One December morning, I was delegated for a “quick” infrastructure test at the customer’s site. There were a lot of different hosts outside while inside there were a lot of Windows hosts entwined in a beautiful AD structure.
After getting inside and taking over the first machine, I realized my level of confusion was too high. It’s not that I didn’t know what I wanted to do; it’s just that my AD knowledge was not organized in any logical way. The test ended with taking over the domain, but it also cost a lot of time spent rummaging through the materials.
And here the idea to restructure my AD knowledge was born. I’ve been looking at PentesterAcademy and their labs for a long time and I thought now it’s the moment to give it a try.
Of course, there is no compromise when it comes to knowledge, so I took the Certified Red Team Expert (CRTE) course. As it turned out, getting into the lab was not that easy. To access the lab, you first need a separate Pentester Academy subscription, which also gives you access to the other courses that should be done before starting with the lab:
• Attacking and Defending Active Directory
• Powershell for Pentesters
• Abusing SQL Server Trusts in a Windows Domain
• WMI Attacks and Defense
I have very nice memories of the lab, and I highly recommend spending the full 90 days on it. Considering that each of us works and has a private life, 90 days of after-work time should be enough to absorb the material. The lab user gets access via RDP (Guacamole) to the “workstation” from which they begin their adventure towards Domain Admin or Forest Admin. All the hosts on the network are fully patched, so the only path forward is through misconfigurations in the domain.
The lab will allow you to practice techniques such as:
• Privilege Escalation on Windows
• Constrained Delegation
• Unconstrained Delegation
• Pass The Ticket
• Abuse of ACL in the domain
• Abusing SQL Server in the Domain
And many more that I may have already forgotten (CLM, i.e. Constrained Language Mode, AMSI, AppLocker).
What the course is not
Of course, the course is not something like Willy Wonka’s Golden Ticket for travelling through Active Directory, and of course no course ever will be. Remember that an Active Directory test is a constant battle between the Red Team and the Blue Team. The course will give you a very good foundation and the opportunity to practice the basics in an AD environment, but the most important thing in Red Teaming is what you don’t know and how quickly you can learn it.
The video and PDF material provided by Pentester Academy is factual, but it does not cover all the aspects that may be useful along the way, so I recommend that you do the above courses before starting the lab. Even that won’t be enough! You will still have to do your homework! Some useful blogs that I highly recommend:
• Rubeus, Kekeo
I think this will be enough to succeed. Also consider some obfuscation techniques.
During the exam, you have 48 hours to take over a domain with 8 computers. Apparently, you can pass the exam by taking over 3 machines and writing a high-quality report, but I would not count on that. I recommend that you prepare for the exam, because what you saw in the lab is just an appetizer and during the exam you might face things that will surprise you.
At this point, I would like to quote myself: “The course is not something like Willy Wonka’s Golden Ticket on its way through Active Directory.” In order not to reveal any intricacies of the exam itself, I will only say this: it is not about how much you already can do, it is about how quickly you are able to learn what you cannot. If you are reading this during the exam looking for a solution, then:
First: enumeration. Second: strong will. Do not give up, you will find the way 😊 I found it, so you will succeed too.
My exam started on Friday at 17:00 CET. After a few hours of nothing special I went to sleep, woke up and started enumerating again. After another few hours (21:00 CET on Saturday) I found the exit path 😊
I think it is a good course to begin your Red Teaming adventure with. In the end, it’s all about having fun 😊
Author: Michal Bazyli, Penetration Tester @AFINE. Check out my GitHub repo: https://github.com/punishell