← back to blog
4 min read
  • #ejpt
  • #study
  • #kali
  • #notes

Lab time vs book time for eJPT

eJPT rewards hands-on enumeration reps, not reading. Here is my Kali VM setup, what one lab session looks like, and the note format that actually survives the exam.


I spent my first two weeks studying eJPT the wrong way. I read the material, highlighted it, read it again, then sat down at a lab box and had no idea what to type. The exam is not a reading test. It is a hands-on test where you get a network, some hosts, and a list of questions you can only answer by breaking in and looking around. Reading teaches you what nmap does. It does not teach you what to do when nmap comes back with a port you have never seen before.

So I flipped how I spend my hours. Now it is mostly lab time, a little book time. Here is what that actually looks like for me, because I am still in progress on this cert and I am writing down what is working before I forget it.

Why reps beat reading here

eJPT asks you to enumerate. That is the whole game. You find hosts, you find services, you find versions, you find the one thing that is misconfigured, and you follow it. The skill is not memorizing that SMB runs on port 445. The skill is the muscle memory of running the enumeration, reading the output without panicking, and deciding the next command in about ten seconds.

You do not build that by reading. You build it by doing the same boring loop fifty times until it stops being scary. My rule now is simple. If I catch myself reading for more than thirty minutes without touching a terminal, I am procrastinating with extra steps.

That said, book time is not useless. I still read to understand a protocol I keep tripping over, or to figure out why an attack that should have worked did not. Reading is for filling a specific hole. It is a bad default and a good repair tool.

My Kali VM setup

I keep this boring on purpose. Boring means it works the same way every time.

  • Kali Linux running in VirtualBox on my laptop. Free, and I can snapshot it.
  • A snapshot taken right after a clean setup, so when I wreck something I roll back in thirty seconds instead of reinstalling.
  • Two folders in my home directory. One called targets with a folder per box, one called notes.
  • The tools that ship with Kali. I did not go install a pile of extra stuff. nmap, the netcat family, the usual web tools, Metasploit for when it is the right call. eJPT does not need a custom rig.

One honest limitation. A VM on a mid laptop is slow, and Metasploit is a memory hog. If your machine has 8GB of RAM you will feel it, and you should close the browser while you work. I am not going to pretend a $2000 rig does not make this smoother, because it does. You just do not need one to pass.

I also do a lot of small study on my phone with Termux, but not the hands-on lab work. Termux is great for reading man pages, ssh-ing into something, or running a quick command when I am away from the laptop. It is not where I practice full attack chains. Right tool, right place.

What one lab session looks like

I time-box a session to about ninety minutes. Longer than that and I stop learning and start flailing. A session goes like this.

  1. Pick one target box. Just one.
  2. Full port scan first, then a service and version scan on what came back. I say out loud what I expect to find before I read the output.
  3. Enumerate every open service, one at a time, top to bottom. No skipping to the exciting one.
  4. When I find a foothold, I stop and write down exactly what got me in before I go further.
  5. If I get stuck for more than twenty minutes, I write down the specific question I am stuck on, then I go read to answer that one question.

The part people skip is number three. On the exam the answer is usually in the service everyone ignores because it looked boring. Enumerating everything is the habit that actually moves your score.

Notes that survive the exam

My first notes were a wall of text I could not search under pressure. Useless. Now every box gets a plain markdown file with the same four headings, so I always know where to look.

  • Recon. The raw scan output, pasted in. Ports, services, versions.
  • Findings. One line per interesting thing. "Port 8080 running an old web app, default creds might work."
  • Access. The exact command or step that got me in. Copy-paste ready.
  • Loot. Users, hashes, flags, anything the exam might ask for.

The exam is open notes in the sense that nobody stops you from using your own. So during practice I write notes as if the future stressed version of me will read them and nothing else. Short lines. Real commands, not descriptions of commands. If I write "used nmap to scan" that helps no one. If I write the actual flags I ran, I can rerun it in five seconds.

I keep the same headings for every single box. Boring and repeatable beats clever and unique when the clock is running.

If you want a low-friction way to drill the recall side while the labs build the hands-on side, I put eJPT flashcards, quizzes, and a daily question with streaks into Aldo's Toolkit, free on both the App Store and Google Play. It is what I use to keep the terms warm on days I cannot sit at the VM. Grab it at /app and tell me what is missing.

$ share

community rating

$ ls ./comments

sign in or create an account to rate and comment.

no comments yet, be first.