CAPE Preparation Guide

This guide serves as an unofficial preparation path for the CAPE (Certified Active Directory Pentesting Expert) exam. At the time of writing, no official preparation path exists beyond the course material itself, I’ve left a little advice and a list that compiles recommended labs and boxes that will help build what I believe to be the necessary skills.

The Challenge

The primary challenge when preparing for CAPE is finding suitable lab environments that replicate the exam’s multi-domain, multi-machine setup. Unlike shared HTB boxes or single-machine challenges, CAPE requires hands-on experience with complex Active Directory attack chains across multiple systems.

VulnLab’s chain style labs were perfect for addressing this gap, offering dedicated multibox environments that closely simulate real enterprise AD configurations - however VulnLab is being shut down and fully absorbed into HTB in the next month or so. Their chains are moving to HTB’s ProLabs tier, which is significantly more expensive and uses shared infrastructure that can complicate practice scenarios. If VulnLab is still accessible when you’re reading this, prioritise working through the chains there first. Once the migration completes, ProLabs will be your only option for this style of content.

As of mid-January 2025 HTB moved to a “dedispawn” model where you get your own instance for standalone boxes, but the ProLabs instances remain shared. With VulnLab going away entirely, this is just the reality you’ll be working with going forward.

Critical Skills Beyond the Course

While the course material is comprehensive and should be your primary resource, there are a few practical skills that will make your exam experience significantly smoother: Have an exploit development environment ready to go. You need to be comfortable quickly modifying and compiling exploits, and be familiar with a C2 framework. I used Adaptix during my exam, and even though I didn’t rely on it heavily, knowing how to use it made certain parts very trivial.

Also, be ready to write your report, SysReptor host templates you can use, which make it fairly trivial. In the case that this is your first HTB exam, get familiar with SysReptor. There are sample reports available too, these are a great example on how to format your report, what information to present, and how. I was knocked back on my first CPTS submission because the report was not up to par, the sample report was presented with the feedback and I was successful the second time around.

Essential Tooling

Automated tools are valuable in this exam, but manual enumeration will be your best friend. If you can understand why something works, or have a keen eye for key configs that automated tools may miss, you’ll have a strong advantage.

BloodyAD was probably my star of the show where other tools fell short, or I needed to get right into configs/settings to identify attack paths. As already mentioned, a C2 can make certain parts trivial, so get familiar with one you like to use. The real key in all this is knowing your tools well enough that you aren’t fumbling through documentation and furiously googling, you’ll be doing that enough otherwise.

I’ve since been put onto powerview.py by a few people, which I did use a little in the course and not pay much attention to. On a bit more of a review it seems like a very well developed tool, and I would recommend learning how to use it for the course, you shouldn’t be limiting your toolbox because you prefer one tool over another.

For pivoting, I used ligolo-ng thanks to how trivial I found it. I learned this tool a while ago so I still set everything up manually, and it appears to have a fair amount of automation in it, but I will always recommend learning how to set your tunnels and interface manually, since if something doesn’t work you’re not gonna know how to troubleshoot it. Naturally for pivoting do it however you find it easiest, but I’ve found ligolo really does make it trivial, especially as soon as you get to a double pivot and beyond.

Time Management and Preparation

I completed the exam in about 3 days, but this was a solid amount of focused work each day. The reason I could move through it relatively quickly was preparation. I had a solid base of notes and cheatsheets I’d developed over months of practice, so when I hit situations during the exam I wasn’t scrambling to remember commands or googling basic techniques. The flip side of this is knowing when you’re actually ready versus falling into practice paralysis. You can always do one more box, one more chain, one more certification before attempting CAPE. At some point you need to trust your preparation and just go for it. If you’ve gone through the course material thoroughly, practiced on the recommended chains, and feel comfortable with your enumeration methodology, you’re probably ready. The exam isn’t trying to trick you, it’s testing whether you can apply what you’ve learned in a methodical way under pressure. Trust your prep work and commit to the attempt rather than endlessly postponing it.

About the Lab List

The boxes and chains listed below aren’t meant to be exam spoilers, many of the attacks aren’t 1:1 with what you’ll see in CAPE, and some techniques may not even appear at all. The goal here is to build strong AD enumeration and exploitation fundamentals, which is the most valuable skill you can have going into the exam. I’ve deliberately left out ProLabs (besides Ifrit) because I don’t really think they’re good prep, but with VulnLab shutting down and merging into HTB, Cybernetics and Offshore may be worth a look if you exhaust everything else listed here and grab a ProLabs sub for Ifrit.

I really can’t stress this enough: the best resource for learning how to pass the exam is the course material itself. These labs are supplementary practice to reinforce what you learn in the course, and hone your skills.

If you have any ideas, suggestions, or questions you can reach me on the HackTheBox discord as VegeLasagne, usually active in the #cape channel. If I’ve left something out it’s probably because I’ve considered it too far out of scope, too web-focused (ew), too simple/complicated, or I’ve just plain missed it, feel free to make a suggestion to me in discord.

If a box doesn’t have a link, its either because it’s still active on HTB, I can’t find a decent writeup/video for it, or I’ve just forgotten.

Recommended Boxes/Chains

HackTheBox

• Tombwatcher (1) (2)
• RustyKey (1) (2)
• Certificate (1) (2)
• Certified (1) (2)
• Voleur (1) (2)
• Fluffy (1) (2)
• Signed
• DarkZero
• Eighteen
• Puppy (1) (2)
• Scepter (1) (2)
• EscapeTwo (1) (2)
• Vintage (1) (2)
• Manager (1) (2)
• Rebound (1) (2)
• Authority (1) (2)
• Escape (1) (2)
• Absolute (1) (2)
• Sekhmet (1) (2)

VulnLab (Discontinued Mar 26, 2026)

• Ifrit (RTL) (1)
• Heron (1) (2)
• Breach (1) (2)
• Delegate (1) (2)
• Baby2 (1) (2)
• Redelegate (1)
• Lustrous (1) (2)
• Puppet (1)
• Reflection (1) (2)
• Sendai (1) (2)
• Cicada (1)
• Trusted (1)(2)

HackSmarter

• Triathlon (1) (2)
• NorthBridge Systems (1)

Last updated 18 Feb 2026.

Not written by AI. If you see emdashes, vulgar use of dot points, and vague info, run away.