HTB CAPE Review
In this blog post, I will share my experience with the CAPE exam and the related journey, along with some tips for those who are currently on this path or considering it.
Lorenzo Meacci @kapla
4/25/2025 · 4 min read


Hi all, in this short blog post, I want to share my experience with the CAPE exam, where I struggled, and how to prepare for this incredible challenge.
But what is the CAPE exam?
“The HTB Certified Active Directory Pentesting Expert (HTB CAPE) is a highly hands-on certification assessing candidates' skills in identifying and exploiting advanced Active Directory (AD) vulnerabilities. HTB CAPE certification holders will possess technical competency in AD and Windows penetration testing, understanding complex attack paths, and employing advanced techniques to exploit them. HTB CAPE certification holders will demonstrate proficiency in executing sophisticated attacks abusing different authentication protocols such as Kerberos and NTLM and abusing misconfigurations within AD components and standard applications in AD environments such as Active Directory Certificate Services (ADCS), Windows Update Server Services (WSUS), Exchange, and Domain Trusts. Furthermore, they will be adept at leveraging specialized tools to exploit AD from Linux and Windows and utilizing Command and Control (C2) frameworks for post-exploitation operations. They will also be able to conduct internal penetration tests professionally against modern AD environments.”
The certification is Turing complete on almost all aspects of on-premises AD Pentesting, and I learned a lot during the process of studying the path and taking the exam. If your sole focus is AD, then this is the Cert for you!
What are the prerequisites?
As Hack The Box states, this is an “Expert” certification, so the learning path is not beginner-friendly, and the knowledge they give you in CPTS is taken for granted when students enroll in the path. I did CPTS, CRTO, and CRTL before doing CAPE, and I would say that none of them is required, but the experience I gained from doing those exams helped me a lot during the final challenge. I also completed CyberNetics before the exam just to get a refresher on AD exploitation, even though I found CAPE much harder.
My Exam experience
The final challenge is a 10-day-long exam in which you are required to do a full internal AD penetration test and write a commercial-grade report in the same period.
This was without a doubt the hardest exam I did and also the most fun! Don’t get me wrong: hard doesn’t necessarily mean frustrating or that it makes “no sense”; it actually poses a great challenge that is supposed to push you to greater heights. I got all 10 flags in less than 5 days and worked on the exam for about 35 hours. I think taking regular breaks and relaxing is essential to avoid burning out after a few flags. The exam is long, and it is easy to feel overwhelmed by the amount of information inside it. I had a linear experience and relied on my intuition and methodology. Don’t expect there to be many rabbit holes. That is the neat part: you probably know what to do but have no idea how :)
Why is the Exam so damn HARD?
What makes this exam so hard is the understanding of AD you are required to have in order to pass. Just copy-pasting commands from sections won’t help you, and a lot of modifications are required to make what you learn in the path work. You need to understand the attacks and why they work. Some attacks from section A are indirectly linked to attacks from section B, so read between the lines and always #thinkoutsidethebox! Also, I can’t (for obvious reasons) discuss the actual exam, but the tips I can give are the following:
Tips for the exam
Take your time; think of the CAPE as a 20-day-long exam, since you are given a second free attempt in case you fail the first one
Understand at least 85% of every module
Understand at a deep level how AD authentication protocols work!!!!
Being proficient with PowerView/dacledit will save you when BloodHound fails (MOST OF THE TIME IT DOES)!!!!
ENUM, ENUM, ENUM....
Do CyberNetics and Zephyr Prolab; from my experience, developing a strong methodology is key to passing any exam
Using a C2 is not mandatory, but if you know how to use one it will be extremely helpful. Also, test your payloads in a local lab with the latest Defender version to be 100% sure that what you are crafting can be used out of the box during the exam. (My blog is more oriented toward BOF development but can be useful for starting out with Havoc.)
How does this exam Compare to CPTS?
If we compare CPTS and CAPE on web exploitation, then CPTS is effectively an infinite number of times harder than CAPE, because no web exploitation is required in the exam. But when it comes to Active Directory, just think of CPTS flag 9 being 2x easier than the easiest flag in CAPE.
How do I know when I am ready?
This is a good question, and there isn't a real answer to it, but if you are able to pwn CyberNetics (THE AD RELATED STUFF) or any similar prolab (to develop a strong methodology) and the Skill Assessments of each module with few or no hints at all, then you will be just fine. But don't expect the exam to be a walk in the park either.
Do I recommend this Path/exam?
100%. It is by far the best AD pentesting certification, with absolutely no match at the moment, and I am sure HTB is starting to get recognition worldwide and will become the standard for future cyber security jobs. Even so, the path has some things I would have done differently. Some modules are way too “heavy” and go into deep detail from the start; I would take a more gentle approach to the problem/attack first, reviewing at a high level how it works and why, and then proceed to the details. Other modules, like CrackMapExec/NetExec, LDAP enumeration, and PowerView enumeration, are great but are probably a level II (100 cubes) rather than a level III (500 cubes), since the same material can easily be found for free in the NetExec and PowerView documentation. Another module that felt unnecessary was the BloodHound module. On the other hand, my favorite modules were the NTLM relay attacks, ADCS attacks, Active Directory Trust Attacks, MSSQL, Exchange, and SCCM attacks.
To all the HTB Academy team, who brought this amazing certification to life: BRAVI!!!



