
Certified Penetration Testing Specialist Review (with Pro Labs)

20 mins · Review


After becoming 1 of under 1,000 with the Certified Penetration Testing Specialist, I wanted to write down my experience for CPTS and hope to share some insight like I did for CBBH.

I also wanted to highlight some of the extra training I did as well as the preparation I did for the exam.

Why

Well, I would be lying if there wasn’t a small part of wanting to achieve the CPTS due to the hype. With the reviews posted about CPTS, you hear and see things like

  • “Harder than the OSCP”
  • “The new standard for penetration testing certifications”
  • “Hardest exam I have ever taken”

There have been quite a few reviews that have added to this mystique. Those are

The most surprising of these is John Hammond’s review. Even he struggled with the exam and didn’t pass (in his defense, he was moving at the time and was busy doing John Hammond things). It should be known that he also holds the pinnacle of offensive security certifications (IMO), the OSCE3, and STILL struggled with CPTS. I think this highlights the type of exam the CPTS is, which I will bring up later.

Other than the reviews and the hype, the main reason I pursued this was based on some of the reasons I gave in my CBBH review. The pricing for CPTS is reasonable, about $410 on its own. Plus, since I already had about 30% of the course complete from CBBH, I thought I should just continue on and complete the CPTS.

Course Material

I thought the CBBH material was dense until I was near the end of the CPTS training. One review said it best: completing the CPTS training is an accomplishment in itself, which I completely agree with. The CPTS is not only longer, but some of the modules go more in depth than the ones in CBBH.

The most informative, thorough, and dense modules that I enjoyed would have to be:

  • Active Directory Enumeration and Attacks
  • Windows Privilege Escalation
  • Linux Privilege Escalation
  • Attacking Common Web Applications

These modules were good at covering almost everything. If there was something not covered in depth, it was at least mentioned as a side note or as a shameless plug for some other module. There were a couple of times that I was researching a certain attack and wondered if it was covered in the CPTS. Then I would go back and at least find a note on the specific attack I was looking at. Though, it gets confusing with Windows since there are two modules you have to go back through to confirm whether it was mentioned or not.

There are some issues that I had with the course material. If you have looked at any reviews or heard anything about the CPTS, you have probably already heard about the dreaded Password Attacks module. I don’t really have anything to add to what’s already covered in other reviews: the password cracking portions need to be reworked. Everything else, covering how passwords work and are stored within Linux / Windows as well as Pass-the-Hash and Pass-the-Ticket, was great.

Some other issues I had personally were with the Thick Clients section in Attacking Common Web Applications. A couple of lab resets worked these out.

Honorable mentions for modules that I enjoyed and have to add are

  • Documentation & Reporting
  • Attacking Enterprise Networks

These modules really helped conclude everything in the training with the focus on methodology and mentality. But with how long it takes to complete and how dense the material is, you will have to revisit the modules within the path.

The only thing I personally would have to complain about is that Ligolo-ng is not covered in the Pivoting module. Yes, the module was great at covering various techniques and tools that help further your understanding. But Ligolo should be added, probably at the end, since there is a literal autoroute command that makes life easy. Even then, with the new version of Ligolo 7, there are really only three commands (ifcreate, route_add, tunnel_start) you would have to know if autoroute is somehow not working in certain situations.

Pro Labs

As one of the things I did to prepare for the exam, I went and completed Dante and Zephyr. This was mainly done to get extra practice in a multi-host network. There were only a couple of modules in the training that had multiple machines to attack, but they felt more like attack chains instead of an actual network.

Also, an article that I enjoyed reading and agree with was Economical Red Teaming, mainly the points made about the pricing being a no-brainer.

Below are my thoughts on both Pro Labs.

Dante

I enjoyed this Pro Lab until I got to the halfway mark. I would say Dante is great for learning pivoting and trying to navigate around connecting to certain machines that only accept traffic from some hosts. I can definitely see why it is recommended for OSCP preparation. This is mainly based on the reviews I have seen for OSCP as well as what Dante was like. There was no real ‘route’ until halfway through. There was great use of context that needed to be applied for certain machines, which I enjoyed tying together. Though some machines could be “cheesed” with exploits due to the lab not being updated. This could bypass the intended paths for the Pro Lab. A few flags were CTF style and were annoying and cheesy to get. As a side note, for anyone preparing for the PNPT, this would be a great resource to use as practice. If you are able to complete 50% of Dante, then you would be well prepared to take the PNPT.

The first half of Dante I would rate as a 4/5, the second half went down to 3.5/5. By the end, Dante was pissing me off so much that it was a 3/5. With that, I would give it a 7/10 overall.

The only thing I would add about Dante is that the lab would definitely benefit from an update. This would help fix some of the exploits that could be used to get around the intended paths. It almost seems like Dante is the red-headed stepchild of Pro Labs since all other labs get regular updates besides Dante. However, it would be a lot of work to update the lab due to the history of the lab creator and the need to stop the unintended routes. I won’t be talking about this in depth, but the history behind the lab creator is probably the worst kept secret. You could probably find information on them if you have the OSINT skills. There is A LOT more lore to add to this puzzle. My search started with a password cracking machine of all things and ended with a Welsh dog breed.

Relating to exam:

  • Any practice with a large network is a plus, so if you can, do Dante to get your feet wet
  • Will help with going over some of the web attacks taught
  • Will help with pivoting practice
  • Will help with privilege escalation practice

Zephyr

Overall, Zephyr was a great lab. The path is questionable due to all the updates to the lab. There were some parts where I found myself skipping ahead based on what I thought was the intended path. This lab really helped with cementing my process of performing enumeration and reviewing BloodHound, as well as general AD skills. I also learned some new tricks that I hopefully won’t forget. And when it says it is a purely AD lab, IT IS A PURELY AD LAB (besides a portion of it). One of the key differences between Dante and Zephyr was that some of the attacks performed are out of scope of the CPTS course material. I felt that someone could easily do Dante if they completed the CPTS material. As for Zephyr, all you really need is the Active Directory and Windows priv esc modules to be good. There will be some extra research that needs to be performed, but with the amount of material covered in those two modules, you will have enough context and understanding to know what to search for.

The rating is a lot simpler compared to Dante: Zephyr is a 9/10 for me. There were only minor annoyances I had personally; everything else was great.

Relating to exam:

  • As stated, some attacks are out of scope but good to go through to build those skills
  • Will help with Windows privilege escalation practice
  • Will help with pivoting practice
  • ABSOLUTELY WILL HELP with AD practice

Note

I have seen recommendations from staff and others about going through the last module, Attacking Enterprise Networks, blind to prepare for the CPTS exam. In my humble opinion, Attacking Enterprise Networks should be reviewed holistically for the overall methodology. I feel that doing the module blind won’t be that useful if you have already done it. I could see its use if you did it blind first, then went back to see what you missed, then continued on blind. Then if you want to feel extra prepared, I would recommend applying what the module is teaching in other areas like Pro Labs.

One thing I would like to add is that Offshore is also a direct recommendation from the Academy x HTB labs. If you want to stick with HTB, then Offshore is another option you can do. Offshore is simply Dante 2.0 with some added defenses, so in theory all you would need is to go over Shells & Payloads as well as the Introduction to Windows Evasion Techniques (now a part of CAPE) to be extra prepared.

Also, there have been the new Pro Lab additions. These used to be the Endgames that required Guru rank on the main HTB platform. Another direct recommendation is the P.O.O. Endgame. I personally don’t have any experience with doing them, but it would not hurt to get extra practice in. Though with these new additions, the only thing to note is that they are smaller attack chains, not a full-on network like Dante, Zephyr, and Offshore.

If you want another option other than HTB to get practice on a multi-host network, then VulnLab and GOAD would be good choices as well. If you have the extra hardware to set up multiple hosts, then GOAD (even Ninja Hacker Academy) would be good practice as well.

If you feel like you don’t need to do the Pro Labs / multi-host networks to be prepared, my recommendation is to review everything holistically. Specific attacks / techniques are important, but your methodology is what pushes you towards those attacks and includes them. Everything you need is within the course modules (so reviewing them should be your top priority due to how much content there is).

Prep

One of the main things I wanted to do to prepare for this exam was to set up Sysreptor for report writing. Since the team at Sysreptor already had report templates for all of the HTB certifications, it seemed an easy way to generate a report. Also, from what I have seen in the reviews for CPTS and my own personal experience with passing CBBH, I knew that the report for the CPTS would be daunting. So any way to automate the report would be a major benefit. I set this up on a separate Linux VM (choose whatever distro you like, such as Ubuntu / Parrot) rather than my own Kali VM.

Fourth wall break: I chose not to use the Sysreptor cloud service since I felt weird using an external service I did not own for report writing. If you don't really care about data sensitivity and don't want to go through the pain that I describe below, then it should be fine. It seems like HTB does support the Sysreptor team and has even pinned their links within the certification channels in the Discord. You should have no worries with using the cloud service.

One thing required for Sysreptor is Docker Compose. I have always had issues with installing Docker Compose when trying to set up BloodHound, but thankfully this guide helped me set up Docker Compose.

Once you have Docker Compose installed, you would be able to move on to installing and setting up Sysreptor with the following guides:

The key things for installing Sysreptor are setting up the Docker volumes, creating the superuser (which will use the password for your Linux user), and then downloading and importing the HTB certification report templates.

All seemed to be well once everything was set up, HOWEVER there were a couple of mistakes I made during the exam that I will share here to spare anyone the trouble. The biggest mistakes that I made with Sysreptor / reporting were:

  1. If you are going to install Sysreptor, it would be best if it was done on a host instead of a VM. Sysreptor was lagging so terribly I had to switch from Sysreptor to a different program like Google Docs. (INB4 low VM resources: the VM had adequate resources, 8 cores and 32 GB RAM to be specific)
  2. Not reviewing the exam report from both the template and the example report from the resources provided in the Documenting & Reporting module.
  3. Scheduling the exam so that the 10th and final day landed on a holiday. It’s not best to write a report during a holiday.
  4. Having to reformat the report template when I exported the report from Sysreptor into Google Docs, as well as having to redo the screenshots for findings because they were corrupted during the transition from PDF to Google Docs.

My biggest advice is to set up Sysreptor properly on a system so that latency won’t be an issue. If not, then download the CPTS demo report from the Sysreptor site and upload it into your program of choice like Google Docs. The reason to download the report template from Sysreptor is so that the report template for the exam can be prepared BEFORE starting the exam. This will give you time to reformat the document to ensure that the table of contents and links to the different sections are properly set up. Once that is uploaded, properly review the sample report given in the Documenting & Reporting module so you know what the final report for the CPTS should look like.

Other things to prepare for the exam, other than reporting, include making your own cheat sheets. I would recommend going through and taking notes on the course material and THEN going back and making your own cheat sheets. These should just be lists of commands with some context if needed; don’t just copy the cheat sheets that HTB provides. Though, I would also copy those down in case you want another set of cheat sheets to reference.

Lastly, I would recommend setting up a transfer folder with all the tools you would need for pivoting and priv esc. This was something I picked up from the PEH course for the PNPT. Put these tools in either a folder in your home directory or the opt directory. This should include Ligolo and any other priv esc tools / Windows-specific tools that were covered in the priv esc modules. For Ligolo specifically, build the latest version and download the compiled binaries of the previous versions from the releases tab. The previous versions that need to be downloaded should be the ones you learned to use in the Pro Labs like Dante / Zephyr. If you are going into the CPTS without doing the pivoting practice with the Pro Labs, the best methodology would be to cycle through the previous version binaries until you get one that works on the specific host you need. One thing that is great about Ligolo is that you can still use the newest proxy version with an outdated agent, so you still have the new functionality.

Exam

Small note, I enjoyed the in-universe lore provided in the letter of engagement that tied the information from the CBBH and CPTS course material together.

I think having experience with passing CBBH helped prepare me more for CPTS since I knew the type of exam that the HTB team makes. Hindsight is 20/20, but I would say that CPTS is not “advanced” but it is definitely not easy. Something that I noticed with CBBH and with CPTS is that the crazy advanced methods and attacks aren’t “needed” for the exam. HOWEVER, the exams focus on putting everything together. This is best explained by the “Outside-the-box Thinking & Vulnerability Chaining” section on both the CBBH and CPTS exam pages. With this in mind, I knew what to expect. The only thing I would say about the difference between CBBH and CPTS is that CBBH was harder in one aspect, due to the fact it was not as “linear”. In every other aspect, CPTS takes the cake.

My first attempt went ok, there were a few moments that stumped me. However, having a solid methodology as well as putting things together for attack chains helped me. For example, if you see “X”, you should think back to what was covered on “X” in the course material and think of what “Y” attacks / techniques are covered.

Other than that, this exam will take a while. This is probably the main reason why John Hammond failed his first attempt. This exam requires a lot of time commitment to be successful. The 10 days will be needed to do both the exam lab and the report. At a minimum, the lab portion should take you at least a week to complete if you are well prepared, but expect to use all 10 days, especially for the report. One thing that I did enjoy about the lab environment was that you were given a few days of time for the instance, so you do not have to worry about your reverse shells and pivots dropping due to the lab time running out and the instance shutting down.

With everything I mentioned about the mistakes I made within the prep section, I was able to submit my report. Though I failed due to one section not meeting the required standards for passing. This is where going back through the report provided in the Documenting & Reporting module will help. This is essentially the standard they want for the CPTS. The only things that are missing from this report are provided in the report template given at the start of the exam, which can be seen in the provided CPTS template from Sysreptor (mainly the tables in the appendix).

After confirming multiple times with the support team that I only had to resubmit a new report that meets the standards, I used my second attempt to upload a report with the required standards they wanted. I did not have to go through the exam again to recollect the required points. I think my saving grace was that I had THOROUGH screenshots and took plenty of notes during the exam that included the commands I used. So for the second time around, all I needed to do was reuse the same screenshots from my first attempt and go through my notes to get the necessary commands to provide replication steps. This ties into the tips I have for the CPTS, which will be covered later.

Once I resubmitted my report, I had to wait … again.

Another holiday break to go through and, lo and behold, I got CPTS certified. The feedback the second time round was that the report was good overall. Though some improvements could be made: having more screenshots, better resolution screenshots, screenshots for every step of a finding, good descriptions and captions, and including commands for a finding. Most of these are mainly for the client to reproduce, validate, and remediate the findings. Even though I thought I was thorough, I could see where these improvements are applicable in my report looking back.

Conclusion

Overall, I would recommend this exam. Though there are a few caveats.

Similar to some reviews on CPTS, this is not a beginner level certification. This is more intermediate. I would recommend that if you are a beginner, not to hop straight into this certification. This is ESPECIALLY true if this is your first certification. I would recommend PNPT or even CBBH to get some experience with an exam. If you don’t want to go through a different exam, then definitely look into doing the Dante, Zephyr, and Offshore Pro Labs. I would still recommend getting some experience with multi-host environments if you plan on taking the exam.

As for how long the coursework took me to complete, it was a lot longer compared to CBBH. It took about ~122 hours for me to complete the coursework. Keep in mind that I also completed the CBBH coursework, so I already had about ~30% of the coursework for CPTS completed. So using some ChatGPT magic with the time logs I had, it was 122 hours plus the ~56 hours to complete the web modules that I had already completed from CBBH. Adding that up comes out to ~180. If you add up all the hours based on the estimate that it will take about 40 days with 8 hours of studying each day, you are looking at close to 320 (315 to be exact) hours in total. As shown, your mileage will vary depending on your experience. I share this to show that anyone approaching this should be prepared for the coursework. As stated earlier, completing the coursework is an accomplishment in itself.

With that out of the way, here are some tips that I shared for CBBH that I will also put here:

  • Track your progress.
  • For each question and skill assessment that you do, copy down the steps you took. This will help reinforce your methodology as well as prepare you for the CPTS report.
  • Take your time with the study material. There is a lot of information to process and then study for the exam. Make sure you reflect back on which modules and questions were the hardest for you to complete and review what stumped you the most.
  • Create a cheat sheet for yourself for the exam. Shrink it to a couple of sentences on what to look for and a command to run whenever you are in the situation described within that section. I would also add the HTB cheat sheets within the cheat sheet you made.

CPTS specific tips:

  • REVIEW THE REPORT TEMPLATE
  • PREPARE THE REPORT TEMPLATE
  • Make sure to take thorough screenshots and copy down the commands for each finding. This relates to the tip above on copying the steps you take for each question and assessment. I found that this made it easier for me to do during the exam since it already became habit when I was going through the modules.

One final thing I want to add is that the course material for both CPTS and CBBH is really well done. Due to the material being updated every once in a while, it should be revisited. On top of what I already said about the material being extremely dense and taking a considerable amount of time to complete, revisiting the course material would be beneficial just to get refreshed on the topics as well as potentially finding new information in case you missed it the first time (or from newly updated material).

With that, that is all of my experience with CPTS. Now if you will excuse me, I have business with S.T.A.L.K.E.R. 2 to attend to.