As you may know, I passed the CPTS (Certified Penetration Testing Specialist) exam from HackTheBox on October 9, 2024. It’s been a while, but I’ll do my best to recall as much as I can for this blog.
The Course
To take the exam, you are required to complete the “Penetration Tester Path” course from HackTheBox Academy. You can access it in two ways: through monthly cube subscriptions or annual plans like Silver or Gold. In my case, I chose the Silver subscription, which included access to all penetration testing path modules plus a voucher for two CPTS exam attempts — a better deal than waiting for monthly cubes and purchasing a separate voucher.
As for the course content, it was fairly comfortable for me, as I’ve been doing Capture The Flag (CTF) challenges on various platforms for a long time, so much of it felt familiar. The curriculum starts from the basics, covering penetration testing regulations, Nmap, service enumeration, web attacks, pivoting, and Active Directory attacks. Finally, once you complete all those modules, you take on the capstone: the Attacking Enterprise Network (AEN) module, which brings together all the techniques and methodologies you’ve learned. This module was by far my favorite. Many people use it as a practice test for the exam, and I’ll explain how I approached it later.
Tips and Tricks for the Course
First, as everyone recommends: take notes! Many people use popular note-taking tools like Notion, Joplin, or Obsidian. For me, I used Notepad++ to take module notes, then organized them in Google Sheets, exported them as CSV, and loaded them back into Notepad++ for a lightweight, all-in-one reference. I’ll share more on technical note-taking in a future blog, but this was my method.
For the AEN module, treat it like a real exam — give yourself 10 days, including time for report writing. For the report, I used Sysreptor along with the CPTS Exam Report Template. There’s even a module that specifically covers report writing, so make sure to review it.
When tackling the AEN as a practice test, do your best on your first attempt. If you’re stuck for several hours (say, 4+), and nothing from the previous modules helps, take that as a chance to identify your weaknesses. Go back, study the areas where you’re struggling, solve that piece, and move forward. It’s essential to recognize where you’re weak and actively work on it. Practice report writing with Sysreptor during these 10 days as well. Once you complete the AEN module, I recommend repeating it using different techniques and methodologies to sharpen your skills. I personally went through it twice before my exam. My favorite part of AEN was the “Dealing with the Unexpected” section, which teaches you how to handle unknowns — a mindset I still apply today.
Post-Practice
After finishing all the modules, including AEN, I recommend doing the AEN module before moving on to post-practice labs, just to get it out of the way.
For post-practice, I suggest working on boxes from the IPSEC CPTS playlist and the TJ Null OSCP practice list (NetSecFocus Trophy Room Google Spreadsheet). I completed about 80–90% of the TJ Null list, focusing on boxes from HackTheBox, Proving Grounds (Practice and Play), and VulnLab (more on VulnLab later). I did fewer boxes from the IPSEC playlist due to time constraints and went straight to the exam.
These post-practice exercises help reinforce what you learned and introduce you to new tools, methodologies, and approaches. Always use write-ups as learning tools — not as a sign of defeat. If you’re stuck and have no other way forward, check the write-ups to learn, not to shortcut the process. (I’ll write more on this topic in a future blog.)
There’s often debate on Reddit and Discord about whether HackTheBox Pro Labs are necessary. My take: they’re worth it because they provide a deeper, more realistic enterprise network experience. I completed several Pro Labs like Dante, Zephyr, Rastalabs, and Offshore. For CPTS, Dante, Zephyr, and Offshore are enough — Rastalabs is overkill. Mini Pro Labs like Xen, P.O.O., and Hades aren’t necessary either. Also, feel free to mix and match labs and boxes; there’s no need to lock yourself into just one at a time.
Regarding VulnLab, I don’t think it’s essential for CPTS, even though it appears on the TJ Null list. That said, it’s great for sharpening your technical skills.
One more lab I want to mention is SlayerLabs. It offers its own Udemy course, which you can purchase while working through the labs. It’s a good course, and you’ll pick up some new tricks, especially around Active Directory and Metasploit techniques. While the AD sections are relatively easy and not super deep, SlayerLabs shines in its post-exploitation methodologies. If you need to strengthen your post-exploitation skills, SlayerLabs is a great resource.
In Summary:
- HTB, VulnLab, PG Practice & Play (independent boxes): Learn new tools, techniques, and problem-solving perspectives.
- HTB Pro Labs (Dante, Zephyr, Offshore): Gain exposure to enterprise network attacks, Active Directory, pivoting, and lateral movement.
- SlayerLabs: Focus on post-exploitation techniques and methodologies.
My Exam Journey
To keep it short, it took me two attempts to pass the CPTS exam. My advice: if you suspect you might fail the first attempt, use the remaining time to focus on writing the report — this will save you time on the second attempt, and you’ll receive feedback on your weaknesses (assuming they approve your report; otherwise, they’ll only provide report feedback.
Exam Advice
Here are a few key exam tips:
- As everyone says, use the Penetration Tester Path modules for review or when you miss something.
- Take breaks — go for a walk. If you get a new idea, jot it down in your phone or notebook so you’re not stressing over it in bed.
- Use Ligolo-Tools, embrace automation tools like Metasploit, and don’t hesitate to use AI tools like ChatGPT.
Lastly, good luck, mate!
I wish you the best on your exam and success in your penetration testing career!
Thanks you for reading this blog !