Passing CNPen (SecOps Group) with merit

29-Dec-2024

The Certified Network Pentester (CNPen) by SecOps Group is an excellent certification for cybersecurity professionals with 0-1 years of experience looking to gain hands-on penetration testing skills. Unlike many theory-heavy certifications, CNPen is a 4-hour practical exam and is highly relevant for beginners aspiring to specialize in network penetration testing.

To pass the CNPen exam with merit, focus on mastering the following skills:

  1. Network Scanning & Enumeration: Learn how to identify open ports, running services, and vulnerabilities using Nmap scripts (NSE).
  2. Exploitation with Metasploit: Understand how to leverage Metasploit for exploitation and privilege escalation. Learn how to handle exploits, configure payloads, and manage sessions effectively. Meterpreter: Understand how to use Meterpreter post-exploitation techniques.
  3. Handling Reverse Shells: Be proficient in handling bind & reverse shells in Bash, Netcat, PowerShell, and Python. Learn how to stabilize shells, upgrade shells (e.g., to an interactive TTY), and evade firewalls.
  4. AWS S3 Bucket Misconfigurations: Understand public vs. private S3 buckets and how misconfigurations can lead to data exposure. Learn to use AWS CLI tools for bucket enumeration and exploitation.
  5. Generic Web Exploits: Be comfortable with SQL Injection, XSS, Directory Traversal, LFI/RFI, and Server-Side Request Forgery (SSRF). Practice manually exploiting these vulnerabilities without automated tools.
  6. Source code: Learn how to review source code in languages like Python, PHP, and JavaScript. Identify hardcoded credentials, weak authentication logic, and security misconfigurations.

During the exam

The exam environment provides you with a Kali machine to perform all the attacks. It is recommended to use this machine for all the testing, as you will save yourself a lot of routing headaches: the testing environment is only accessible through a VPN.

This is a 4-hour practical exam with 15 questions. There are no artificial flags; instead, a piece of information obtained during the testing has to be provided in the answer field.

  • For example: "What is the password of the user with the username banana?"

Don't rely on a single tool during the testing. During the exam, my Metasploit was not working and for some reason (god knows why) I didn't contact SecOps Group support at cert@secops.group. Having issues with Metasploit was fine with me, as I used Villain to perform the same task.

If you encounter any infrastructure-related issues during the exam, contact the SecOps Group cert support; they are really helpful and reply quickly.

Resources:

  1. Hacktricks aws-s3-unauthenticated-enum
  2. Flaws Cloud walkthrough
  3. Hacktricks Website
  4. Payatu's Guide to Linux Priv Esc