CAPE
CPTS's big brother

Motivation and Background
Wanted to take this because I heard it was the hardest AD cert in the market. I also enjoyed doing Active Directory pentesting, having taken OSCP and CRTE after CPTS in 2023.

I've been doing HTB Seasonal machines as well as Vulnlab chains and RTLs on and off.
Preparation
I finished the entire path in about 2 months, mostly speeding through it, which I regretted in hindsight. I was deciding between HTB Prolabs and Vulnlab's RTLs and opted for the latter, which cost about 24 SGD a month.

I did all of their RTLs (excl. Shiva) and some of the chains/machines just to familiarize myself with AD attack vectors and pivoting, which helped in building up my methodology and intuition. But it is NOT necessary to pass the exam; many aspects of the labs are out of scope. I merely did it because I thought it was fun and thought it was great supplementary material.
This took me about a month and a half, and about 1 week before the exam I just re-did the skills assessments for topics I was not familiar with, but frankly I yolo started it on the weekend.
Latency...
HTB Exams only have support for US/EU labs at the moment. Using Academy's EU VPN already brought me ~200-300 ms of latency which was not it.
Thankfully, I read this insightful review and decided to provision my own GCP instance in EU, setting up SSH and RDP access and downloading sufficient tools for the exam.
## RDP
gcloud compute start-iap-tunnel kali-2-vm 3389 --zone=europe-west3-b --project=nothing-nothing --local-host-port=localhost:3389
xfreerdp3 /v:localhost /u:root /p:'y0U9g%(z|~04' /dynamic-resolution
## SSH
gcloud compute start-iap-tunnel kali-2-vm 22 --zone=europe-west3-b --project=nothing-nothing --local-host-port=localhost:22
ssh root@localhost -v
I then tested latency with HTB's EU-Academy-6 and got ~5ms which was pretty nice.
Exam Experience
I managed to obtain the passing mark in about ~4.5 days and took a break to do the report. On my 6th day, I continued working on the final flag and managed to obtain it under 2 hours!

I then spent the next 2-3 days doing my report which was longer than what I did for CPTS, ending my report at ~100 pages.
I uploaded my report on 10th August and received my results on 19th of August. In that time, I touched grass.

Reflection and thoughts
If you have done CPTS or any HTB cert before, 10 days of exam time is honestly a long yet stressful duration. I personally was lucky enough to be able to commit ~9 hours a day but even then it was pretty brutal at some points.
I remember having no progress for the first two days straight which can be pretty demoralizing.
Like some reviews have mentioned, the exam has very few rabbit holes, so most of the time, if your methodology is solid enough, you will spend a lot of time thinking of how to perform X attack, which requires a good understanding of the course materials (which I learnt the hard way).
I found that taking multiple breaks during the exam helped in clearing my mind and seeing things from a different perspective.
As for latency, I had little to no lag from the GCP instance to the exam network, but there was still input lag in my SSH terminal to the GCP instance as I am in SG.
Tips and Tricks
Research on multiple ways of doing the same attack as tools will break
Preparation through labs (e.g. HTB Machines, Vulnlab) is ok, just don't overdo it and overthink complex attack vectors not taught in the course
If you're in Asia, please use a VPS in EU, you don't want to be debugging whether your attack is failing due to latency
Test your payloads/shellcode on the latest version of Defender on a VM
Do what next
Probably OSEP/CRTO next. CWEE looks fun but I don't think I can do another 10 day exam without a significant decline in my mental health.
References/Links that are useful