# My review

After several intense months juggling work, life, hobbies, and studying (plus a few existential meltdowns along the way 😅),\
I'm proud to share that I’m now officially a **Certified Penetration Testing Specialist (CPTS)** by **Hack The Box**!

***

## 📚 What is the CPTS?

For those unfamiliar, the **HTB CPTS (Certified Penetration Testing Specialist)** is a **hands-on certification** that validates your offensive security skills through a **realistic, complex, and corporate-like environment**.

Before attempting the exam, you're required to complete the full [**Penetration Tester Job Role Path**](https://academy.hackthebox.com/paths/jobrole) on HTB Academy — an in-depth learning track with **28+ modules** covering every phase of the penetration testing process.

***

## 🧠 The Learning Path

The CPTS path covers a wide range of essential and advanced topics:

* ✅ Penetration testing methodologies & engagement planning
* 🌐 Passive and active information gathering
* 🐧 Linux & 🪟 Windows exploitation
* 🏢 Active Directory penetration testing
* 🌐 Web application attacks
* 🔍 Post-exploitation and enumeration
* 🔁 Pivoting and lateral movement
* ⬆️ Privilege escalation (Windows & Linux)
* 🛡️ Vulnerability assessments
* 📝 Reporting and communicating findings

> What I truly appreciated was how the path helped me think like an attacker.\
> It gave context to tools, taught me how to build a methodology, and encouraged problem-solving over copy-paste exploitation.

***

## 🔬 Prepping for the Exam: Going Blind on *Attacking Enterprise Networks*

One of the **most critical modules** is **Attacking Enterprise Networks**, simulating a full end-to-end corporate pentest.

I took a different approach:\
I completed the module **completely blind** — no tutorial, no spoilers — relying only on my notes and HTB Academy's search function.

This decision helped me:

* 🧠 Think independently
* 📓 Improve my documentation workflow
* 🧭 Strengthen my methodology
* ❌ Make (lots of) mistakes and learn from them

Once completed, I revisited the module with the tutorial to patch knowledge gaps.

> **📌 Pro tip:** Treat this module like it *is* the exam. Go in blind. Simulate the pressure and unpredictability of a real-world engagement.

***

## 🧪 What About Pro Labs? I Took a Different Path...

While many CPTS candidates train with HTB Pro Labs like **Zephyr** or **Dante**,\
I chose a different route and skipped them entirely.

Instead, I focused on the **machine list curated by LainKusanagi**, originally intended for OSCP prep:

📄 [OSCP/HTB Training List by LainKusanagi](https://docs.google.com/spreadsheets/u/0/d/18weuz_Eeynr6sXFQ87Cd5F0slOj9Z6rt/htmlview)

These machines were incredibly relevant to CPTS in areas like:

* 🔀 Basic pivoting and tunneling
* ⬆️ Linux/Windows privilege escalation
* 🔎 Service enumeration and misconfigurations
* 🧩 Manual exploitation (no Metasploit!)
* 🧠 Methodology building under realistic pressure

🗂️ I also created my own Notion tracker:

📌 [My Personalized Machine List on Notion](https://www.notion.so/OSCP-Machine-List-1f3e6083c26b809883c4f9bd1fef4770)

Would I recommend this approach?

✅ Yes — if you want to sharpen your methodology, get used to noise, and simulate real-life reporting\
🚫 No — if your only goal is to rush through and pass the exam quickly

> **In summary:** HTB Pro Labs are excellent, but with the right mindset and machine selection, they’re not strictly necessary.

***

## 💥 The CPTS Exam: Brutal, Realistic, and Rewarding

The CPTS exam challenges you to compromise a **realistic corporate network** — from initial access to full domain takeover.

🎯 **My Result:** 100 points — 14 flags\
🧠 **My Experience:** Brutal, mentally exhausting, but immensely rewarding.

💡 Key takeaways:

* Some flags took 1 hour, others 2–3 days
* The environment is noisy, and distractions are constant
* Everything feels like a rabbit hole — until it’s not
* All techniques are **within scope**, but require **creative thinking**

> **🔥 Top advice:**\
> Don’t overthink. Many times, I lost hours overcomplicating things.\
> **Trust the basics** — they work.

***

## 🧾 Reporting with SysReptor

One of the biggest lifesavers during the exam was [**SysReptor**](https://sysreptor.com) — a modern, fully customizable offensive security reporting tool.

### 🔧 Why I loved it:

* 🖥️ Beautiful, clean UI
* ✍️ Fully Markdown-based customization
* 🧾 Built-in **CPTS report template**
* 📤 One-click PDF export
* 🐳 Seamless local Docker deployment (more stable than the cloud version)

Instead of wasting time on Word or manual templates, I focused on content.\
SysReptor helped me deliver a polished, professional report without the headache.

> **🎯 Real-world bonus:** SysReptor isn’t just for the CPTS — it's also perfect for client reports and internal red teaming deliverables.

📚 **Useful Links:**

* 🔗 [SysReptor Official Site](https://sysreptor.com)
* ✍️ [HTB SysReptor templates](https://github.com/Syslifters/HackTheBox-Reporting)
* 📖 [SysReptor Documentation](https://docs.sysreptor.com/)
* 🐙 [SysReptor GitHub (Open Source)](https://github.com/Syslifters/sysreptor)

***

## ✍️ Final Thoughts

Earning the CPTS has been a **transformative journey**.\
I didn’t just learn tools — I learned how to **think like a pentester**, handle pressure, and build a practical methodology.

> Would I recommend it? **Absolutely.**\
> Whether you're new or have experience, CPTS offers *real-world value*, hands-on depth, and a credible path into offensive security.

***

## 🔜 What’s Next for Me?

More labs, more learning, and more knowledge-sharing.\
On the horizon: **OSCP**, **CRTO**, or **PNPT**.\
But most importantly — continuing to grow and help others in the community do the same.

***


