My HackTheBox CPTS Certification Review

After 3 months of preparation and 10 days of examination, I obtained the CPTS 🎉.

• The CPTS
• The Exam
  • The Courses
  • The Lab
  • The Report
• Conclusion
  • My Tips, In Brief
• Some References

The CPTS

The CPTS is a penetration testing certification, covering globally the prerequisites of a pentester.
28 course modules are to be followed, each comprising numerous chapters.
Almost every chapter includes a few questions, sometimes with a mini VM as a skill assessment.

The estimated duration is 3 months, which can be shortened if you’ve already completed certain modules.
The estimation is rather accurate; personally, I took 2.5 intensive months (I had already validated some modules).

The certification, on paper, technically approaches the OSCP level, but with different duration:

• OSCP: 24h exam + 24h report
• CPTS: 10 days exam + report

The main difference lies in the price: CPTS is ~€300, versus ~$1700 for the OSCP.
Also, the learning path works on a subscription basis, making it very accessible.

The Exam

The Courses

The courses are verbose, which can seem tedious, but you get used to it. There are enough diagrams to understand everything.

There are also many commands provided; ideally note them all. Also collect all the cheatsheets which are generally sufficient, but not all commands are included.

The skill assessments just validate that you’re following the course somewhat. No need to get stuck on them; they’re sometimes difficult but never impossible to find. The forum helps a lot in exploring the right tracks when blocked.

For my part, I was blocked until the end of the certification on the Nmap skill assessment. Returning to it several times always helps with progress.

The Lab

The exam is hard, no doubt, and the 10 days are necessary.

You’ll have several “big” enumeration phases, but the whole thing remains coherent and there’s no random password in a randomly hidden file on the system or an ultra-protected random port.

During enumeration, note everything, not just for the report but also for the machine you’ll see in 3 days with password reuse.

After exploitation, and this is repeated several times in the course: Stabilize your connections.

We always lose several hours establishing, repairing, and debugging network tunnels and pivots. By using the right tools for each situation, we really save time.

Finally, don’t forget the purpose of the audit: Help the client secure. Several vulnerabilities don’t interest us but are important anyway (failing to have flags, you gain points on the report.)

The Report

I must admit I failed the first try (we get 2 tries per voucher) because of the report.
Close to giving up on the 12th flag (last required), I found the solution at 1 AM, after 12 hours of work, 12 hours before the deadline.
As expected, the report was far from adequate and I received complete feedback from the jury to ensure I validated everything without redoing the audit on the 2nd try.

The report is probably the biggest trap; you need to plan 2 days to have the minimum.
For me, it was ultimately the most “new” part; we’re asked for extremely complete reflection on remediation solutions to propose.

The most important sections of the report are the timeline, important for understanding what happened, as well as the findings, what we’re paid for.

In the audit timeline, you need 3 levels of detail:

• Executive Summary (High level)
• Detailed Walkthrough (Semi-technical)
• Reproduction Steps: Everything must appear (code, screenshots, commands…)

The timeline therefore represents in my case 40 pages (~¹⁄₂ of the report).

The rest is dedicated to findings; all findings must be detailed, with explanation, reproduction, and remediation.

About 60 pages for me…

Conclusion

With a bit of energy, the certification is largely achievable if you have some knowledge in security, and good Windows and Linux culture.

However, the purely network part is in my opinion ultimately minor and rather limited to enumeration/pivoting.
The only vulnerability at this level wasn’t even applicable to my path (but still critical).

Being depicted as “for pentesting,” the CPTS covers in my eyes a broader spectrum of careers, especially in the highly specialized security field.
Several course chapters are clearly enriching for a purple team.

My Tips, In Brief

• Note all commands of interest
• Make a notebook; everyone organizes their notes differently and even the very detailed CPTS notebooks on Github forget elements
• Do boxes, pro labs: boxes bring a clear method for a machine. Pro labs additionally bring a notion of organization, particularly on the enumeration/exploitation/pivot cycle that must ALWAYS be repeated at each step (new access, new account, etc.)
• Master file transfer and pivoting techniques
  • Revsock, MSF, Ligolo, Chisel, etc.

Some References

• My personal notebook (!!!contains spoilers on skill assessments): https://icy-word-77c.notion.site/28e13133cc3a80f5ad9fc5a77f1024f8?v=28e13133cc3a80d9afc5000c678bf51a
• Much better detailed than here: https://medium.com/@TheOniOne/cpts-tactics-survival-85fc219d9229
• Tips from this article: https://rezydev.com/writeups/hackthebox/ultimate-htb-cpts-guide#my-top-10-cpts-tips