Pentester Academy - Active Directory Lab & Certified Red Team Professional

Hi everyone, I recently passed the Certified Red Team Professional exam from Pentester Academy. I briefly wanted to give a quick update and very small review of my experience with Pentester Academy's "Active Directory Lab" course and the "Certified Red Team Professional" exam.

Active Directory Lab:

I registered for the 60 days lab time.

The AD lab course teaches you 23 learning objectives and 59 tasks.

You are provided 36 course videos.

1 lab manual with solutions.

1 course pdf slides and notes.

Course starts off by guiding you through the basics of powershell, but not much time is wasted here. Before attempting this course you should know the basics of powershell and active directory. You will enter into heavy domain enumeration (which is key to passing any test), local privilege escalation (pentester hat goes here), domain privilege escalation (red team hat goes here), domain persistence and dominance (ah this is what red team is like), cross trust attacks (I feel legendary now), forest persistence and dominance (can anyone stop me?), & defensive tactics (Thanks Boss for paying, here is what I learned). Each red team killchain requires its own tools, yes these tools overlap from time to time, but is a needed methodology standard to follow.

Image: https://www.evernote.com/shard/s426/res/763dfae1-586d-4c81-aca3-2d5d0ba35d24

I was able to get through all the course videos and lab work within 2 and a half weeks. The videos were clear and concise. I did NOT have any hard time understanding the concepts or what is being taught. Support was very fast in responding to any questions or VM resets I had. By week three and four of my lab time I had gone through all the concepts and lab practice for the second time. I was now ready to take the exam.

Exam Certified Red Team Professional:

Took the exam which was a 24 hr exam and failed. I was only able to get a local privilege escalation to the VM host you are given. I wasn't able to even lateral move or get to own any other host. I was stumped and unmotivated at certain points. I guess it wasn't my day and wasn't in the right spirits.

You are given VPN access to a VM that is joined to a domain, all infrastructure is fully patched windows 10 and windows server 2016 (2016 domain features). There are NO software exploits here. This is similar to the lab, but not the same environment obviously.

I took the week off to rest and was now left with 24 days of lab time. I studied and labbed all the concepts once again but this time paid more attention to the bloodhound results I worked on. I spent 3 weeks going over bloodhound and the data I had. I found many hints and possible clue that would lead me somewhere. I honestly could say I was thinking differently now.

I took the test a second time and my time spent on bloodhound paid off. I was able to see certain patterns, some methods I thought would work, didn't, but some did. In the end I was able to pull through and get full forest root domain access. It took me 12 hours, longer than most people I suppose, but I am now a Certified Red Team Professional

Overall I am highly satisfied with the course and exam. I plan to work on the Expert level certification and lab they have. For right now, I am here in vegas for BH and defcon. Tomorrow I start Pentester Academy's - ACTIVE DIRECTORY ATTACKS FOR RED AND BLUE TEAMS - ADVANCED EDITION which is a two day course.

Sorry this is a very crude, run on sentence, non technical review of the course and exam. I plan on doing a proper one after the blackhat course. I will be working on my new blog coming out soon

If you have any questions let me know.

Find more posts tagged with

Comments

securityorc

Very interesting, thanks for sharing your experience! Getting into AD exploitation and more red teaming exercises is something I aim for after I will be done with OSCP. Looking over their red team labs, the price tag is pretty high, at this moment I'm leaning more towards the Offshore and Rastalabs environments from HackTheBox.

chrisone

I heard good things about those two subscriptions. However, do they teach you and guide you with videos, course pdf, lab manual? I am really asking cause I don't know lol As for the pentester academy perspective you get taught something and guided with a full blown lab you can practice on.

securityorc

As far as I know, there's no accompanying course for those labs. There is indeed an advantage to having videos and slides, but there's also a high price tag to come with it. I had same opinion about the eLS PTX course. I wouldn't mind them if the company would pay for them though hehe

Danielm7

I was under the impression this was included in the $39/month subscription. Glad I checked further because it seems this course is separate from that and far more expensive.

chrisone

@Danielm7
The subscription does get you the video training material for everything they put out. You just need to pay for lab time. Trust me you learn a lot in those videos, its worth it for one month's payment of $39. Aside from streaming unlimited videos, you get to download up to 100 videos in one month.

Danielm7

Oh i'm sure, I heard the owner on Security Weekly podcast, I'm pretty sure it was for this. He was describing the labs and the hosts were going nuts and he kept saying you get everything for $39, so that seems not entirely accurate.

chrisone

Ok you are getting confused with the labs and perhaps in the podcast there was some confusion as well. The Active Directory and the Red team lab are one thing (an actual VPN connection into a live domain environment).

Pentester Academy and your monthly subscription get you access to another lab called www.attackdefense.com which has thousands of hands on labs, corresponding to most of their course materials.

Perhaps they are moving the active directory /red team lab access to the attackdefense portal as well for the same or upgraded fee. Maybe that is what was talked about.

See attached picture.
Check this guy's review for more information
http://lockboxx.blogspot.com/2018/11/pentester-academys-attackdefense-labs.html

yoba222

Thanks for this great write up. I am actively forcing myself not to go on Pentester Academy right now and make plans to dig into this in the next few weeks. I need to just get OSCP done with first and then move on. But this is so tempting and I could use some AD knowledge strengthening, which I know I won't get in the PWK course.

McxRisley

yoba222 said:

I could use some AD knowledge strengthening, which I know I won't get in the PWK course.

Should someone tell him? No? Ok, I'll let him figure it out then lol

chrisone

If you look at it closely he clearly is saying he already "knows" he won't get AD knowledge from OSCP.

but i digress

#derailed

yoba222

For those 2 and half weeks, how many hours would you say you put into it?

chrisone

I would say 4-6 hrs. 3-4 at work and 1-2 extra hours at home. Don't tell my boss lol

McxRisley

chrisone said:

If you look at it closely he clearly is saying he already "knows" he won't get AD knowledge from OSCP.

but i digress

#derailed

Oh I read it correctly, you just misunderstood what I was trying to say lol You will gain SOME AD knowledge from the course, it is required to root a few of the boxes.

#notderailed

LonerVamp

I'm a PA subscriber, so I can try to answer some questions. And yes, their website is extremely confusing about these topics.

ATTACKDEFENSE LABS: These are included with a general subscription. They're a bunch of one-by-one exercises to perform attacks with (atackdefense . com). This lab system is used in some of the courses as the lab portion of that particular video. So if you learn attack X, you can practice attack X in this particular lab. These are pretty new, and I've not had a chance to do much, but they seem well worth the price of a sub alone. Some are related to courses while others are just standalone topics. Unlike courses, I don't believe there are any restrictions on usage. Every month, I get 100 "downloads" of videos on their site, so I can go through a course with 100 videos and watch it, and then wait until next month to do more. But, with these lab items, I don't think they are metered at all, and you can slam through them at your leisure.

RED TEAM LABS: ADVANCED RED TEAM LAB: is not inclued in my subscription. This looks like a VPN econnection into a lab, much like PWK or HTB. There is a "course" called Red Team Labs that is a companion to the lab. I've not looked at it (I could, I have the 8 videos downloaded), but it appears to be quick initial guidance on phases of an attack. I do have access to this course with my subscription. It also looks like you get access to that course if you purchase lab access, but seeing it through a general site sub would be a more economical way to preview the lab.

RED TEAM LABS: ACTIVE DIRECTORY ATTACK-DEFENSE LAB: is not included in my subscription. Looks like this is a VPN connection into a lab, much like PWK or HTB. There is a course called Attacking and Defending Active Directory by the same author that I have access to with my sub (36 videos, 14 hours, with objective walkthroughs). I really believe this is the companion course to that lab. Again, I have these downloaded so I can peruse a few. Looks like you'd get access to this course with the lab, but it would be cheaper to see it through a site sub and thus preview what you're in for.

FluffyBunny

Ooofffff what a day and what a night! But here I am, I've also managed to fight my way through CRTP. The jury's still out on whether I've passed, or not. But that's okay, because here's my review -> https://www.kilala.nl/index.php?id=2460

chrisone

Congrats! I am sure you will pass as long as you show evidence\screen shots on your progress results. Create a post on your experience once you get a chance. Would love to hear everything about your journey.

FluffyBunny

chrisone said:

Create a post on your experience once you get a chance. Would love to hear everything about your journey.

Noticed the link I put in my previous message? It's already typed up and I even refer to your opening post of this thread.

chrisone

very cool! sorry I didn't see the link. Sitting in a Varonis training session right now hahaha

I also appreciate the mention in your blog!

hmayvin

Can we contact to share some issues in the lab?? Thanks!! Very good report!

nikostz

Thanks for the nice review. I have just failed my CRTP exam. I have seriously underestimated its difficulty. I supposed that after OSCP this one would be an easy exam, only applying the techniques demonstrated during the course. It is way more difficult.
I have only managed to privesc on my foothold machine and get access/code execution on the first target machine. I could not step any further from there.
Do you have to suggest any additional material or an environment to get some practice before I retake the exam? Thank you!

FluffyBunny

nikostz said:

Do you have to suggest any additional material or an environment to get some practice before I retake the exam? Thank you!

All you need for the CRTP exam was taught during the classes. You will not need any additional study materials or tooling.

Remember the actual goal/subject of the training: attacking Active Directory.

The first privesc was attacking Windows (as covered in the course) and from there on out you need to map your way across the AD domain in the exam environment. Bloodhound will certainly help you with this. There is one step along the way that trips up almost everybody and which took me at least two hours to find. As I suggested: you will have to scour all you learned about AD to find "the missing link".

crytpokni8

When you took the exam second time did you get the same lab domain ? Or a different one ?

chrisone

Hi @crytpokni8 you continue on the same domain environment.