The Enterprise Dominance Phase (Flags 13 & 14)
← Back to Blog

The Enterprise Dominance Phase (Flags 13 & 14)


HTB CPTS Final Stage: Rooting Flags 13 and 14

You have survived the external perimeter, navigated the complex trusts of Flag 8, and breached the deepest network segments. Reaching the final hosts in the HTB CPTS environment means you are knocking on the door of Enterprise Admin. However, capturing Flags 13 and 14 requires extreme stealth and an absolute mastery of native Windows operations.

⚠️ Rooting the Network is Not Enough: Securing Flag 14 does not grant you the certification. You must submit a flawless, commercial-grade penetration testing report. Guarantee your success by utilizing our verified CPTS Exam Reporting Templates.

1. Living Off the Land (LOLBins)

The final domain controllers in the CPTS environment are hardened. If you attempt to drop custom compiled exploits or generic reverse shell binaries, they will likely be quarantined by simulated antivirus software, wasting hours of your time.

Securing the final flags requires you to manipulate built-in Microsoft utilities. You must abuse inherent high-level Windows privileges to extract the final data:

  • SeBackupPrivilege: If you acquire this privilege, you can bypass standard file permissions to copy critical files, specifically the NTDS.dit database and the SYSTEM registry hive, allowing you to extract all domain hashes offline.
  • Group Policy Manipulation: Wielding control over Group Policy Objects (GPOs) allows you to push scheduled tasks directly to the Domain Controllers, effectively granting you a system-level shell upon execution.

2. The Reporting Phase

Once you extract Flag 14, your technical exam is over, but the most important phase begins. The CPTS demands a meticulously documented report that outlines every single step of your exploitation chain, from the initial web fuzzing to the final DCSync attack.

Your report must include explicit vulnerability descriptions, the exact commands executed, screenshots verifying your access, and professional remediation advice for the simulated client. Missing a screenshot or failing to explain the impact of a Kerberoasting attack will result in a failure.

Secure Your CPTS Certification Today

Do not fail because of formatting errors or missed documentation. Access the premier reporting templates and complete flag solutions at the LOKI Store.

Get the CPTS Master Exam Report