HackTheBox Certified Penetration Testing Specialist (CPTS) - Review + Tips 

Hey mate,brother here trying to break into soc analyst position , putting time and effort learning blue team concepts.Holding certificates such as azure fundamentals,secuirty+ and splunk core user.Interested in pentesting however hesistant and curious if diving into pentesting learning path on hackthebox would be a complete waste of time for blue teamers?I want to dedicate my life to cyber security domain and i feel not learning red team stuff would place a limitation on my career growth whilst worrying about wasting my time as a blue teamer trying to land a junior position job.Any feedback will be greatly appreciated brother

@@furkanyaman927 Hiya mate, good question! Learning some red team stuff would definitely beneficial, in the same way learning blue team stuff would be beneficial to a pentester. It's important for attackers to know how defence works, and for defenders to know how attacks work. The question is how much time you would spend on that.. I would say if you still have a lot of blue team stuff to learn, it should be your main focus (as it's your job) but if you feel you've gained enough knowledge/experience about defence that you can spend more time on attack.. it's certainly worthwhile 😊

@@_CryptoCat thank you brother

AMAZING!! Congrats 💪

Wow, what a compliment! I was worried that the video would be way too long for most people so it's great to hear you found it useful 🙏 Best of luck with your CPTS journey 🥰

Thank you 🙏🥰

Thank you! 🙏🥰

Awesome! Best of luck with the course and exam 🤞

Thanks mate! 💜

Thanks! I hoped that would be a good comparison, even though I know nothing about cars 😂

thanks bro! 💜

🥰

Thanks mate! Best of luck with the course and exam, hope you learn a lot 😉

​@CryptoCat hey, I been working through the document and reporting module in the cpts path. And I was wondering if you had time if you could review my report. Your feed back would be very valuable to me!

@@johnnyvims5097Hi I’m planning to start HTB academy could I ask some questions? If you don’t mind 😬 “I can add u from discord or wherever u want “

No problem 👍

Thanks mate! Best of luck with the exam 🤞

Planning on taking it as well. How long are you estimating it will take to finish the course?

@@user-fo9tz3re6u It's so hard to say! It will vary on so many factors; your prior knowledge/experience, how fast you learn, your learning process (e.g. do you complete supplementary material), how many hours per day you invest etc. You can check the modules for a rough guideline on the estimated time to complete 🙂

@@user-fo9tz3re6u With my current pace (~3h per day) I have estimated that it will take me about 4-5 months to properly complete the course. That includes all optional exercises, and reading from additional resources when needed. I am currently keeping a very detailed time record per module and comparing it with HTB's estimate, so I can share that when I am done if it would be still useful for you.

heehee 😁

Awesome! Best of luck with the PNPT exam, I have heard plenty of positive reviews of it and I would say CPTS + OSCP + PNPT are all based on similar techniques, using similar tools etc so completing one course/cert will help you with another 🙂

@@_CryptoCat That's correct. Thanks so much for the Review, It gonna help me a lot.

Hi! Im planning to take either cpts or oscp. how extensive is the resources of cpts than oscp?

Thanks! 🙏🥰

Good plan! Best of luck 🤞

👊

Thanks mate 🥰 CPTS was harder than I thought as well TBH but you will learn a lot in the process and the CPTS track is good preparation. You've got 10 days for the exam and a free retake as well which takes the pressure off a bit. Best of luck!

Thanks mate! I finished the CBBH track after I did CPTS but don't plan to take the exam.. unless HTB wanna sponsor me to make a video 👀

Thanks! I don't think I can share that unfortunately since HTB don't provide any specifics about the size or structure of the network. The only thing I can probably say is that there are multiple machines and different levels of network segmentation, as you'd expect from a realistic AD network.

Go for it! You can definitely save a good bit with the student membership 🔥

@@_CryptoCat where did you learn how to hack? All on htb?? Going into computer science and doing a major too soon. Looking for the Biggest knowledge possible. Thanks.

@@nicolasarsenaukt6821 I did the same; Computer Science undergraduate degree then onto an MSc and PhD in cybersecurity. I would say that my CompSci degree had very little hacking, I had to take the initiative to do CTFs in my spare time and sought out internships, placements and university projects that were cybersecurity related. The CompSci will teach you all the fundamentals that will help you with hacking though and if you're lucky, your university will have some security related modules 🙂

@@_CryptoCat Just as I thought, I Will have good fundamentals that help understanding the hacking process. Then, with ressources online I can easily start with something like HTB or THM. Will update you on my journey

@@nicolasarsenaukt6821 This is a good plan 👌

ty 💜

Go for it mate! Regarding notes, I made a switch from CherryTree (which I used for OSCP and continued with ever since) to Obsidian, mainly for the markdown compatibility. I only took notes for the end of module assessments (actually these were in CherryTree as I only switched to Obsidian right before the exam) but kind of wish I'd taken notes throughout the modules (like I did with OSCP labs/exercises) and updated the cheatsheets supplied by HTB with any missing commands. In terms of what kind of notes to take, I just do like a "writeup" style, e.g. like 0xdf's HTB blog where I document my steps to solve a lab/assessment, recording the commands I used, the output they produce and screenshots along the way. You could lookup some articles/videos on OSCP note taking as the process will be similar for CPTS, e.g. here's one from Conda: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-yYmDQY1zKKE.html - best of luck with course and exam 😊

@@_CryptoCat I've never used Obsidian before so I'll give it a try asap. Taking notes through a 0xdf writeup style sounds like something that would work great for me, I'll try to do that for every skill assessment and all the questions at the end of each section, thank you!

@@SafaretoSaf Awesome! Just don't worry too much about making the notes perfect. You want them to be clear and relevant enough for your own reuse without wasting too much time on formatting or trying to explain your steps for a public audience. So long as they make sense to you, that's the main thing. The process of notetaking should help for your final pentest report as well 🙂

Sure! In the CPTS track there is a documentation/reporting module which includes a sample report (Word/PDF) and then you get a template for the exam report (similar to OSCP) 😊

I think CPTS then OSCP is the best approach 👍 There are definitely CVEs along the way, HTB won't expect you develop zero-day exploits (phew) but maybe some vulns will be less well known, related to the intended functionality of an application or due to a misconfiguration. This means at times you could benefit from reading official documentation to identify potential vulns, rather than finding a CVE or PoC easily available on Google.

@@_CryptoCat Thanks !

Thanks mate! I haven't taken those courses but looking at the overview of the course and exam, most of the same attack types are covered. I guess with CPTS you will learn about all the various AD attacks during the course but they won't *all* be included on the exam. With the CRTP/CRTE being a purely AD based course, I would expect them to integrate more of the AD attacks (and a bigger network) into the assessment. Just my assumption though, I'll be interested to hear a comparison from someone who has done both 🤔 edit: actually, that being said - the CRTP exam is 24 hours so I'm not sure how much more content they could realistically fit into the exam. The CPTS was really packed (or it felt like it to me!).

@@_CryptoCat thanks for the reply. In 2023 I'll hopefully be that person you're referring to (who has done both or all three of them).

@@j.c.5011 Good luck! 🤞 If you remember, you can update this thread with your experience and let people know how they compare 😉

Thanks mate! It's definitely hard to absorb everything, especially if you don't have much prior knowledge/experience on some of the topics covered. My advice would be to take a note of any modules that you really struggle with and make sure to review them a few times once you finish the path and do any related boxes, e.g. the active directory section took me a long time to complete and I didn't feel confident so after completing the path I reviewed all the contents and went and practiced on some AD related boxes. Hopefully once you get the CPTS you'll be able to move into a cybersecurity role, assuming you want to work on it full time 🙂

@@_CryptoCat Thanks!! Yeah... hopefully I will finish it some day! I`ve been 6 months already and half-way... I think maybe it`s better idea to sign up to a master degree in cybersecurity hahahaha I mean for someone with 0 penetration testing experience! I`m already afraid of the AD module hahahahahaha If it took YOU a while... Lots of people say it`s the tougher!!

I only did OSCP but reading the OSEP description is sounds like similar content. I'd hazard a guess that CPTS is a lot more comprehensive and difficult though 👀

The content in the CPTS track is technically enough *but* the more prior knowledge/experience you have, the easier it will be and the more likely you will pass. I tried to make sure I felt comfortable with all the modules before attempting the exam. I flew through the web modules, probably due to existing knowledge/experience. On the other hand, the active directory, privilege escalation and pivoting modules took me a lot longer and I was less confident on those areas when the exam started. My exam experience really reflected that, the web parts were less challenging for me AD was a weak point but everyone will be different!

That's fair 😁 Overall I agree and prefer 10 days but I did invest probably 3-5x more time over those 10 days on the CPTS exam than I did on OSCP and since I didn't pass on the first attempt, I spent more time on the retake (and on prep inbetween). Obviously this extra time spent hacking meant I learnt more and helped to ensure the material would "stick" but it's just a consideration that you *might* end up spending a lot more time overall on the CPTS exam than OSCP. Maybe you'll be less likely to fail CPTS with that extra time - I did stuck for some silly reasons, at various places 😅 Everything seems easier in retrospection though.

@@_CryptoCat I could not agree with you more. If you have more time, you can put more thought and care into the exam, and you can double check everything to make sure you achieved 100% accuracy and not rush through everything just to beat a ridiculous deadline like 24 hours when in the real world, you may typically have 1 to 2 weeks to complete a pentest. And best of all, when you have more time, you can "sleep on a problem" when you can't quite figure it out. When you wake up the solutions are usually there waiting on you because the brain got an opportunity to rest and process the problem. In August, I completed the eJPTv2 beta exam and during the 2 day exam, i got only 4 hours sleep and disliked the experience very much because the number of tasks were doubled as compared to eJPTv1 but the exam duration was reduced from 3 days to 2. eJPTv1 was a much better exam experience at 3 days. I felt like I was focusing more on the time remaining (eJPTv2 beta) then on the actual exam

I demonstrated on a lot of undergrad and post-grad modules over the past 7 years or so. Some of the MSc cyber-security modules I was most involved with were Malware and Software Assurance (secure coding) and then a couple of years ago they introduced a pen-testing module which I helped produce content for. I did the MSc myself in 2016 (before my PhD) and really enjoyed it TBH. Some modules (and lecturers) were better than others but overall it was a good experience. Having helped on the modules for the past 5 years I would say the majority of people who passed have moved onto good jobs. Most students found internships easily, particularly sinces there's a lot of great cyber-security companies in Belfast (Rapid7 take a craaaazy amount of interns here every year). That being said; MSc in cyber-security is not the same as OSCP/CPTS, you'll get an introduction to pen-testing but it's just 1/6 modules and nowhere near the depth that pen-testing certs go. You would want to make sure you are working on CTFs, HackTheBox etc in your spare time to develop those practical skills. I'm leaving Queen's university this month after having successfully passed my PhD viva. I'll be starting full-time with Intigriti next year and won't be demonstrating on any of the modules in future. If you have any more questions though, feel free to ask. If you do end up going for the MSc, give me a shout and we can meet up for a drink or something 😉

@@_CryptoCat Thanks a lot Jonah this was a great response! I am following you on LinkedIn and will catch up with you if I have any doubts in the near future. Thanks again!😄😄

Good question! The exam has 100 points, which you achieve by submitting user/root flags. You need 85/100 to pass and must submit a report documenting how you obtained the flags. There aren't any points for the report, but it is a requirement and they do state you can fail if it isn't done properly. There's a documentation/reporting module in the CPTS track as well as some examples so just follow a long with those best practices, using a template that HTB will provide (similar to OSCP). I made the mistake of not reading the documentation properly which states "if you do not submit a report, you won't be eligible for a resit". I assumed if I didn't get enough points to pass (I got 50 on my first take), there was no point taking the time to write out the report as I wasn't sure if the resit would be the same exam rotation (it was) or if I would get enough flags. Ultimately, I was glad I had to do the report anyway because it meant I had more hacking time on my second take *and* writing up my progress helped me identify areas I should explore further 🙂

@@_CryptoCat wow thanks dude. Im now a subscriber. Keep it up

@@reyparcon1333 thanks mate! 💜

If you can pass the exam and write a good report, I think you would be well ready for a junior pentest role. More so than OSCP imo 🙂

Extremely helpful

I'm not 100% but I would imagine that mindmap has most, if not all of the AD related stuff. The CPTS track does as well though so if you get stuck at any point on the exam, make use of the search feature and carefully review every page on the relevant topics. If you don't get it on your first take (like me), HTB will send you in the right direction so that you [hopefully] get there on your retake 🙂

@@_CryptoCat I know that in the CBBH exam, I passed the various methods of finding the module page, but in CPTS, the difficulty is much higher than that of CBBH, especially in terms of Active Directory. Besides the module content, is there any other recommended information?

@@sleepstudyreleaxsounds6975 I agree, it's a very tough exam! I can't really give any specifics but just make use of all the usual resources; Google, ChatGPT, hacktricks, AD mindmap, bloodhound docs, past HTB machine writeups, exploitdb, OSCP/pen-testing cheatsheets/checklists etc. The only issue with that is there's so many sources so I think using the CPTS track where possible is a good idea since you know all the required material for the exam is in there somewhere.

@@_CryptoCat Thank you, now I will review the CPTS 28 module again, and there will be answers in it

Awww thanks mate, appreciate the feedback and encouragement 🥰 The exam wasn't really buggy, just a few of the modules. I'd recommend running through the course then see how you feel, maybe you'll be ready for the exam 😉

Have you got your cpts yet?

@@atra.9850 Not yet! I'm slowly working through the course. Soon enough!

@@_CryptoCat Passed OSCP and OSWP (lol) since our last chat! Now I'm digging deep into CPTS. Looking forward to learning more!

@@iCyberVenom Amazing!! Congratulations and best of luck with the CPTS 😎

It is certainly possible, especially if you are able to commit to it full-time. I can't say if it will be enough for sure though as there's so many factors. Everyone has a different level of background knowledge/experience, learns at a different speed etc. If you've done HTB/THM machines before, that will make things a lot easier compared to someone who is completely new to pentesting or offensive security generally.

I have my IT career too, so this PT opportunity just appears to me from an old friend to work with him at cibersecurity, so he sing me on HTB and select the JRPT path... I can tell you, for mental sanity, is not possible to finish all the modules in 41 days (specially for the AD module), maybe if you have past expirience in PT you could but without any expirience think it's imposible. But how Crypto bro says it depends background knowledge/experience and the time you have. I finished this path in 3 1/2 really compromised months mixing the time with my regular IT work.

@@pachinchannel Thanks. I decided to jump into Data and DevSecOps.

Best thing to do is open Bloodhound and right-click the connection, check "abuse info" and it will give you the required steps for exploitation. You can also check here: bloodhound.readthedocs.io/en/latest/data-analysis/edges.html#genericwrite

Thank you very much

Hey, good questions! Honestly, I think it would be a shame.. if you do all the work, you might as well get the cert to show for it - it will be on your CV forever! I learnt *a lot* in the exam, especially since I failed the first time and spent a good portion of the 10 days on both exam takes, practicing everything I learnt in the course. I reviewed CPTS modules/cheatsheets soooo much during those 20 days that it really reinforced everything I had learnt during the course, and revealed my weak points. For mock exams/boxes, they do recommend them throughout the CPTS course so I would advise to complete those. Don't stop there though, if you've got time to do more boxes.. do them! TJ Null has a great list of OSCP-like boxes to prep for the OSCP exam and they'll help for the CPTS too 🙂 www.netsecfocus.com/oscp/2021/05/06/The_Journey_to_Try_Harder-_TJnull-s_Preparation_Guide_for_PEN-200_PWK_OSCP_2.0.html#vulnerable-machines

@@_CryptoCat I wanted to save up money for the OSCP, especially since I already spent some getting my eJPTv2 recently. But as with the eJPTv2, I felt that I learnt a lot from the exam itself. And judging by your feedback on the CPTS exam, it seemed likely that I will benefit from taking it as well. I will be able to test my understanding more, and if I pass, it is also a decent addition to my CV, especially if it gets more recognized in the future. Seems like a good investment. Thanks for sharing your experience :)

@@Rookie441 No problem, best of luck with whatever you route you go for 😊

Promised myself to come back to this thread when I passed the OSCP, and I did it! 🎉 This would not have been possible without your inspiration, so thank you 🙏

@@Rookie441did CPTS help

I guess will add 20% to the price, so silver annual would be £420 instead of £350. If you are a student it's £6 a month regardless but a 20% VAT will be added to the exam cost, bringing it from £150 to £180.

Hi mate, thanks for the awesome summary! 💜 Hopefully some other CPTS holders will jump in with their input but let me add mine also: 1. Planning time was very difficult for me. I'm the kind of person that if I start a challenge (e.g. CTF, but let's also say a cert/exam), I'll go all out. Even if I tell myself to take breaks, I'll inevitably spend my breaks thinking about the challenge (exam) and feel like I'm wasting time and need to get back to it. This means that a 10 day exam has a negative toll on me *but* even if I said "I'll only do this 9am-5pm", it would have a negative toll because I'll spend my "non-working" hours feeling anxious that I could/should be working on finishing the exam. 2. Sure, the web content in CPTS can be compared to portswigger labs but it's really a small part of the course/exam. The CPTS web content won't go as in-depth as Portswigger, or cover as many attacks and the exam will reflect that. Web is an important part of pen-testing but there's so much more to it. 3. XSS is in the CPTS module contents, so anything in there, can come up on the exam! 4. No buffer overflow in CPTS. Again, if it's not covered in the course contents, don't worry about it being needed for the exam. Best of luck with the course and exam, if you decide to go for it! 🙂

So long as your question is NOT asking for help with the exam, I hang around in go.intigriti.com/discord 🙂

I haven't done the PNPT so can't say, but I'd suspect CPTS is quite a bit more in depth.

Definitely! I know people who have been working professionally as pentesters for several years but haven't managed to pass the OSCP exam yet (after multiple attempts). IMO the CPTS course is more comprehensive and the exam is more difficult than OSCP so if you pass that, you're actually higher qualified than many junior pentesters who are performing pentests full-time 🙂 That's nothing new actually. When I did my OSCP 3-4 years ago, I read a blog by someone who failed the exam a couple of times and they said they had been working as a pentester for ~10 years. That being said, there are other skills to pen-testing which will develop from working experience, e.g. scope setting, report writing, communicating findings. A professional pentester might fail the CPTS/OSCP exam on technical grounds but have better skills in some other important areas. Hope that makes sense!

😂👌

💀😂

I would say collecting data (e.g. sensitive files, credentials, internal configs) from compromised hosts is "looting". In metasploit, many of the post-exploitation modules will populate a "loot" folder.

@@_CryptoCat Ty 😁

Il take that as a yes

Depends how you define "pentesting experience"! If you mean someone who has previously been employed as a pentester, I don't tick that box.. If you also include HackTheBox machines, VulnHub/ProvingGrounds boxes etc as "pentesting experience", I would say it's needed (or at least highly recommended), e.g. if you start the CPTS track and you've never hacked any machine, don't know the basic tools (e.g. nmap, burp, metasploit etc), I think passing the exam off the contents alone will be difficult. That doesn't mean it's impossible. As long as you spend sufficient time doing the modules that you feel comfortable with all the tools and techniques, you'll have a chance at passing the exam. However, I'd say practicing on HTB machines will greatly improve your chances. You'll see this recommended throughout the course as well, e.g. "X and Y boxes are good for learning about active directory".

@@_CryptoCat appreciate the input. I just subbed to the academy silver and vip on the labs. I guess I will spend abit more time on them then. I’m still at the monitor starting point

@@Obsessedwithcoding Awesome! I would recommend finishing starting point, then do the CPTS track on academy.. taking time to do the recommended boxes and researching any specific topics in the course that you don't feel sure about. Best of luck 🤞

If you want to get the CPTS certfication, I'd recommend getting the CPTS track and starting from the beginning (following through in order). However, if you aren't sure if the course is right for you or want to review the quality of the modules, start by going through as many tier 0 (free) modules as possible 😉

???

3 months is definitely possible but it depends on your prior knowledge and experience - you might come across some topics that are complex and completely new to you and it could take a lot of learning and practice for it to sink in. You'll get a good idea how long it will take once you get started, e.g. if the marker is at 10% complete after your first week, 3 months is probably a good estimate. If you are completing ~5% per week it will take longer etc. I think CPTS then OSCP is the best approach anyway, that's what I would do now if I was just getting started. Good luck! 🙂

@@_CryptoCat Thanks for the insight, much appreciated. Please continue to do comparison videos between these two certs. Would you say AD content on CPTS would be helpful towards OSCP AD boxes?

@@quadraticfunction8045 When I did OSCP AD wasn't a big part but HTB really covered the topic in depth, I'd be surprised if they missed something which ends up coming up in the OSCP course.

Haha love that emoji 😁

Thanks mate, I'll get that link sorted out now. At least it's a 404 and not redirecting to a scam pharmaceutical site which is what happened to the DVWA link 😂 There is definitely text-based content in every module, you need some theory (and examples) to go with the practical labs/exercises. Some are more theory-heavy than others though, e.g. there was *a lot* of text in the AD module.

@@_CryptoCat hahaha indeed :'D thanks for the answer :) would you recommend doing the modules in the order they are listed in or maybe leaving AD until the end is better?

@@aliedora I did them in order which I think is HTB's recommendation but it probably doesn't matter too much, so long as you revisit any modules you need a refresher on 🙂