PNPT practice,
one technique at a time.
Own the domain, then explain how you did it. The PNPT is an external-to-Domain-Admin engagement that ends with a live debrief — you don't just exploit, you justify. PwnKata drills the path it tests: a web or service foothold, the Active Directory attack chain toward Domain Admin, and the privilege-escalation reps in between, until the methodology is automatic.
The PNPT skills, as drillable reps.
Each exam area maps to a set of single-technique drills you can grind until recognition is automatic.
The way in: enumerate exposed services and web apps until one gives you a shell.
SQL Injection: Auth Bypass
Drill authentication-bypass SQL injection by matching the payload to the query context.
easyOS Command Injection
Find where user input reaches a shell, then pick a payload form that survives the filter and response style.
mediumSSRF via URL Parameter
Make the server fetch what it shouldn't. Internal targets are simulated safely inside the drill.
mediumActive Directory to Domain Admin
Active Directory →Kerberoasting, AS-REP roasting, and the lateral-movement chain the PNPT is built around.
Kerberoasting
Kerberoasting is a workflow: identify the right SPN, request the ticket, crack offline, and prove the credential works.
hardAS-REP Roasting
Find the account with Kerberos pre-authentication disabled, then turn that misconfiguration into a credential.
mediumAD Graph Enumeration Simulator
AD Graph Enumeration Simulator distilled into repeatable single-technique reps on isolated targets.
mediumLinux and Windows local privesc — the rungs between a foothold and full control.
File Capability Privilege Escalation
Linux file capabilities can grant one binary more power than intended. Drill finding and abusing that mistake.
easysudo -l Privilege Escalation
A misconfigured sudo rule is one of the most common real-world Linux privesc paths. Drill it until `sudo -l` is the first thing your fingers type.
easySUID Binary Privilege Escalation
A stray SUID bit on the wrong binary is an instant root. Drill enumerating and abusing SUID binaries until it's automatic.
easyService enumeration
Network Services →Methodical enumeration is what turns a flat network into an attack path.
SNMP Community Strings
A valid community string is only the first step. Walk the tree and identify the OID that proves impact.
easySMB Share Enumeration and Loot
SMB Share Enumeration and Loot distilled into repeatable single-technique reps on isolated targets.
easyFTP Anonymous Enumeration
FTP Anonymous Enumeration distilled into repeatable single-technique reps on isolated targets.
easyKnow you're ready — don't guess.
When the techniques feel automatic, run an Exam Sprint: a timed battery of unseen, blind items weighted to the PNPT blueprint. It returns a readiness report by skill area, so you find your weak spot here instead of in the exam.
- Blind items — identify the weakness yourself, like the real thing
- Solved-vs-attempted by skill area, with time outliers flagged
- A readiness verdict you can actually act on
Start your PNPT reps
Free to start — live isolated targets, a fresh variant every rep.