The CPTS (Certified Penetration Testing Specialist) course from Hack The Box is designed to push ethical hackers beyond automated tools and into the mindset of a pentester. After completing this intensive journey, I can confidently say it delivers on its promise. In this review, I’ll break down what to expect, what makes this course stand out, whether it’s worth your time and also some tips and tricks that might help you.
In order to take the exam you first need to complete all 28 modules; only then can you sit it.
https://academy.hackthebox.com/paths/jobrole
Some of these modules are as follows:
Password Attacks
Attacking Common Services
Pivoting, Tunneling, and Port Forwarding
Active Directory Enumeration & Attacks
Login Brute Forcing
SQL Injection Fundamentals
Cross-Site Scripting (XSS)
File Inclusion
File Upload Attacks
Linux Privilege Escalation
Windows Privilege Escalation
Documentation & Reporting
Attacking Enterprise Networks
and much more.
It took me around 50 days to complete all 28 modules; I was spending around 5-6 hours on studies every day.
The course is highly comprehensive and up to date. While some skill assessment questions can be challenging, this is where the HTB Discord community proves invaluable. The community is filled with knowledgeable and helpful individuals, always ready to assist. However, don't expect hand-holding throughout the entire process—you'll need to put in the effort to overcome obstacles on your own.
Make sure to build small cheat sheets while working through the course material.
My notes in Obsidian looked something like this:
Also, don't forget about the Hack The Box Academy's search feature.
The Attacking Enterprise Networks (AEN) module is the last module in the course; I would recommend solving it blind.
Here are some spoiler-free steps you can follow instead of referring to the module's content:
Hosts covered, in order: DMZ01, DEV01, MS01, DC01, MGMT01.
Although it's recommended to complete this module blindly, there's no point in being stuck for days. What worked for me was setting a 6-hour limit—if I couldn't solve a problem within that time, I would either ask for a nudge or take a quick peek at the solution to keep progressing.
Reminder: This is the closest thing to the exam. If you can complete it blindly or with just 1-2 nudges, you’ll be in good shape for the test. Even if you needed more nudges, don’t worry—it just means you need more practice and refinement in your methodology. Revisit the modules you found challenging, and make sure to go through the AEN module 2-3 times right before the exam for better preparation.
I wouldn’t recommend the yearly Gold plan as it’s quite expensive. Instead, the Silver annual plan is a more cost-effective option and also includes an exam voucher.
If you're a student, this becomes a highly affordable option at just $8 per month. However, you'll need a valid student email to qualify for the discount.
Of course, this won't include an exam voucher; you'll need to buy it separately for $210.
If you are a student like me, the total cost will be around $230-240 to take the exam.
Although I don’t have prior experience working as a pentester, I actively solve CTFs whenever I get the chance.
My recommendation would be to get a monthly or yearly subscription on Hack The Box to play retired machines.
I highly recommend this playlist from IppSec: Unofficial CPTS Prep. Be sure to check it out—it's an invaluable resource that will significantly help during your exam preparation. Make sure you take highly detailed notes while solving the boxes. First try to solve them on your own, and if you are stuck for a while, don't jump straight to IppSec's video; instead, take a small nudge from 0xdf's writeup. Once you have completed the box, watch IppSec's video and take notes on how he solves it and what his mindset is while working through the challenges.
If you haven’t heard of ippsec.rocks, you should definitely check it out. Just type a keyword, and it will direct you to an IppSec video where he demonstrates how to solve related challenges.
The Active Directory Exploitation track from Hack The Box Tracks is also recommended.
Although solving ProLabs isn’t necessary since everything in the exam comes from the course material, they can still be valuable for gaining hands-on experience in attacking large networks and practicing pivoting techniques.
The recommended ProLabs that could help with the exam are Zephyr and Dante. These labs provide great hands-on experience with network attacks and pivoting, which can be beneficial for the exam.
Start 31st Jan: 18:30
End 10th Feb: 18:30
Flag 1: 1st Feb 14:35
Flag 2: 1st Feb 20:43
Flag 3: 2nd Feb 10:11
Flag 4: 2nd Feb 10:18
Flag 5: 3rd Feb 20:48
Flag 6: 4th Feb 09:45
Flag 7: 4th Feb 23:34
Flag 8: 5th Feb 21:17
Flag 9: 7th Feb 19:49
Flag 10: 7th Feb 22:14
Flag 11: 7th Feb 23:48
Flag 12: 8th Feb 18:03
Flag 13: 9th Feb 10:08
Report: 10th Feb submitted.
Everything, from initial access to lateral movement to domain compromise, was brutal.
The exam wasn’t extremely difficult—everything is solvable as long as you stay persistent. Don’t give up; keep pushing forward, and you’ll eventually find a way to solve each challenge.
The exam is fair as long as you studied the course properly, made proper notes, and did some extra practice like I mentioned in the Preparation section.
CPTS holders often mention that certain flags serve as major roadblocks during the exam, and I completely agree. These challenges can be tough, but with the right approach and persistence, they are manageable.
Flag 1: There are a lot of rabbit holes, but stick to your methodology and you'll be fine.
Flag 9: This was the toughest flag for me—it took around two days to solve, with an entire day spent stuck at a single point without progress. Solving this step requires creativity, but it’s manageable since it’s covered in the course. Make sure your Active Directory (AD) notes are precise and well-organized—they will be crucial for this challenge.
Although I managed to capture 13/14 flags on my first attempt, I failed due to a poorly structured report. Thankfully, Hack The Box offers one free re-attempt, which gave me another chance. On my second attempt, I focused on submitting a well-structured, high-quality report, and that made all the difference—I passed successfully.
One big recommendation that I truly stand by and encourage everyone to use during the exam is to host a personal SysReptor instance to aid in reporting.
The journey was long and challenging, but it was truly rewarding. I highly recommend it to anyone passionate about Infosec—it’s absolutely worth the effort! I hope everyone preparing for the exam succeeds. If you have any specific questions that I haven’t covered here, feel free to reach out to me on LinkedIn.