Certified Kiosk Breakout Professional

Certified Kiosk Breakout Professional
(CKBPro)

The Certified Kiosk Breakout Professional (CKBPro) is an intermediate-level exam designed to validate a candidate’s ability to safely and creatively break out of a locked kiosk-style Windows environment and perform further attacks. The exam simulates realistic kiosk deployments where the candidate begins in a constrained user context (single-app/Assigned Access) and must use permitted UI features, dialog boxes and local misconfigurations to achieve in-host code execution, discover seeded artifacts, and perform a same-host context shift to reach the final objective.

Note: The exam details will be sent to you on/before 30th October, 2025.

  • Practical
  • 4 Hours
  • Online
  • On-demand
  • Real world pentesting scenarios

£250

Buy Now Add to Cart

Who should take this exam?

CKBPro is intended to be taken by pentesters, red teamers, security consultants, SOC staff, blue team leads, and security professionals who need to demonstrate practical skills in kiosk/locked-session breakout, local artifact discovery, and short, safe host-level escalations. Ideal for those who perform endpoint assessments, physical kiosk audits, or secure kiosk deployments.

What is the format of the exam?

CKBPro is an intense 4-hour-long practical exam. It requires candidates to connect to a lab environment and RDP into a single Windows kiosk-like host (locked/session constrained). The exam contains a compact set of real-world style tasks that require using UI features and local vectors to perform constrained enumeration, chain dialog/app interactions to reach execution vectors, obtain artifacts, and perform escalation attacks to reach a final objective. All activity is restricted to the single lab host and must be non-destructive. The exam can be taken online, at any time (on demand) and from anywhere.

What is the pass criteria for the exam?

The pass criteria are as follows:

  • Candidates scoring over 60% will be deemed to have passed the exam successfully.
  • Candidates scoring over 75% will be deemed to have passed with merit.

What is the experience needed to take the exam?

This is an intermediate-level exam. Candidates should have practical, hands-on experience with Windows endpoint security, basic post-exploitation, and familiarity with kiosk/Assigned Access behaviors and common local misconfigurations.

Note: As this is an intermediate-level exam, a minimum of two years of pentesting or endpoint security experience is recommended for this exam. Candidates must be comfortable with Windows tools (PowerShell/cmd), file/dialog abuse, and basic privilege escalation techniques in constrained environments.

What will the candidates get?

On completing the exam, each candidate will receive:

  • A certificate with their pass/fail and merit status.
  • The certificate will contain a certificate number, which can be used by anyone to validate the certificate.

What is the exam retake policy?

Candidates who fail the exam are allowed one free exam retake within the exam fees.

What are the benefits of this exam?

CKBPro validates a candidate’s ability to identify and exploit kiosk-specific weaknesses, prove short, safe attack chains, and recommend practical mitigations. The credential is useful for endpoint security roles, consultancy engagements focused on kiosk/point-of-sale systems, and teams responsible for secure kiosk lifecycle management. It demonstrates practical, scenario-based competence in a niche but widely deployed attack surface.

How long is the certificate valid for?

The certificate does not have an expiration date. However, it will include the exam version and issue date. As the exam is periodically updated, candidates are encouraged to retake newer versions to stay current with kiosk attack & defense techniques.

Will you provide any training that can be taken before the exam?

Being an independent certifying authority, we (The SecOps Group) do not provide any training for the exam. Candidates should carefully go over each topic listed in the syllabus and make sure they have adequate understanding, required experience and practical knowledge of these topics. Further, the following independent resources can be utilised to prepare for the exams.

Learning Resources

Secquest’s Blog

Free/Paid:free

Type:Training

Payatu’s Blog

Free/Paid:free

Type:Blog

Github Cheatsheets

Free/Paid:free

Type:Cheat sheets

Nviso’s Blog

Free/Paid:free

Type:Blog

Security Risk Advisory Blog

Free/Paid:free

Type:Blog

Hexnode’s Blog

Free/Paid:free

Type:Blog

Exam Syllabus

Introduction & Core Concepts

  • Kiosk modes, Assigned Access and real-world kiosk use cases.
  • Windows user contexts: kiosk vs standard vs admin.
  • Basic OS behavior that matters for breakout (file handling, protocols, handlers).

Reconnaissance & Surface Mapping

  • Spot pinned apps, keyboard shortcuts and allowed UI flows.
  • Probe file-open dialogs, help/print/search menus and reachable directories.
  • Rapid OS fingerprinting: build, services, installed apps and visible processes.
  • Find writable folders, public shares and exposed program paths.

Dialogs, Shortcuts & App Chaining

  • Use file/open dialogs and shortcut properties to reach local resources.
  • Abuse LNK/context menu behaviors and launch paths.
  • Chain permitted UI actions to invoke alternate apps or handlers.

In-session Execution Vectors

  • Exploit compatibility/handler paths and local file handling to trigger execution.
  • Use safe, lab-controlled script/html artifacts to demonstrate execution vs sandboxing.
  • Convert allowed UI actions into concise command invocation (non-destructive).

Browser / Handler Interaction

  • Understand how kiosk browser/renderer modes affect local file handling and protocol launches.
  • Leverage registered URI handlers, shell protocols and legacy compatibility where present.
  • Inspect page source, temp storage and cached files via permitted flows.

Static & Dynamic Analysis

  • Inspect webpage content and local files without privileged dev tools.
  • Use contextual menus, Help and keyboard quirks for passive analysis.
  • Observe caching, temp folders and local storage for exploitable artefacts.

Host Enumeration & Sensitive Artefacts

  • Enumerate temp, profile, cache and public folders for flags/secrets.
  • Locate accessible registry keys, scheduled tasks and autoruns.
  • Identify credential stores, cached tokens and user privilege boundaries.

Bypassing Surface Restrictions

  • Abuse UNC/UNC-like inputs, unassociated protocols and path handlers.
  • Leverage menu functions (Search, Help, Print, Open) to reach unexpected code paths.
  • Exploit misconfigured file associations and protocol handlers safely.

Kiosk Escape Techniques

  • Hotkey abuses, sticky-keys and accessibility helper vectors.
  • Use temporary files, downloads or profile dirs to stage content.
  • Safe exploration of ActiveX/COM or scripting interpreters for lab demos (where permitted).

Lateral Movement & Same-Host Escalation

  • Identify and abuse writable service folders, unquoted service paths and misconfigured scheduled tasks.
  • Reuse discovered credentials/tokens to change user context on the host.
  • Use mapped drives, IPC or redirected resources (printers/drives) for confined pivots.

Security Misconfigurations & Risk Patterns

  • Writable directories, unsafe file execution and weak ACLs.
  • Legacy/compatibility settings that enable local script execution.
  • Misconfigured browser or file association behavior in kiosk deployments.

Hardening & Defensive Considerations

  • Simple configuration mitigations: restrict reachable paths, tighten AppLocker/GPO, disable legacy handlers.
  • Hardening of browser kiosk settings and file associations.
  • Monitor creation of unexpected files/process chains in public folders.