HTB CPTS Exam Guide: Conquering Flags 4, 5, and 6
HTB CPTS Exam Guide: Conquering Flags 4, 5, and 6
Surviving the external perimeter is just the warmup. The true difficulty of the CPTS exam begins when you are forced to move laterally across restricted internal subnets. Flags 4, 5, and 6 are designed to test your mastery of intermediate Active Directory exploitation and your ability to pivot proxy traffic seamlessly without triggering simulated defense mechanisms.
1. The Pivoting Infrastructure
To reach the infrastructure containing the middle-tier cpts flags, you cannot rely on direct connections. The hosts holding these flags are segmented behind internal firewalls. You must establish a robust pivoting tunnel.
Using tools like Chisel or Ligolo-ng is mandatory here. By setting up dynamic port forwarding through your compromised edge machine, you can run tools like CrackMapExec or BloodHound directly against the internal Domain Controllers from your local attacker machine.
2. Weaponizing Active Directory Flaws
Finding the path to Flags 4, 5, and 6 relies on identifying logic flaws in how the corporate domain handles permissions and service tickets.
Kerberos Exploitation
Once you route your traffic internally, your priority is to extract the AD database structure. Candidates must run SharpHound and analyze the resulting graphs to find hidden relationships. Key attack vectors during this phase include:
- AS-REP Roasting: Identifying users who have "Do not require Kerberos preauthentication" enabled, allowing you to request their ticket granting ticket (TGT) and crack their hash offline.
- Kerberoasting: Requesting service tickets (TGS) for accounts with Service Principal Names (SPNs) and cracking the passwords to hijack high-privilege service accounts.
- SMB Share Hunting: Using compromised domain credentials to spider internal file shares for sensitive documents containing passwords or SSH keys to intermediate servers.
Stuck in the Internal Network?
Pivoting and Kerberos attacks can consume days of your exam time if done incorrectly. Download the explicit step-by-step solutions for Flags 4, 5, and 6.
Access the CPTS Reporting Walkthroughs