Introduction
The TryHackMe PT1 is an entry-level certification that requires you to understand the fundamentals of Web Application security, network security, and Active Directory penetration testing. The certification is a real-world example of a penetration test, including a realistic report that is graded by an AI (more information on this is available within the blog). This certification is designed for individuals seeking to enter the field of cybersecurity, with a focus on penetration testing and security assessment. Among all the practical entry-level certifications in the industry, this is a great certification; however, there are a few cons that will be discussed.
Exam Breakdown
The exam is 48 hours long and requires you to penetrate various systems, obtaining flags along the way. Each flag results in points being obtained. You need a total of 750 points to pass the exam. With each exam purchase, you receive one free retake. Something to remember is that this exam expires after 3 years. You will have to renew this certification to keep it.
There are three domains in this exam:
- Web Application Security
- Network Security
- Active Directory
Web Application Security
The web application security section requires you to understand the fundamentals of various attacks, including Insecure Direct Object References (IDOR), SQL Injection, Cross-Site Scripting (XSS), and others. As an Application Security Professional in the field, this was NOT entry-level. While I understand why they describe it as entry-level, I can say with certainty that you will get lost in rabbit holes and get stuck a few times. This is by far the most challenging section of the entire exam. This accounts for 60% of the exam grade, so allocate a decent amount of time to this.
Network Security
The network security section consists of your standard TryHackMe or HackTheBox boxes. You have a machine that requires thorough enumeration and privilege escalation on Linux and Windows. You’ll need to be familiar with the basics of enumeration and privilege escalation techniques.
Here are a few tools to look into:
- Hydra
- Gobuster
- Nmap
- GTFOBins
- Revshells.com
- SNMPWalk
Active Directory
The easiest of the three is Active Directory. This section requires you to understand the fundamentals of AD attacks and how to exploit specific misconfigurations to achieve the ultimate goal: gaining Domain Administrator privileges. In this, you will need to navigate through different machines. While Active Directory can sound terrifying to some, most of the attacks are taught within the TryHackMe material.
Here’s some stuff to look at:
- Kerberoasting
- AS-REProasting
- Pivoting (Ligolo-ng)
- Impacket
- NetExec (nxc)
- PowerView
- SharpHound/BloodHound
My Experience with PT1
Starting in the exam environment, I connected to the VPN and began reading the Rules of Engagement. This document outlines everything you can and cannot do during the exam. Don’t skip that part. The exam is structured into different sections with a visual diagram showing you where you are within the network, similar to how Cobalt Strike does it.
I began by examining the web application section. As a web application penetration tester for almost three years, I was confident that I could handle this. After about 15 minutes of reviewing the application, I began to notice that the machine was slowing down and lagging slightly. I created a new VPN file and found that the lab was no longer connecting. After a few restarts, nothing was working, so I contacted TryHackMe to assist with the issue. With my luck, it was a holiday weekend, and no one was available to help me troubleshoot the problem. After restarting and taking a break, I returned, and the lab began to function correctly—no lag, no bugs, no VPN issues.
When performing a real-world web application assessment, I like to scope out the application and understand what it’s doing before proceeding to test. After reviewing each endpoint and understanding its details, I began my standard methodology, but still found no flags.
I stopped looking at the web application and began checking out the Active Directory section. As I mentioned earlier, this was the easiest section. Looking at the first machine, I knew exactly what to do and gained access to the machine. After that, I began enumerating the machine and identified a misconfiguration that led to a pivot point. From there, I could pivot and find another misconfiguration, wrapping up the AD environment. I wish the AD environment were more challenging and had more machines to pivot. However, it was suitable for a beginner certification.
Next, the network security section was also very similar to the Active Directory section. Looking at the machines, I gained access to the machine and escalated my privileges to administrator/root. These two sections combined took less than 2-3 hours to compromise.
Back to the web application, I obtained the first flag within 20 minutes. From there, I did additional exploits and received two additional flags. From there, I knew I had passed the technical assessment, but I was determined to identify the final flag. After a few hours of trying different things, the final flag was deemed too challenging, and I stopped the technical phase.
The reporting phase started. Throughout the entire exam, I documented my process and the commands I used on each machine, making it easy to write up the findings. The reporting utilizes Artificial Intelligence (AI), which I’m not a massive fan of. The AI requires you to supply specific keywords, and if those aren’t there, you could get points taken off. A key piece of advice: ensure you include the proper CVSS score. You can do this by going to this website. I wish I had known this when taking the exam, as I based my decision on what I felt was an appropriate severity score. Severity scoring is challenging because there’s a lot of thought that needs to go into it. Nonetheless, ensure that you do so when reporting.
I supplied as much information as possible about the vulnerability, what it is, how it works, the commands I used, and a step-by-step process. Be as THOROUGH as possible. Remember, an AI is grading this, not a human. You want to put as much detail as possible about the attack and how you achieved it. Lastly, there is the remediation section. Ensure that you provide a wealth of resources and information about each vulnerability you identify. If your report consists of a few sentences, you WILL FAIL.
After completing the reporting phase, I reviewed the report one more time and submitted the exam. Now, if the vulnerability you identified doesn’t have a flag associated with it, chances are it won’t be graded. I put in a vulnerability that I found, and instead of giving me some credit for identifying it, the AI removed the vulnerability completely and gave me a zero.
Preparation Strategy
While exams can feel daunting for most, I have compiled a few resources that would be beneficial to try before attempting the exam. This is my personal preference, but I recommend completing all TryHackMe boxes before attempting this one.
Learning Paths
TryHackMe Rooms
- PickleRick
- Brooklyn99
- Vulnversity
- Basic Pentesting
- RootMe
- SimpleCTF
- Bounty Hacker
- Steel Mountain
- Enterprise
- Fusion Corp
- Services
- Watcher
Cheatsheets
I know some of these are OSCP-based, but they are still good for this exam.
Final Thoughts & Next Steps
This exam was fantastic. There’s a ton of value in this exam, and it is a great entry-level certification to get if you are a beginner. Something worth noting is that you should familiarize yourself with web application security. This was the most challenging part of the exam that I felt a beginner could struggle with.
I would recommend this exam to individuals seeking to enter the field of penetration testing, as it offers value and provides a realistic view of what an actual penetration test entails, encompassing both technical and reporting components. This is a perfect exam that can lead you to the OSCP.
Authors

Lead Technical Writer
Evan is a dedicated cybersecurity professional with a degree from Roger Williams University. He is certified in GRTP, OSCP, eWPTX, eCPPT, and eJPT. He specializes in web application and API security. In his free time, he identifies vulnerabilities in FOSS applications and mentors aspiring cybersecurity professionals.