CPTS Preparation

The Hack The Box CPTS Preparation track equips learners with the essential knowledge and practical skills needed to succeed in the Certified Penetration Testing Specialist exam.

Hack The Box

EASY

| Attack Type | HTB Machine | Attack Used in HTB | Walkthrough | Tool / Notes |
| --- | --- | --- | --- | --- |
| AD/Certificate abuse, WinRM | Fluffy | Initial exploit → credential access → abuse of AD/ADCS and WinRM for lateral/privilege escalation. | | certipy, WinRM, RCE PoC |
| Web: SQLi / LFI / log poisoning | Trick | SQL injection → LFI / log poisoning → escalate through service misconfigurations. | | sqlmap, LFI/log-poisoning techniques |
| Service misconfiguration (Redis / SSH key) | Postman | Unauthenticated Redis / write SSH key to get initial access; follow-up privilege escalation. | | redis-cli, ssh-key exploitation, john/hashcat |

MEDIUM

AD / Domain-focused (Medium)

| Attack Type | HTB Machine | Attack Used in HTB | Walkthrough | Tool / Notes |
| --- | --- | --- | --- | --- |
| Web/Service → Jenkins RCE → PrivEsc (Windows) | Jeeves | Abuse of Jenkins (unauthenticated/script console) for RCE, then Windows privilege escalation techniques. | | Jenkins console, post-exploitation priv-esc tools |
| ADCS / Certificate / AD enumeration | TombWatcher | AD enumeration + ADCS abuse (certificate-related escalation techniques). | | certipy, BloodHound, impacket |
| Kerberos / relay / credential discovery | VulnCicada | Information leak + Kerberos relay / certificate relay to obtain machine certs or domain access. | | petitpotam, certipy, impacket |
| Kerberoast / DPAPI / secret extraction | Voleur | Kerberoast / targeted ticket cracking + DPAPI / secrets dump to recover creds and escalate. | | Rubeus, mimikatz, secretsdump |
| AD: ACL / GenericAll / password reset abuse | Administrator | AD ACL enumeration and abuse (GenericAll / password resets) to gain domain admin. | | BloodHound, impacket, aclpwn-style techniques |
| Ansible / leaked vault blobs → AD / creds | Authority | Discovery of Ansible vault blobs / secrets → decrypt/crack to obtain creds and pivot in the network. | | ansible-vault, john/hashcat, AD tooling |

Web / Application / Service (Medium)

| Attack Type | HTB Machine | Attack Used in HTB | Walkthrough | Tool / Notes |
| --- | --- | --- | --- | --- |
| ASP.NET insecure deserialization / ViewState | Pov | Information disclosure (web.config), insecure deserialization (ViewState/ysoserial) → RCE and escalation. | | ysoserial.net, PowerShell, mimikatz |
| Web: subdomain enum → SQLi → LFI/RFI | StreamIO | Subdomain enumeration → SQL injection to steal creds → LFI/RFI to achieve RCE. | | sqlmap, LFI → RFI chains |
| Web upload / symlink privesc / file abuse | Media | Malicious upload / file handling to obtain credentials or hashes; symlink/FS abuse for privilege escalation. | Media — walkthrough | file upload exploitation, hash cracking |
| Web app / Git / Vault interplay → host compromise | Craft | Exploitation of web services (Gogs/Vault or similar) → steal secrets, pivot to host and escalate. | | web RCE, Vault access, SSH pivot |

HARD

| Attack Type | HTB Machine | Attack Used in HTB | Walkthrough | Tool / Notes |
| --- | --- | --- | --- | --- |
| AD / delegation (FTP / KeePass → MSSQL → delegation) | Redelegate | Anonymous FTP → KeePass database recovery → MSSQL credentials → abuse of constrained delegation / force-change to escalate to domain. | | keepass2john/john, mssql tools, impacket |
| Complex LFI → DNS/key leak → interception → priv esc | Snoopy | LFI to read BIND/DNS keys → manipulate DNS / intercept password resets (mail/Mattermost) → SSH MITM/privilege escalation. | | socat/mitmproxy, SSH MITM, mail spoofing |

INSANE

| Attack Type | HTB Machine | Attack Used in HTB | Walkthrough | Tool / Notes |
| --- | --- | --- | --- | --- |
| Multi-step AD / LDAP injection / container escape / AD trust abuse | Ghost | LDAP injection → credential exfiltration (Gitea) → RCE → container pivot → abuse of AD trusts and multi-step domain takeover. | | LDAP injection scripts, container escape payloads, impacket, AD tooling |
