Passing the CPTS Certification

Certification Exam, Privilege Escalation, Active Directory, Web Application Security

Introduction #

This blog will be about preparing for the CPTS certification and my experience with it. I primarily wrote this after receiving several questions about the CPTS certification.

The CPTS is a hands-on penetration testing certification from Hack The Box that evaluates your ability to conduct a full engagement and document it professionally. I was able to pass with all 14 flags and a 101-page report.

CPTS points

Preparation #

The Course #

The course is long and can take multiple months to complete, but is necessary due to the essential penetration testing concepts and attacks it covers.

Completion of the Penetration Tester path (the CPTS course) is obligatory to attempt the exam. If you already have foundational infosec knowledge, the material will land quickly. If not, expect a significant time investment.

Do not rush the course, and take time to understand the tools mentioned and explore multiple ways to achieve the same objective, as this deepens your understanding and builds the adaptability needed to handle the different situations you will encounter.

Pivoting #

If pivoting is a weak point, I recommend completing Pro Labs such as Dante or Offshore. I have a blog demonstrating triple pivoting using the tunneling tool Ligolo-ng. Alternatively, if Pro Labs are not preferred, the course also includes a module named Attacking Enterprise Networks (the penultimate module in the course), which requires pivoting and is sufficient for practice. When you reach this module, try using Ligolo-ng and see if you like it.

Pro Hacker Rank #

If you hold the Pro Hacker rank on Hack The Box, you are likely ready. Reaching that rank requires solving a substantial number of challenging active machines, which strongly suggests that you are:

  • Carrying a solid methodology
  • Able to gain advanced and long-term footholds
  • Strong at privilege escalation
  • Comfortable operating in Active Directory environments
  • Able to move past atypical obstacles
  • Perseverant and resilient, which are crucial traits when facing the exam

However, holding this rank is not necessary. I personally approached the exam without it, holding the Hacker rank instead. While I have read claims of others passing the exam relying solely on the course material, I do believe achieving this rank can still be helpful when preparing.

CPTS Track #

Hack The Box also released a CPTS preparation track that consists of machines designed to help participants build the confidence and expertise required to approach the certification successfully.

Reporting #

I have read some recommendations about writing the report as you progress through the exam, but personally, I saved reporting until I had made decent progress. The report is of no use if your score in the exam is insufficient.

However, I do encourage taking organized notes of anything of interest and successful attacks such as credentials, potential attack paths, and payloads. When writing the report, I did my best to follow the structure of the penetration testing sample report by Hack The Box, and the reporting requirements and advice mentioned in the Documenting & Reporting course module.

SysReptor is worth checking out. SysReptor is a fully customizable and organized pentest reporting platform designed to simplify pentest report creation for security professionals. SysReptor can be self-hosted or used directly in the browser.

It is what I used for my CPTS report, and I would recommend giving it a try. It includes a CPTS reporting template out of the box, supports Markdown, and reduces the time spent on formatting so you can focus on the actual report content.

One thing I appreciated was that feedback was provided even when you passed. It makes every result an opportunity to improve and learn from mistakes.

Final Thoughts #

The exam itself is demanding, but fair if you approach it correctly and keep the module lessons in mind. From what I have heard, it is more difficult than the OSCP exam from OffSec. Most attack vectors are straightforward, but not immediately obvious. Each exam voucher includes two attempts, and you will most likely need to use both.

No amount of blogs, videos, or checklists will truly help you pass. You will need to put in a significant amount of time to be prepared for the exam. It is the hardest certification I have completed, and it is worth it for the competence it builds.