
100+ Free HTB CAPE Practice Questions

HTB Certified Active Directory Pentesting Expert practice questions are available now; exam metadata is being verified.

Question 1

Which technique uses forged Kerberos tickets to maintain persistent access even after the domain admin's password is changed?


Key Facts: HTB CAPE Exam

- Lab Duration: 10 days (source: Hack The Box)
- Prep Path Length: 15 modules (source: HTB Academy)
- ADCS Attack Classes Covered: ESC1-8 (source: CAPE Syllabus)
- Difficulty Rating: Expert (source: Hack The Box)
- Certification Validity: Lifetime (source: Hack The Box)
- AD Attack Domains Tested: 10+ (source: CAPE Exam Guide)

CAPE Exam Guide

HTB CAPE is a 10-day practical AD lab exam that proves expert-level skills in Active Directory penetration testing. Candidates must enumerate complex AD environments, chain Kerberos attacks, exploit ADCS misconfigurations (ESC1-8), abuse DACL relationships using BloodHound, relay NTLM to LDAP and ADCS endpoints, attack cross-forest trusts, and operate a Sliver C2 framework — all while avoiding detection and submitting a professional report.

Sample HTB CAPE Practice Questions

Try these sample questions to test your HTB CAPE exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which PowerView function enumerates all Active Directory users in the current domain?
A. Get-DomainUser
B. Get-ADUser
C. Get-DomainGroup
D. Invoke-UserHunter
Explanation: Get-DomainUser is the PowerView function that queries LDAP to return user objects in the current (or a specified) domain. It supports filtering by properties such as SamAccountName, adminCount, and servicePrincipalName. Get-ADUser is a built-in Active Directory module cmdlet, not a PowerView function.

2. What LDAP filter would you use to find all accounts with a Service Principal Name (SPN) set, making them Kerberoasting targets?
A. (&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))
B. (&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=512))
C. (&(objectClass=computer)(servicePrincipalName=*))
D. (msDS-AllowedToDelegateTo=*)
Explanation: The LDAP filter (&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)) returns all user accounts that have at least one SPN set. These accounts are Kerberoasting targets because the KDC will issue a TGS ticket encrypted with a key derived from their password (the NTLM hash, for RC4), which can then be cracked offline.

3. During Kerberoasting, which component of the ticket is cracked offline to recover a service account's plaintext password?
A. The TGS ticket's service-ticket portion, encrypted with the service account's NTLM hash
B. The TGT, encrypted with the KDC's krbtgt hash
C. The PAC, encrypted with the domain controller's machine account hash
D. The AS-REQ pre-authentication timestamp
Explanation: When a TGS is requested for a service with an SPN, the KDC encrypts part of the response (the service ticket) using the RC4 or AES key derived from the service account's password hash. An attacker can request this ticket and crack the encrypted portion offline to recover the plaintext password.

4. Which Impacket tool is used to perform AS-REP Roasting against accounts that do not require Kerberos pre-authentication?
A. GetNPUsers.py
B. GetTGT.py
C. GetUserSPNs.py
D. secretsdump.py
Explanation: GetNPUsers.py (No Pre-Auth Users) requests AS-REP hashes for accounts where the DONT_REQUIRE_PREAUTH flag is set in userAccountControl. The returned encrypted AS-REP blob can be cracked offline with Hashcat mode 18200 to recover the account's password.

5. In BloodHound, what relationship edge indicates that a principal has the ability to modify the msDS-KeyCredentialLink attribute of another object, enabling a Shadow Credentials attack?
A. WriteDacl
B. WriteOwner
C. AddKeyCredentialLink
D. GenericWrite
Explanation: The AddKeyCredentialLink edge in BloodHound indicates that a principal can write to the msDS-KeyCredentialLink attribute of a target object. An attacker exploits this by adding a certificate credential to the target account, then authenticating as that account via PKINIT Kerberos to obtain its TGT and NT hash.

6. What ADCS misconfiguration (ESC1) allows any domain user to enroll in a certificate template and specify an arbitrary Subject Alternative Name (SAN)?
A. The template has the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag set and allows domain user enrollment with a client authentication EKU
B. The template allows client authentication and the CA enforces manager approval
C. The certificate template uses only the machine authentication EKU
D. The CA is configured with the EDITF_ATTRIBUTESUBJECTALTNAME2 flag but the template restricts enrollment
Explanation: ESC1 occurs when a certificate template has the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag set (allowing the requester to specify the SAN), combined with low-privileged enrollment rights (e.g., Domain Users) and a Client Authentication EKU. An attacker can request a certificate specifying any user's UPN in the SAN, then use that certificate to authenticate as that user.

7. Which Certipy command is used to find vulnerable ADCS certificate templates and CA misconfigurations in a domain?
A. certipy find -username user@domain.local -password pass -dc-ip 10.10.10.1
B. certipy req -username user@domain.local -password pass -ca CA -template Template
C. certipy auth -pfx admin.pfx -dc-ip 10.10.10.1
D. certipy shadow auto -username user@domain.local -password pass -account target
Explanation: certipy find enumerates the ADCS configuration, certificate templates, and CA permissions, and identifies misconfigurations that match the ESC1 through ESC11 vulnerability categories. It outputs results in JSON and BloodHound-compatible formats.

8. ESC8 in ADCS involves relaying NTLM authentication to which service to obtain a certificate for a privileged account?
A. The Web Enrollment HTTP endpoint of the AD Certificate Services CA
B. The LDAP service on a domain controller
C. The RPC endpoint of the CA using MS-ICPR
D. The SMB service on the CA server
Explanation: ESC8 exploits the AD CS Web Enrollment interface (typically running over HTTP without Extended Protection for Authentication). An attacker relays NTLM authentication from a machine account (e.g., a DC coerced via PetitPotam or printerbug) to the CA's /certsrv/ endpoint to request a certificate on behalf of that machine, enabling domain compromise.

9. Which tool is most commonly used in the HTB CAPE path to perform NTLM relay attacks, including relaying to LDAP and ADCS endpoints?
A. ntlmrelayx.py
B. Responder
C. CrackMapExec
D. mitm6
Explanation: ntlmrelayx.py (part of Impacket) is the primary tool for relaying NTLM authentication to various services, including LDAP, SMB, MSSQL, and ADCS HTTP endpoints. It supports automatic exploitation modes such as RBCD setup, secretsdump, and shadow credentials once a relay succeeds.

10. What is the purpose of the PetitPotam technique in an NTLM relay attack against AD CS?
A. To coerce authentication from a Windows machine using the MS-EFSRPC protocol, forcing it to send NTLM credentials
B. To extract LSA secrets from a domain controller using MS-LSAD
C. To enumerate shares on a target using SMB null sessions
D. To perform pass-the-ticket using Kerberos TGTs obtained from memory
Explanation: PetitPotam abuses the MS-EFSRPC (Encrypting File System Remote Protocol) to coerce a Windows machine (including domain controllers) into authenticating to an attacker-controlled server. The resulting NTLM authentication can then be relayed to ADCS Web Enrollment (ESC8) to obtain a certificate and compromise the domain.

About the HTB CAPE Practice Questions

Verified exam format metadata for HTB Certified Active Directory Pentesting Expert is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.