Introduction


I am elated, shocked, exhausted, stoked, surprised, insert other emotion here, about my results. This is a 10 day, pretty extensive exam. I am going to say it was more like a 30 day exam for me because I took it three (3) times. This test really pushed my limits. It forced me to think about how to use the exploits and techniques learned in the course in exciting new ways, and I genuinely feel better for having taken both the course and the exam.

I also feel a weird sense of loss, like I can never go back and do that test again. Sad.

I keep thinking about this one thing: “I took this exam three times.” I think I have a bit of imposter syndrome, like maybe taking it three times means I am not worthy of the certification? I am not sure, but hey, I will take it.

The badge says somewhere around 100 people have earned it for completing the exam. I know the real number is higher because folks who have an enterprise version and take this with their employer (hello, it is me) will not earn the badge on their personal Hack The Box account. Still though, I feel like I am in an exclusive group.



Expectations vs. Reality

I took OSCP before, and before starting CAPE, I expected:

  • Because there are 10 flags, I figured each one would be a pretty simple, straightforward path.
  • A reasonable amount of time to complete the exam.
  • Confidence in using the attack box environment.

What I did not fully anticipate was:

  • For me, 10 days was almost not even enough time. I was rushed.
  • Some attack paths are pretty extensive.
  • How much dedication the coursework and the test really required.

The biggest challenge: Dedicating. Time.


Dedication

For anyone who is going to tackle the CAPE certification, I strongly urge you to truly block out time for this. I do not have an accurate estimate of how long it took me to complete the coursework, but I worked full time as a penetration tester, and my employer was gracious enough to allow a generous amount of work time dedicated to this professional development.

I was privileged, and I recognize that.

And still, it took me FOR-EV-ER (hello, Sandlot fans).

Once you start the test, you have 10 days. That sounds like a lot. While it is definitely enough time, if you are not an Active Directory hacking wizard, you will need all of it. I took time off work, sat at home, and my full time job was working on this exam.


What to Expect when You Are Expecting (to Take the Exam)

I will be doing no such thing as identifying the testing environment. I will do my best to give you as much information as possible to help you get yourself prepared. Please bear the following in mind.

  1. You KNOW the testing environment.

    • You have been doing the modules.
    • You have connected to VPNs.
    • You have used the provided ParrotOS or you have found ways to use your local host.
    • You have used their environment and you know what to expect.
    • Have a plan for how you will proceed once the test begins.
  2. Allllllll the tools you need are provided. Trust.

    • I was that guy: I hopped in and this environment was just a liiiiiiiittle bit quirky. I messaged HTB to say things were not right. They assured me that they were. Later I realized everything was there, I was just not using it correctly.
  3. This goes without saying: E-NUM-ER-ATE.

    • I will repeat it again if you skimmed that part. ENUMERATE.
    • Have an enumeration plan.
    • If you find new creds, go back and enumerate everything all over again. Pretend you are starting from scratch.
    • You never know what you might find.
  4. Be creative.

    • Everything you need is in the modules.
    • Some things will feel very familiar, like “I have seen this used before exactly as it is in the modules.”
    • Others might feel more like “I learned this tool in the modules, but I think I need to apply it in another way.”
  5. Write the report as you go.

    • This might sound obvious, but with my ADHD brain (undiagnosed, but I swear it is there), I get excited. I find new creds, discover a new path forward, and immediately start executing the exploit. Then I realize I made no notes.
    • Writing up the vulns as you find them saves so much time.
    • I saved the entire report for the end and rushed it.
    • Do not be like me.

Prep.

I mean, first and foremost, do the modules. Do them again… You heard me. Do them again. Practice. Get the exploits down. You will use them, I promise.

Secondary to ensuring you are familiar with the material, go out and do some of the ProLabs. Yes, it is like $50 USD per month. The investment in that will be nothing compared to the benefits you get from practice, practice, practice. Here are a few good ones:

  1. Zephyr
  2. Cybernetics
  3. Dante

If you manage to finish all three of those, you are likely ready.

I would like to put in a plug for HackSmarter: https://www.hacksmarter.org. I do not own this site, I am not endorsed at all by them, but they are doing great work. Tyler Ramsbey is a great public speaker and instructor, and this is a value add to your learning. It's affordable too and has quite a few AD environments from easy to hard that will help you out.

Join these Discords; the people there helped in my general AD prep:

I Will Leave You With This

Take breaks. Take care of yourself. If you have a family, take care of them too. The rest will fall into place.

You got this.