Certification Preparation with HTB

Map your HTB journey to professional security certifications.

Certification Paths

OSCP (Offensive Security Certified Professional)

The gold standard for penetration testing. Focus on manual exploitation, no automated tools.

Recommended Easy Machines:

| Machine | OS | Key Skills | Writeup |
| --- | --- | --- | --- |
| Lame | Linux | Samba RCE (CVE-2007-2447) | 0xdf |
| Legacy | Windows | MS08-067, MS17-010 | 0xdf |
| Blue | Windows | EternalBlue (MS17-010) | 0xdf |
| Devel | Windows | FTP + ASPX webshell, Kernel exploit | 0xdf |
| Optimum | Windows | HFS RCE, MS16-098 | 0xdf |
| Shocker | Linux | Shellshock (CVE-2014-6271) | 0xdf |
| Nibbles | Linux | CMS file upload, sudo abuse | 0xdf |
| Bashed | Linux | PHP webshell, cron abuse | 0xdf |
| Valentine | Linux | Heartbleed, tmux session hijack | 0xdf |
| Arctic | Windows | ColdFusion RCE, JuicyPotato | 0xdf |
| Grandpa | Windows | IIS WebDAV, Token Impersonation | 0xdf |
| Jerry | Windows | Tomcat default creds, WAR deploy | 0xdf |
| Active | Windows | GPP cPassword, Kerberoasting | 0xdf |
| Forest | Windows | AS-REP Roasting, DCSync | 0xdf |
| Sauna | Windows | AS-REP Roasting, WinRM | 0xdf |
| Buff | Windows | Gym Management RCE, CloudMe BOF | 0xdf |
| Love | Windows | SSRF, AlwaysInstallElevated | 0xdf |
| Cap | Linux | PCAP analysis, capability abuse | 0xdf |
| Knife | Linux | PHP 8.1 backdoor, GTFOBins | 0xdf |

Recommended Medium Machines:

| Machine | OS | Key Skills | Writeup |
| --- | --- | --- | --- |
| Cronos | Linux | DNS zone transfer, SQLi, cron | 0xdf |
| SolidState | Linux | Apache James RCE, cron privesc | 0xdf |
| Poison | Linux | LFI, VNC tunneling | 0xdf |
| Bastard | Windows | Drupal RCE, JuicyPotato | 0xdf |
| Bounty | Windows | IIS upload bypass, JuicyPotato | 0xdf |
| Jeeves | Windows | Jenkins Script Console, KeePass | 0xdf |
| Conceal | Windows | IPSec VPN, SNMP, JuicyPotato | 0xdf |
| DevOops | Linux | XXE, Git secrets | 0xdf |
| Irked | Linux | UnrealIRCd backdoor, stego | 0xdf |

CPTS (HTB Certified Penetration Testing Specialist)

HTB’s own penetration testing certification. Aligned with HTB Academy modules.

Recommended Machines:

| Machine | OS | Key Skills | Writeup |
| --- | --- | --- | --- |
| Active | Windows | GPP abuse, Kerberoasting | 0xdf |
| Forest | Windows | AS-REP Roasting, DCSync | 0xdf |
| Cascade | Windows | LDAP enumeration, .NET reversing | 0xdf |
| Monteverde | Windows | Azure AD, password spraying | 0xdf |
| Resolute | Windows | DNS admin DLL injection | 0xdf |
| Blackfield | Windows | AS-REP, backup operators privesc | 0xdf |
| Intelligence | Windows | DNS records, GMSA, constrained delegation | 0xdf |
| StreamIO | Windows | SQLi, MSSQL, LAPS | 0xdf |
| Escape | Windows | MSSQL, ADCS ESC1 | 0xdf |
| Vintage | Windows | Pure AD exploitation chain | 0xdf |
| Certificate | Windows | ADCS certificate abuse | 0xdf |

Recommended ProLabs: Dante, Offshore


CRTO (Certified Red Team Operator)

Red team operations with Cobalt Strike methodology.

Recommended Machines:

| Machine | OS | Key Skills | Writeup |
| --- | --- | --- | --- |
| Reel | Windows | Phishing, AppLocker bypass, AD | 0xdf |
| Mantis | Windows | Kerberos MS14-068, AD | 0xdf |
| Sizzle | Windows | ADCS, Kerberos, CLM bypass | 0xdf |
| Multimaster | Windows | SQLi, DLL injection, AD | 0xdf |
| APT | Windows | IPv6, RPC, domain recon | 0xdf |

Recommended ProLabs: RastaLabs, Zephyr


CRTE (Certified Red Team Expert)

Advanced Active Directory attacks and defenses.

Recommended Machines:

| Machine | OS | Key Skills | Writeup |
| --- | --- | --- | --- |
| Blackfield | Windows | AS-REP, backup operators | 0xdf |
| Multimaster | Windows | Complex AD chain | 0xdf |
| Object | Windows | AD ACL abuse, GenericWrite | 0xdf |
| Cerberus | Windows | ADCS, cross-domain trusts | 0xdf |
| Rebound | Windows | Advanced Kerberos, RBCD | 0xdf |

Recommended ProLabs: Cybernetics, APTLabs


eWPT (eLearnSecurity Web Application Penetration Tester)

Focused on web application security.

Recommended Challenges (Web category):

  • All Easy/Medium web challenges
  • Focus on: SQLi, XSS, SSTI, SSRF, Deserialization

Recommended Machines:

| Machine | OS | Key Skills | Writeup |
| --- | --- | --- | --- |
| Talkative | Linux | Rocket.Chat exploit, Docker escape | 0xdf |
| Forgot | Linux | Redis cache poisoning, password reset | 0xdf |
| Bagel | Linux | .NET WebSocket, deserialization | 0xdf |
| Sandworm | Linux | SSTI in GPG, Firejail escape | 0xdf |
| Clicker | Linux | NFS, PHP SQLi, LFI chain | 0xdf |

Learning Path Summary

| Level | Cert | HTB Focus | Timeline |
| --- | --- | --- | --- |
| Beginner | OSCP | Easy/Medium machines, Dante ProLab | 3-6 months |
| Intermediate | CPTS | Medium/Hard machines, Offshore ProLab | 4-8 months |
| Advanced | CRTO | Hard machines, RastaLabs/Zephyr | 2-4 months |
| Expert | CRTE | Insane machines, Cybernetics/APTLabs | 3-6 months |
| Web Specialist | eWPT | Web challenges, web-focused machines | 2-4 months |