CPTS: How I Prepared and Passed the HTB Certified Penetration Testing Specialist Exam

An honest, detailed breakdown of everything I did to prepare for and pass the CPTS exam.

introduction

If you’re reading this, you’re probably somewhere in the middle of your CPTS journey — maybe just starting out, maybe stuck, or maybe just looking for reassurance that someone else figured it out too. I’m not going to pad this post with fluff. Here’s exactly what I did, what helped, what didn’t, and what I wish I had known earlier.

what I did before taking the CPTS exam

I won’t pretend I had some unique, revolutionary approach. Honestly? I followed the path of others. I read blogs, I watched videos, and I built on what people who came before me had already figured out. There’s no shame in that — standing on the shoulders of giants is how you climb faster.

What I did do differently was stay consistent and treat every resource like it mattered. Here’s the breakdown.


phase 1: HTB Academy — 4 to 5 Months of Grinding

I had no prior penetration testing experience when I started. That’s important context. Everything I learned came from grinding through the HTB Academy CPTS learning path.

It took me roughly 4 to 5 months to work through the full path, and I approached it with two rules:

Rule 1: Take notes on everything. Not just copy-pasting commands — I wrote down why something works, what the underlying concept is, and when I would use it in a real engagement. Notes that explain the “why” are the ones you’ll actually revisit during an exam.

For note-taking software, I prefer Obsidian; you might choose your own preference. There is a lot of note-taking software out there.

Rule 2: Do every lab and skill assessment blindly first. Before looking at hints or writeups, I forced myself to attempt every lab and skill assessment on my own. It doesn’t matter if it took me three hours on something that should take twenty minutes. That struggle is where the real learning happens.

After completing each module, I wrote a short summary of my approach — the thought process, the tools I used, the mistakes I made. This became an invaluable reference during the exam itself.

Reminder: Don’t rush the Academy path to hit a deadline. Rushing means shallow understanding, and shallow understanding will cost you during the 10-day exam window.


phase 2: CPTS Preparation Track — 1 Month

HTB released an official CPTS Preparation Track — a curated set of machines specifically designed to mirror the skills tested in the exam. I spent one month working through all 15 boxes in this track.

CPTS Preparation Track Machine List

| # | Machine Name | OS | Key Focus |
|---|--------------|----|-----------|
| 1 | Fluffy | Windows | Active Directory / General Enumeration |
| 2 | Jeeves | Windows | Privilege Escalation / KeePass |
| 3 | Trick | Linux | DNS Enumeration / LFI |
| 4 | Postman | Linux | Redis / Webmin CVE |
| 5 | Pov | Windows | SSRF / .NET Deserialization |
| 6 | TombWatcher | Windows | Active Directory |
| 7 | Media | Windows | Media Server Exploitation |
| 8 | VulnCicada | Windows | Active Directory / LDAP |
| 9 | StreamIO | Windows | SQL Injection / LAPS |
| 10 | Voleur | Windows | Active Directory / Credential Theft |
| 11 | Administrator | Windows | Active Directory / ACL Abuse |
| 12 | Authority | Windows | Active Directory Certificate Services |
| 13 | Craft | Linux | Git / SSTI |
| 14 | Redelegate | Windows | Active Directory Delegation |
| 15 | Snoopy | Linux | DNS / Command Injection |

my approach to each box

  • Easy and Medium boxes: I attempted them fully on my own, using LLMs occasionally when I was completely stuck on a specific concept (not to get the answer, but to understand the underlying technique).
  • Hard and Insane boxes: I watched walkthroughs and read writeups to understand how experienced testers approach these machines — their methodology, their tooling choices, their thought process. I didn’t try to brute-force my way through machines that would take me weeks to solve solo. Instead, I extracted the key techniques and documented them in my notes.

The goal wasn’t a perfect solo completion rate. The goal was to leave each machine having learned something I could apply on exam day.


phase 3: IppSec’s Unofficial CPTS Playlist

Alongside the preparation track, I watched IppSec’s unofficial CPTS playlist on YouTube. IppSec is one of the best resources in the HTB community — his explanations are clear, methodical, and closely mirror how you should think during a real penetration test.

My approach here mirrored what I did with the machines:

  • Easy/Medium: Attempt first, then watch to compare my approach.
  • Hard/Insane: Watch first to understand the technique, then take notes.

🎬 Playlist: IppSec’s Unofficial CPTS Playlist

Tip: Don’t just watch passively. Pause after each section and ask yourself: “Could I replicate this step right now?” If the answer is no, rewind.


phase 4: Pro Labs — Getting Comfortable with Real Networks

This is the part most people skip, and I think it’s a mistake.

The CPTS exam takes place in an enterprise-like internal network environment. It’s not a single isolated box — it’s a full network with multiple hosts, services, and pivot points. The best way to get comfortable with that kind of environment before exam day is HTB Pro Labs.

I purchased one month of Pro Labs access and completed two labs:

  • Dante — A great starting point for understanding network enumeration, pivoting, and chaining vulnerabilities across multiple hosts.
  • Zephyr — After a 2–3 day break, I moved to Zephyr, which pushed me further into Active Directory and lateral movement techniques.

Both labs helped me build intuition for things the exam will test you on: misconfigured services, outdated software, forgotten or exposed internal services, and the need to pivot through the network methodically rather than tunnel-visioning on individual machines.

Don’t skip Pro Labs. Even one month makes a significant difference in how comfortable you feel navigating a multi-host network under exam pressure.


phase 5: Report Writing

The CPTS exam is not just about getting flags — it includes a professional penetration test report as a deliverable. Many people underestimate this part, including me: I failed it on the first attempt.

The resource that helped me most was this article by Bruno Rocha Moura: CPTS Report Writing Guide

It walks you through how to structure a professional pentest report — executive summary, findings, evidence, remediation recommendations — the whole thing. I highly recommend reading it before your exam, not during it.

Also, if you have seniors out there, you should approach them and ask about their experiences in reporting. For me, I asked a senior, and he gave me some tips that could actually help me with my second-attempt report.

my reporting workflow

I used SysReptor as my reporting tool. It’s a web-based pentest reporting platform that lets you document findings in a structured, professional format as you go.

Thing you should do: Once you reach Flag 12, treat it as your natural checkpoint — pause active exploitation and shift your full focus to the report. Go back through every finding, polish your language, ensure each screenshot is clean and clearly annotated, write a detailed step-by-step walkthrough for each vulnerability, and make sure your remediation recommendations are specific to the actual target environment rather than generic advice.

Then, after you are done with the reporting, go for the last 2 flags; don’t let them haunt you after you have finished the exam.

Critical tip: Report as you go. Every time I captured a flag, I immediately documented the finding — the vulnerability, the steps to reproduce, the evidence (screenshots, commands, output). Do not leave reporting until the end. With a 10-day exam window, it’s tempting to push reporting to the final days, but you will forget details, and you will regret it.


key takeaways

If I had to distill everything into a short list:

  1. Follow the Academy path seriously — don’t skip modules, don’t rush.
  2. Take notes that explain the “why”, not just the “how.”
  3. Challenge yourself on every lab before looking for help.
  4. Use the CPTS Preparation Track — it exists for a reason.
  5. Watch IppSec — especially for machines and techniques outside your comfort zone.
  6. Do Pro Labs — at least Dante. Zephyr is a bonus.
  7. Learn to write reports before the exam — not during it.
  8. Report as you go — your future self will thank you.
  9. Be ready to research on the fly — You will almost certainly encounter something during the exam that you have never seen before. Don’t panic. The ability to research unfamiliar techniques quickly and adapt is itself a core penetration testing skill.

resources & tools

No matter how well you understand the concepts, having the right references open during the exam can save you hours. These are the resources I relied on most throughout my preparation and during the exam itself:

references & cheatsheets

  1. thehacker.recipes - Excellent structured reference for Active Directory attacks, Kerberos abuse, and Windows privilege escalation. Bookmark this one.
  2. HackTricks wiki - The go-to wiki for almost everything. If you’re stuck on a technique, chances are HackTricks has a page on it.
  3. GTFOBins — Essential for Linux privilege escalation. If a binary is on the system, GTFOBins will tell you how to abuse it.
  4. Nalchhen’s CWEE Cheatsheet — A detailed cheatsheet put together by a friend of mine. Highly recommended, because CPTS is not purely Active Directory — web application attacks are a significant part of the exam, and this cheatsheet covers them thoroughly.

tools

As for tooling, I primarily stuck with Linux-based attack tools since I am far more comfortable working in a Linux environment. That said, there are situations during the exam where Windows tools are either necessary or significantly more effective — so don’t completely rule them out.

A few tools worth having ready:

  • Nmap — Your bread and butter for network and service enumeration.
  • fping - For ping sweeping the network range.
  • BloodHound.py — Critical for visualizing Active Directory attack paths. Learn this well before the exam.
  • Impacket — A must-have suite for interacting with Windows protocols from Linux (SMB, Kerberos, DCOM, etc.).
  • NetExec — Invaluable for lateral movement, credential testing, and SMB enumeration across multiple hosts.
  • Evil-WinRM — Clean and reliable for Windows remote management over WinRM.
  • Ligolo-ng — My preferred tool for pivoting and tunneling through the network. Some might choose chisel over ligolo-ng.
  • Ffuf — Fast web directory and parameter fuzzing.
  • bloodyAD — A powerful Active Directory privilege escalation tool that works without needing to be on a Windows machine. Great for abusing AD permissions and ACLs directly from Linux.

You don’t have to mirror my setup exactly — use what you’re comfortable with. But make sure you’ve practiced with your tools before the exam. The worst time to learn a new tool is during a 10-day exam window.

final thoughts

The CPTS is genuinely hard. It’s a 10-day practical exam covering the full penetration testing lifecycle — enumeration, exploitation, privilege escalation, Active Directory attacks, lateral movement, pivoting, and reporting. You cannot cram for it.

But if you put in the months of consistent, deliberate practice described above, you will be ready. The exam is fair to people who prepared honestly.

motivation

Good luck. You’ve got this.

This post is licensed under CC BY 4.0 by the author.