How I Speedran CPTS in 1.8 Months (and miraculously passed)
tldr: social life gone to ashes
note: this is the newest (at the time of writing) version of CPTS.

I don't want to bore you (the reader) with the basics of what CPTS is; pretty sure you've already read 50 articles by other people passing this cert, and you're probably aiming to find something much more useful, such as resources (dw, I'll give that later on).
Storytelling time. I started the modules around late Feb and finished around mid-April (can't remember the exact starting date, but roughly ~1.8 months). During the academy modules, admittedly, I didn't have the capacity to absorb all of the content, but rather focused on my labs and took detailed notes on what steps I did, what went right/wrong and how to fix the wrongs. This became useful during the exam. I also had some crunch days where I did 24-hour grinds without sleep to finish the modules (AD was long and painful).
Note: for note-taking, I used Notion for both the exam and the academy modules. The note structure was like this:
(say we're inside the module already)
# Module section
<content>
## Questions
<detailed step by step>
Answer: <hash>
Sample taken from my notes directly:


I attempted my 1st take on the exam on April 18 and utilized the full 10 days until April 28 to submit my report. Initially (and admittedly) I got too cocky and thought I could get it done in 2-3 days, but of course I got humbled bad.
I got 1 flag after 2 days, got stuck on flag 6 for a few days (this one was painful), also on flag 8 and a bit on 9 and 12, but other than that the flags I haven't mentioned weren't outrageously hard; you just have to take a step back and look at the bigger picture (i.e., instead of looking for CVEs, look for internal misconfigurations). I got 12/14 flags because it was day 8 when I consecutively got 3 flags (flags 10-12) and I hadn't done ANY proper reporting yet at that time, so I called it quits and prayed to otherworldly beings that my report would suffice lol.
Luckily the report passed (although I know personally that there were some things I would've improved on if I wasn't restricted by time). The exact feedback I got was this:
Note: not sure if I'm allowed to show who the examiner is, but they put their full name and handle. I saw his video once on tips and tricks for CPTS and didn't even know at the time that he was an examiner haha.
Resources and (non-generic) Tips and Tricks
As I'm writing this I'm wine drunk at 3am on a Sunday midnight, so forgive the mistakes. Anyways, I'm not gonna bore you with the generic crap you see everywhere with the TLDR of "just try harder bro", but instead attempt to give good practices that I've picked up. As much as I want to be super specific about something on the exam, I don't want my cert to be revoked :/ Also this is not a very structured tips and tricks, just freeforming and writing whatever comes to mind, so I might add/modify anything when I'm more sober.
Relatively hard flags (as agreed on platforms like reddit)
As mentioned previously, flag 1 and a couple of others were notoriously hard, and unfortunately the only way forward for these is the generic 'try harder'. These flags have what I'd rather call "complex" exploit chains that you need to do first in order to either gain a foothold or escalate your privileges for that specific flag.
Admittedly, there were some things in the exam that were not fully covered in the modules (requiring you to do research mid-exam), though it could be argued that yes, the concept was taught, but you would not expect to exploit that path because the one you're doing is already promising/already giving you results. The best advice I can give for this is "if it works but you're still not moving forward, maybe that's it, just in a different flavor". Otherwise, take the other quote: repeating the same thing over and over again expecting a different result is a sign of insanity or something.
Rabbit Holes
The exam is pretty straightforward; you will get a feel mid-exam for whether an exploitation path is BS and just deliberately wasting your time, or "this is it, I just need the right angle to attack it". This might differ from experience to experience, but during my examination attempt I didn't feel any "rabbit holes" or fake paths designed to look like real ones. I've always kept something like this in the back of my head: "if a credential pair doesn't work on anything, then it's probably nothing".
One of the best pieces of advice I got from a friend during my examination attempt was "keep things dumber" and (non-verbatim) "wag mo i-overthink" (don't overthink it), because this is an intermediate-level exam; you're not expected to make and write a 0-day (exaggeration), so if you're already thinking of that path then you're probably overthinking it.
Reporting
What I did was just follow the Sysreptor template for CPTS. I kind of winged it on the exam, with only a little experience of testing it out by adding vulns/editing sections before I started the exam.
One thing I did was take REALLY detailed notes. I structured my notes like this:
Exam (take 1)
- Targets/live hosts
- Enumeration
  - EXT.ppurin.local
  - DMZ.ppurin.local
  - AD.int.ppurin.local
- Findings
- Accounts Compromised
- Notes
- Attack Chain
- For targets, I kept it simple and just added the targets/vhosts I found and how I found them.
- Enumeration: on the main page I did the nmap scans, then created a page for the specific domain/vhost/machine. Essentially it acted as "foothold/privesc" notes for that specific machine. This became useful later on with my reporting alongside my field notes.
- Findings were positioned to be quick hits for proper vulns. Say I found anonymous FTP on a service; I'd just put something there like:
## EXT.ppurin.local:21 - anonymous FTP allowed
command: ftp [email protected]
result: <successfully logged in whatever> or a screenshot
This helps in report writing so you won't waste time sifting through all of your notes just to find a specific vulnerability, essentially making this the primary source of information when report writing, with the field notes as backup/supplementary details.
- Accounts compromised is pretty straightforward, but the reason I did that was to not miss any user credential pair, since I was already anticipating that the network would be huge, and boy, I was not wrong.
- The Notes page was my field notes. It also served a really important part when I was report writing, because there were some commands I'd left out of the findings section that were in my notes section, because I was doing FAFO.
- Attack chain was just how I exploited x and y, more of a guide in case I forgot everything the next day. It's supposed to be an anti-amnesia page: in case I forget, I'll remember. To be fair I haven't utilized this too much because I remembered all the attack chains I did (and I had planted persistence on machines I knew mattered, such as the initial foothold, so I could ligolo my way through).
I'm pretty sure there's a better way to structure this, but I just made that up on the fly during my exam. If you do, feel free to modify it and create your own methodology that works best for you.
AEN (attacking enterprise networks)
A lot of people are saying that you should take this blind, and honestly I get why; it's the closest thing you will have to the exam. I didn't follow this personally because I wasn't really going through reddit and stuff, but I know it would've been nice. There were a lot of instances where I had to look at the AEN page to see what exploits were tried and how they worked around that.
In short, yes, take the AEN blind, especially if you're not comfortable with AD yet.
No, it's not a mini CPTS. But what it showed me was the mindset of the exam makers mid-exam and how I utilized that to get the flags.
Useful Tools
I didn't use any special/nonstandard tooling specifically made for RT engagements (though custom harvesters that gather everything in one shot would've been REALLY nice, it's just not necessary in this exam). Generally, what the academy gives you throughout the entire course is already enough. I found myself going through the same methodology post-compromise, which is to just run LaZagne/Snaffler after compromise in case I missed something in that user's context, then if I find nothing I go exploring manually through installed apps. Other than that, here are some tools I used that I don't think the academy covered/covered in depth enough that are useful:
- https://github.com/aniqfakhrul/powerview.py
- https://github.com/Greenwolf/ntlm_theft
- https://github.com/trustedsec/LnkMeMaybe
- https://github.com/CravateRouge/bloodyAD
- impacket-*
- https://github.com/ghostpack/rubeus
- https://github.com/specterops/bloodhound
- https://www.netexec.wiki/
Thanks
Thanks to the friends in our red team space who believed in me and gaslighted me into thinking I could do this in 3 days tops. You know who you are. And also to the friends who did the earlier versions and gave their insights so I could better prepare.