\nFind a Linux host in subnet X, exploit a vulnerability, receive file X and decrypt it to retrieve the flag.<\/p>\n<\/blockquote>\n\n\n\n
So a big part of the challenge was understanding the question, identifying the correct vulnerable machine, and figuring out the steps to obtain the flag. Taking notes helped build a fast and structured attack path \u2014 or so I thought (more on that later).<\/p>\n\n\n\n
I scheduled the exam three weeks in advance, giving myself time to prepare properly. Instead of doing too many TryHackMe learning paths (which don\u2019t align closely with CEH), I practiced with VulnHub machines like the DC series to simulate unknown environments. I also re-did the CEH Engage modules to sharpen my workflow and focused on the questions I struggled with earlier.<\/p>\n\n\n\n
Day of the exam<\/h2>\n\n\n\n The exam was scheduled from 13:00 to 19:00 (Amsterdam time). In the morning, I warmed up with one CEH Engage module and watched a bit of Netflix to relax \u2014 I was nervous, especially after failing the theory twice.<\/p>\n\n\n\n
When it was time, I joined the GoToMeeting session, but the proctor couldn\u2019t see me. That was stressful because you have a 15-minute grace period before they cancel your session. Luckily, the proctor emailed me an invitation code which worked (shout-out to Proctor 6). After verifying my room, ID, and removing unsupported software (note: TeamViewer is not allowed), I was cleared to begin.<\/p>\n\n\n\n
During the exam<\/h2>\n\n\n\n I used the first few minutes to gather info about the subnets involved and saved that into a file, to avoid repeating slow scans later. I ran the classic: nmap -sCV -A <ip> -a ip_subnet.txt<\/code> for all three subnets. Then I scanned through the 20 questions, filtering them by perceived difficulty. Sample question types (without breaking NDA):<\/strong><\/p>\n\n\n\n\nIdentify a service version on a given machine.<\/li>\n\n\n\n Perform a vulnerability scan and provide the CVE.<\/li>\n\n\n\n Exploit a vulnerability, obtain a file, and decrypt it.<\/li>\n\n\n\n Identify SQL injection on a web domain and extract a password.<\/li>\n\n\n\n Perform Wireshark analysis.<\/li>\n\n\n\n Malware identification.<\/li>\n\n\n\n Wireless password cracking.<\/li>\n<\/ul>\n\n\n\nI learned you get three attempts per question<\/strong>, which gave me more confidence. I started with the easiest questions. For longer tasks (like vulnerability scans), I launched them and worked on other questions while waiting. Multitasking is crucial \u2014 it\u2019s easy to waste time in rabbit holes.<\/p>\n\n\n\nTo manage that, I used a self-imposed 15-minute timer per question<\/strong>. If I was still stuck, I moved on. Six hours sounds like a lot, but it goes by fast. After three hours, I already had 14 correct \u2014 just enough to pass. That gave me a boost. I went on for another hour and reached 16. Then I took a short break to grab a snack and chat with my girlfriend.<\/p>\n\n\n\nIn the final stretch, I managed to solve one more, ending with 18 out of 20<\/strong>. The last two were difficult:<\/p>\n\n\n\n\nA Drupal site with no clear attack vector:<\/strong> I tried droopescan<\/code>, Drupalgeddon 1 & 2, scanned for known CVEs based on the enumerated version, looked for hidden directories using gobuster<\/code>, and probed other open ports \u2014 no luck.<\/li>\n\n\n\nA vulnerability scan question:<\/strong> I couldn\u2019t get the CVE to appear, even after digging into the vulnerability for 45 minutes.<\/li>\n<\/ol>\n\n\n\nWith an hour left and 18\/20 already confirmed, I decided to submit.<\/p>\n\n\n\n
Post-Exam Reflections<\/h2>\n\n\n\n Now that I\u2019ve had time to reflect, I want to share some insights. Many online say the CEH Practical is “easy.” I partially agree \u2014 if you either:<\/p>\n\n\n\n
\nDrilled the ECC labs for two months, or<\/li>\n\n\n\n Have solid CTF\/real-world experience.<\/li>\n<\/ul>\n\n\n\nBut if something doesn’t go as expected \u2014 for example, an exploit doesn’t work \u2014 then your troubleshooting skills<\/strong> really matter. That\u2019s where CTF experience shines. For instance, I had to perform a path traversal attack<\/strong> on a DVWA instance. Sounds easy, right? But:<\/p>\n\n\n\n\nThe DVWA had to be set to low security<\/em>, and<\/li>\n\n\n\nIt was hosted on a Windows server<\/strong>, so \/etc\/passwd<\/code> was useless.<\/li>\n<\/ul>\n\n\n\nInstead of using the file inclusion tab, I used the RCE module and started enumerating files with dir<\/code> and type<\/code>. This kind of pivoting isn\u2019t something you just memorize \u2014 it comes from practice. So no, it’s not that easy<\/strong> for beginners. I’d rate it somewhere between beginner and intermediate.<\/p>\n\n\n\nBadge completion<\/em><\/figcaption><\/figure>\n\n\n\nFinal verdict<\/h2>\n\n\n\n Even though I didn\u2019t pass the theory (and thus missed CEH Master), I still feel very proud of this achievement. Pentesting is hard. Failing the theory twice was frustrating, especially knowing I understood the material \u2014 I just don\u2019t perform well under multiple-choice pressure. But the practical<\/strong> let me prove my skill, and I\u2019m glad I pushed through. There\u2019s a lot of criticism about CEH out there, and I get some of it. But honestly:<\/p>\n\n\n\n\nThe book was solid.<\/li>\n\n\n\n The ECC labs were stable and helpful.<\/li>\n\n\n\n The Engage modules were a good playground (even after breaking a few machines myself \ud83d\ude05).<\/li>\n<\/ul>\n\n\n\nI\u2019m not done \u2014 maybe someday I\u2019ll try CPENT<\/strong> \u2014 but that\u2019s for later. Lastly, I\u2019ll share my CEH notes in my GitBook. Even if no one reads them, I want them to be out there. Everyone deserves to learn from someone else’s struggle.<\/p>\n","protected":false},"excerpt":{"rendered":"So, I\u2019m finally done with CEH. After countless hours of studying and working through labs for both the theory and practical exams, I wanted to take a moment to share my journey \u2014 the highs, the lows, and what I learned along the way. Theory Exam To earn the CEH Master title, you first need […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[35],"tags":[],"class_list":["post-361","post","type-post","status-publish","format-standard","hentry","category-training"],"_links":{"self":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/361","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=361"}],"version-history":[{"count":3,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/361\/revisions"}],"predecessor-version":[{"id":366,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/361\/revisions\/366"}],"wp:attachment":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=361"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=361"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=361"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"\"](\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/08\/CEHPRACTICAL_5FB43496785F.png\")