CPTS practice,
one technique at a time.
Build the methodology into muscle memory. CPTS tests breadth and a clean, chained methodology across a realistic engagement. PwnKata drills each technique in the Penetration Tester path on its own, then welds them into single-host chains so you practice the connective tissue — pivoting from foothold to root — not just isolated tricks.
The CPTS skills, as drillable reps.
Each exam area maps to a set of single-technique drills you can grind until recognition is automatic.
Linux and Windows local privesc, the way the path drills them.
File Capability Privilege Escalation
Linux file capabilities can grant one binary more power than intended. Drill finding and abusing that mistake.
easysudo -l Privilege Escalation
A misconfigured sudo rule is one of the most common real-world Linux privesc paths. Drill it until `sudo -l` is the first thing your fingers type.
easySUID Binary Privilege Escalation
A stray SUID bit on the wrong binary is an instant root. Drill enumerating and abusing SUID binaries until it's automatic.
easyWeb exploitation
Web Exploitation →Injection, inclusion, upload, SSRF — the foothold catalogue.
SQL Injection: Auth Bypass
Drill authentication-bypass SQL injection by matching the payload to the query context.
easyOS Command Injection
Find where user input reaches a shell, then pick a payload form that survives the filter and response style.
mediumSSRF via URL Parameter
Make the server fetch what it shouldn't. Internal targets are simulated safely inside the drill.
mediumActive Directory
Active Directory →The AD attack primitives that anchor the engagement.
Kerberoasting
Kerberoasting is a workflow: identify the right SPN, request the ticket, crack offline, and prove the credential works.
hardAS-REP Roasting
Find the account with Kerberos pre-authentication disabled, then turn that misconfiguration into a credential.
mediumAD Graph Enumeration Simulator
AD Graph Enumeration Simulator distilled into repeatable single-technique reps on isolated targets.
mediumService enumeration
Network Services →Walking services thoroughly enough to find the loot.
SNMP Community Strings
A valid community string is only the first step. Walk the tree and identify the OID that proves impact.
easySMB Share Enumeration and Loot
SMB Share Enumeration and Loot distilled into repeatable single-technique reps on isolated targets.
easyFTP Anonymous Enumeration
FTP Anonymous Enumeration distilled into repeatable single-technique reps on isolated targets.
easyKnow you're ready — don't guess.
When the techniques feel automatic, run an Exam Sprint: a timed battery of unseen, blind items weighted to the CPTS blueprint. It returns a readiness report by skill area, so you find your weak spot here instead of in the exam.
- Blind items — identify the weakness yourself, like the real thing
- Solved-vs-attempted by skill area, with time outliers flagged
- A readiness verdict you can actually act on
Start your CPTS reps
Free to start — live isolated targets, a fresh variant every rep.
Still choosing between the two? Read the honest 2026 comparison. →