Introduction

Certified Penetration Testing Specialist (CPTS) is a relatively new penetration testing certification, introduced in September 2022 by HackTheBox (HTB). It is an entry to intermediate level certification, covering an array of topics and tools vital for penetration testers. It aims to equip individuals with the essential skills required in the field.

Offensive Security Certified Professional (OSCP) has been the de facto penetration testing certification for a long time, it is offered by Offensive Security. The course and certification has been through a number of updates and iterations over the years, with the most recent being in mid 2023. It is designed as an introductory qualification, similarly targeting individuals wanting to acquire the fundamental skills for a career in penetration testing.

I started the CPTS course in April 2023, and passed the exam in November. I then started the OSCP course right after, and passed in the same month.

Some quick background: I studied cybersecurity in school, and had a year or two of experience in the field. I had no pentesting related certifications before CPTS, however, I had a solid foundation in computer science, with certifications such as CCNA, AWS and some others.

The Cost

At the time of writing, the CPTS course can be unlocked for $106 (a month of platinum and a month of gold), the exam voucher with 2 exam attempts costs an additional $210, bringing the total to $316. If you are a student, the entire course can be unlocked for $8 a month. Depending on your speed, the certification can be acquired for as low as $234.

The OSCP course costs $1649 for 90 days of access and 1 exam attempt, or $2599 for a year of access with 2 exam attempts.

It goes without saying that CPTS offers substantially better value compared to OSCP. In addition to its high cost, which is more than five times that of CTPS, the OSCP course is time limited, meaning that once your access ends, you cannot access the materials and labs without purchasing an extension. For CPTS, once the modules are unlocked, they are available permanently, including the labs and future updates. For the student subscription (and annual subscriptions), similar access is granted once the module is completed. While the materials can be absorbed into your notes, having access to the labs can be invaluable if you want a refresher or more practise, even after the course.

I can say confidently that the student subscription offers the best value for cybersecurity training compared to everything else available. Not only does it unlock the CPTS path, it also includes all tier 2 and below modules, including the modules from the CBBH and CDSA certifications. At the time of writing, that’s a whopping 69 (nice) modules, all with their own distinct content and labs.

The Course

CPTS

The CPTS course adopts a text-based format, there are a total of 28 modules, each focusing on a major topic, such as Active Directory Enumeration & Attacks. Within each module, there are distinct sections dedicated to specific skills or subtopics, for example Kerberoasting. Following each section, practice exercises are provided to assess your understanding of the material covered. Additionally, at the end of each module, there are skills assessments requiring you to apply the entirety of your learning from that module.

The course is structed like a typical penetration test, starting from enumeration and Footprinting, to getting initial access, to privilege escalation and lateral movement, ending with documentation and reporting. The topics covered are both wide and in depth, with the stand out being the Active Directory Enumeration & Attacks module, which equips you with all the essential knowledge and tools to attack an AD environment. The Documentation & Reporting module, an essential skill for a pentester, provides a good introduction and example on a commercial grade pentest report, which the candidates are expected to do the same for the exam.

Each modules starts with the basic ideas of the topic and then slowly moves on to harder techniques, using what you have already learned. The practice exercises build upon the content from previous sections, while the skills assessments take place in a completely different environment. To finish the modules, you will need a good understanding the of material. Just copying the commands will not be enough, as you will be tested on on applying this knowledge effectively, even in different situations.

While the overall quality of the modules is great, certain ones can be more challenging or seem less cohesive. For example, in the Password Attacks module, there’s a significant amount of downtime spent waiting for tools to complete their tasks, which can be quite frustrating. Additionally, the Thick Client Applications sections within the Attacking Common Applications module feel somewhat misplaced. Given the advanced knowledge required and complexity of reverse engineering, the brief coverage provided here seems inadequate, serving more as an roadblock to course rather than a comprehensive learning segment.

OSCP

OSCP also adopts a similar overall structure, divided into 25 topics with their own sections. Additional videos are provided for some topics, yet both personal experience and feedback from others suggest that these videos are less effective as a learning tool compared to the text-based materials.

Although the OSCP course follows a similar structure, it falls short in quality, depth, and the comprehensiveness of exercises when compared to the CPTS course. You will be hard pressed to find any topics in the OSCP course that are not already covered by CPTS. With the exception being  Client-side Attacks and Antivirus Evasion, the latter of which unfortunately goes over some outdated techniques and tools which do not stand a chance against modern antivirus products. On the other hand, CPTS includes dedicated modules covering Nmap, web proxies (Burp Suite and ZAP), and a range of web attacks including XSS, command injection, and file upload attacks. And as mentioned earlier, the Active Directory Enumeration & Attacks module in CPTS is significantly more comprehensive compared to the corresponding Active Directory content in the OSCP course, covering topics such as ACL Abuse, attacking domain trusts, various tools for different situations and more.

Additionally, while the capstone exercises in OSCP (similar to the skills assessments in CPTS) provide a welcome challenge, they are noticeably less difficult than those in CPTS. Moreover, the standard exercises in OSCP often mirror the scenarios covered in the sections exactly, requiring little more than replicating the demonstrated steps to complete them.

In my opinion, the biggest issue with the OSCP course lies in its failure to provide content and training that justify its cost. It leaves learners with an underdeveloped toolkit and skillset. Despite attempts to update the course, the content remains underwhelming. For example, in the pivoting module, the lab practice exercises are essentially unchanged, differing only in the methods expected for completion. The CPTS Active Directory labs have a much more robust setup, with thousands of users in the domain and simulated actions. In comparison, OSCP offers less than five targets and only about 20 users, which is significantly less immersive and comprehensive.

For the OSCP Challenge Labs, in Medtech and Relia, you quickly gain domain administrator credentials soon after your initial entry into the domain. This lessens the need to further exploit the domain with your initial foothold account, unless the admin credentials are ignored on purpose. This approach somewhat defeats the purpose of advancing through the domain with the originally compromised account, reducing the complexity and learning potential of the exercise. Additionally, the OSCP sets are nothing like the exam, but more on that later.

I encountered a good number of technical problems with the OSCP labs. There were times when the target machines would not spawn, or certain exploits would not work until I reset the labs. On several occasions, all lab machines were unavailable, with downtimes stretching up to five hours. In contrast, while the infrastructure for the CPTS labs is not perfect, the issues I faced there were less severe and frequent, especially when taking into account that I spent considerably more time in the CPTS labs.

The Preparation

After finishing the CPTS course, I dedicated a month to working on HTB boxes and pro labs. I managed to complete the Dante and Zephyr pro labs and regularly completed medium and hard boxes on HTB, though not without some difficulty. Is this extra practice essential for passing the CPTS exam? Not at all. The course itself contains everything needed to pass the exam. The key is to thoroughly understand the course material and be able to apply it effectively. During my studies, I invested time experimenting with different tools and techniques, looking into documentation and online posts, and exploring various methods to achieve the same objectives. This approach greatly added to my familiarity and comfort with the course content.

I’d also like to emphasise the importance of avoiding asking for help during the course. Struggling is a crucial part of the learning process. If you don’t encounter difficulties during the course, you might find the exam challenging unless you already have the necessary experience. When faced with issues, it’s beneficial to do your own research on the topic or error. This often leads to a better learning experience compared to seeking quick answers on Discord or the forums. Throughout my time with the CPTS course, I didn’t ask for help, not because I found it easy, but because I was able to resolve the challenges I encountered. This process of troubleshooting and problem-solving was a valuable learning experience in itself.

Unfortunately I do not have much to say about my OSCP preparation, because all my preparation came from doing the CPTS course. I did not spend much time on the OSCP materials as I was already familiar with the topics, I did the exercises and challenge labs to secure the bonus points, and moved on to the exam. Unlike CPTS, extra practice outside of the course is needed. The best way to prepare for OSCP, from personal experience and from fellow HTB academy users/CPTS holders, is to do the CPTS course. There’s no need to do the exam, just going through the materials will be a great preparation. Other than that, doing easy boxes on HTB can be a good exercise, or even the Dante pro lab, where the difficulties of the individual targets are similar to what you will find in OSCP.

The Exam

CPTS

The CPTS exam spans 10 days and places the candidate in a simulated penetration testing scenario against a company. To pass, you need to capture 12 out of 14 flags. At the end of the 10 days, a detailed report must be submitted. This report should include the attack chains used, findings from the test, and recommendations for the company.

I managed to submit all 14 flags by day 7 of the CPTS exam and spent the remaining time crafting the report. I was notified of my success 2 weeks after the report submission. I’m happy to report that the lab environment is exceptionally well-designed. It presents a cohesive, networked setting with its own narrative and interactions, enhancing the realism and learning experience.

The exam is a true marathon, thoroughly testing your grasp of the course material. It was challenging; there were moments when I felt stuck and out of ideas. However, going deeper into my notes and the course materials often provided the breakthrough I needed. The time constraint is a significant aspect of the CPTS exam to consider. During the 10 day period, I devoted most of my waking hours to the exam, aside from sleeping. Despite having a decent pace, I only managed to submit the report on the final day, due to the extensive amount of tasks and documentation required. Completing the exam on the first attempt would be extremely challenging without taking time off to focus solely on it.

The upside is that, for CPTS, the second attempt is free, and you are placed back into the same environment. This allows you to pick up from where you left off, as long as you submitted a report in your first attempt. Considering this, it’s reasonable to view the exam as a 20 day exam, with the opportunity to resume once your initial attempt has been graded.

I mentioned that the Documentation & Reporting module provides a solid introduction and an example of a commercial grade penetration test report. While the exam expects a similar standard, in reality, few people fail due to poor reporting quality. The grading focuses not on language proficiency, but on your ability to document findings and present good recommendations to the client. As long as your report adheres to the structure of the provided template or example report, the main task is simply to accurately detail your findings.

OSCP

The OSCP exam is proctored and spans 24 hours, afterwards, the candidate will have another 24 hours to submit a report. The exam lab consists of 3 machines in an Active Directory set, and another 3 standalone machines. To pass, 70 out of 100 points are needed, I won’t go into detail on the points weightage, they can be found here.

I got the passing score within 4 hours of taking the exam and was notified of my success 12 hours after submitting the report. I had the pleasure to work on the updated exam machines, which had a noticeable increase in difficulty, and was easy to identify which targets were the newer ones. The challenge was somewhat unexpected, differing from what I had previously heard about the exam. The active directory set is surprisingly tricky to get a foothold, and for one of the machines, I even had to write some custom code. While it’s possible that I have done a more difficult approach, I couldn’t think of another way to do it. Even with the unexpected challenge, the exam is still straightforward for me, given that I’m already well prepared by passing the CPTS exam, and having a good number of hard and insane HTB boxes completed before I did the OSCP exam.

However, I can say with confidence that solely relying on the OSCP materials would make it highly unlikely for anyone to pass the exam lab that I had. While I welcome the idea of updating the exam to increase its difficulty, it’s crucial that the course also updated accordingly. As it stands, the existing materials do not adequately prepare candidates for the exam. Furthermore, the level of difficulty in the OSCP challenge labs is not representative of what is faced in the new exam labs. If your preparation is solely based on the OSCP materials, you might find yourself in a situation where, despite being familiar with the course content, the exam still appears overwhelmingly difficult, if not impossible. This is based on my personal experience, and I believe it’s a rather poor approach to increase the exam’s difficulty without simultaneously updating the course content. Such a practice can create a significant disconnect between what is taught and what is tested.

While I personally did not encounter issues with tool restrictions and time constraints in the exam, I can fully appreciate why someone with limited experience might find the exam particularly challenging. In my view, a realistic exam should grant candidates the freedom to employ any tools or methods they are comfortable with. If a candidate has mastered a specific tool, they should be allowed to utilise it during the exam. This approach not only simulates real-world scenarios more accurately but also acknowledges and leverages the diverse skill sets and preferences of different candidates.

The report requirements for the OSCP are relatively straightforward, with the primary focus being on the attack chain. other parts are optional. In contrast to the CPTS report, which resembles a commercial-grade document, the OSCP report is closer to a walkthrough.

The Time Investment

One of the most significant challenges with the CPTS course is time commitment. To qualify for the exam, candidates must complete all modules and their respective exercises, which typically takes 3-6 months, depending on prior experience. Even for those familiar with the content, completing the exercises can be time-consuming. This extensive duration, especially considering the 10-day exam (or 20 days if a retake is necessary), could be a deterrent for some some who may not have the capacity to invest such a significant amount of time. Having to complete all exercises might be a deal-breaker for potential candidates. I started the CPTS course in April, but had to take a break for a couple of months in the middle because of other things. The actual time I dedicated to the course was about 3-4 months, during which I devoted all my free time to it. However, not everyone has the ability or the circumstances to commit to such a schedule. This factor is crucial to consider for anyone contemplating undertaking the CPTS course, as the time investment required is substantial.

On the other hand, I was able to complete the OSCP course and exam in just two weeks. Since it’s not mandatory to finish all exercises, I could quickly cover all the topics and proceed directly to the exam. I believe this approach is more advantageous, particularly for individuals already with the skills needed to pass. Allowing candidates to access all content without the requirement to complete the entire course before attempting the exam can motivate more people to try it. If they fail, they have the option to retake it. This flexibility can be appealing and less daunting for potential candidates, especially those confident in their existing knowledge and skills.

The Industry Recognition

This brings us to another challenge with CPTS: its relative novelty in the field. At the time of writing, there are fewer than 200 certified individuals, partly caused by the significant time commitment required, as previously mentioned. Its recognition in the cybersecurity and penetration testing communities is still limited. Personally, I have yet to come across a job listing that specifically mentions CPTS. In this regard, OSCP maintains its status as the industry standard and is often a prerequisite for even being considered for an interview.

The saying that ‘OSCP gets you into the field, while CPTS keeps you there’ is one that I agree with. In terms of depth of knowledge and training quality, CPTS is indeed superior. However, when it comes to recognition by HR departments and recruiters, OSCP has the edge. It’s a vital credential for those seeking entry into the field, whereas CPTS is more about enhancing and solidifying their skills once they are already in the industry.

Tips for the Exam

CPTS

Be Thorough: If I can offer a single piece of advice, this is it. Test everything and leave no stone unturned. You may find yourself stuck during the exam, but that’s because you haven’t tried and tested everything, often the breakthrough is something that you missed or didn’t think of.

Be Familiar with the Content: As I’ve mentioned many times in this post, the exam rigorously assesses your grasp of the course material. Mastery of the course content is a sure path to passing the exam.

Take Good Notes: This isn’t just vital for the exam, but for anything in the cybersecurity field. The sheer volume of information can be overwhelming, making it impractical to rely solely on memory. Effective note-taking not only aids in retaining information but also simplifies future reference.

Have a Good Situational Awareness: Know where you are, what access you have, what credentials you can use is vital in the exam. Use everything you have to find the next step.

Don’t Rely on a Single Tool: We all have our favourite tools to use, but don’t tunnel vision on it, sometimes changing things up might reveal something else or give a different perspective. As an example, I prefer doing everything in the terminal, however, one of the breakthroughs during the exam was when I switched to RDP. The solution I discovered could have been achieved in the terminal as well, but this change in approach and pace in helped me identify it.

Refer to the Course: Since everything in the exam can be found in the course, if you are really stuck, checking the materials might help you find something that you have missed or forgot.

Pace Yourself: The exam is a marathon, take care of your other needs during the exam and don’t spend every minute on it, take breaks, go out for a walk, have pizza 🍕. This will help you keep your head in the game and prevent burnout. I would highly recommend not spending ~20 hours a day for the first few days like me.

Keep Going: There may be times where you are stuck, but you aren’t out of ideas until you have found it. Being frustrated or discoursed will not help you in the exam, and it’s okay having to retake, view it as a 20 day exam instead.

OSCP

Unfortunately I did not find the exam challenging enough to give specific advice, everything mentioned earlier will apply, but if I can make a suggestion, give the CPTS course a try, it will prepare you better than the OSCP materials ever could.

FAQ

These are my opinions on the frequently asked questions towards CPTS.

Do I need to do boxes to pass the exam?

No. I can’t think of an occasion where I used what I have learned doing a box in the exam. Most of the boxes are out of scope, the exam does not test your ability to carry out some crazy exploit. There are also many things in the exam you don’t encounter when doing boxes, such as it being a networked environment, and post exploit information gathering. I did boxes because I enjoy doing them.

Okay but I really want to do boxes, which ones will prepare me for the exam?

That’s not an easy question to answer, I cannot talk about the content of active boxes or the exam. My suggestion would be to use the advanced search feature for retired boxes, select easy or medium, and search for an area that you want to improve.

Do I need to do pro labs to pass the exam?

Not really. Again, a lot of things in the pro labs are out of scope, it can help you get more familiar with a networked environment, but it can also lead you to try something that’s not in the course. Being familiar with the course is important if you want to do pro labs, as it helps with avoiding going down rabbit holes.

Can I use X tool for the exam?

Yes. There are no tool restrictions, use whatever you want.

Do I need any experience to get started?

Not really, you just need a computer, and willingness to learn. HTB academy’s learning curve can be slightly steeper than THM or TCM, but as long as you’re willing to put in the effort, getting started is not difficult. If you’re completely new, start with the Information Security Foundations path, it is entirely free.

Do I need to be good at programming to do well?

No. Being able to read and understand code can be helpful, but you don’t need be good at a language. There are some modules where you’ll need to write scripts, but it’s explained pretty well and examples are given.

Can I pass the exam while working full time?

Not taking any time off and passing the exam on the first try would indeed be quite challenging, though this also depends on your level of experience. Successfully completing it on the second attempt is certainly feasible, especially considering that you get two attempts. One strategy could be to start the exam on a Friday afternoon, which would give you four full days to focus on it. If the first attempt doesn’t work out, you can use that experience to better plan and estimate the time you might need for a second attempt.

Is it worth it to dedicate 10 days to the exam?

I hope I have laid out the strengths and shortcomings of CPTS well in this post, whether it’s worth it is for you to decide. Personally, passing CTPS is not just about getting a cert, it’s also proof that I have what it takes to tackle this challenge, and I’m ready to move on to more advanced topics.

How to write a good report?

Take a look at the structure and writing style of the example report provided in the course. The primary purpose of your report should be its usefulness to the client. It should to recount the steps taken during the penetration test, with a focus on identifying and highlighting vulnerabilities encountered along the way. For each vulnerability, include a detailed description and an assessment of its impact. The report should offer actionable recommendations for remediation, providing the client with clear suggestions on how to address each identified issue. You can refer to some other examples here.

What’s after CPTS?

Depends on your interest and what you want to specialise in, you should already have a pretty good idea by the time you finish CPTS. There is CBBH and the upcoming CWEE certifications if you’re interested in web. I’m more interested in Windows internals and Active Directory, so I’m currently working on Maldev Academy, then CRTO next.

How do I get flag 9?

cat flag9.txt

This post represents my personal views and is based on my experiences, as well as conversations with fellow students and other penetration testers. I hope it has provided you with decent insights into these certifications and will assist you in determining which certification is best suited to your goals and needs.