After passing the OSCP exam last year, I was trying to decide what to do next. I was looking for something that would be a valuable addition to my skillset and decided to do the “Attacking & Defending Active Directory” red team lab from Pentester Academy.
I really liked the premise of an AD focused course that did not rely on patchable vulnerabilities, but instead assumed a fully patched corporate environment and solely focused on misconfiguration, using minimal tooling on the target machine that is nearly always available.
The course was available at a discount but even at the original price it’s a fair deal. You can buy 30, 60 or 90 days of lab access. Because I wanted to do this at a relaxed pace I bought 90 days of labtime at $499.
I only have my OSCP experience to compare this to and I think it is not uncommon for people to follow the same path, so I will be comparing the two here and there in my review.
Course overview
As mentioned before, the power of this course is that it does not rely on patchable vulnerabilities but focuses on misconfiguration in a fully patched environment. In real life, at the very least, an administrator will likely make sure that all systems stay patched, whereas proper and secure configuration of AD can get so complicated that some details are often overlooked. In addition, all you really need on the target is Powershell, which adds to the realism and applicability of what you learn.
The core topics of the course (from the course’s official site):
- Active Directory enumeration
- Local privilege escalation
- Domain and forest privilege escalation
- Domain and forest persistance
- Trust attacks
- Auditing and defending
So, you will learn the internals of AD, how to find holes in the configuration that can be abused, how to abuse them and how to audit and defend against them.
Quite good at this price, right?
The course material
The course material consists of slides explaining the theory and a separate walkthrough with all the learning objectives written out in case you get stuck somewhere. In addition, there are videos narrated by Nikhil Mittal for each learning objective, where he literally goes over the slides and gives some more background information on the subjects. These subjects are really interesting and assume no prior knowledge other than generic Active Directory concepts.
Overall the quality of the material is good, although there is room for improvement on a detail level. Once or twice I found information missing that I had to figure out for myself. Of course, if you’re unable or unwilling to do this, you’re in the wrong business anyway ;)
I’m pretty sure the videos can be of use if this is your way of learning stuff, but they weren’t for me. I am just a little impatient with people explaining things in general :) I preferred to just go through the slides myself and research what I did not understand immediately.
As for the length of the material: it actually doesn’t take a lot of time to complete all the objectives. After a bit more than a week of nightly study I suddenly found myself at the last objective; there were many more pages, but they were about defense against the attacks we perform. I went over all the objectives almost 3 times in total before taking the exam, just to improve my muscle memory on these subjects.
If you’re motivated and at least a bit skilled, 30 days of labtime should definitely be enough.
The lab
Once your lab access has been activated, you can access it either through VPN or the web. To be honest I never tried the web access, since I was used to working with VPN for lab access. The VPN works as expected and has always been very stable. I have heard similar positive stories about the web access.
You are provided a student VM which is a user level foothold into a simulated corporate network, running Windows 10. From there, you can perform all the enumeration and attacks described in the course material. It comes with a zip file prepared for you, containing all the tools you’ll need to complete the objectives.
The other machines are split up across multiple domains and forests and you’ll find application and SQL servers as well as domain controllers. You will also find all other student machines and users during your enumeration, but it is highly advisable for everyone’s sake to leave those alone.
Support
Before we go to the highly anticipated exam, I think the support team deserves its own chapter. Although I have no idea how big this “team” really is, all communication with them just felt good, fast, concise and personal, which seems to get rarer and rarer these days.
So, kudos to support!
The exam
This was by far the best part of the course.
The first positive thing is that you can simply click a button in the portal to launch your exam lab and don’t have to book anything in advance. It’s also not proctored like the offsec exams, which of course does make it a little bit more sensitive to fraud, but to be honest, it felt much better to me personally.
During the exam, you must compromise 5 machines using the techniques you learned and practiced in the course. The cool thing is that this whole exam felt like a story you had to go through. In the OSCP exam, you can do any machine at any time and skip one if you get stuck, but in the CRTP exam you really need each machine to move forward, which was at the very least refreshing.
Since this was my first real Active Directory hacking experience, I actually found the exam harder than I anticipated. It took me about 4 hours to find the first vector and compromise the first machine and 5 more hours before I finally had the second. I can’t explain why because that would require exam details I can not share, but in retrospect it was obviously my own fault :)
After that, the third, fourth and fifth machine were compromised in about 3 hours time altogether.
Even though it is an exam, you actually learn new ways of applying the techniques you learned, which makes it valuable and fun at the same time.
The report and result
Because there were no official report templates supplied like offsec had done for OSCP, I simply created one from scratch with a basic layout and the most essential chapters I could think of: an executive summary and details on each machine, including enumeration, exploitation, screenshots, tool output, remediation, and references to the attack performed and the tools used.
After compromising all 5 machines, I made sure all my notes were complete and all screenshots were taken and then quickly set up a draft version of my report that I would finish next day, then went to bed at 03:00.
Next day, I worked on finalizing my report and eventually submitted it around 12:00.
27 hours later, I received a response:
Conclusion
I had a fun time with this course and especially the exam and would definitely recommend it. In retrospect, I would say 30 days are enough to go over the techniques multiple times if you are in a hurry or can fully dedicate your spare time to it. If you want to take it a bit slower, 60 days is probably your best bet. 90 days, in retrospect, was a bit of a waste because I spent at least a month not even accessing the lab at all.
The good
- great intro into AD hacking
- nice and clear portal with all you need in a single place
- good and stable lab
- very good support
- very nice exam
Things to improve
- you must have a Google account to access the lab portal (I really don’t like being forced into anything :)
- the course material could be a little more professional here and there (then again, there isn’t a huge company behind this like offsec)
- find a way for people to practice the DCShadow attack, which was impossible now
Key takeaways
- go over the techniques multiple times as long as you have lab access
- research the details behind each technique yourself online
- study the internals of things like Kerberos rather than relying on the supplied theory
- make sure you know how to use BloodHound: you can do without it during the exam, but it makes your life a lot easier
- take notes and screenshots of everything you do