The Advanced AD Phase (Flags 7, 8 & 9)
← Back to Blog

The Advanced AD Phase (Flags 7, 8 & 9)


HTB CPTS Strategy: Cracking Flags 7, 8, and 9

Welcome to the most brutal and highly-searched segment of the exam. The difficulty curve surrounding cpts flag 8 and cpts flag 9 is where the majority of unprepared candidates fail out. By this stage, you have exhausted basic Active Directory exploits and must now navigate a complex, multi-tiered enterprise architecture filled with cross-forest trusts, constrained delegations, and interconnected database clusters.

1. Breaking the Boundaries: CPTS Flag 8

Securing cpts flag 8 requires you to completely rethink your administrative paths. You are no longer just looking for local admin rights; you are looking for structural domain flaws.

Trust Abuse and Delegation

To capture Flag 8, you must heavily audit the domain trusts. This involves mapping out parent-child domain relationships and identifying if SID History is enabled across the trust boundary. Advanced techniques required here include:

  • Resource-Based Constrained Delegation (RBCD): Exploiting write access over a computer object to configure RBCD, allowing you to forge a service ticket and hijack the target machine as an administrator.
  • Active Directory Certificate Services (AD CS): Identifying misconfigured certificate templates (like ESC1 or ESC8) to request a certificate on behalf of a highly privileged user, like a Domain Admin.

2. Forcing the Pivot: CPTS Flag 9

The moment you achieve your escalation in the previous step, you are immediately walled off again. CPTS flag 9 tests your ability to weaponize your newly acquired high-tier credentials across segmented network enclaves.

A major focus point for Flag 9 is deeply linked database infrastructure. Finding a Microsoft SQL Server (MSSQL) and realizing it has a database link to a remote server allows you to execute SQL queries across the network boundaries. By enabling features like xp_cmdshell over the linked server, you can gain a remote shell in a previously inaccessible subnet and extract the flag.

Don't Let Flag 8 or 9 End Your Exam

These specific flags require flawless execution of complex AD attacks. Ensure your methodology is perfect by referencing our commercial-grade exam solutions.

Download the Complete Flag 8 & 9 Blueprint