# CPTS Preparation

The Hack The Box CPTS Preparation track equips learners with the essential knowledge and practical skills needed to succeed in the Certified Penetration Testing Specialist exam.

— [Hack The Box](https://app.hackthebox.com/tracks/CPTS-Preparation)

#### EASY

| Attack Type                                | HTB Machine | Attack Used in HTB                                                                                   | Walkthrough                                                                    | Tool / Notes                                  |
| ------------------------------------------ | ----------- | ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------ | --------------------------------------------- |
| AD/Certificate abuse, WinRM                | **Fluffy**  | Initial exploit → credential access → abuse of AD/ADCS and WinRM for lateral/privilege escalation.   | [Fluffy — walkthrough](https://www.youtube.com/watch?v=KvUC7bakm-E)            | certipy, WinRM, RCE PoC                       |
| Web: SQLi / LFI / log poisoning            | **Trick**   | SQL injection → LFI / log poisoning → escalate through service misconfigurations.                    | [Trick — walkthrough](https://www.youtube.com/watch?v=ai98umjeO8M&t=1150s)     | sqlmap, LFI/log-poisoning techniques          |
| Service misconfiguration (Redis / SSH key) | **Postman** | Unauthenticated Redis / write SSH key to get initial access; follow-up privilege escalation.         | [Postman — walkthrough](https://www.youtube.com/watch?v=jJnHET1o8ZQ)           | redis-cli, ssh-key exploitation, john/hashcat |

#### MEDIUM

#### AD / Domain-focused (Medium)

| Attack Type                                   | HTB Machine       | Attack Used in HTB                                                                                       | Walkthrough                                                                       | Tool / Notes                                      |
| --------------------------------------------- | ----------------- | -------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------- | ------------------------------------------------- |
| Web/Service → Jenkins RCE → PrivEsc (Windows) | **Jeeves**        | Abuse of Jenkins (unauthenticated/script console) for RCE, then Windows privilege escalation techniques. | [Jeeves — walkthrough](https://www.youtube.com/watch?v=EKGBskG8APc)               | Jenkins console, post-exploitation priv‑esc tools |
| ADCS / Certificate / AD enumeration           | **TombWatcher**   | AD enumeration + ADCS abuse (certificate-related escalation techniques).                                 | [TombWatcher — walkthrough](https://www.youtube.com/watch?v=um8b-TN76bY)          | certipy, BloodHound, impacket                     |
| Kerberos / relay / credential discovery       | **VulnCicada**    | Information leak + Kerberos relay / certificate relay to obtain machine certs or domain access.          | [VulnCicada — walkthrough](https://0xdf.gitlab.io/2025/07/03/htb-vulncicada.html) | petitpotam, certipy, impacket                     |
| Kerberoast / DPAPI / secret extraction        | **Voleur**        | Kerberoast / targeted ticket cracking + DPAPI / secrets dump to recover creds and escalate.              | [Voleur — walkthrough](https://www.hyhforever.top/posts/2025/07/htb-voleur/)      | Rubeus, mimikatz, secretsdump                     |
| AD: ACL / GenericAll / password reset abuse   | **Administrator** | AD ACL enumeration and abuse (GenericAll / password resets) to gain domain admin.                        | [Administrator — walkthrough](https://www.youtube.com/watch?v=Miam4nw9pmE)        | BloodHound, impacket, aclpwn-style techniques     |
| Ansible / leaked vault blobs → AD / creds     | **Authority**     | Discovery of Ansible vault blobs / secrets → decrypt/crack to obtain creds and pivot in the network.     | [Authority — walkthrough](https://www.youtube.com/watch?v=7AF5riqLy-8)            | ansible-vault, john/hashcat, AD tooling           |

#### Web / Application / Service (Medium)

| Attack Type                                       | HTB Machine  | Attack Used in HTB                                                                                           | Walkthrough                                                           | Tool / Notes                            |
| ------------------------------------------------- | ------------ | ------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------- | --------------------------------------- |
| ASP.NET insecure deserialization / ViewState      | **Pov**      | Information disclosure (web.config), insecure deserialization (ViewState/ysoserial) → RCE and escalation.    | [Pov — walkthrough](https://www.youtube.com/watch?v=84xCsHvkxYE)      | ysoserial.net, PowerShell, mimikatz     |
| Web: subdomain enum → SQLi → LFI/RFI              | **StreamIO** | Subdomain enumeration → SQL injection to steal creds → LFI/RFI to achieve RCE.                               | [StreamIO — walkthrough](https://www.youtube.com/watch?v=qKcUKlwoGw8) | sqlmap, LFI → RFI chains                |
| Web upload / symlink privesc / file abuse         | **Media**    | Malicious upload / file handling to obtain credentials or hashes; symlink/FS abuse for privilege escalation. | Media — walkthrough                                                   | file upload exploitation, hash cracking |
| Web app / Git / Vault interplay → host compromise | **Craft**    | Exploitation of web services (Gogs/Vault or similar) → steal secrets, pivot to host and escalate.            | [Craft — walkthrough](https://www.youtube.com/watch?v=3znkLWakuUA)    | web RCE, Vault access, SSH pivot        |

#### HARD

| Attack Type                                          | HTB Machine    | Attack Used in HTB                                                                                                                    | Walkthrough                                                                       | Tool / Notes                             |
| ---------------------------------------------------- | -------------- | ------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------- | ---------------------------------------- |
| AD / delegation (FTP / KeePass → MSSQL → delegation) | **Redelegate** | Anonymous FTP → KeePass database recovery → MSSQL credentials → abuse of constrained delegation / force-change to escalate to domain. | [Redelegate — walkthrough](https://0xdf.gitlab.io/2025/07/17/htb-redelegate.html) | keepass2john/john, mssql tools, impacket |
| Complex LFI → DNS/key leak → interception → priv esc | **Snoopy**     | LFI to read BIND/DNS keys → manipulate DNS / intercept password resets (mail/Mattermost) → SSH MITM/privilege escalation.             | [Snoopy — walkthrough](https://www.youtube.com/watch?v=6tn30O0SjVQ)               | socat/mitmproxy, SSH MITM, mail spoofing |

#### INSANE

| Attack Type                                                        | HTB Machine | Attack Used in HTB                                                                                                            | Walkthrough                                                        | Tool / Notes                                                            |
| ------------------------------------------------------------------ | ----------- | ----------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------ | ----------------------------------------------------------------------- |
| Multi-step AD / LDAP injection / container escape / AD trust abuse | **Ghost**   | LDAP injection → credential exfiltration (Gitea) → RCE → container pivot → abuse of AD trusts and multi-step domain takeover. | [Ghost — walkthrough](https://www.youtube.com/watch?v=4dEmocjKnZg) | LDAP injection scripts, container escape payloads, impacket, AD tooling |
