r/hackthebox

For Web Pentesting Learners: Would You Recommend PortSwigger or HTB CWES?

I’m currently planning to focus more on web exploitation/web pentesting, and before fully committing to a platform, I wanted to ask for opinions from people who have already used both.

In terms of:

  • quality of content
  • labs/practical exercises
  • learning experience
  • difficulty progression
  • overall comfort/UI/community

Which do you think is better for learning web exploitation: PortSwigger Web Security Academy or Hack The Box CWES and CWEE Path?

I’m still a student, so I’m trying to choose where I should invest more of my time first.

I’d really appreciate hearing your experiences, especially from people who completed either platform/path. Thanks!


CWES preparation

Hi, I am currently about to complete the “Web Penetration Tester” Job path and looking forward to getting the CWES certificate. However, I’ve heard that it’s a pretty hard cert to get. I would really like some help with knowing:

  1. Are there any boxes or a platform to practice it more before applying for the certification?

  2. Any points I should keep in mind before or while giving the exam?

  3. Anything else that I might not know but would be helpful since this is my very first certification.

Any help would be greatly appreciated. Thank you!

u/Emergency_Pass_5024 — 1 day ago

Account Sanction Appeal

Hi everyone,

I recently tried to log back into my Hack The Box account after a long period of inactivity, and I was surprised to find that it has been flagged with a compliance issue related to OFAC sanctions.

The system indicates that my personal information appears to match something on the sanctions list, which resulted in a permanent restriction. I strongly believe this is a false positive, likely due to a common name match.

I have already sent an email to customerops@hackthebox.com including all my personal information and the required documents, hoping they can review my case and resolve this issue.

I wanted to ask the community:

  • Has anyone experienced something similar before?
  • Is it likely that my account will be restored after review?
  • Or do these cases usually not get a response?

I’m genuinely concerned because I’ve been using HTB for learning and I’d really like to regain access to my account.

Any help or shared experiences would be greatly appreciated.

Thanks in advance.

Boxes I should re-do before the CPTS?

Hello, those of you who have taken the CPTS: which boxes should I redo before taking the CPTS? I’ve completed about 80 boxes, including the CPTS track and IppSec’s playlist. I want to make sure that I am as ready as I can be.

Any recommendations would be appreciated.

u/Kind_Ad_2322 — 1 day ago

Decided to host my personal CPTS & (soon) COAE study blog and writeups. Completely free and ad-free.

Hey everyone,

(Note: Direct links are in the comment section below to keep this post clean and compliant with filters!)

I’ve spent the last few months grinding through the HTB Academy CPTS (Certified Penetration Testing Specialist) path.

I'm also preparing to add my personal writeups for the COAE (Certified Offensive AI Engineer) path very soon, which is another awesome practical cert by HTB, and one where I managed to score a perfect 100/100 on the exam.

Like most of us, my local Obsidian/markdown notes were starting to look like an absolute mess, so I decided to clean them up and host them publicly as a personal study blog.

It’s completely free, ad-free, and I just finished translating all 37 writeups and study sheets to English so they can help others in the community.

This personal blog basically covers my study workflows and notes for both certifications: 👉 docs[.]pwnvader[.]com (Direct link in comments!)

What’s in my study blog?

I tried to make my writeups as practical as possible: heavy on command syntax, quick checklists, and actual pentesting workflows:

  • Active Directory (CPTS notes): Domain enumeration, GPO auditing, Kerberoasting/AS-REP, delegation, and enterprise network attack paths.

  • Web Vulnerabilities: In-depth checklists for API audits, GraphQL, SQLi, LFI/RFI, and server-side configurations.

  • PrivEsc (Windows & Linux): From SUID/Sudo/Capabilities and kernel security to token impersonation, service auditing, UAC bypass, and memory credential hunting.

  • Pivoting: Exact command recipes for Chisel and Ligolo-NG (double/triple pivoting setups).

  • Offensive AI (COAE prep - Coming Soon): The exact study notes and writeups I used to get the 100/100 score, covering prompt injection vulnerabilities, model evasion, and LLM data poisoning.

The Design

I designed the blog using a custom Catppuccin Mocha theme, JetBrains Mono, and a retro CRT monitor/scan-line aesthetic because why not. The search is indexed locally using Pagefind, so it's super fast when you're looking up commands in the middle of a lab.

GitHub & Other Projects

This entire blog is open-source. You can follow my work and check out my other security projects directly on my GitHub profile: github[.]com/pwnVader

Also, as a side project, we’ve been building a serverless web tools suite at hacking[.]pwnvader[.]com (it includes a connection command generator, a passive CMS/WordPress auditor, a JWT inspector, and a network tunnel designer).

I'll probably do a dedicated post on those tools later once we finish polishing a few more modules, but feel free to check them out in the meantime if you're working on a lab.

Let me know if you have any feedback or if there's a specific methodology you think is missing!

Sorry for the AI text :p


u/Ok-Necessary9850 — 2 days ago

48-hour HASBLCTF'26 CTF competition

First of all, I want to make clear that this post is not an advertisement; it is shared only so that this event, which we are organizing as high school students, reaches more people.

In short: the four of us are organizing a Jeopardy-format CTF called HASBL CTF; the participation link is at the very bottom.

So what is a CTF? CTF, i.e. Capture The Flag, is a competition format that aims to test and develop our skills in different categories of cybersecurity. The goal is to find the weakness in the challenge given for each category and reach the answer (the flag):

If I should say something about us, we are four 11th-grade students at a social sciences high school, and after participating in many CTFs we said, "Why don't we try writing challenges too?" and wanted to run our own CTF competition. We did our best and made something...

Moving on to the event details:

Categories:

  • Web: Finding a vulnerability in the instance you spin up and reaching the flag.
  • OSINT (Open Source Intelligence): Reaching the flag by examining and analyzing evidence in the photo/video, social media account name, etc. given in the challenge.
  • Cryptography: Simply put, code breaking. Reaching the flag by figuring out the logic of the code and/or data and making the encrypted flag readable.
  • Reverse/Reverse Engineering: Working out how a compiled piece of software or machine code works using certain programs, making it readable, and reaching the flag.
  • Pwn (Vulnerability/Exploitation): Finding the security flaws of the target system, breaking into it, escalating privileges, and reaching the flag.
  • Forensic (Digital Forensics): Reaching the flag by examining digital evidence (logs, disk images, Wireshark captures, etc.).

Even while defining the categories I felt like I was doing something bad, but rest assured, we are definitely not doing anything of the sort.

Date:

  • It will run for 48 hours on 29 - 30 - 31 May.

Platform:

  • It will take place on our own servers (Google Cloud) on top of the CTFd infrastructure.
  • We also announced the competition on CTFtime but are awaiting approval; since that matters for CTFs, I'll add it here once it's approved.

Rules: The rules are on our site, but let me briefly mention a few important ones.

  • Teams can have a minimum of 1 and a maximum of 4 members.
  • Sharing flags is forbidden.
  • Publishing write-ups during the competition is forbidden.
  • It is important that participants are respectful to each other and sportsmanlike throughout the competition.

Registration and more information:

  • For registration and more information, you can visit our site via the link section.
  • Registration will stay open throughout the competition, and anyone who wants to can participate without any specific requirement.
  • Prizes are unfortunately not yet determined (TBA)..
  • In an event we prepared at the high school level with limited time and budget there will be mistakes, but we take care to correct them and to improve ourselves.
  • If you have a suggestion or question about the site or the competition in general, we'd be happy to hear it, answer it, and improve on it.

Thanks in advance to everyone who shows interest, and to the CuteTopia sub for allowing me to open this thread.

hasblctf.tech
u/Rav3nnd — 3 days ago

The machine's website doesn't load.

Hi,

NEED HELP LOL
As the title suggests, when I paste the IP address in the browser, i.e. http://ip, the website doesn't load.

I visited the HTB forum page about the Oopsie machine but it didn't help me either.

  1. Firstly I added the IP in the /etc/hosts file.

ip thetoppers.htb

  2. I flushed DNS.

  3. I was able to ping the IP but it still didn't show any response.

  4. I did try the curl command and the response was weird.

  5. I switched to mobile hotspot but it didn't help me either.

  6. Tried resetting and restarting the machine but it didn't work either.

  7. Refreshed the VPN file and it didn't work.

ATTACHING SOME SS.


I did try to access the site using http://thetoppers.htb, and that didn't work either.

u/Anxious_Channel_9263 — 3 days ago

CPTS and Technical Skills

Hello guys, I hope you're doing well. I am taking the CPTS path and I know little about web pentesting, so I am asking whether, if I obtain the certificate, I will have the knowledge and technical skills required for a junior pentester (this includes solving 30-40 machines and maybe a Pro Lab). I know the certificate is less recognized, but I'm just asking about the technical skills.

u/G0h5t_R — 4 days ago

Need Advice CPTS Progression

So basically I've done CEH and eJPT, and thanks to eJPT I knew Metasploit and other basic penetration testing methodology. So I started CPTS around 35-40 days ago. I was going slow and trying to learn everything, copy-pasting everything into Obsidian, as everything was so detailed and deep. Then the pace changed, especially on web-related stuff like PHP, file inclusion and all that: I skipped their labs completely and only read the theory to understand some concepts. At one point it was also because I was frustrated at how badly configured their Academy labs are in the password cracking module; no matter what I did, even after HTB's own walkthroughs, I couldn't get the flags peacefully. (I have tried their non-Academy labs and they are amazing!) So basically I got into "read the theory and skip the labs" mode; I will only do the AD and privesc labs. The rest I'll skip. Then, when the CPTS path is completed, I'll do all the easy and medium labs on HTB and THM and then attempt the exam. Is this the right way? Am I doing something wrong?

u/Main_Manufacturer292 — 4 days ago

Footprinting Module CPTS

How long did y'all spend on this module? I feel like if you're actually taking notes, there is no way you can get through this in 2 days. Am I tripping?

Trying to figure out if I need to change how I'm executing this or not.

u/FroYoAuto — 5 days ago

Stuck. Cannot Connect

I’ve been trying to connect to this target IP with the command above. I swear to you, this is the target IP from the current HTB lesson, and it’s asking me for a password. Cannot pass Go, cannot collect $200. Does anybody have any suggestions for what I may be doing wrong?

u/baencakes — 6 days ago

Active directory modules/Labs for CRTP

Hey, I'm currently preparing for the CRTP certificate (not purchasing it yet), and I need modules that I can study alongside labs to play on Hack The Box (in order, please), because I don't know much about the HTB platform.

u/LESTER-07 — 4 days ago

Currently doing CJCA Exam got 4 flags and stuck for 6 hours

I can’t go any further, and Kibana died, so I’m thinking of resetting the machines and Kibana (you can’t just reset one) and losing all my progress. Thinking I’m not good enough, why should I even try…. Losing my shit XD

u/Csr-f — 6 days ago

Can't update HTB notes due to "shells"

Recently started the CPTS journey, and some of my notes are shells.

At first Windows was deleting this as malware, and I had to make it an exception for the physical folder and OneDrive shared folder I use to continue my learning when I'm not at home.

Turns out, now that I want to resume, some of the shell notes can't be updated because OneDrive is downloading them and then stopping.

I made an exception on this other laptop where I was trying to download (sync) my notes, but it keeps breaking, so I'm unable to view my notes.

Is there any way to fix this without altering my "workflow" of taking notes? I don't want to turn them into .txt files, zip them, or any of that.

Don't know if this is a silly question... I asked AI and it gave me some BS, so I'm looking to see if this has happened to anybody else, and if they were able to fix it.

The other option is to go with the Obsidian subscription, which will encrypt the data in transit, solving the issue.

Wondering if there's a free way around it.

Thank you in advance!

u/BurnerEDE — 6 days ago

Noob wants to be CPTS certified.

Hi, I'm a total beginner. I have done a few TryHackMe labs like Mr Robot and Pickle Rick and 3 machines of HTB Starting Point. Also did some OWASP Juice Shop and Metasploitable here and there.

I want to get serious. Not be a script kiddie and not be a tutorial junkie. I want to learn things at the core. Go in depth and fully technical with stuff. If I can commit 2-3 hrs daily to HTB, how much time do you think it takes a total noob to get to a CPTS level? I don't care about the cert; I want that level of expertise in this domain.

My question again: how much time will it take for a noob to reach there, what are the best resources apart from the official HTB CPTS path, and can Pro Labs or mini Pro Labs help me get there?

Sorry if this is naive.

u/Anxious_Channel_9263 — 7 days ago

Easiest active medium boxes?

Hello!

I’ve been cramming all active easy boxes, so it’s time for my first medium difficulty one.

What’s the easiest one to get started??

Thanksss

u/Least-Shocking — 6 days ago