What I learned from Failing & Passing the PNPT

How you should approach the exam, why you should or should not take it and a little reference to how it relates to a very popular video game franchise.

3/1/2024

Hi everyone! Welcome to my first exam certification write-up. The aim of this write-up is to provide insights, expectations, the approach to the exam and how beneficial this exam will be to you if you decide to take it. Most importantly, this review will strictly be less technical and lean more on telling a story of how I managed to get through the exam despite failing it on my first try a year prior, what resources I used and lastly some tips on how to clear it. You might be asking yourself "what if" questions such as: what if I take this exam, how will it benefit me? Or what if I do not take the exam but just the course, will it be sufficient for my learning? Maybe this write-up will add some different perspectives on how you feel about the exam, or influence your decision in taking it.

Well, this write-up will answer those "what if" questions as I will share my experiences from the very beginning when I first purchased TCM Security’s Practical Ethical Hacking Course. I hope it will relate to whatever current situation you are in, whether you are getting started in cybersecurity or preparing for the exam. Without further ado, let's get started!

What is the PNPT?


First off, let's talk a bit about what the Practical Network Penetration Tester, most commonly known as the PNPT, is. My definition of the PNPT exam is that it is the first exam certification that provides an assessment on how to attack and compromise the internal Active Directory of an organization by using skills and techniques that real hackers use. Active Directory stores information about objects on the network and makes this information easy for administrators and users to find and use.

TCM Security states that it is a ‘Real-World Exam’ certification, which is definitely true. Your mission starts off by trying to gather publicly available information and using that as leverage to infiltrate the internal network until gaining administrative control of the entire network. Sounds cool, right? Not only that, but the exam voucher includes a free retake in case you fail on the first attempt, along with lifetime access to all the course materials related to the exam, which include the following:

  1. Practical Ethical Hacking - The Complete Course

  2. Windows Privilege Escalation for Beginners

  3. Linux Privilege Escalation for Beginners

  4. Open-Source Intelligence (OSINT) Fundamentals

  5. External Pentest Playbook

Course Material

Regarding the course material, it is really good, especially for the amount of money that you have to pay. It is indeed a good investment as everything that will be assessed in the exam is covered in the course. The course covers an extensive amount of material starting from the basics up until the advanced level. The delivery of the material is catered to all levels and some of the topics that seem hard to understand are explained perfectly.


How I found the PNPT?

I had just passed a cybersecurity certification from CompTIA and was researching how to renew it by taking a high-level certification. Then I stumbled upon the free Practical Ethical Hacking course on YouTube; further research led to finding the fully paid course, which also came with the Practical Network Penetration Tester exam. After fully paying for the course materials, which include an exam voucher and free retake, my intention was to use the course materials to enhance my knowledge for the CompTIA certification. However, as I was going through the course, I soon realized that eventually I would like to use the skills learned in this course and put them to the test in a simulated environment such as TryHackMe (more on this later).

Going back to the course, I believe it is the first cybersecurity course that offered insights on how to attack Active Directory. At the time I don’t think that the other companies were providing Active Directory attacks on their platforms, but soon after Offsec would introduce it in their exam. I was working as a system administrator and I had never even heard of Active Directory attacks let alone knew that it was even possible. This provided another good reason to learn as I would be able to apply the learning materials to my professional career. Taking the exam was not something that I wanted to pursue at the time as I had zero experience in practical ethical hacking.

How I prepared?

The course material currently has about 50+ hours of content and I managed to finish it within 4 months. I was juggling an office-hours job during the day, so I invested about 2-3 hours per night during the weekdays to study the material, whereas during the weekends I spent up to 7 hours. If you are a complete beginner to cybersecurity I would suggest going through every single video in detail. Do not worry, as the presentation of the material is favorable to beginners and I can vouch for that. I am not a super-technical person myself, but at that time I had basic knowledge of networking, Linux and programming fundamentals, hence I was able to skip some of the materials that taught these topics.

I talked about TryHackMe previously and this service provided me with a very good platform to apply what I learned in the course in a simulated environment. If you are a complete beginner to ethical hacking, I highly recommend this platform to practice your hands-on skills. TryHackMe also includes a very good number of learning paths designed for all levels, where the machines properly guide you with detailed instructions. The learning paths that I would suggest are the Junior Penetration Tester, Complete Beginner and CompTIA Pentest+ paths.

With the TryHackMe machines and Practical Ethical Hacking course in rotation, I felt confident enough to take the PNPT exam, so I booked the exam in April 2023. Turns out I was not ready enough, as I failed badly by getting stuck in the very early stages of the certification exam. Key takeaways that I learned from that first failure were not enough enumeration, lack of a good note-taking practice, lack of basic reconnaissance techniques, not thinking outside the box and easily giving up. I felt embarrassed and disappointed that after spending a lot of hours in training I could not even find a basic entry point into the network.

But as aspiring penetration testers and ethical hackers, we do not give up when faced with obstacles. The traits that every cybersecurity professional should have are:

  1. Learn from your mistakes 

  2. Be resilient 

  3. Have the mentality and the capacity to withstand or quickly recover from difficulties


Soon after it was back to the drawing board and grinding back on the TryHackMe machines by working on the areas where I got stuck in the PNPT exam. Furthermore I looked at other resources as well which helped to expand my knowledge and observe a different methodology on how to solve the problem.

A New Exam


By mid-2023 TCM Security introduced the Practical Junior Penetration Tester or PJPT, an exam similar to its big brother the PNPT but without the external portion. I took the exam and passed it on the first try, giving me full confidence in my knowledge of internal Active Directory attacks. With that certification, I felt ready to retake the PNPT exam.


Retake Redemption

Fast forward to early 2024: I booked the exam and was faced with the stage where I had gotten stuck. However this time, with a whole new perspective and a good wealth of experience with me, I managed to get through it and progress further into the internal network until finally getting the domain administrator credentials! Once again, learning from mistakes and a lot of practice really helped me to succeed. The whole process was not easy though; there were some challenges along the way where I got stuck in some stages. This is where the reviews from other people who have passed come in, stating that the exam is not a capture the flag or CTF. If you approach it with a CTF mindset, you will get stuck and waste your time.

Key Takeaways

Learn from your mistakes! As I repeated many times in this review, failure does not mean the end of the world and it is also a trait that many aspiring penetration testers have in their mindset. Penetration testing is almost like a game of chess where if you find a good move, find a better one. I also like to relate it to the famous video game franchise Hitman. There are many ways to assassinate your target but ultimately the best and stealthiest way will always be after doing a lot of information gathering by finding clues. 

Take breaks and stay hydrated. Before the exam you are provided with a rules of engagement document that also mentions this. It really is true: if you stay too long in front of the computer, your mind does not focus and you will easily become stressed out.

Do not rely on one source. Part of becoming a good pentester is adopting your own methodology and resources. There are many resources out there that will help in enhancing your knowledge to get a further understanding in some of the topics taught in the course. 

This is not an exam where you need to capture everything hence the reason why you see a lot of people saying to not treat it as a CTF! I do not want to reveal too much but this is all I am going to say.
