[ HALL OF FAME ]

CPTS passers who completed the journey. Their wisdom, for those still on the path.

47 CPTS Passers
avg 8 Days to Pass
3-6 Months Prep
// FEATURED PASSERS
0x
0xSleuth
@0xsleuth_htb
CPTS Certified 4 months prep Day 7 pass
"BloodHound told me everything I needed. Once I saw the shortest path to DA, the exam became a checklist. Spend 20% of your prep time getting good at reading BloodHound graphs."
KR
KrebsOnRoute
@krebs_htb
CPTS Certified 6 months prep Day 9 pass
"I failed the first attempt because my report was trash. The second time, I wrote findings AS I went, not at the end. Night and day difference. The report is literally half the exam."
PT
p3ntag0n
@p3ntag0n
CPTS Certified 3 months prep Day 6 pass
"AD CS (ESC1) was in my exam. If you haven't done the AD CS Attacks module with Certipy, do it today. Certipy find + certipy req + certipy auth is a path to DA that bypasses everything."
SH
ShadowHunter
@sh4dow_hunt3r
CPTS Certified 5 months prep Day 8 pass
"Ligolo-ng changed my pivoting game. No more proxychains headaches. Full network access through a TUN interface. Practice it before the exam β€” the double pivot setup is worth knowing cold."
NX
n3xgen
@n3xgen_sec
CPTS Certified 4 months prep Day 7 pass
"Credential reuse saved me three times. Every password I found, I immediately sprayed it with nxc across the entire /24. Passwords that didn't work anywhere were still added to my cred list."
RM
RootMe_HTB
@rootme_htb
CPTS Certified 5 months prep Day 8 pass
"Don't skip the report course module β€” I used SysReptor for the exam and having my template ready was a massive time saver. Set it up and practice it on lab machines before exam day."
ZD
Zeroday_Drift
@zd_drift
CPTS Certified 7 months prep Day 9 pass
"I was stuck for 6 hours because I assumed a service was patched. It wasn't β€” I just had the wrong port. Two-pass Nmap -p- every single time. Never assume. Always verify."
AF
ArcFault
@arcfault_sec
CPTS Certified 4 months prep Day 7 pass
"winPEAS is great but read it, don't just run it and blindly follow. The AlwaysInstallElevated finding with both HKLM AND HKCU set gave me SYSTEM on two machines in my exam."
LV
LaVulner8
@lavulner8
CPTS Certified 3 months prep Day 5 pass
"Kerberoasting + weak password on the service account β†’ DCSync β†’ Game over. That attack chain appears in the exam. Know it cold. impacket-GetUserSPNs, hashcat -m 13100, secretsdump."
// COMMUNITY WISDOM
// WHAT THEY WISH THEY KNEW
  • SNMP (UDP 161) has credentials 30% of the time β€” always check it
  • VHost fuzzing finds hidden admin panels that normal ffuf misses
  • LDAP anonymous bind is allowed more often than you'd expect
  • NFS no_root_squash is still a common privesc in 2026 labs
  • AD CS ESC1 appears in real exams β€” learn Certipy properly
  • PrintSpoofer still works on unpatched Server 2019 in labs
  • Document dead ends too β€” they prove thoroughness in the report
// PREP RESOURCES THEY USED
  • HTB CPTS Path β€” complete it 100% including all modules
  • Pro Labs: Offshore and RastaLabs for AD practice
  • HackTheBox machines: Forest, Blackfield, Monteverde, Cascade
  • TryHackMe: Attacktive Directory, Post-Exploitation Basics
  • HackTricks β€” bookmark it, you'll use it daily
  • ired.team β€” incredible AD attack reference
  • GTFOBins β€” know it cold for Linux privesc
  • LOLBAS β€” Windows binary abuse reference
πŸ†
Did You Pass CPTS?

Share your experience and help others on their journey. Your tips, timeline, and lessons learned could be exactly what someone needs to push through.

Share Your Story