Pentest_Notes

🎯 HTB Certified Penetration Testing Specialist (CPTS) Exam Checklist

Exam-specific tips, common scenarios, and time management strategies. Last Updated: 2026-03-27

Exam Overview

Format: Practical, hands-on penetration test of a simulated corporate network
Duration: 10 days for testing + 10 days for report writing (verify current format)
Objectives: Compromise machines, collect flags, write a professional report
Key Areas: External/internal enumeration, web attacks, AD attack paths, privilege escalation, pivoting, lateral movement, reporting

Time Management Strategy

Day	Focus
1	Full enumeration of all accessible hosts. Map the network. Identify all services.
2-3	Web application attacks, initial foothold
4-5	Post-exploitation, privilege escalation, credential harvesting
6-7	Active Directory attacks, lateral movement
8-9	Pivoting to internal networks, repeat methodology on new subnets
10	Flag collection verification, cleanup, start report notes
11-20	Report writing

⚠️ CPTS Exam Tip: Don’t rush exploitation. Spend the first day ONLY on enumeration. The better your enumeration, the faster your exploitation.

Common Exam Scenarios & What to Look For

External Perimeter

Web applications with known CVEs
Default credentials on web apps
SQL injection leading to shell
File upload vulnerabilities
LFI/RFI to code execution
Exposed Git repositories (.git/)
Exposed configuration files
Subdomain enumeration revealing hidden apps

Initial Foothold to Domain User

Credentials in web app configs/databases after web shell
Credentials in files on SMB shares
Password reuse from web app to domain
ASREPRoasting without credentials
LLMNR/NBT-NS poisoning (Responder)
Username = password

Domain Escalation

Kerberoasting → crack service account passwords
ACL abuse chains (GenericAll, GenericWrite, WriteDacl, ForceChangePassword)
Unconstrained/constrained delegation
Group Policy Preferences (GPP) passwords
Passwords in AD description fields
DCSync with sufficient privileges

Lateral Movement

Pass-the-Hash with admin NTLM hashes
WinRM/PSExec/WMI with credentials
Password spraying with found credentials
Accessible shares with sensitive data
RDP with found credentials

Privilege Escalation

Service misconfigurations (unquoted paths, weak permissions)
Scheduled tasks with writable scripts
AlwaysInstallElevated
Stored credentials (cmdkey, browser, KeePass)
Kernel exploits (last resort)
SUDO misconfigurations (Linux)
SUID binaries (Linux)
Cron jobs with writable scripts (Linux)

Things Commonly Missed

⚠️ CPTS Exam Tip: These are frequently overlooked and can cost you flags:

Key Commands Quick Reference

```bash

Quick full-scope enumeration

nmap -p- -v –min-rate 4000 -sV nmap -sUV --reason -F --version-intensity 0 --min-rate 5000

SMB null session check

nxc smb -u "" -p "" --shares nxc smb -u "guest" -p "" --shares

Username = password check

nxc smb -u users.txt -p users.txt --no-bruteforce

ASREPRoast without creds

impacket-GetNPUsers domain.com/ -usersfile users.txt -dc-ip -request

Kerberoast with creds

nxc ldap -u 'user' -p 'pass' --kerberoast spns.txt

Quick web enum

feroxbuster -u http:// -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt,bak -t 100

BloodHound collection

SharpHound.exe -c All –zipfilename bh.zip

Report Writing Tips

Document attack path from start to finish with screenshots
Include remediation recommendations for every finding
Use CVSS scoring for vulnerability severity
Include an executive summary for non-technical audience
Proofread for grammar and consistency
→ See 15_Reporting_Documentation.md

Exam Day Reminders

Take regular breaks — 10-day exam is a marathon, not a sprint
If stuck for 2+ hours, move to a different target
Re-enumerate with every new credential found
Screenshot EVERYTHING — you can’t go back
Keep organized notes — they become your report
Enumeration is key; step back and try harder