
# CAPE


## Motivation and Background

I wanted to take this because I heard it was the hardest AD cert on the market. I also enjoyed doing Active Directory pentesting, having taken OSCP and CRTE after CPTS in 2023.


I've been doing HTB Seasonal machines as well as Vulnlab chains and RTLs on and off.

## Preparation

I finished the entire path in \~2 months, mostly speeding through it, which I regretted in hindsight.\
I was deciding between HTB Prolabs and Vulnlab's RTLs and opted for the latter, which cost about 24 SGD a month.


I did all of their [RTLs](https://wiki.vulnlab.com/guidance/) (excl. Shiva) and some of the chains/machines just to familiarize myself with AD attack vectors and pivoting, which helped in building up my methodology and intuition. But it is **NOT** necessary to pass the exam; many aspects of the labs are out-of-scope. I merely did it because I thought it was fun and thought it was great supplementary material.

This took me about a month and a half, and \~1 week before the exam I just re-did the skills assessments for topics I was not familiar with, but frankly I yolo started it on the weekend.

### Latency...

HTB Exams only have support for US/EU labs at the moment. Using Academy's EU VPN already brought me \~200-300 ms of latency which was not it.

Thankfully, I read this insightful [review](https://gatari.dev/posts/cape-experience/) and decided to provision my own GCP instance in EU, setting up SSH and RDP access and downloading sufficient tools for the exam.

```bash
## RDP
gcloud compute start-iap-tunnel kali-2-vm 3389 --zone=europe-west3-b --project=nothing-nothing --local-host-port=localhost:3389
xfreerdp3 /v:localhost /u:root /p:'y0U9g%(z|~04' /dynamic-resolution

## SSH 
gcloud compute start-iap-tunnel kali-2-vm 22 --zone=europe-west3-b --project=nothing-nothing  --local-host-port=localhost:22
ssh root@localhost -v
```

I then tested latency with HTB's EU-Academy-6 and got \~5ms which was pretty nice.

## Exam Experience

I managed to obtain the passing mark in \~4.5 days and took a break to do the report. On my 6th day, I continued working on the final flag and managed to obtain it in under 2 hours!


I then spent the next 2-3 days doing my report which was longer than what I did for CPTS, ending my report at \~100 pages.

I uploaded my report on 10th August and received my results on 19th of August. In that time, I touched grass.


### Reflection and thoughts

If you have done CPTS or any HTB cert before, 10 days of exam time is honestly a long yet stressful duration. I personally was lucky enough to be able to commit \~9 hours a day but even then it was pretty brutal at some points.

I remember having no progress for the first two days straight, which can be pretty demoralizing.

Like some reviews have mentioned, the exam has very few rabbit holes, so most of the time if your methodology is solid enough, you will spend a lot of time thinking of **how to perform X attack**, which requires good understanding of the course materials (which I learnt the hard way).

I found that taking multiple breaks during the exam helped in clearing my mind and seeing things from a different perspective.

As for latency, I had little to no lag from the GCP instance to the exam network, but there was still input lag in my SSH terminal to the GCP instance as I am in SG.

## Tips and Tricks

* Research multiple ways of doing the same attack, as tools will break
* Preparation through labs (e.g. HTB Machines, Vulnlab) is ok, just don't overdo it and overthink complex attack vectors **not taught in the course**
* If you're in Asia, please use a VPS in EU; you don't want to be debugging whether your attack is failing due to latency
* Test your payloads/shellcode on the latest version of Defender on a VM

## Do what next

Probably OSEP/CRTO next. CWEE looks fun but I don't think I can do another 10 day exam without a significant decline in my mental health.

## References/Links that are useful

* <https://gatari.dev/posts/memory-lane/>
* <https://wiki.vulnlab.com/lab-notes/c2-loaders/asm-loader>
* <https://adminions.ca/>

