HackTheBox Certified Penetration Testing Specialist (CPTS) - Review + Tips

Captions
In this video we're going to take a look at the Hack The Box Certified Penetration Testing Specialist certification, or CPTS. This is a certification that Hack The Box released a few months ago to go along with their Penetration Tester job role path on the Academy. I completed the course and the exam and got the certification last week, so this is basically going to be me talking through my experience of the course and the exam, and hopefully giving some tips to help people who are looking to either take the course or the exam, or compare it to other certifications.

The only other certification I have that I'm able to compare it to is the OSCP, and it's worth saying I did that in 2019, so before they changed the exam structure and updated the course. It used to have a buffer overflow guaranteed in the exam, which isn't the case anymore, and it didn't use to have the Active Directory stuff, so just bear that in mind: my OSCP material is a little bit outdated, and I'm not comparing it to the most recent exam or course. I don't have any other pen testing certifications, so I can't compare this to the eJPT or PNPT or any of those; the only thing I can compare it to is the OSCP.

I should also probably clarify that although Hack The Box didn't pay me to make this video, they did provide me with free access to the Silver annual subscription. That's 350 pounds, and that gives you access to all the modules on the job role path and an exam voucher as well. So while this isn't enough money for me to pretend the exam and the course are really good when they aren't, it is enough that I probably need to mention it here and maybe leave a note in the description. I'm not 100% sure what the UK laws are around advertising on YouTube, so I'll just act out of an abundance of caution and say that I probably need to label it. All right, with those disclaimers out of the way, let's jump into the video.

I'm just going to start off with a short introduction to Hack The Box, just in case there's anybody watching the video who's never used Hack The Box and this is their first experience with the platform. So essentially, when Hack The Box started (I think it was 2016, that's when I started playing on it anyway), they were releasing machines. This was the core function of Hack The Box: essentially, every week a new machine is released. It could be a Linux or Windows machine, and your goal is to hack the machine and get user privileges, so you get a user.txt flag, and then escalate your privileges to root and get the root.txt flag. You can do that with these. These are all active boxes, which means these are all free to play, and every week one of the boxes will be retired and a new box will be released. The retired machines are only available to VIP users, so I think it's like 10 pounds a month, or 15, something like that, and that will give you access to all these retired machines. And you can get walkthroughs, so you can go and look at IppSec's videos, or 0xdf does great write-ups on his blog, and then there's an official PDF write-up and stuff. So retired machines are really good for practising, knowing that you can refer to help whenever you get stuck; active machines are really testing your skills, but these are all free, which is a bonus.

Aside from these machines you also have challenges. Challenges are just like a standard capture the flag competition: if you've ever done a CTF you'll know that you have a variety of categories, so you can see here pwn or binary exploitation, hardware, crypto, mobile, reverse engineering, game hacking, forensics, miscellaneous and web. And again this is the same: you can access all these active challenges, there's a new one every week, and you can play those for free. They give you points. The retired challenges you can't play for free, you need the VIP membership, but you're able to get access to walkthroughs and they don't give you points. Whenever a machine is retired or a challenge is retired the points go away, so it's not like a pay-to-win sort of thing. Anyway, apart from
that you also have Starting Point. These are kind of like mini boxes or machines that were created just to help you learn, so each one will try and teach you a core concept. Unlike the machines, where the only goal is to get the user and the root flag, for the Starting Point machines you also have some questions to answer, which will basically teach you as you go. Again there are some that are free and then there are some that are VIP, as you can see here. I did make a video for all of the Starting Point machines, so you can have a look at the playlist on my channel if you want any help with these, or if you just want to see if there are any different ways of doing things.

Apart from that, we have Battlegrounds, which is like a player versus player hacking sort of thing. We've also got some Pro Labs as well: Endgames, Fortresses and Pro Labs, which are more complex networks that, again, you have to pay extra for. And then we also have the Academy, which is where the Penetration Tester job role path is, so let's jump over to that.

This is the Academy dashboard. You can see how far you've got through the modules; you can go and have a look at modules individually; as you can see here, you can have a look at the modules you've completed and stuff like that. Some of them are, as you can see here, tier three. With the Silver subscription, which I have access to, you get tier two and below for free, and then if you want to unlock any of these you'll need to use some of your cubes. You can see here I've got 510 cubes, so I could unlock this one, and then if I complete the module I'll gain 100 back, so there are a few different ways you can pay for these sorts of things.

Let's have a look. You can go to Paths as well, so we can have a look at skill paths, which will basically be a combination, like a playlist, of some of these modules for specific things. So, Cracking: is this passive cracking, or is this... okay, I think this is just teaching you how to use Hack The Box, "Cracking into Hack The Box". You've also got one on local privilege escalation, binary exploitation, etc., and you can see that it tells you how many cubes you'll get as a reward, how many it costs, how long they estimate it'll take (so I think this is supposed to be five times eight-hour days), how many sections we've got, the difficulty, stuff like that. You can click on one of those and then you can see here the modules; it'll tell you these are the four modules, and then if you want to break those down you can see again this one's got 13 sections. You can click on it, go and have a look and see what the sections are and what the summary of the module is: is it going to be worth buying, is it going to be worth taking, is it something that you want to learn?

But in this case what we're interested in is a job role path, so we're looking at the Penetration Tester job role path. You can see I've completed this, all 28 modules. There's also the Bug Bounty Hunter path, which has a certification, CBBH, which I wouldn't mind doing as well. I'm going to work through this job role and then we'll see if I can get time to do that exam, but you can see that this is quite a bit shorter than the Penetration Tester one, and a lot of the content that's in the Penetration Tester job role path will also be in the Bug Bounty Hunter path. So I think by the time I'd finished this Penetration Tester one I was about 60% through the Bug Bounty Hunter path, so then there are just a few other modules you need to go and complete if you want to do that.

So we'll have a quick overview here of the modules as well, but let me actually just go over to the news that they gave here. I've put this on to 150% zoom because this is really designed for mobile or a vertical monitor. I normally would use Academy on my vertical monitor: I've got two horizontal monitors and then to the left I've got a vertical monitor, and I find myself using that more than anything these days. But I'll try to zoom in just so this is a bit clearer.

So what is it? The Hack The Box Certified Penetration Testing Specialist, AKA CPTS, is a highly hands-on certification that assesses the candidate's penetration testing skills. Certification holders will possess technical competency in ethical hacking and penetration testing domains at an intermediate level. They'll be able to spot security issues and identify avenues of exploitation that may not be immediately apparent from searching CVEs or known exploit PoCs. So this is a big selling point of the certification. I know from doing the OSCP that there's a big focus on CVEs, on vulnerable software and stuff like that, which is good, but there's also a lot more to penetration testing than that, namely finding vulnerable misconfigurations and weak access controls, things like that. So the course is not just aimed at penetration testers; it's also good for security analysts, vulnerability analysts, incident handlers and anybody with a cyber security related duty. You need to complete the Penetration Tester job role path before you're able to attempt the exam, so you need to do all the modules, and they'll give you a deep understanding of the tools, the attack tactics and the methodology used during a pen test. There are 28 different modules in scalable difficulty and logical order to enable a great learning experience. Each module is accompanied by practical lab exercises and skill assessment exercises, and by the end of the path students will have the opportunity to conduct nine simulated yet realistic penetration tests and attack over 270 targets. So here's the introduction; here we've got our enumeration, attack planning, exploitation, web exploitation and post exploitation. There are all of our different modules. We've got a short review here, then "what about the exam?", okay, we'll go into that shortly.

Let's just go and have a quick look at this job role path again. So I went through all of these modules in order. I did make sure to read everything on each of the modules. In some cases what I would do is, at the end of
each section you have some questions to answer and normally some practical exercises. Quite often I would jump straight down to the bottom and try to answer those questions, and then afterwards I would read the content, because then you're kind of testing yourself on each module, on each section. I think that's the best way to learn: if you first try to do something, and once you fail you can go and learn how to do it, that'll sink in a lot better. But you can see the order of this; it's a good order. You know, we're starting off with enumeration, footprinting, information gathering, and then we're going to move on to all the other stuff, so exploitation, shells, payloads, etc. You do have some cheat sheets as well, so every module will have a cheat sheet you can download; some will have resources like username lists or password lists and things like that that they want you to use in the exercises.

This took me around... I spent around 10 weeks doing the course. Some days I wasn't doing anything, I was busy with other things; some days I would spend eight hours, some days I would spend an hour. So it's quite hard to say how long this is going to take each individual person. It really depends not just on how long you spend on it but also on your prior experience. I'd already done the OSCP three or four years ago, and I've been playing Hack The Box and doing pen tests and CTFs for a while, so going in with that experience and knowledge will make things a little bit easier, I guess. Each section is different as well: I mean, the web sections I found I could get through a couple of them in a day, whereas with Active Directory it took me a couple of days to get through one section. So yeah, it's going to vary from person to person. I did notice that on some days the progress marker would go up like five or six percent, and then other days I'd spend the same amount of time but it would go up like 0.5 percent. So it depends, again, what you're comfortable with and just how dense with information some of the topics can be. I particularly found Active Directory to be the most difficult; maybe that's just due to my experience, but I did think it was quite information heavy. I would say that about three months is probably a good average estimate, but you know, for some people it might take six months, for some people it might take a month. There are also a lot of boxes, so sometimes you get to the end of one of these sections and it'll say you should go and try out these two or three Hack The Box machines, because they will help you solidify some of the things that you've learned during this module. In most of those cases I had already done those boxes, so if I hadn't done those I guess I would have spent a bit more time on the course content.

Just to give you an idea of what one of these looks like, let's pick one. Here's Pivoting, Tunneling and Port Forwarding. You can jump into this, get the module summary, and again here are all of our sections. You can see that these are just containing information (you can see here, "document"), whereas these have some interactive elements, so exercises that you need to complete. One of the really cool things is you'll generally find that modules will show you various ways to do things. So in this case we've got tunnelling and port forwarding, but you can also achieve the same goal using a variety of different tools, be it socat, SSH, dnscat, chisel, sshuttle, you know. So there are various different tools, and some of them might work for different reasons, or might work better in certain scenarios than others; sometimes you might need to use a certain tool in order to get around firewalls and things like that. So I think it's good to show you a range of options for doing things. Quite often as well you'll be shown how to do something manually, in the kind of slow and monotonous way, before you'll be shown how to do it with an automated tool, which is also good.

I realised I forgot to go over the price, so before we have a look at the exam, let's just go back to this pricing page. I'll talk about this a little bit later when comparing it to the OSCP, which is obviously the most industry-recognised certification but also probably one of the highest priced out there. I've got the Silver annual subscription, so 350 pounds. You have your exam voucher, which should have a retake if you fail it, which has to be done within either 10 days or two weeks of getting your feedback from the first exam, and this gives you access to all modules. So it's worth bearing in mind that even if you finish this Penetration Tester job role path after two or three months, it's not like that year of subscription is going to not be useful for the rest of the year, because you have a lot of other modules you might want to do. You might want to do that Bug Bounty path or go and learn something about binary exploitation; you know, there are a lot of other modules on there that you'll be able to take advantage of.

However, if you're a student and you're able to get the six pound monthly, then you could just pay for the exam. So you can pay for the exam, 150 pounds, and that doesn't give you access to the Penetration Tester job role path, so you either then need to buy the modules with cubes (you can just go and buy cubes; I'm not too sure what the pricing is, but you can go and buy the cubes and redeem them to get that path), or you can use this student subscription to get access to it for six pounds a month. That means if you did this in three months you've got, you know, 18 pounds on that and then 150 pounds; you could do the whole certification for, you know, 170 pounds if that was the case. The other alternative is, if you're not a student and you don't get the yearly subscription, you can pay 160 plus 150 plus VAT, and that will give you the Penetration Tester path and an exam voucher.

So let's return to the exam information. What are the necessary skills to pass the exam? So you must have fully
completed the Penetration Tester job role path, as I mentioned a few times, so you've got to go through at least all the exercises and questions. Prerequisites for completing the exam, or passing the exam: being able to interpret a letter of engagement; having intermediate knowledge of web and infrastructure penetration testing concepts; knowledge of web applications, operating systems and networking basics; being able to comfortably profile and navigate a target network; conducting manual and automated exploitation of various vulnerability classes; and professionally communicating and reporting vulnerabilities. Just a bit more information about how you do that: the report is important. You have a module focused on documentation and reporting which really goes through what's expected of you in the exam and in a real penetration test.

Okay, we've reviewed some of the information available on the Hack The Box website and on the Academy, so I'm going to jump over to a PowerPoint presentation which is just going to help me keep on topic and hopefully not rant to the point where this is like a two hour video. I have to be kind of careful what I say about the exam, because there isn't very much information on the Hack The Box website. It doesn't tell you how many machines there are, or what the setup of the network is, what the structure is, or anything like that, so I can't really spoil any of that. What I can say is the exam is 10 days long, and if you fail the exam on the first attempt you do get another attempt. You have to use your second attempt within 10 days (it's either 10 days or 14 days) from receiving feedback, so it might take them a week or two weeks to give you feedback, and in that time you could be going and trying to review any modules that you think you're not too comfortable with, etc. And then whenever you get your feedback they'll recommend some modules. They can't obviously just give you the flag and tell you exactly where you needed to go next, but they can give you some general advice and tell you what modules to focus on and what areas you might have missed.

There's no proctoring in the exam. So having done the OSCP, I had to have a webcam set up and screen sharing for the whole 24 hour exam; that's not the case here. You've got 10 days to complete it, and they're not going to sit and watch you on the webcam for 10 days while you're struggling. There is no restriction on tools. In the OSCP you are only allowed to use Meterpreter or Metasploit once in the exam, so on one machine; if you use it more than that you'll fail the exam, and also there are other tools you're not allowed to use. I remember I think Superhero1 passed the OSCP exam, but he'd run either LinPEAS or LinEnum, not realising that it had recently been updated with some kind of technique which basically broke the rules in the exam, which is very unfortunate.

Having completed the exam, I would say that every single module that you do is important. I was actually surprised at how much they were able to include in the exam, so I would say from every one of the 28 modules you'll see at least a few elements of that content. If you're used to doing Hack The Box machines on a weekly basis, I would say the exam is quite a bit more realistic. Not only are you dealing with a network, obviously, multiple machines and all the things that then come with it (I mean, you saw in the module structure there you have modules on pivoting and tunnelling, which aren't things you typically see in Hack The Box because it's normally just one machine at a time). Apart from that, on Hack The Box quite often the machines don't have any additional software on them, whereas if you're doing a real penetration test it's not likely that the only software running on the machine is going to be the software with the vulnerability. You know, you're going to be on a corporate network; the employees will have a variety of different tools, a lot of different files around the place, and it's your job as a pen tester to try and work out what to focus on: what software might be vulnerable, what misconfigurations there might be, what files are worth checking for passwords, and things like that. So I'd say it's a bit more realistic in that sense.

You have to submit the report even if you fail. This caught me out: I did fail the first exam, I got 50% by the end of it, and it got to like two days before the exam was over and I just went and read the terms and conditions, the small print, and realised that you don't get an exam retake if you fail to submit the report. So you have to submit a report in order to get an exam retake.

Another thing I want to mention, which isn't a criticism of the certification or Hack The Box but is just generally an observation about pen testing, is that things are quite interconnected, so there are a lot of dependencies, and that's quite different to how assessments are done in academia, for example. Let me just bring up a picture as an example. This isn't exactly the image I was looking for, but let me just use this as an example. Let's say you are a mechanic and you want to do a certification, and the certification is all about how to fix different faults with cars, how to do car repairs. So you learn all the material: you find out how to fix the engine, you know how to change tyres (I don't know much about cars, so that's as far as my examples go), but you learn how to do these things. And then it comes time for your exam, and your exam basically says, okay, there are 20 cars here and you need to fix all of those 20 cars. Each of those cars is going to utilise different material that you've learned during the course, and you should know how to do all of those things. But let's just say you're here, and you've got all of your tools and this thing to lift the car and whatever, all of that is at the front, and all of the other cars are queued behind. So in order to even attempt to fix the 19 cars in the queue, you need to first
fix the first car. So you might take a look at that first car, and maybe the first thing you think is, oh, there's something wrong with the battery, I need to change the battery, it needs a new battery. So you change the battery and it doesn't work; the car still won't start. So you start going through your methodology that you've learned, you go through each of the different modules, for example, and you're trying all these different techniques to see, does this fix it? So you go through all of that, and by the time you get to the end you still haven't fixed the car: you've taken the engine apart, you've rebuilt the engine, you've changed loads of parts, none of it worked. And then you find out that in the steps that you took at the beginning, where your intuition was that the battery needed to be changed, actually you just put in the wrong battery, or you put in another battery which was also faulty, or something along those lines. So all of the other steps that you did weren't useful. You just change the battery and then that's it, you can move on to the second car. And that means you basically have to repeat that process again, right? Because it's not likely to be the battery on the second car, because it's going to be testing you on something new. So you'll start going through that process again, but maybe you'll miss something, or maybe you'll go through every module until you get to the solution for that car.

This essentially creates this dependency where, if you don't know how to fix that first car, you'll never get to the second car, you'll never get to the third car, you'll never get to the fourth car. And that's why, whenever it comes to things like academia, you might have an exam, and you've got 20 questions on the exam, and the idea is that you want to test a student on all of the different material, knowing that they're not going to remember everything, or they're not going to be able to answer every question. So a student might go into an exam, and if the first question was something they didn't know the answer to but they know the other 19 questions, then they can get 95%. But if the first question is required in order to answer question two, and question two is required to answer question three, and they can't answer question one, then they'll get zero percent. So it's just an observation; it's not something which you can really do anything about, because that's how penetration testing is. You can't do a penetration test for a company and say, okay, I wasn't able to get the foothold, I wasn't able to get onto the website, can you just give me a user account so I can log into the network, and then I'm sure I'll be able to compromise everything from there. It doesn't work like that, right? You have to be able to do each one of these steps, otherwise whenever it comes to your job or your work you're not going to be able to actually conduct a penetration test properly. So again, it's not a criticism of Hack The Box or the certification; this is just general. It even applies to doing a Hack The Box machine as well: if you miss something, if you miss a port at the port scan at the beginning, or you don't find a subdomain, then nothing else that you try is going to work if you're missing that key piece of information. But if you have a big chain of key pieces of information that you need, then any one of those links that you miss could basically prevent you from getting any further. Hopefully that makes sense.

Anyway, let's go on to the next slide, looking at the bad things. So what didn't I like about the course and the exam, or what might some people not like about the course or the exam? One of the first things was this NoMachine software. I actually spoke to IppSec and he said that this was being phased out, so I think this was used in more modules in the past and they replaced NoMachine with RDP. The reason this was so annoying is it's basically like a software that could be used instead of RDP, and you had to, on some of the modules, use this NoMachine software to access a VM, and you couldn't copy and paste between them. It had a mandatory US keyboard, so you had to go and try and work out, you know, even the password had characters in it which were different for me on the UK keyboard, and it was just very, very slow, constantly disconnecting, and was pretty annoying at the time. Luckily I think it only came up on one or two modules, and they are phasing it out; they might have phased it out completely already, but if anybody does come across that you'll probably see what I mean.

The other thing is the instance lifetime and timer bugs. So whenever you are doing exercises, normally I think it gives you, was it 60 minutes or 90 minutes, it'll give you for most exercises. My main complaint with this is you might be working or studying, or you know, doing something, and you might just be kind of moving between Academy for 10 minutes and then going back to work and doing 10 minutes more Academy, and if you only have a 60 minute or a 90 minute instance it just keeps running out and you have to go and repeat all those steps again. You have to change the IP addresses and things like that. It can just get a bit annoying depending on what the module is; some of them are very quick and easy, but for example if you're doing a pivoting module and you have to go and set up all these different port forwards and things like that, and then the instance resets, then you have to go and do it all again. The other thing was a timer bug. Sometimes, even though there was a 90 minute timer, it would go down at like 10 minutes per minute, or even more than that, and it meant it was quite hard to actually track. Even though I think the instances didn't necessarily die any quicker, or didn't die whenever you would expect them to, it was then hard to track whether the instance was actually up or not, and sometimes it might be looking kind of functional, like you're able to ping it, but maybe some of the
services have been closed down. So again these are things that I raised with Hack The Box; hopefully they'll look into that. I think for the instance lifetime thing, what they should probably do is just say that each user can have one instance at a time, you know, so you'd be doing one exercise and it could be a 24 hour instance, but you can't go and run an instance on multiple exercises, multiple modules, at once. Which is kind of similar to how the Hack The Box machines and challenges work: you can't have multiple running, but if you have one running you can have it running for 24 hours, let's say.

I did find a couple of questions where the wording was a little bit confusing, either the questions or the actual exercise text. I wish I would have taken some examples; now I can't remember exactly what these were, but there were just times where I read a question and I was like, that shouldn't really be phrased that way. It didn't come up very often, but something to bear in mind.

Exercise issues: so there were a couple of exercises which were kind of annoying, notably the brute force one, or one of the brute force ones, where you're given a password list and then one of the passwords that you're supposed to use isn't on the password list, or you're given a password list that's really big and it would take you a really long time to brute force the protocols. I think in one case you are given a password list but you're supposed to use a mutated password from an earlier module, which, you know, you shouldn't really be expected to know those things, or to invest the time in brute forcing those protocols; you're not really learning anything from those. I did speak with some of the Hack The Box staff regarding that. They were well aware, and they're constantly updating the content, so the content, the exercises and stuff like that are very up to date, and there's a Discord channel where you can go and leave feedback and make suggestions and they get right on it. I didn't actually find that until I was about halfway through the course, and there were times where I was reading things and getting frustrated, like, why don't they change this, this would be really easy to improve, and I didn't really realise that they'd set up quite an easy channel, which is actively monitored by the staff, to take action on student complaints or feedback, etc.

The other thing: hints should never be mandatory. So I think again this is just one or two exercises. Quite often you have an option to read a hint, and I don't like doing that; I think a lot of people consider hints cheating. You know, if you're told that you can do something without a hint, then most people want to do it without the hint and try and test themselves. But there were some cases, I think maybe only one or two cases, where I had to check the hint eventually and realised that actually you needed to check the hint; there's no way you could have solved the challenge without reading the hint. I think if that's the case then the information should just be there. It shouldn't be in a hint which some users might look at straight away and other users might waste days before they actually check.

The final point I'll put here is the 10-day exam might not be ideal for everyone. So again, you might consider this good or you might consider this bad; it really depends how much time you probably end up spending. The reason that Hack The Box have chosen this length of time is so you don't have to work round the clock trying to do the exam. The OSCP is 24 hours, which means, I mean, whenever I did my OSCP I was basically up all night. It was kind of a close call; I passed it first attempt, but I invested a good amount of those 24 hours on the boxes, and I can understand completely why that's not ideal. The thing that I do like about that is that it's 24 hours, so after those 24 hours you can't do any more work, whereas if the OSCP was 10 days and I hadn't finished the OSCP exam within the first 24 hours I would have kept working on it, and if they gave me two days I would have worked for two days, if they gave me five days I would have worked five days, if they gave me 10 days I would have worked for 10 days. So it really just depends on whether the student is able to solve it in that time. I know that Hack The Box would say you shouldn't need 10 full days: if you need 10 full days to do the exam you probably haven't prepared well enough, you haven't covered the content enough, you should have gone and done the supplementary boxes and things like that. Which again I totally agree with, I totally understand, but there are a lot of people who maybe aren't prepared enough for the exam and might just end up working around the clock for 10 days to try and actually pass. That's probably a personality thing as well. I'm interested to hear what other people think of that: how does the 10 days versus 24-hour exam suit most people? Again, for the OSCP you might say, well, I'm just going to take a day off work, and if you fail it you fail it, you go back to work. But most people can't just take 10 days off for a Hack The Box exam, and you shouldn't be expected to; Hack The Box don't expect you to do that. But if I was doing the exam and I was working full-time at the same time and the exam wasn't going well, I would feel that I needed to invest as much time as possible in doing the exam. So again, I raised that with Hack The Box. I completely understand the pros and cons of having a longer exam time, but I think there are definitely some cons to that as well.

Okay, on to the good stuff. So as I mentioned in that last slide, most of those bad things are things that can quite easily be fixed by Hack The Box. It was mostly just small issues with the content, which they are very quick to update. I would say that whenever I did the OSCP certification, the course hadn't been updated in a long time. I know it was updated shortly after I did the exam, but a lot of the content that I was dealing with, the tools, the techniques, it was years old and you could tell that none of it had been updated. Whereas with Hack The Box, even while I was doing this course I'd regularly log in and see that one of the modules had been updated, and then you have to go and do the extra exercises, or see some messages in the Discord to say that some things have been improved or things have been changed. This is the erratum (I don't know how you say that) feedback channel on the Discord, so you can go in there and you can basically say, this is the module I'm looking at, there's a typo here, or this is the exercise I'm looking at, I don't think it should be this way, and they'll take on that feedback and make any corrections that they need to.

The comprehensive course content: so I mean there was just so much in there. Again I can only compare this to the OSCP, and I did it before it was updated, but there really was a lot in there. You get to see how to use different tools to do the same kind of attacks, all very up to date, and looking at a lot of very new vulnerabilities when it comes to Active Directory and stuff like that, which I can't say whether that's included in OSCP content now, but I would be surprised if it's anywhere near as comprehensive.

There is a cheat sheet for each module as well, so I think I mentioned this already. Let me actually go over to my GitHub. Each module gives you one of these cheat sheets in markdown format, so I essentially uploaded them all to a private GitHub repo, bearing in mind the Academy content is paid-for content, so I'm pretty sure you probably can't just go and upload these publicly, so you could just create a private repo and keep access to these. Let's go and take a look at one of them, for example here Windows Privesc. You
can see we've got some different categories and it's very easy just go and grab commands here you've got your description on the right and the commands on the left and you have those for each of the modules so that's really good I also imported these to obsidian as well so I started using obsidian at the beginning of the exam I'd been using cherry tree since my oscp about four years ago so it was quite a switch moving over to the markdown note taking app but I really liked it I am really liking it and having all of these imported into obsidian means you can quite easily just search for Content as well so I ended up using that actually quite a bit more than I used the GitHub but it's just good to have a backup here as well so just to try and directly compare the cpts to the oscp certification again just with this caveat and factor that I did the exam and the course quite a long time ago so it has been updated whenever I did the oscp exam there were five boxes he had two 20 point boxes and no three 20 point boxes and two 10 point boxes and you know that one of the 20 point boxes was going to be a Windows buffer overflow and there wasn't any active directory stuff at the time so that has changed I think the Buffalo flow can still come up but just on one of the machines but a key focus is the active directory stuff in terms of the pricing the hack the Box certification is obviously a lot cheaper I mean the example that we looked at earlier I think was five hundred dollars for a year of the silver subscription which gives you an exam voucher and a repeat if you need it oscp for a year of their lab materials and an exam and a retake so you basically the same thing you can get for two thousand five hundred dollars so five times the price it's currently reduced to two thousand dollars so four times the price there's obviously a big difference there and I think the main thing is that the oscp is more industry recognized so if you are applying for a job you know you'll see a 
lot of companies saying they want people with oscp that they're looking out for that on CVS whereas cpts is a new certification and you're not as likely to see that on the requirements or on the you know desirable qualifications apart from that I would say the cpts exam was a lot more realistic and more challenging it took me two attempts whereas oscp I got that first time maybe that wouldn't be the case with the new oscp exam but I do feel like I have continued to work on at the box and different pen testing related stuff for a few years since I finished the oscp so I don't feel like it's just that I've gotten everything that I learned I feel like I could probably still pass the oscp relatively easily whereas I did struggle more with the cpts the exam structure and length is obviously different you know for comparing those you have 24 hours first 10 days you don't have any proctoring on the cpts and you get a free repeat on cpts although it's worth saying that if you get that yearly package there's 2 500 one for the oscp you do get a exam retake on that as well which is why I've put that little asterisk sir overall I would say oscp is better for your CV and cpts is better for interviews so I think you'll learn more on the cpts I think you'll get more out of the exam and if you get to the interview stage you'll probably be able to explain all of the tools the techniques a lot better or at least I would say maybe not a lot better but I think you'll be able to explain them better than the oscp but if you're actually trying to get to that interview stage have a new SCP on your CV is going to be better I would say then that doing the cpts before doing oscp is probably a good idea because you could do the cpts for you know a quarter of the price or a fifth of the price and because in my opinion it's more comprehensive and the exam is more challenging I think if you complete that you'll be able to get the oscp first attempt without any issues okay so what are my tips for 
anybody who's looking to take the course of the exam I would say update the cheat sheets as you go so I showed the cheat sheets there I showed one of the cheat sheets on GitHub I just downloaded all those cheat sheets and thought they would be fine but there were times in the assessments the end of module assessments and in the exam as well where I went to the cheat sheets looking for a command which I know was part of the module and didn't find it and then I ended up having to go and search through the module to find it so I would say just keep an eye maybe as you're doing exercises and as you're doing the end of module assessments if you see something a command which is missing from the cheat sheet just go and update it and if you keep on top of that you'll end up having some really good references by the time you go to take the exam I would also say make sure you take good notes throughout it the only time I took notes was during the end of module assessments so at the end of the modules you normally have a beginner a medium and a hard lab and I would take notes for those but I didn't take notes for the general module content or the questions on each module I kind of wish that I had done that although obviously you invest more time in doing that as well I just kind of figured because I did that for the oscp and I was a little short on time and I Was preparing for this as well as I had my PhD viver coming up as well quite shortly you know around the same time I kind of just thought it probably wasn't worth the time for me to do that but if you have the time to do it I would recommend doing it the academy search functionality is really good so you can just go and search for a keyword and it'll bring up all the modules I would like to see this improve a little bit so if there's a bit more fine-grained whereby you could search for keywords on a specific module or maybe do some regex stuff there that would be good because it's good if you're searching for something 
very specific but if you're just going and searching for the name of a tool or a really common technique it's just going to come up in so many modules that you don't really know where to go if you I would like to see that improved but it was really good it was very useful I would recommend reading everything as well so as I say I would quite often go and complete the exercises at the bottom of the module the bottom of the section and then go and read all of the content afterwards again you're paying for it you might as well read it I think even if you're able to solve the exercises and the questions without reading the content you'll still find something in that content that you don't know before you do the exam you should repeat any modules that you're not confident on so for me the active directory the pivoting and tunnel and stuff and maybe prevask as well particularly Windows where my weak areas so if there's something where you go through the module and you think that was hard or you don't think it all sunk in it's probably a good idea to review it again before you do the exam and also do the boxes so at the end of most of the modules it will recommend a couple of boxes that you can complete to test the skills you've learned in that module and it's definitely worth doing that again just depending how much time you have the more time you're able to invest in the sort of stuff the greater chances you'll have passing the exam and hopefully on the first time some other tips I would say the final module is a good mini test so it does recommend this the final module is called Enterprise penetration testing or something like that or pen test and Enterprise networks and it's basically like a mini simulated pen test so we'll start off you've got to do your enumeration you know you need to get your foothold so there's some web services you need to find out which one's vulnerable how can you get an initial shell how are you going to then enumerate the internal Network 
and try and find some user accounts you know enumerate the active directory escalate your privileges do a report all of that stuff is like a mini version of the exam and it I mean it is a mini version the the exam is far more comprehensive but if you can do that final module blind so just skip all of the theory and just try and answer the questions and then go and read the theory afterwards if you're able to answer all those questions without reading the content because you're not going to have any of that material to read when it comes to doing the exam so it's just like mini exam really so that's a good idea or another way you could do it is just to go through all of the theory and the questions and then leave it a few days and go back and just try and do the questions without reading any of the content I would say work on the exam report as you go as well I waited until the end because I didn't realize you had to submit the exam report if you were going to fail and for some reason I thought that you would get a different exam on the retake so it wasn't actually worth doing the report but if I would have known from the beginning that you know the retake will be the same exam and the same report I would have done that as I go it's also good because if you get stuck on something you find yourself just reusing the same tools running the same scans trying the same exploits it's good to take a break and the best way you could actually do that is go and start writing up some of your notes because you might see something whenever you're doing that and realize oh actually I should have tried this password that I found earlier here or I should have tried this technique that I discovered earlier here or remember there's this tool running on this system maybe I should investigate that further and it just gives your brain a bit of time to absorb everything that you've already covered and try and work out what might be missing it's of course easier said than done but try not 
to over complicate things there are various stages in the exam where I was going down rabbit holes looking at things which I kind of should have known were not going to be the solution but it just felt like I was out of ideas at the time and really should have just thought a bit more simple and you know just go and review some of the module content if you're out of ideas if you fail on the first attempt make productive use of your time so if you have a week or two weeks before you even get your exam feedback go and use that time to review all of your notes review your report go and cover any modules that you think you need to go over again I went back during that time and did some more active directory boxes so I went and asked what are the good active directory boxes that are currently active just in the hack the Box Discord got a couple of recommendations and spent some time doing those reviewing the modules and just preparing so never in my second exam attempt started I was ready with a few different things to try you'll also get some feedback which you can use so that will recommend some modules and once you get your feedback remember you have 10 days or 14 days to go and review those modules try some of the boxes that might help and then you'll be ready to start Automation and snapshots so yeah there are a couple of parts of the exam where I end up automating things writing scripts because I found myself having to repeat things quite a lot and I just kind of figured if I make a script for this this will this will make it a lot easier to get back to where I where I am if I need to reset the network or you know if I lose my connection or something like that and if you do come up with like a custom script or thinking like matsplit you can make resource scripts for and kind of automate that process if you come up with something like that put it into your report as well because obviously if you're doing a pen test and you can give like a proof of concept you can 
give a script or an exploit and just give that to the company and say all you need to do is run the script and you'll see where the vulnerability is you'll see how the exploit works this will get you to the same stage that I'm currently at as I'm writing the report and that'll always look good Google and chat GPT are your friends so there is no restriction on what you can use as say no restriction on the tools you're able to go on Google whatever you need to obviously bear in mind that if you type things into Google or chat GPT you don't know where that information is going so you don't just want to copy and paste things that contain maybe the domain name or system names and things that are going to identify this as a hack the Box exam so take that stuff out but you can go and paste in either error messages that you're getting or just try and search for general information in fact let's go and have a quick look at chat GPT as well just before we look at chat GPT there's also this orange cyber defense mind map which somebody sent me this I was getting towards the end of my first exam take and this is a really great mind map it's an SVG file so it's scalable you can zoom in and out I think you should be able to depending what stuff I use you might be able to copy and paste stuff as well although that's not working for me but this will basically give you a flow of where you can go so how would you start off pen test in active directory maybe you'll try and list the guest access on the SMB share you'll go through you try and find a user and once you've found this user you've got a valid username so here's some of the things that you'll be able to try you can try to do some password spraying you can try to as rep roast curb roasting Etc and you basically keep going through and anytime you get something new or you know you get a new user account a password or you find a vulnerability you can basically just follow these paths and not only does it give you the idea of the 
exports to try but it gives you the the full command that you can just go and replace uh with your user account your IP address that you're testing and stuff like that so I wish I would have found this a little bit earlier I think this is a great resource and I'll leave a link to this in the description so hopefully you've had a chance to check out chat GPT already it's quite new but this is going to come in very handy for a lot of things but penetration testing is one of them and not everything you get from here is going to be correct you need to be careful what you put into it but that being said if you were trying to find something quite often I would go and I just like search okay port forwarding let's say materpara I gotta start looking for this on go or Google start having a look around smart calls and I'm just not finding what I'm looking for quickly enough and I would go back to chat GPT and say how do I do a reverse port forward it'll probably be okay with all my typos it slowed down a little bit which is the only thing so whenever I was using this a couple of weeks ago it was quite fast now it seems to actually type very slowly you can see here it'll tell us how to perform a reverse port forward in interpreter we can use the port forward command we can search something else how do we want to set up a socks proxy but this has given us very specific examples that we're looking for and if you get to the end of that and you realize okay that didn't quite give me what what I needed you can then correct it or you can give it some additional information and say so how would I use that along with a socks proxy see whether it determines that we can use because Mater Brit has a Sox proxy option so it'll be interesting to see whether it recommends yeah okay interpreter we can set it up so even though I didn't specifically say I want to set up a search proxy in meter it knows that because we were looking for how to do port forward in interpreter it's also going to 
recommend how we can do that in the meterbra session we could then go and say okay specifically how would I use that to forward RDP from a host machine that is two layers in or how would I do a double pivot so how can I use this to perform a double pivot and I was running through this sort of stuff and asking it okay and you know correcting it as I go saying no actually I need to be able to Tunnel the traffic from host a to host B so that I can access this in host C and it would give some good information let me see if I can open up another window of this as well another tab because I also saw somebody I can't remember who posted but somebody on Twitter had got a pen test executive summary so it kind of said write me penetration test executive summary or the following and then you could say something like xss for initial hold Ms or MySQL password reuse let's say pivot to internal machine and I didn't really specify how that was done but let's just say that and let's say use DC Shadow attack to take over domain so you could basically put in the list of things that you've run through on a penetration test and hopefully they should come back and give you an executive summary for this let's see how it looks but yeah we can go back to our interpreter one here again we've got plenty of options and there's been quite a few times where I've been running through stuff with chat GPT and I respond like no you got that wrong and I correct it and then it ends up correcting me and then I'm like okay actually yeah I got it wrong which has happened a couple of times but there are other times where it just gets things wrong you know I was looking for I think it was netsh.exe the windows tool for port forwarding that I was looking for how to use UDP on and it told me to use like Dash protocol UDP and then whenever I tried that it gave me an error saying I can't know what the error was but I basically responded with that error here and then it's like oh yeah the tool doesn't support 
UDP it's like okay well you just you just told me it did but yeah all right so here's an executive summary during a recent penetration test we identified several vulnerabilities that would potentially be exploited by an attacker the first was cross-site scripting floor which could be used as an initial foothold for the attacker by injecting malicious code into a vulnerable website etc etc so it's basically given you an example here of what you could use as an executive summary um You probably don't want to just copy and paste this but this could form a basis this could be like a template that you use you go and update it with stuff that's relevant to the client or you go and add additional information go and correct stuff as needed but this could definitely speed up a lot of the monotonous processes of writing pen test reports if you're looking for some scripts or something as well it's really good at writing like python code you know you say I want a script which does this in Python and it will give you an example I've also been copying and pasting the decompiled code in geidra over here I'm just asking it to summarize it or refactor it de-obfuscate it for me and quite often it comes back with some quite uh simplified code that you can read through I was doing a challenge recently on a CTF and I asked it to I gave it the guidra code just copied and pasted it from the decompiler and asked it to rewrite it in Python for me and it pretty much rewrotees it to the point where I could just copy and paste it and run the same code that was being shown in guildra in a python script I also had a case where there was a you know as a pipe it was a C file so again I mean inkedra and there was a encryption function but there's no decryption function so I just said gave it the encryption function and said can you write me a decryption function for this in Python it came back with a a nice script to automate the process so yeah if you haven't checked this out I definitely 
recommend looking into it the main annoying thing is that quite often one of you asking it questions it will say hacking is illegal or you know it'll it'll come back with a big thing of information about how unethical it is and how you need permission it's like yeah I think you should be able to just turn that off or just say I'm doing this ethically or I'm doing this as a a real penetration test or something like that anyway let's jump back to the slides so finally before I made this video I asked a couple of days ago on Twitter and Linkedin if anybody has any specific questions they'd like me to address I didn't actually get very many which was surprised about I say most of them were asking me to either compare it with the oscp or the ejpt V2 I haven't done the first one I've only done the oscp and as I've said many times throughout the video I did the oscp before they updated the course and the exam so you have to take that for what it's worth hopefully I've compared those well enough in terms of cpts or oscp first somebody had asked me that and I would definitely recommend doing the cpts first I know people who have failed the oscp multiple times and it's very expensive to do that if you can do the cpts first I think you'll definitely pass the oscp in my opinion cpts is more difficult the course is far more comprehensive and at the very least if you're able to pass this exam then you'll have a lot of knowledge and experience that you'll be able to demonstrate your skills in an interview the oscp although it's the most recognized certification when it comes to applying for jobs and things like that a lot of people who have ostp if they get to an interview they can't answer questions you know I've talked to people who have oscp and maybe it's been a long time since they did it which is the same with me and they've not been using those skills in the meantime but sometimes you just kind of wonder how did they pass the exam um I think if you do the cpts there's no 
risk of that you'll be able to go into an interview and demonstrate that you have the skills needed for a penetration tester I was also asked is the course particularly enough to pass the exam it is everything that's in the exam is in the course materials but the course is Big so there's a lot of modules and the modules can be very dense sometimes it might just be whatever you need it's just on you know a small section of one of the modules um so it's very important that you as I say read all the text and review any modules that you weren't sure about that being said any additional material if you've been doing hack the Box machines if you've done other certifications or you do capture flag competitions or you're just good at programming and networking and all these different skill sets will definitely help you in doing a penetration test or in doing a penetration test and certification and what was the most challenging part of the exam so for me the most challenging part are the the parts that was weak at so as I said already the active directory module and the pivoting and tunneling module were particularly challenging for me and maybe Windows prevask is probably not my strong point anyway so there's just a few modules which were more difficult for me and I would say they were also the more difficult parts of the exam for me I don't think it's spoiling to say that because everything that's in the the modules will not everything that's in the modules but something from each of the modules will be in the exam okay so final thoughts I really enjoyed the course and the exam I was a bit stressed having failed the exam on the first attempt I did spend quite a bit time on it but to be honest I probably learned just as much on those exam attempts as I did in the two or three months that I spent reviewing the the module contents I would definitely recommend taking the certification doing the course and especially if you're looking to do the oscp I think this is a great 
way to make sure that you'll be prepared for the oscp and that you'll pass the exam without having to spend well I mean you'll still be spending the money if you're doing the ocp certification but you don't want to end up just constantly paying for retakes or buying more lab time particularly if you're paying for that all out of your own pocket and I probably missed some things so yeah leave me a question down in the comments if if I missed something and you can check out John Hammond did a video a week or two ago reviewing or at least kind of summarizing all the stuff it might be a bit more structured than this video I think this is like an hour long now so I'll probably rant a little bit but hopefully it's been helpful to some people and you can also check out William Moody did a exam review and that was a great video you can go and search I'll leave a link actually to both of those videos in the description so you can go and check those out as well they're quite a bit shorter than this video so it might be a bit more succinct and just kind of giving you an overview and yeah less rambling anyway I hope you've enjoyed it if you have any questions or comments you can leave them down below thanks
Info
Channel: CryptoCat
Views: 37,278
Keywords: CPTS, Certified Penetration Testing Specialist, OSCP, Hack The Box, HackTheBox, HTB, Starting Point, academy, exam, certification, CBBH, pentest, penetration test, pen-test, job, career, redteam, offsec, infosec, cybersecurity, training, ethical hacking, review, guide, tips, chatGPT, enumeration, footprinting, vulnerability, assessment, shells, payloads, metasploit, pivoting, port forwarding, active directory, AD, attacks, SQL injection, XSS, LFI, RFI, privilege escalation, privesc, documentation, reporting, bug bounty
Id: UN5fTQtlKCc
Length: 58min 27sec (3507 seconds)
Published: Thu Dec 22 2022