CPTS Exam Walkthrough

A complete, sanitised CPTS-style walkthrough — two trusted Active Directory forests compromised end to end: external recon and web RCE (OpenNMS, prototype-beta LFI, SQLi), Linux privesc (uftpd traversal, csvtool sudo), NFS to Liferay to SeTcbPrivilege for SYSTEM, lateral movement, LaZagne and BloodHound, targeted Kerberoasting, a DACL chain to DCSync, cross-forest trust and gMSA abuse, VMTools path injection, Nexus and SonarQube, and Anuko SQLi plus Webmin to root. Every flag, IP, hash and passw

Target: CPTS network (trilocor.local)

Recon — DNS zone transfer (AXFR)

dig axfr trilocor.local @<DMZ_IP>
trilocor.local.                 IN  SOA   ns1.trilocor.local.
trilocor.local.                 IN  NS    ns1.trilocor.local.
nms.trilocor.local.             IN  A     <DMZ_IP>
selfservicestg.trilocor.local.  IN  A     <DMZ_IP>
rocketchat.trilocor.local.      IN  A     <DMZ_IP>
gogs-qa0001.trilocor.local.     IN  A     <DMZ_IP>
prototype-beta.trilocor.local.  IN  A     <DMZ_IP>
blog.trilocor.local.            IN  A     <DMZ_IP>
jobs.trilocor.local.            IN  A     <DMZ_IP>
news.trilocor.local.            IN  A     <DMZ_IP>
shop.trilocor.local.            IN  A     <DMZ_IP>
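
From the defender's side, the listing above is what an unrestricted zone transfer hands to any client. The following is an added example, not part of the original walkthrough: it parses a saved `dig axfr` result, reports whether the transfer completed, and lists the hostnames it disclosed. The function name, the `HINTS` heuristic and the 192.0.2.10 sample address are assumptions made for illustration.

```python
import re

# Constructed samples in the shape of the listing above; 192.0.2.10 is a
# documentation address standing in for the redacted <DMZ_IP>.
SAMPLE_ALLOWED = """\
trilocor.local.                 IN  SOA   ns1.trilocor.local.
trilocor.local.                 IN  NS    ns1.trilocor.local.
nms.trilocor.local.             IN  A     192.0.2.10
gogs-qa0001.trilocor.local.     IN  A     192.0.2.10
prototype-beta.trilocor.local.  IN  A     192.0.2.10
blog.trilocor.local.            IN  A     192.0.2.10
"""
SAMPLE_REFUSED = "; Transfer failed.\n"

# name [ttl] IN type rdata -- the TTL column is optional (the listing omits it).
RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(\S+)\s+(.+)$")
# Assumed heuristic: substrings in the leftmost label that suggest staging,
# QA or management hosts that should not be discoverable from outside.
HINTS = ("stg", "qa", "beta", "dev", "test", "nms")


def audit_axfr_output(text, zone):
    """Summarise what a saved `dig axfr` result discloses about `zone`."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and dig comments
            continue
        m = RECORD.match(line)
        if m:
            name, rtype, rdata = m.groups()
            records.append((name.rstrip(".").lower(), rtype.upper(), rdata.strip()))
    apex = zone.rstrip(".").lower()
    # A completed transfer always carries the zone's SOA record; without it
    # the server refused or the transfer failed.
    allowed = any(n == apex and t == "SOA" for n, t, _ in records)
    hosts = sorted({n for n, t, _ in records
                    if t in ("A", "AAAA", "CNAME") and n != apex})
    flagged = [h for h in hosts if any(k in h.split(".")[0] for k in HINTS)]
    return {"transfer_allowed": allowed, "hosts": hosts, "flagged": flagged}


if __name__ == "__main__":
    print(audit_axfr_output(SAMPLE_ALLOWED, "trilocor.local"))
    print(audit_axfr_output(SAMPLE_REFUSED, "trilocor.local"))
```

If `transfer_allowed` is true for a query sent from an address that is not a configured secondary, the name server's transfer ACL needs restricting.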