TCM Security – PNPT Exam

So I took this exam last week and it’s fair to say I failed and pretty hard too. The structure of the exam is really good and I felt that the initial contact was very well written. The Rules of Engagement are super clear and you’re given an Open VPN file to connect to the network.

The network itself is really responsive and running scripts and other attacks work really really well.

The problems

Please note the problems here are all mine. Absolutely nothing wrong with TCM and their practices.

After about 9 hours of trying to get some sort of foothold on the network and getting nowhere, I became super frustrated so frustrated I emailed TCM’s support team asking them to check the environment as I was convinced something was wrong. Let’s put it this way I didn’t send my email graciously, it was a rather panicked clumsy email that no doubt sounded like I was asking for help and tips. I wasn’t but certainly didn’t help myself. They responded in about 10 minutes which I couldn’t quite believe. They were very gracious in their response and kindly informed me that the environment was working fine with no errors.

The second thing I did which was super stupid in hindsight is going to Discord Server and ask for general guidance on OSINT. I was convinced and still am that my OSINT sucked. What I was trying to ask for is how people take the information and make the decision on their attacking method. I was quickly pulled into a one-to-one meeting with the moderators and told off. Whilst this is an open-book exam and I felt I was being generic enough to ask, the topic in question is still pertinent to the exam. Just learn from my mistake don’t do it. Fortunately, the moderator was gracious enough to tell me off and put a temporary ban on my account on the Discord Server. They said that if I did anything like that again, my exam would have been terminated. It’s not worth it, it’s open book just go to Google and research.


So all in all, I didn’t get very far in the exam, the thing I wanted to test my knowledge on Active Directory I never got into which is a shame. Once I submitted my report the TCM team dropped me a little hint, my jaw dropped as I looked into it and my wife started laughing her head off because it was rather stupid.

Takeaway 1: I believe the exam is designed for beginner to intermediate, if you’re spending hours and hours coming up with weird and wonderful ways to exploit something, don’t. Just stop!

Takeaway 2: In the courses, Heath talks about the importance of Enumeration. I genuinely believe he’s right here. Make sure you’re notes are right on this and make sure you include Reconniasinace and Scanning within your Enumeration.

Takeaway 3: There’s a saying “try harder” when it comes to this stuff. However, John Hammond, I think re-phrases this perfectly to “try again”. If you’re stuck. Stop, you might not be able to let go of what you’re doing in your head. I know I can’t however, take 10-20 minutes off, step away from the desk and get a cup of tea or coffee. Then when you sit back down at your desk and review all of your Enumeration, it’s likely there’s something in there that you can use which is much easier than whatever you’re looking at.

Next Steps

I’d like to give this another crack, however, all of my Cisco certifications are up for renewal at the end of the year and with work moving to Juniper, I don’t have access to any of their hardware so I need to put some time aside to get back to it. If I get time I’d like to have another go before the end of the year but we’ll see what happens with my other certifications. I’ll update here once I’ve had another go.

Attempt 2

So, it happened again. TCM has announced a complete overhaul to their exam scenario and should I want to make use of the hint I was provided with I should have another go before the end of 2022. Not ideal with my Cisco certification renewals looming but I felt I needed to use the knowledge I gained on the scenario and not waste it.

With the hint I got from the last attempt I spent 30 minutes on the re-attempt and had access to the internal network through Proxychains. I attempted to use Responder, MITM6 and NTLMRelayX but as they all use Link-Local networking I needed to run the software on the External server. Unfortunately, I couldn’t escalate my privileges on that external server and as such I could run those pieces of software as it needs root privileges.

I was able to run some brute-force attacks against the internal network and got a user account on the domain but the account didn’t have any privileges so I could use SMB or RDP to get onto the internal network any further. All in all a bit of a shame but I’m glad I didn’t give up and continued to attempt to gain further access.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s