set up a tunnel, but I assumed some things about usernames that were wildly inaccurate. I did manage to gain access to the internal network and move laterally, but then I got stuck on a particular machine. That’s what caused my second failure. Its also what caused my third failure, which happened when I gave up halfway through after being stuck in the same spot that I got stuck on for the previous attempt. It. Was. Frustrating.

Fortunately TCM offers any further retakes for $100, so you don’t have to break the bank to pass. “We never want to profit on failure,” the website says. That is an amazing business model, in my opinion. Too many companies are too focused on making a profit and lose sight of what’s actually important.

What makes this exam great is the fact that it is meant to mimic a real world penetration test with absolutely no flags to capture. The exam material consistently tells you to think of it like a real penetration test rather than a CTF, a sentiment I absolutely support. Enumeration is key here. If you are stuck, Enumerate Enumerate Enumerate!

The exam isn’t proctored or anything, but after 5 days the exam environment will close. Once I finally figured it out I realized I was only 10 minutes or so from compromising the entire domain. I was too busy focusing on what I should be that I was overlooking what I actually found.

Aside from the frustration, this was a lot of fun!