Are you considering taking Pentester Academy's Attacking and Defending Active Directory course? Read on and find out more about it and whether or not it's for you!
CRTP Course Review
Attacking and Defending Active Directory is Pentester Academy's beginner to intermediate level course on maneuvering through an Active Directory environment. The course covers topics including:
Local Privilege Escalation
Domain Privilege Escalation
Cross Forest Attacks
Unconstrained and Constrained Delegation
Detection and Defense of AD Attacks
The course comes in two formats: on-demand via a Pentester Academy subscription and as a bootcamp purchased through Pentester Academy's bootcamp portal. The on-demand version is split into 25 lecture videos and includes 11 scenario walkthrough videos. The bootcamp version is split into 4 3-hour sessions led by none other than Nikhil Mittal. Nikhil has an impressive resume. He is the developer behind Nishang and also has spoken at DEFCON and BlackHat among other high visibility conferences. In addition to the interactive sessions, the bootcamp version includes an exam attempt and 30 days of access to the Active Directory lab, which I strongly recommend having if you plan on attempting CRTP.
I took the bootcamp version of the course. The strong benefit to taking the course interactively, besides the included lab environment, is the Discord server that allows you to interact with Nikhil and ask questions during the session. You are also able to interact with other folks taking the course and ask questions throughout the week while you're working on the included labs. This becomes very helpful; even if you're more of an introvert and don't anticipate yourself interacting with classmates, don't be surprised if the discussions and questions that pop up in the Discord lead you to interacting and engaging with your peers. At minimum the ongoing conversation may be beneficial because folks tend to encounter similar issues and have similar questions about the material.
Nikhil is very thorough in his topic coverage and breaks the content down to a digestible level. I went into the course with minimal Active Directory experience and moderate PowerShell/scripting experience and felt as though I could keep up. One thing I did that helped me personally was getting the course material printed and bound at the Staples/OfficeMax/etc. This allowed me to highlight/annotate the course content with what Nikhil lectured instead of trying to keep up by typing out notes and commands. It also offered me the opportunity to skim and review some of the course material at bedtime. Sounds intensive, but I was putting my all into this with the intent of taking the exam a week after the course terminated and I wanted to be as ready as I could for it.
You are also provided with a recording of each session a few hours after each one takes place. Being new to Active Directory, I capitalized on this and went back and re-watched some of the content to "gap fill" where I lacked fundamental knowledge.
CRTP Exam Review
The exam is 24 hours long and not proctored. You get an additional hour to configure and set up your lab environment as you see fit, totaling 25 hours of access to the environment. The exam consists of 5 target servers aside from the box you start on and the goal is to get OS-level command execution on all 5 targets. Note that this does not mean that you need administrative privileges on all targets, just command execution (hostname, whoami, dir, etc).
Once the 24 hours of access to the lab environment expire, you have 48 hours to generate and submit a report in PDF format. The report should include your methodology, tools used, screenshots of outputs, etc. The report should walk the reader through the how and why of your methodology. Pentester Academy emphasizes that the better the report, the better the scoring, with better reporting including references to external articles and talks.
Everything you need to pass the exam is taught in the course. Also note that this is not an exam where you have to go hunting on exploit-db; as part of the course materials you are provided with a .zip file containing the tools necessary. Uploading these to the lab environment is part of the exam setup, but you should not need to go searching for additional open-source tooling or resources to achieve the exam objectives.
For my specific exam experience, I started the test around 11:00 AM local time. It took me some time to get set up, being that you have to import the tools you wish to use in the exam. It took me a long time (probably longer than it should have) to compromise the first target. From there, the attack path starts to gain some bounds/scope and it got easier for me as it went on. I completed the environment compromise in roughly 18 hours. I took some short breaks for meals and just to get up and walk around, but I didn't get any sleep during that time frame; I was too "wired" to be able to wind down and get proper rest.
One thing I did and I highly recommend to others interested in pursuing this exam was generating a rough draft of the report as I went through the test. This allowed me to get the screenshots I needed while I still had access to the exam environment and also enter notes that gave me enough context regarding what I had done. After I finished compromising the environment, I went back and refined my report to read more smoothly, but most of the work was already done.
I submitted my report about an hour after I completed the exam. Almost immediately I received a confirm of receipt email letting me know that it could take up to 7 business days to receive formal results.
Resources for CRTP
"He Perfected a Password-Hacking Tool - Then the Russians Came Calling" by Wired (story behind Mimikatz)