Certified Red Team Expert

https://www.pentesteracademy.com/redteamlab

Disclaimer: This post contains my personal opinion and does not represent the opinion of my previous or future employers or any organisations I am affiliated with.

Introduction

The purpose of this post is to outline my experience of Nikhil Mittal's Windows Red Team Lab course hosted by Pentester Academy, and to provide some insight into the course content, what is involved and the level of prior knowledge required, which will hopefully be helpful to future candidates who are considering taking the course.

What is the CRTE

The Certified Red Teaming Expert (CRTE) is a completely hands-on certification. It is the next step in Pentester Academy's progression of Active Directory oriented certifications after the Certified Red Team Professional (CRTP). The course provides an Active Directory Environment that allows for students to practice sophisticated attacks against misconfigured Microsoft infrastructure and enterprise applications, conducted from an assumed breach perspective.

Duration

There are three lab-time options: 30 days, 60 days or 90 days. Students can choose any option depending on the time they will spend in the lab and their prior knowledge of Active Directory (AD) and the associated attack techniques. I personally opted for 30 days of lab time as I felt that I already had a good grasp of AD attack techniques. If you are not comfortable operating in an AD environment, you may want to check out the Pentester Academy Attacking and Defending Lab (https://www.pentesteracademy.com/activedirectorylab) first, as it is intended as a practice lab where you apply the techniques taught, rather than having to work out how to apply them in tricky environments.

Course Content

  • Active Directory Enumeration

  • Abusing built-in functionality for code execution

  • Local Privilege Escalation

  • Credentials Replay

  • Using administration tools to compromise other machines

  • Bypassing countermeasures such as application whitelisting and anti-virus

  • Pivoting through Windows machines to bypass firewall rules

  • Domain Privilege Escalation using Kerberoast, Kerberos delegation, abusing protected groups, abusing enterprise applications and more

  • Domain Persistence and Dominance using Golden and Silver tickets, Skeleton Key, DSRM abuse, AdminSDHolder, DCSync, ACL abuse, host security descriptors and more

  • Forest privilege escalation using cross-trust attacks

  • Inter-forest trust attacks

  • Abusing SQL Server Trusts

  • Lateral movement and hunting for business secrets using built-in Windows tools

Lab Objective

The objective of the Windows Red Team Lab is to equip students with the ability to emulate the tactics, techniques and procedures of would-be attackers: to hunt for misconfigurations and "leads" in a modern Windows Active Directory environment, exploit them and ultimately obtain access to critical data (Personally Identifiable Information (PII) / financial transaction information). I think it's important to note that the lab is intended as a challenge, and the course content does not cover everything you need to know, so additional research is necessary.

Lab Review

There were a total of 12 machines in the lab, with multiple domains and forests configured. Each student is provided access to a Windows 10 lab machine via RDP with a low-privilege domain account, as part of the assumed breach testing approach. The machine is one of many workstations within the AD environment and has up-to-date antivirus enabled. Students are tasked with escalating their privileges on the student machine to gain local administrator rights and disabling the antivirus, in order to install the additional tools that will help them progress through the lab environment.

The student can choose to operate in "Easy" or "Hard" mode, which determines whether the provided host can connect directly back to the student's personal testing machine or whether the student operates from the provided host machine via RDP only. I went through the lab in "Hard" mode just because, but personally I don't see any benefit in doing so except for the unnecessary suffering of having to install and run tools that are only compatible with the Windows host.

It's important to note that while the machines in the lab revert to their original state once a day, the provided host does not. Therefore you do not have to worry about installing the tools on the provided host repeatedly.

As mentioned previously, the provided course material will not be sufficient for the typical student to get through the lab without additional research, as students are required to evade antivirus and AMSI, perform phishing attacks, abuse database misconfigurations, retrieve important artifacts, elevate from a compromised child domain controller to the parent domain controller, compromise an external forest, and more.

While the lab was definitely challenging to get through, it was also realistic, so I really enjoyed my time working through it. One thing I think should be highlighted, and which I believe is one of the most attractive aspects of this course, is how responsive and helpful the support team were. From the start of the course, I would email the support team almost daily to check whether the approach I was trying was the intended one, and I would request more information on the flags. The support team responded to my queries promptly without fail and were always very helpful. That being said, while they were very helpful in providing directions on where the flags were, they did not reveal any information on "how" to get them, which was great. I really cannot stress enough how good the customer support was!

Exam

I completed the lab in just under the 30 days and booked the exam by emailing the support team. There are 6 systems in the exam environment. Students are given 48 hours to complete the exam and have to compromise at least 3 machines. When the exam is over, students are given an additional 48 hours to submit a high-quality report. The report should contain a detailed walkthrough of how the machines were compromised and recommendations to remediate the issues identified.

I found the exam relatively straightforward, with some twists, and was able to compromise all the machines. I would say that if you have completed all the lab challenges then the exam should be fine; otherwise you may find it difficult to solve all the machines.

Result

I received a confirmation email informing me that I had passed the exam one day after submitting the report.

Worth It or Not?

I think Pentester Academy's Active Directory oriented courses are massively underrated. I would highly recommend this lab to every pentester or red teamer, as it provides huge value and there will always be something to learn. At the very least it is a great place to practice TTPs and to get more familiar with your tooling.
