CPTS and OSCP - 2025 Review
In January 2025 I started a new position as a Security Specialist. The job involved a lot of red tape, which meant that some days there was a fair amount of downtime, so quite early into the year I made the decision to use this time (and a fair amount of my free time) to “get cracked” in the field of penetration testing.
My goal back then was to get either the Hack The Box Certified Penetration Testing Specialist (CPTS) or the OffSec Certified Professional (OSCP) certification. The OSCP especially had me fascinated since 2018, when I first started doing Boxes on HTB; the practical 24-hour exam seemed more elite and prestigious than any other certification I had seen so far. The CPTS was still quite new, but with a similar format it appeared to be an interesting alternative, and since I still had an active HTB Academy subscription from my old job, I decided to work on the CPTS.
Completing the CPTS
As just mentioned, I already had an active subscription and had already started the Penetration Tester path, which needs to be fully completed before you are allowed to take the exam. I was at around 30% completion and needed two more months to complete the rest of it. Most of my time was spent in the Active Directory module: while I was able to leverage my existing CTF knowledge to blitz through most other modules, this was a completely new topic to me and a big part of the course and exam. What I really like about the course is that it introduces multiple tools for most tasks and lets you pick whatever works best for you, which leaves you with your own personal arsenal at the end of the course.
The last module of the course is a mock exam and was a humbling lesson for me. While I was able to identify and exploit vulnerabilities, I realized that my pivoting skills were quite lackluster, and I often ended up in an “Ok what now?” situation where I did not know what to do next after obtaining a flag, which pulled me out of my flow state. My pivoting issues were solved with ligolo-ng, which makes pivoting really comfortable. For the workflow issues I went back to the material and tried to look at it in a broader scope, which helped a fair bit.
For the actual exam I took a week off work, since the exam gives you ten days to complete the challenge and to write a professional report. In order to pass the exam you need to compromise multiple simple web applications, escalate privileges, move laterally and compromise multiple domains. I sadly can’t go into much more detail without breaking the rules of confidentiality. The topic I struggled with the most during the exam was post-exploitation, something I did not practice a lot. It took me four days to obtain all required flags and another three to write the report, which ended up being around 70 pages.
Nine days after submitting my report, I got an e-mail from HTB congratulating me on my passed exam. It was only April and my goal for the year was already completed.
Min-Maxing the OSCP
After spending the summer on other hobbies, I felt bored around early September. I still could not get my mind off the OSCP as the golden ticket to wealth and prestige, so, after deliberating over its high price tag, I made the decision to invest in myself and bought the 90-day package for the course and exam.
The course was not quite as good as the HTB one, and they both had a lot of overlap, which is to be expected since they are in the same domain, but it caused me to lose interest within a couple of days after starting the course. So after taking a 30-day break I returned in early October and booked my exam for late October, since I already had some vacation time approved for that timeframe. Instead of continuing the course and getting bored again, I skipped to the end and did the three mock exams. For all three of them I needed to check the OffSec Discord for the occasional hint. When I got stuck it was mainly because I was not used to the OffSec style of challenges and could not find the “entry point”, not because I lacked the fundamental knowledge to exploit it. So even though the mock exams did not go perfectly, after reviewing the privilege escalation chapters of the course, I felt like they had made me familiar enough with the exam structure to take the actual exam, and so I did.
OffSec gives you 24 hours to obtain enough flags in their environment to pass the exam. The environment consists of a three-machine Active Directory set and three standalone machines. For the standalone machines you need to gain access yourself, while for the set they provide you with a user. In order to pass the exam you need to obtain 70 out of 100 points; the AD set gives you 40 points and the standalone machines give you 20 each (10 for user access and 10 for admin access). The biggest challenge is to find the vulnerability, which was something I had already learned from the mock exams; this results in a very “loud” approach where you run as many scanners as you manage to come up with, something I did not quite like about the exam. In my attempt I was quickly able to compromise two machines from the AD set and then got stuck on a rabbit hole in said set. After a small break I decided to go for the standalone machines next and was able to get both user and root on two machines quite quickly, which left me with 60 out of 70 points. For the third machine I was not able to find anything remotely exploitable, so I returned to the AD set. After wasting another couple of hours on the rabbit hole, I realized that it might not be the intended path and tried a couple of different angles, which worked out rather quickly and gave me another 20 points, resulting in a total score of 80 points. By that time I was already 15 hours into my exam, so I went through my screenshots and took a couple of screenshots I had forgotten to take in the heat of the battle, finished the exam and went to bed. The next day I wrote my report, which ended up being 29 pages. I used noraj’s Markdown template to generate the report from a markdown file, which is a lot faster than editing a Word file once you take an hour to learn Markdown.
During the waiting period I was a bit more worried this time, since I was unsure about the length of the report, but four days after my submission I got an e-mail congratulating me on my OSCP.
Closing thoughts
After these two courses and exams I feel a lot more knowledgeable about penetration testing and have developed my own methodology, but I still would not consider myself “cracked”. Reaching that level requires a fair amount of real-world experience, which is something I will work on in 2026, something that now feels reachable thanks to these certs.