Introduction
I will be doing my best to provide tips that have not been shared multiple times already, as there are already plenty of reviews.
About one year ago after working for 6.5 years in the networking field, my interest in cybersecurity was piqued when it started to become more mainstream. The idea of penetration testing immediately captivated me and I spent the next 6 months mastering foundational topics such as operating systems, coding and web application knowledge. Then, while researching for various certificatations I came upon HTB’s CPTS, which stood out from the rest as it involved a 10 day fully practical exam, a commercial grade report and completing the “Penetration Tester” HTB Academy path before even attempting the certification which consists of 28 modules totaling 344 hours (as estimated by HTB).
Several months later after completing the path and various labs as practice, I sat the exam and failed the first time with 8/14 flags, then passed it on the retake with 14/14 flags. And here comes tip #1. My exam taking strategy was flawed. I thought that taking off time from work and spending 12+ hours on the exam every day would surely be the optimal strategy, but it was not. I slowly burned out and by the end my brain would no longer function properly. I would say 7-8 hours a day is the sweet spot. Starting the exam on an early Saturday should be enough time to complete the exam, no PTO required.
Study Strategy
tip #2 is actually following HTB’s advice for taking the modules. In the starting modules a solid strategy for tackling each module is presented: reading the module without taking notes then reading it again while taking notes. This makes the student aware of the entire section context which in the end helps with taking better notes. I ignored this advice at first which lead to lower quality notes, which lead to me needing to redo some modules.
For the next tip #3, whenever you feel like you do not fully grasp something, spend some time doing additional research on it. One example in my case was with the Kerberos protocol. I could not fully understand it from the material alone, but after watching this video it became much clearer to me. Skipping this process is a severe mistake as the exam tests the student on the critical understanding of the content, not just reproducing the commands shown in the modules.
Another important tip #4 that helped me is creating mind maps and checklists at the end of the modules. Assume the scenario where access is obtained as a regular low privilege active directory user, trying to remember all the checks to perform at this point from memory is challenging and coupled with the exam stress missing crucial information becomes more probable. Thus having a mind map as an additional resource for each step in the penetration testing process is crucial for proper and meticulous enumeration.
For mind maps I like to use excalidraw. The following is pretty good example of how a proper mind map should look like. For some modules, particularly the Web related ones I instead chose to make markdown checklists in this format. Choosing between a mind map and a checklist is a highly subjective choice, and comes down to personal preferance.
# XSS Checklist
- [ ] Check 1
- [ ] Check 2
...
Practice
My last tip #5 is likely to be a controversial one. The general consensus among HTB staff and HTB Discord users is that the path and the practice it offers are enough to pass the exam. It is true that almost all sections of every module present the student with a mini assessment of the topic that was presented, while each module ends with a larger, more complex assessment. However in all of the modules, except for the last one the student always knows what vulnerability is supposed to be found, which defeats the point of “black box” pentesting. For example, when doing the “File Inclusion” module, the student knows that each section assessment, including the module assessment at the end will involve identifying and exploiting an LFI vulnerability.
This is very different from being presented with a web application with no prior knowledge of what vulnerabilities are present. It requires meticulous testing of all application functionalities against multiple vulnerability classes, instead of just one. This sort of practice is only presented to the student once, in the final module. For very bright students, perhaps this is enough, but it definitively was not for me, so after completing the path I spent some time practicing labs on various platforms in order to test and cement my understanding of concepts taught in the modules.
Below I will list my favorite machines from each provider that can be mostly solved only with the knowledge obtained from the CPTS modules. In addition to these I also completed the machines in the well known ippsec list which I consider good practice, and hence they are excluded from my list. The order is intentional, but if you feel like TryHackMe’s machines are getting too easy, feel free to skip ahead(though they are much gentler introduction to boot2root CTFs if you are new to them).
The tables are easy to import and track into any markdown reader. If you feel like a machine should not be here or that another should, please don’t hesitate to reach out to me.
VulnLab was recently acquired by HTB, which means in at some point the machines will be transferred to the HTB platform.
TryHackMe
| Index | Machine | OS | Category | Completed? |
| :---: | :-------------------: | :-----: | :------: | :--------: |
| 1 | Chill Hack | Linux | Web | |
| 2 | Cyborg | Linux | Web | |
| 3 | Game Zone | Linux | Web | |
| 4 | GamingServer | Linux | Web | |
| 5 | Skynet | Linux | Web | |
| 6 | Steel Mountain | Windows | Web | |
| 7 | Tomghost | Linux | Web | |
| 8 | Overpass3 | Linux | Web | |
| 9 | Intranet | Linux | Web | |
| 10 | Dogcat | Linux | Web | |
| 11 | Hack Smarter Security | Windows | Web | |
| 12 | AllSignsPoint2Pwnage | Windows | Web | |
| 13 | Relevant | Linux | Web | |
| 14 | Year of the Fox | Linux | Web | |
| 15 | Year of the Pig | Linux | Web | |
| 16 | For Business Reasons | Linux | Web | |
| 17 | Daily Bugle | Linux | Web | |
| 18 | Internal | Linux | Web | |
| 19 | Reset | Windows | AD | |
| 20 | K2 | Windows | AD | |
HackTheBox
| Index | Machine | OS | Category | Completed? |
| :---: | :-----------: | :-----: | :------: | :--------: |
| 1 | Bashed | Linux | Web | |
| 2 | BountyHunter | Linux | Web | |
| 3 | Friendzone | Linux | Web | |
| 4 | Bastion | Windows | Web | |
| 5 | Return | Windows | Web | |
| 6 | Heist | Windows | Web | |
| 7 | Sauna | Windows | AD | |
| 8 | Cicada | Windows | AD | |
| 9 | EscapeTwo | Windows | AD | |
| 10 | Cronos | Linux | Web | |
| 11 | Shibboleth | Linux | Web | |
| 12 | Bastard | Windows | Web | |
| 13 | Sniper | Windows | Web | |
| 14 | Resolute | Windows | AD | |
| 15 | Intelligence | Windows | AD | |
| 16 | Administrator | Windows | AD | |
| 17 | Mantis | Windows | AD | |
| 18 | Dante | Mixed | Web&AD | |
| 19 | Zephyr | Mixed | Web&AD | |
VulnLab
| Index | Machine | OS | Category | Completed? |
| :---: | :--------: | :-----: | :------: | :--------: |
| 1 | Data | Linux | Web | |
| 2 | Baby | Windows | AD | |
| 3 | Sweep | Windows | AD | |
| 4 | Phantom | Windows | AD | |
| 5 | Trusted | Windows | AD | |
| 6 | Reflection | Windows | AD | |