Learning Paths

Nine modules covering every technique that appears on the OSCP exam — from DNS recon and cleartext protocols through to Active Directory and buffer overflows. Work in order for the best results.

Seven modules aligned to the HTB CPTS curriculum — network footprinting, common service attacks, web exploitation, databases, LDAP enumeration, and a full Active Directory engagement. Deeper coverage of modern enterprise attack paths than OSCP.

Eight modules of professional-grade scanning technique — host discovery, TCP scan types, UDP scanning, service & version detection, OS fingerprinting, NSE scripting, masscan/RustScan pipelines, and firewall evasion. Every module includes structured per-lab assignments practised against live machines, not screenshots.

Six modules covering every FTP attack technique — anonymous access, banner grabbing, credential brute-force, TFTP unauthenticated file retrieval, writable FTP shell delivery, and full protocol chaining across FTP, SMB, and rsync. Practised against live machines with structured per-lab assignments.

Null sessions, share enumeration, SYSVOL credential harvesting, and GPP decrypt. Progress from anonymous access to domain credential extraction across live Windows-like machines.

UDP discovery, community string brute-force, full MIB tree walking, and credential extraction from NET-SNMP extend OIDs. One machine, two modules, root shell.

Service fingerprinting, auth method probing, credential attacks, and full SSH tunneling. Local port forwards, dynamic SOCKS proxies, ProxyJump, and sshuttle VPN pivoting.

Anonymous bind, root DSE queries, full object enumeration, and credential extraction from description fields. Module 2 scales to Active Directory with windapsearch and ldapdomaindump.