> Deep-Dive Research Hub

Advanced attack chains, tool guides, and techniques beyond the standard modules. 15 topics covering the hardest CPTS exam concepts.

Active Directory
BloodHound Advanced Queries
Custom Cypher queries, shortest path to DA, Kerberoastable + DCSync targets, LAPS + GPO abuse paths.
β†’
Active Directory
Ligolo-ng Double Pivot
Multi-hop tunneling through segmented AD networks. Agent chaining, route injection, and traffic routing without proxychains.
β†’
Active Directory
AD CS ESC1–ESC8 Attack Chains
Complete Certipy-driven exploitation of all 8 ADCS misconfigurations β€” from enrollment abuse to CA key theft.
β†’
Active Directory
RBCD Full Walkthrough
Resource-Based Constrained Delegation from WriteProperty to S4U2Self/S4U2Proxy and impersonation to DA.
β†’
Privilege Escalation
Potato Attacks Comparison
PrintSpoofer vs JuicyPotato vs GodPotato vs SweetPotato β€” when to use which, OS compatibility, and current bypass status.
β†’
Active Directory
Responder + NTLMRelayx Chain
LLMNR/NBT-NS poisoning β†’ relay β†’ SMB signing disabled targets β†’ shell or DA hash. Full attack chain with edge cases.
β†’
Evasion
AMSI Bypass Techniques (2026)
Working PowerShell AMSI patches, memory patching via reflection, CLM bypass, and constrained language mode escapes.
β†’
Active Directory
GPO Abuse for Persistence
Modifying GPOs with GenericWrite β€” scheduled tasks, startup scripts, registry keys, and immediate policy push.
β†’
Tools & Setup
SysReptor Complete Setup
Docker install, CPTS finding templates, CVSS calculator integration, screenshot embedding, and PDF export pipeline.
β†’
Tools & Setup
HTB Machines β†’ CPTS Modules
Curated list of 30+ HTB machines mapped to specific CPTS exam objectives. Ordered by difficulty and topic coverage.
β†’
Active Directory
Certipy Complete Guide
Full Certipy workflow: find, req, auth, shadow, relay, forge β€” all subcommands with real-world output examples.
β†’
Active Directory
Shadow Credentials Attack
msDS-KeyCredentialLink manipulation via Whisker/Certipy β†’ PKINIT β†’ TGT β†’ NT hash without password reset.
β†’
Infrastructure
NFS Exploitation
no_root_squash UID spoofing, SUID binary planting, squashfs tricks, and NFS version fingerprinting for privesc.
β†’
Privilege Escalation
Docker / LXD Container Escape
Privileged container escapes, cgroup release_agent, LXD image trick, socket mounts, and cap_sys_admin abuse.
β†’
Tools & Setup
Credential Hunting Scripts
Automated one-liners for Linux/Windows credential discovery β€” config files, env vars, history, browsers, keyrings.
β†’