As of October 2019 I am a Certified Red Team Professional. This post summarises my journey in which I overcame the challenges in Attacking and Defending Active Directory Lab and became a Ceritified Red Team Professional.

Motivation

TL;DR - My lack of knowledge in active directory and how much it intimidated me.

Unknown

The Lab

I purchased one month lab on 19th August 2019 and started my lab on 20th. Below image will give an overview of the lab environment.

ADLAB

After purchasing the lab access, I received the following stuff:

  • VPN connection details to the lab.
  • Windows machine / user details.
  • Academy Attacking and Defending Active Directory course videos/slides/lab notes

After VPN is connected, one can RDP to the student machine and start doing various lab exercises. The course videos are very beginner friendly and the instructor clearly and consicely explains various active directory concepts and demonstrates different attacks. At the end of each video, there are “Learning Objectives” which asks the student to apply whatever concept was explained in the video to solve the objective. The instructor encourages the students to solve the objectives by themselves and if they are facing difficulties, there are walkthough videos and notes which cover these objectives.

The course covers the following topics in depth:

  • Active Directory Enumeration. Use scripts, built-in tools and MS ActiveDirectory module to enumerate the target domain.
  • Local Privilege Escalation
  • Domain Privilege Escalation
  • Domain Persistence and Dominance
  • Cross trust attacks
  • Forest persistence and dominance
  • Defenses - Monitoring
  • Defenses and bypass - Architecture and Work culture Changes
  • Defenses and bypass - Deception
  • Defenses and bypass - PowerShell

For me, one month lab duration was more than enough to go trough the whole course and do the learning objectives.

Once I felt confident that I can tackle the certification exam, I scheduled it on 3rd October 2019.

The Exam

The exam lab is a seperate Windows environment, which is fully patched and contains the latest Windows operating systems with configurations and privileges like a real enterprise environment. The students are required to compromise a fixed number of machines. The exam is designed in such a way that a student will be forced to apply all the different things taught in the course.

To be successful, students must solve the challenges by enumerating the environment and carefully constructing attack paths. At the end of the exam, students need to submit the detailed solutions to challenges along with practical mitigations.

My exam was scheduled to start on 4:30PM. Exactly at 4:00 PM, I got an email from the ADLAB team with the exam lab connection details. I was on my way back home from work. Once I reached my place, freshened up and started the exam at around 4:45PM.

It took me whole 24 hours to compromise all the machines, This would vary for each individiual depending on the level of preparation and how well they have taken note of things during the enumeration process.

In my case, I compromised one box within an hour and was stuck for the next 22 hours. I could see the whole path to the end and had all the information needed to proceed. I failed to notice one bit of information and I lost considerable amount of time. Despair and hopelessness.

despair

In between these 22 hours I constructed an attack path and was pretty much sure this is the way to the goal. But as I mentioned earlier, there was a disconnect or a gap in the path.

Breakthrough

4th October 2019, 03:26PM - As a last resort, I went though all the information I had collected hoping to find any bit of information that I might have overlooked and to my surprise, I came across one little detail. I got what I needed to bridge the gap in the path I had imagined.

Within the next one hour I compromised the rest of the machines and finished the whole thing by 04:27PM. I had all the screenshots and notes taken. I went out for a coffee and rested for a while to compensate for the sleep I lost.

I prepared a detailed report (50 pages) and submitted for evaluation in the next 24 hours (48 hours allowed).

The Outcome

On 10th of October 2019 at 09:08PM, I got an email from the ADLAB team saying that I cleared the certification exam.

result

After few days, I recieved another mail from Pentester Academy with my CRTP certificate.

cert

The Instructor (Nikhil Mittal), took the time to write an email to me congratulating me on clearning the exam and told me that he liked my report as it was very detailed and easy to follow.

I learned an important lesson here; dont get sloppy during enumeration. Don’t overlook anything. Enumerate everything, take note of every bit of information.

TL;DR

An awesome beginner friendly course on active directory security from pentester academy.

I would highly recommend this course to anyone who wants to learn about active directory security.