β Research Hub
Tools & Setup
HTB Machines β CPTS Modules
Curated list of 30+ HackTheBox machines mapped to specific CPTS exam objectives β ordered by difficulty and topic coverage to maximize study efficiency.
Fundamentals & Enumeration
| Machine | OS | CPTS Modules | Key Concepts |
|---|---|---|---|
| Lame | Linux | Nmap, Shells | Samba exploit, basic enumeration |
| Legacy | Windows | Nmap, Common Services | MS08-067, SMB exploitation |
| Blue | Windows | Nmap, Exploitation | MS17-010 (EternalBlue) |
| Nibbles | Linux | Web Info Gathering, Footprinting | Web app enum, CMS exploitation |
| Keeper | Linux | Footprinting, Password Attacks | Default creds, KeePass exploitation |
Web Application Attacks
| Machine | OS | CPTS Modules | Key Concepts |
|---|---|---|---|
| Poison | Linux | File Inclusion, Shells | LFI β RCE, log poisoning |
| Magic | Linux | File Upload | MIME bypass, PHP webshell upload |
| Bolt | Linux | SQLi, SQLMap | Server-side template injection, credential reuse |
| Horizontall | Linux | Ffuf, Web Attacks | API subdomain, Strapi RCE |
| Bashed | Linux | Footprinting, PrivEsc | Web discovery, sudo privesc |
| Optimum | Windows | Common Apps | HFS RCE, Windows privesc |
| Bounty | Windows | File Upload | ASPX upload bypass, SeImpersonate |
Active Directory
| Machine | OS | CPTS Modules | Key Concepts |
|---|---|---|---|
| Forest | Windows | AD Enum, AD Attacks | AS-REP Roasting, DCSync, ExchangeWindows Permissions ACL |
| Blackfield | Windows | AD Attacks, ACL Abuse | AS-REP Roast, ForceChangePassword, DCSync |
| Monteverde | Windows | AD Enum, Password Attacks | Azure AD Connect, credential reuse |
| Cascade | Windows | AD Enum, AD Attacks | LDAP enum, AD recycle bin, .NET reversing |
| Sauna | Windows | AD Enum, AD Attacks | Kerbrute user enum, AS-REP Roast, DCSync |
| Active | Windows | AD Enum, Kerberoasting | GPP password, Kerberoasting DA |
| Return | Windows | AD Enum, Common Services | LDAP credential leak, Server Operators group |
| Escape | Windows | AD Attacks, ADCS | MSSQL hash capture, ADCS ESC1 |
| Manager | Windows | ADCS Attacks | ADCS ESC7, Certipy, LDAP enum |
| Support | Windows | AD Enum, RBCD | SMB info leak, RBCD attack |
Privilege Escalation
| Machine | OS | CPTS Modules | Key Concepts |
|---|---|---|---|
| Beep | Linux | Linux PrivEsc, Common Services | FreePBX/Elastix LFI β RCE, Webmin exploit, multiple privesc paths (sudo nmap, sudo -l) |
| Sunday | Solaris | Linux PrivEsc, Password Attacks | Finger enumeration, shadow hash cracking, sudo wget |
| Valentine | Linux | Linux PrivEsc | Heartbleed, tmux session hijack |
| Shocker | Linux | Linux PrivEsc | Shellshock, sudo perl |
| Arctic | Windows | Windows PrivEsc | ColdFusion exploit, JuicyPotato |
| Bastard | Windows | Windows PrivEsc, Common Apps | Drupal RCE, JuicyPotato |
Study Strategy
Recommended Order: Lame β Blue β Bashed β Nibbles (basic skills) β Poison β Magic β Bounty (web) β Sauna β Forest β Active (AD basics) β Blackfield β Escape β Manager (AD advanced)
- Don't read walkthroughs until you've spent 2+ hours on a machine
- After completing, read at least 2 public writeups to see alternate approaches
- AD machines (Forest, Blackfield, Sauna) are the closest to actual CPTS exam feel
- Manager and Escape specifically practice ADCS β high value for CPTS
- Retire machines rotate β check HTB retired list for machine availability