How I Passed HTB Certified Penetration Testing Specialist
My Methodology to pass CPTS from Start to End
Last updated
My Methodology to pass CPTS from Start to End
Last updated
I recently had the opportunity to take the Certified Penetration Testing Specialist Exam from HackTheBox (CPTS). For those unfamiliar, the CPTS is a highly practical certification that rigorously tests candidates' penetration testing skills. Holders of this certification demonstrate intermediate-level competency in ethical hacking and penetration testing. Over a 10-day period, candidates must identify security issues and exploitation avenues that are not immediately apparent through CVEs or known exploit PoCs. They can think creatively, chain multiple vulnerabilities for maximum impact, and provide actionable recommendations to organizations through comprehensive pentesting reports.
Without ruining the integrity of the exam, here’s a high-level overview:
You have 10 days from the time you spin up your exam environment to successfully capture at least 12/14 flags and deliver a comprehensive, commercial-grade exam report that must include the following:
Executive Summary
Network Penetration Test Assessment Summary (Summary of Findings)
Internal Network Compromise Walkthrough (Must include screenshots)
Remediation Summary (Short, Medium, and Long Term)
Technical Finding Details
Appendices (including but not limited to severity levels, subdomains discovered, compromised users, changes/hosts cleanup, etc).
All of which you would be expected to deliver in a traditional internal network assessment report for an actual client.
Willingness to Learn Dedicate time to thoroughly understand each module. While 43 days may seem excessive, it's crucial to grasp the conditions behind attacks rather than just completing tasks. Even with experience in complex network assessments, the exam presented unfamiliar attack paths that required deep understanding.
Pace Yourself The 10-day timeframe requires completing technical tasks and producing a commercial-grade report. My report spanned 87 pages. Manage your time wisely to ensure both tasks are accomplished efficiently.
Abusing Intended Functionality The CPTS exam challenges you to strategically use available resources. Familiarize yourself with OWASP Top 10 attacks, Linux and Windows lateral movement and privilege escalation, password cracking, pivoting, and ACL enumeration. Expect to encounter sophisticated scenarios where basic tools and common exploits won't suffice.
Be Thorough Take detailed notes during the modules and the exam. Documenting your process and taking screenshots will help you avoid rushing when time is tight.
Be Confident This journey is demanding but achievable. Use this as motivation. The modules provide everything needed to succeed. Stay focused and confident.
Focus on Depth, Not Just the Path For the CPTS, simply following the path can get monotonous. The path covers various sectors step-by-step, making it dull if you stick only to AD, web attacks, or pivoting. The CPTS path is designed for in-depth understanding.
Comprehensive Knowledge You need detailed knowledge of the entire penetration testing process, from start to finish, to crack the CPTS exam. Utilize the CPTS labs thoroughly, as they cover a wide range of scenarios.
Utilize HTB Labs and Resources Invest in a VIP subscription to HTB labs. Follow IppSec on YouTube; his videos are invaluable. 0xdf provides top-tier write-ups for HTB machines. People often recommend TJNull’s OSCP list and IppSec’s Unofficial CPTS Playlist as good boxes to root before the exam.However, my sincere recommendation (which many who have passed the exam share) is that you shouldn’t really be doing any boxes outside the path if you already have sufficient CTF experience.
Focus on Advanced Challenges While normal machines are helpful but they all are pretty much same, prioritize medium/hard/insane machines using IppSec’s videos and 0xdf’s write-ups. This will prepare you for the complexity of the CPTS exam. You can filter HTB labs to focus on specific topics like AD or web attacks.
Leverage IppSec’s Website If you get stuck on a specific topic like AD, LLMNR, or responder attacks in HTB Academy, search for it on IppSec’s website. You’ll find targeted machines and videos to help you master those areas.
By following this methodology and leveraging these resources, you’ll be well-prepared to pass the CPTS exam and excel in penetration testing.
The final module, Attacking Enterprise Networks (AEN), is a comprehensive walkthrough of an enterprise-like lab with multiple machines, integrating techniques from the entire path. A common tip is to attempt AEN completely blind to simulate the exam experience and gauge your readiness. I followed this advice and highly recommend it.
Attempting AEN blind is the closest simulation to the real exam, though it is scaled down in difficulty. Once you’ve seen the module content or walkthroughs, you can’t redo it blind. Strive to finish without external help, even if it takes hours or days. Avoid looking at the questions, as they contain hints you won’t get in the exam. Instead, start the lab, get the IP addresses, and dive into the hacking.
AEN has a specific structure. Here are some spoiler-free steps to follow:
Get all seven web flags on DMZ01.
Get a foothold and root access on DMZ01.
Get a foothold and root access on DEV01.
Get a foothold and root access on MS01.
Get root access on DC01.
Get a foothold and root access on MGMT01.
Not all steps have flags, and the flags in AEN aren’t comparable to those in the exam. Complete the lab first and then submit the actual flags.
If you complete AEN blind in around five days or less, you’re likely well-prepared for the exam. If you needed significant help, refine your methodology and practice more with CTFs before attempting the exam.
If you got stuck occasionally and only glanced at write-ups or asked for small hints, don’t worry. The goal is to overcome challenges without help, but don’t get stuck for more than a day. Take notes on where you struggled, adjust your methodology, and retry the module using your notes.
The exam environment mirrors the AEN structure closely. Here are the steps you can expect:
Get a foothold and root access on Webnix01.
Get a foothold and root access on MS01.
Get a foothold and root access on WS01.
Get a foothold and root access on DC01.
Get a foothold and root access on DC02.
Get a foothold and root access on ADMIN01.
Get a foothold and root access on MGMT01.
Get a foothold and root access on MGMT02.
By practicing AEN blind, you will be better prepared for the structure and challenges of the actual exam.
To enhance my report processing, I subscribed to ChatGPT for one month specifically for the CPTS exam and report writing. ChatGPT 4.0 proved to be significantly more accurate than version 3. It provided valuable assistance in drafting and refining my reports, streamlining the entire process.
PEACE ✌️