2026-07-10 @pequepadawans cpts review active-directory

CPTS review

Context

Certified Penetration Testing Specialist — Hack The Box. Practical exam, 5 days, 14 flags. Passed.

Modules Worth Mentioning

When going through the Hack The Box Academy modules, not all content is created equal. Here are my thoughts on where you should focus your energy:

  • Pivoting: The official module feels a bit outdated. I highly recommend learning Ligolo-ng instead. To truly master pivoting, dive into the ProLabs—specifically Zephyr and Offshore. Don't be intimidated; you can always ask for nudges in the official Discord if you get stuck.

  • Attacking Enterprise Networks: Do this one completely blind. It will take you longer to finish, but you will enjoy the process much more and learn significantly more.

  • Active Directory Enumeration & Attacks: This is incredibly important. Take exhaustive, meticulous notes as you go through it.

  • Stay Current: Some modules are slightly outdated, so try to adapt the techniques to modern realities to get the most out of them.

  • Introduction to Active Directory: This module is heavy on vocabulary, but I highly recommend doing it if you feel you are missing foundational knowledge before tackling the more advanced AD attacks.

  • NetExec (nxc): I didn't do the CrackMapExec module, so I can't speak to it, but I heavily advise gaining expertise with nxc. The syntax is incredibly friendly, it can handle almost any network-related task, and it is overall just very comfortable to use.

My Exam Experience

Exam freedom

One thing that really surprised me is that you can use any exploit during the exam—even 0-days. With that in mind, remember that there is no single "correct" path to passing. Don't limit yourself by trying to guess what the exam creator intended. Come up with your own creative ways to breach the systems. That is what I did, and it saved me a massive amount of time.

A Very Unstable Lab Environment

To be completely honest, the lab environment was quite unstable. I had to reset my exam over 10 times in 5 days. I tried switching VPN servers, which helped sometimes, but overall, the environment felt sloppy. Tip: EU servers are usually overloaded, so try switching regions if you face connectivity issues.

The Flag Timeline

Day Flags Captured Notes
Day 1 0 Off to a slow start.
Day 2 0 Anxious; convinced I would fail on the first flag.
Day 3 7 The breakthrough.
Day 4 8 - 9 Hit a major roadblock.
Day 5 9 - 12 Pushed through to the passing threshold.

Flag 1 isn't technically difficult, but it is a long attack chain that requires you to look at the bigger picture. If you are stuck here (like I was and some friends were), do not hesitate to re-enumerate. The instability of the lab can lead to inconsistent initial scan results.

Flag 8 was a massive roadblock for me and many others. Fortunately, I managed to find an alternative path that helped me bypass the intended hurdle. I would confidently say that if you manage to capture Flag 1 and Flag 8, you have a 95% chance of passing the technical portion of the exam, as the rest of the flags are relatively straightforward.

Dealing with Burnout

When I obtained Flag 12, I honestly decided to call it there because I was completely burnt out. The path to Flags 13 and 14 looked straightforward, but my brain was fried. I hadn't taken a single real break since I started.

What not to do

My routine was a mistake: wake up → hack all day → eat while hacking → sleep a little.

I have to admit, this was a massive failure on my part. I forced this exhausting routine because I thought I had wasted too much time on the first flag and wouldn't finish, but I ended up finishing with 5 days left on the timer! Ironically, my best ideas came during the rare 5-minute moments when I actually stopped and got out of my "tunnel vision." Once I secured enough points to pass, I took a full 24-hour break from anything exam-related before starting the report.

The Report

My final report ended up being 118 pages long. I used Sysreptor and automated a lot of the writing process by leaning on AI. For this, I used OPENCODE to draft the findings.

My AI Reporting Workflow:

Whenever I confirmed an attack path and gained a flag, I dumped the raw commands into my Obsidian vault. I then fed that dump, along with a very vague explanation, into the AI and told it to draft a formal "finding." This prevented me from wasting precious time writing while I was still hunting for flags. When it was time to compile the final document, I just took the drafted findings, slightly changed them, and added my screenshots.

AI caveat

Please revise the AI-generated text. AI hallucinates, but having it draft the foundation saves you hours of tedious work. I spent about 8 hours a day for two days on the report (roughly 16 hours total).

Recommendations and Tips

1. Step Away from the Keyboard

Take breaks for at least 10 minutes. Just lay down on your bed, close your eyes, and try not to think about the exam. Getting out of that tunnel vision is usually when the missing puzzle piece will finally click in your mind.

2. Use a Virtual Whiteboard

I heavily recommend using a whiteboard to visualize the bigger picture (in my case, I used Obsidian with the Excalidraw plugin).

  • Draw a large rectangle for each subnet and place each host inside as a smaller rectangle.
  • Nomenclature: Always use HOSTNAME - IP.
  • Color Coding: Use Red (0 access), Yellow (unprivileged access), and Green (full control / root / system).
Note

The image below is not from the exam — it's from a ProLab, but the methodology is the same.

Pasted image 20260710161444

3. Maintain a Strict Markdown Structure

Keep a dedicated table for the credentials you gather. Note exactly where you found them and where they can be used. Copy and paste your successful commands immediately—you will need them for the write-up, and you will definitely need them to quickly repeat your intrusion if the lab resets.

Keep an "Ideas / TO DO" section in your .md file. Ideas often come in packs, and if you don't write them down immediately, you will forget them. If you don't maintain a bit of order, you are going to end up missing things.

The exact structure I used:

# Creds Table
| Users  | Pass  | Hash  | Notes   | Valid on   |

# Ideas / TO DO
- [ ] Idea 1
- [ ] Idea 2

## HOST 1
### Intrusion
- Commands / Screenshots, etc.
### Priv Esc
- Commands / Screenshots, etc.

## HOST 2
### Intrusion
- Commands / Screenshots, etc.
### Priv Esc
- Commands / Screenshots, etc.

4. Various Mini-Tips

  • If you are stuck for a long time: Question your previous assumptions. Re-enumerate from scratch or enumerate again with a completely different command/tool.
  • Don't over-rely on automation: Automated tools are great, but have manual commands in your notes to fall back on if the tools fail or output messy results.
  • Beware of rabbit holes: The exam is full of them.
  • Take good notes in the Academy: During the CPTS path, make sure to take your own notes with code snippets so you can copy/paste them later. You won't remember every command by heart, so don't be afraid to reference specific Academy modules during the exam.
  • Prioritize ProLabs: Do the CPTS track, but give massive priority to large labs like Zephyr and Offshore (if you are feeling brave, though Offshore has some content outside the scope of the exam). Doing these massive environments will help you build the actual methodology needed for the exam. Normal, single HTB machines won't give you that vision. Even though the Attacking Enterprise Networks module is the closest thing to the exam, it is just too short to fully cement a solid methodology for massive labs.

Would I Recommend the CPTS?

Yes, absolutely. It teaches you a lot of content, the curriculum is very wide in scope (web, AD, pivoting, reporting, methodology), and the price is very good compared to the OSCP for what you get in return.

Caveat

That said, I wouldn't recommend jumping straight into this cert without previous cybersecurity knowledge. The Academy modules assume you can enumerate on your own, that you understand networking basics, and that you can read a script and adapt it. If you're brand new, start with something lighter (e.g. the HTB CJCA path, or just the easy-rated HTB machines) before committing to the CPTS.

Pasted image 20260710142524