100+ Free HTB CPTS Practice Questions

HTB Certified Penetration Testing Specialist practice questions are available now; exam metadata is being verified.


Key Facts: HTB CPTS Exam

Exam Duration: 10 days (Hack The Box)
Minimum Passing Requirement: 12/14 flags (Hack The Box)
Target Machines in Exam: ~8 machines (Hack The Box)
Path Prerequisite: 28 modules (HTB Academy)
Student Subscription: ~$490/yr (Hack The Box)
Commercial-Grade Report: Report required (Hack The Box)

HTB CPTS is a 10-day practical penetration testing exam requiring candidates to capture at least 12 of 14 flags across approximately 8 Linux and Windows machines in a simulated enterprise environment (including Active Directory), then submit a commercial-grade report. Prerequisites include completing all 28 modules of the HTB Academy Penetration Tester path. This practice exam covers knowledge areas: Nmap, ffuf, BloodHound, Kerberoasting, Metasploit, SQLi, LFI, privesc, and AD attacks.

Sample HTB CPTS Practice Questions

Try these sample questions to test your HTB CPTS exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which Nmap flag performs a TCP SYN (half-open) scan without completing the three-way handshake?
A. -sS
B. -sT
C. -sU
D. -sA
Explanation: -sS sends a SYN packet and waits for SYN/ACK or RST without completing the handshake, making it stealthier than a full TCP connect scan. It is the default scan type when run as root. The incomplete handshake reduces logging on many systems.
2. Which Nmap flag enables service version detection on open ports?
A. -O
B. -sC
C. -sV
D. -A
Explanation: -sV probes open ports and attempts to determine the running service and version. This is essential during footprinting to identify exact software versions that may have known CVEs. Without -sV, Nmap only reports the port state.
3. During footprinting, you want to enumerate all 65,535 TCP ports on a target. Which Nmap flag set achieves this?
A. -p-
B. -p 1-1024
C. --top-ports 1000
D. -F
Explanation: -p- is shorthand for -p 1-65535 and instructs Nmap to scan every TCP port. This is critical during thorough penetration tests because services running on non-standard ports (e.g., a web server on 8080 or SSH on 2222) would be missed by the default top-1000 scan.
4. What is the primary purpose of the Nmap Scripting Engine (NSE) category 'vuln'?
A. Check for known vulnerabilities using scripts that produce actionable results
B. Enumerate open shares and user accounts
C. Brute-force service credentials
D. Fingerprint the operating system by TTL values
Explanation: The 'vuln' NSE category runs scripts designed to detect specific known vulnerabilities (e.g., ms17-010 for EternalBlue, http-shellshock). These scripts produce results that directly support the vulnerability assessment phase of a penetration test.
5. Which ffuf flag specifies the wordlist used for web directory fuzzing?
A. -w
B. -u
C. -d
D. -H
Explanation: -w specifies the wordlist file path in ffuf. A typical command is: ffuf -u http://TARGET/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt. The FUZZ keyword in the URL is replaced with each wordlist entry during fuzzing.
6. You are fuzzing for virtual hosts on a web server. Which ffuf flag tells it to match only responses with a specific HTTP response code?
A. -mc
B. -ms
C. -mr
D. -fc
Explanation: -mc (match code) filters results to only show responses with specified HTTP status codes. For example, -mc 200,301 shows only successful or redirected responses. This is essential when fuzzing vhosts or subdomains to filter out noise from default 404 responses.
7. What does the 'FUZZ' keyword in an ffuf command represent?
A. A placeholder replaced by each wordlist entry during the scan
B. The output file path where results are saved
C. The authentication token for the target application
D. The filter pattern to exclude false positives
Explanation: FUZZ is the injection point marker in ffuf. When placed in the URL, headers, or POST body, each wordlist entry replaces FUZZ in turn. Multiple injection points (FUZZ, FUZ2Z, etc.) can be used for multi-parameter fuzzing simultaneously.
8. Which protocol does Kerberoasting attack to retrieve service account ticket hashes for offline cracking?
A. NTLM
B. LDAP
C. Kerberos
D. SMB
Explanation: Kerberoasting exploits the Kerberos protocol. Any authenticated domain user can request a TGS (service ticket) for any SPN-registered service account. The TGS is encrypted with the service account's NTLM hash, which can be extracted and cracked offline using tools like hashcat or John the Ripper.
9. Which tool is used to perform Kerberoasting from a Linux host, requesting TGS tickets for all SPNs in a domain?
A. BloodHound
B. Rubeus
C. GetUserSPNs.py (Impacket)
D. CrackMapExec
Explanation: Impacket's GetUserSPNs.py is the primary Linux-side tool for Kerberoasting. It authenticates to the domain, enumerates all service principal names, requests TGS tickets, and outputs them in hashcat-crackable format (-request flag). Rubeus is the Windows-side equivalent.
10. AS-REP Roasting is possible when a user account has which specific attribute set?
A. Do not require Kerberos preauthentication is enabled
B. Account is a member of Domain Admins
C. Account has an SPN registered
D. Account has a password that never expires
Explanation: AS-REP Roasting requires the 'Do not require Kerberos preauthentication' (UF_DONT_REQUIRE_PREAUTH) flag set on the account. Without preauthentication, the KDC responds to any AS-REQ with an AS-REP containing a part encrypted with the user's hash, which can be cracked offline without providing credentials.
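
The account conditions behind questions 8 to 10 can be audited from the defender's side. The following is an added example, not part of the original practice questions: it reads a directory export and lists enabled user accounts that carry an SPN or have UF_DONT_REQUIRE_PREAUTH set. The LDIF sample, the function names parse_ldif and audit, and the choice to skip disabled accounts are assumptions of this example.

```python
# Added example. SAMPLE_LDIF is constructed for illustration (not real data).
UF_ACCOUNTDISABLE = 0x00000002
UF_DONT_REQUIRE_PREAUTH = 0x00400000

SAMPLE_LDIF = """\
dn: CN=svc_sql,OU=Service,DC=example,DC=local
sAMAccountName: svc_sql
userAccountControl: 66048
servicePrincipalName: MSSQLSvc/db01.example.local:1433

dn: CN=legacy_app,OU=Users,DC=example,DC=local
sAMAccountName: legacy_app
userAccountControl: 4260352

dn: CN=old_svc,OU=Service,DC=example,DC=local
sAMAccountName: old_svc
userAccountControl: 4194818
servicePrincipalName: HTTP/old.example.local

dn: CN=WEB01,OU=Servers,DC=example,DC=local
sAMAccountName: WEB01$
userAccountControl: 4096
servicePrincipalName: HOST/web01.example.local
"""

def parse_ldif(text):
    """Parse a simple LDIF export (no line folding, no base64 values)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key, []).append(value)
        entries.append(entry)
    return entries

def audit(entries):
    findings = {"kerberoastable": [], "asrep_roastable": []}
    for e in entries:
        name = e.get("sAMAccountName", ["?"])[0]
        uac = int(e.get("userAccountControl", ["0"])[0])
        if uac & UF_ACCOUNTDISABLE:
            continue  # triage choice of this example: skip disabled accounts
        if uac & UF_DONT_REQUIRE_PREAUTH:
            findings["asrep_roastable"].append(name)
        # Computer accounts (name ends in $) use machine-generated passwords,
        # so only user-type accounts with an SPN are reported.
        if e.get("servicePrincipalName") and not name.endswith("$"):
            findings["kerberoastable"].append(name)
    return findings
```

Accounts it reports are candidates for long random passwords or managed service accounts, and for re-enabling preauthentication where nothing depends on it being off.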

About the HTB CPTS Practice Questions

Verified exam format metadata for HTB Certified Penetration Testing Specialist is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.