My CPTS experience - tips and tricks
HTB CPTS - My experience, tips and tricks
I recently passed the CPTS by HackTheBox. I got at least 50–100 DMs asking for tips, so in this blog I'll share my experience and some practical advice that helped me pass. Some of these are my own, and some I learned from people or friends online. A lot of the DMs came from complete beginners, so I'll start by sharing my journey from 0 to CPTS.

Here's the structure I'm going to follow (based on the questions I received). Feel free to jump to whatever part you're interested in. It's structured this way so I don't waste your time:
- My journey: 0 to CPTS (Skip this if you're just here for exam tips)
- Tips I received from friends and people online - and how accurate they really are (important)
- Additional learning materials I used (spoiler: not many) and preparation tips
- Issues I faced while preparing and during the exam (again, important)
1. My journey: 0 to CPTS
At the time of writing this, I'm in the 7th semester of my Bachelor's in Computer Engineering. I started with some basic TryHackMe paths, up to the Jr. Pentester path (couldn't finish Red Teaming) in my 4th semester. After this, I was advised to jump straight into HackTheBox.
We've all heard that OSCP is the gold standard, but I watched this video by Pink Draconian, who claimed you learn a lot more in CPTS, with better study material and much cheaper pricing. So I started the Pentester Job Role path on HTB around February 2024 and did it for 3–4 months before exams interrupted me.
I had completed 40% of the path by then. When I resumed, I realized all my notes were in a physical notebook (don't judge, we all start somewhere). I switched to Obsidian and made module-wise notes. But I made the mistake of just copy-pasting everything, including screenshots from skills assessments. While helpful, they didn't cover the core concepts.
I especially struggled with AD and some web attacks. A friend with a gold sub shared walkthroughs, which I speedran till Windows PrivEsc. My sub was expiring, and I wanted to move to boxes. I skipped the last 2 modules since I heard AEN was a better lab for exam practice.
Then I did boxes for around 3 months and I was stuck almost every time. Speedrunning the modules didn't help. I must have done 60–80 retired boxes, but always with writeups. I understood the content but couldn't do it alone. That's when I realized I needed a methodology.
I bought a prolab voucher and completed Dante. Also did 7 flags on Zephyr. Dante was eye-opening. I actually hacked on my own (with help on Discord). Multiple pivots and port forwards using ligolo-ng made me feel like I was learning something real.
Feeling confident, I tried more boxes and tackled Chemistry (payload didn't work despite the right CVE) and LinkVortex (stuck at foothold, needed help again). I knew the attack paths but still struggled with execution.
By early 2025, I knew I had to get serious. I didn't have a solid methodology. That's when I found these blogs by BRM. He had a field manual template that I decided to replicate. I reached out to him on LinkedIn. He was incredibly kind and answered all my queries.
He also did a live presentation on the HackSmarter Discord and talked about creating checklists for when you get stuck. I reached out again, and he generously shared a few examples with me.
BRM recommended the Using CrackMapExec module. Since I didn't have enough cubes, I played HTB Season 7 for rewards. I barely knew what I was doing. My friends helped a lot. But I did learn hands-on AD, bloodyAD, Kerberos clock skew, and more. I solved all the Season 7 machines (with help), got the cubes, and unlocked the module.
When summer break started, I went all-in on making my field manual. I posted a daily log on X (formerly Twitter) (shameless plug, follow me).
This took 41 days where I re-did everything from scratch, made notes, and completed the skills assessments myself. I still got stuck, but now I understood the why. Then I tackled AEN on my own. Again, I struggled, but did most of it solo. As soon as I finished, I purchased the exam voucher and started my attempt. The rest is history.
2. Tips I received from friends and people online - how accurate are they?
Let's break it down:
1. "You don't need to do boxes. They're different from the exam."
True, if you have a solid methodology. Dante will teach you more as a beginner than any box. Boxes crushed my confidence. Skip them if you've already got fundamentals.
2. "Do the CrackMapExec/API attacks modules."
Not needed post-update (2025). Instead, read CME's docs and the spider module if you must. The CME skills assessment made me doubt myself a day before the exam.
3. "Leave plenty of time for reporting."
100% true. My report took 2–3 days. I was burnt out and made several mistakes including missed redactions, typos, and my name not rendering in 4 places. But I passed. The report was 195 pages.
4. "Build solid notes."
True. I was bad at note-taking, but my field manual saved time and kept me away from Googling or using ChatGPT during the exam.
5. "Enumeration is everything."
Absolutely true. The exam isn't hard, it's about finding the right things. Flag 5 was supposedly hard, but I found it easy because I knew the modules. Manual enumeration using PowerView or fuzzing is key.
6. "AEN is the closest thing to the exam, but forget it when the exam starts."
Half true. The exam is harder. Do AEN blind, but if stuck for more than 1–2 hours, use the walkthrough.
3. Additional learning materials and preparation tips
I didn't use much extra material. Here's what helped:
- Enumeration is everything (already covered above).
- Treat AEN like a real exam. Use the same tools you'll use during the real exam (e.g., ligolo-ng).
- Practice pivoting and double tunneling. It's easy to mess up. I highly recommend this Ligolo-ng post.
- Main tools:
  - ligolo-ng for tunneling
  - bloodyAD for AD
- Stay calm. If stuck, try a different approach. Change the tool, wordlist, or method. Knowing the modules well makes a big difference.
- Practice report writing. I used SysReptor for reporting. It's a very easy-to-use tool and I had some experience with Markdown, but it can be overwhelming for first-time users. I just winged it on the exam. I would not recommend this to anyone.
4. Issues I faced during prep and the exam
- Exam lab being finicky
  Things didn't load properly.
  Fix: Contacted support. They told me to change my VPN. That fixed it.
- Ligolo-ng not working
  I faced this issue.
  Fix: Build static binaries yourself. Here's how:

  ```bash
  # Install the Go toolchain and the MinGW cross-compiler, then fetch the source
  sudo apt update
  sudo apt install -y git golang-go build-essential mingw-w64
  git clone https://github.com/nicocha30/ligolo-ng.git
  cd ligolo-ng
  ```

  Build static binaries:

  ```bash
  # CGO_ENABLED=0 gives a pure-Go binary with no libc dependency.
  # -trimpath drops local build paths; -ldflags "-s -w" strips symbols and DWARF.
  CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
  go build -trimpath -ldflags "-s -w" -o proxy cmd/proxy/main.go
  CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
  go build -trimpath -ldflags "-s -w" -o agent cmd/agent/main.go
  # Windows agent, cross-compiled from Linux (CC is only consulted when cgo is enabled)
  CGO_ENABLED=0 GOOS=windows GOARCH=amd64 \
  CC=x86_64-w64-mingw32-gcc \
  go build -trimpath -ldflags "-s -w" -o agent.exe cmd/agent/main.go
  ```

  Use these in the exam. Precompiled binaries from GitHub releases didn't work for me.
- Double pivot was unstable
  No fix for this. I gave up after getting 12 flags.
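For the ligolo-ng build steps above, a quick check that the Linux `proxy` and `agent` binaries really came out static before you rely on them. This is an added example, not part of the original post or the ligolo-ng project; `elf_linkage` and `sample_elf64` are hypothetical names, and the sample image is constructed.

```python
import struct
import sys

PT_INTERP = 3  # program header type that names the runtime loader (ld.so)

def elf_linkage(data: bytes) -> str:
    """Return 'static' or 'dynamic' for an ELF image; ValueError otherwise."""
    if len(data) < 0x34 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or byte order")
    end = "<" if ei_data == 1 else ">"
    if ei_class == 2:  # ELF64 header layout
        if len(data) < 0x40:
            raise ValueError("truncated ELF64 header")
        (phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:  # ELF32 header layout
        (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
    types = set()
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(data):
            raise ValueError("program header table truncated")
        types.add(struct.unpack_from(end + "I", data, off)[0])
    # A PT_INTERP entry means the kernel must find a loader and shared
    # libraries on the host that runs the binary; a static build has none.
    return "dynamic" if PT_INTERP in types else "static"

def sample_elf64(ptypes):
    """Constructed minimal ELF64 little-endian image (headers only)."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 0x40, 0, 0,
                              0x40, 56, len(ptypes), 0, 0, 0)
    return hdr + b"".join(struct.pack("<I", t) + bytes(52) for t in ptypes)

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. ./proxy ./agent
        with open(path, "rb") as fh:
            try:
                print(path, elf_linkage(fh.read()))
            except ValueError as exc:
                print(path, "skipped:", exc)
```

`agent.exe` is a PE file, so it is reported as skipped rather than classified.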