24 October 2021 / REVIEW, CRTP, AD CRTP Review I have recently completed the Attacking and Defending Active Directory course from Pentester Academy and wanted to share my thoughts for anyone looking to take the course and take the CTRP exam. The course is very beginner friendly, no prior knowledge of attacking active directory or using PowerShell is required. However, I do recommend understanding the basis before the course. Resources like TryHackMe will provide a good overview of basic terminology, privilege escalation and reverse shells etc. At a high-level the course covers: Domain Enumeration Local Privilege Escalation Lateral Movement Domain Persistence Domain Privilege Escalation Cross-Forest Attacks Forest Persistence Detection and Defense As part of the course you get all the learning material and access to a AD lab to practice the attacks in a controlled environment. For the lab access you can choose 30, 60 or 90 days of access. I only took 30 days but I think this is plenty to cover all the material and complete the labs but of course it depends on the time you can spend on it. I would spend a few hours a couple of evenings a week and a good 4 or 5 hours on a weekend. The Course Once you have registered you will receive access to a portal which provides: Course videos Course slides Lab guide Lab walk through videos You will also be asked when you wish to obtain access to the labs. I think this a great option as some people will prefer to watch everything then focus on the labs. However my methodology was: Watch the video for a section Read the section slides and notes Complete the learning objective for that section Watch the lab walk through Repeat for the next section I preferred to do each section at a time and fully understand it before moving on to the next. The course videos are good, I think they are missing some post production flare as its just the instructor with some slides and demos, however that being said the content (which is the important bit really) is fantastic. Nikhil Mittal clearly breaks down each subject and explains each attack and provides a demo of how it works. At the end of each learning section is a learning objective to complete in the labs. These are not like the OSCP labs, this environment is to be used with the learning material to try out each attack. Additionally, on the portal is a flag verification tab with questions, the answers are to be discovered whilst completing the labs. These aren’t like CTF hash flags but snippets of information such as ‘NTLM hash of UserX’. While completing the course I had no issues at all with the labs, they are shared with other students but this didn’t cause me any problems. The Exam The exam was fun! You are given 24 hours to enumerate and compromise a AD environment of 5 machines. You are provided with an additional machine to provide a foothold on to the network but that is it. No tools are on the machine, anything you want to use must be first copied over. After the 24 hour period you are given 48 hours to write up your findings and submit a report. A couple of days before the exam started, I created the report template and read through all my notes from the course. I use Onenote for note taking, so I created a new section specifically for the exam with a sub section for each machine and some general sections for notes, credentials etc so I could quickly copy and paste details. I started the exam at around 11.30, by 15.00 I had managed to gain privesc on the foothold machine and compromise two others but then came hell, machine 3. I was stuck, for hours…… 11 hours later at 02.00 I decided I needed sleep and managed to sleep until 05.00. I was sure I knew how to compromise machines 4 and 5 based on the enumeration I had done but the machines needed to be done in order. However, at 05.30 I had access! I was completely overthinking it, having the break and stepping away allowed me to start again and look it with a fresh (but tired) pair of eyes. By 06.15 I was able to compromise the remaining machines. I went though and got all my notes and screenshots so I could create my write up and by 10.00 submitted my report. I got confirmation they received it and would get back to me with result. 6 days passed and then I finally I got the confirmation I passed! Final Thoughts I highly recommend the course to anyone involved in attack or defending AD. From a offensive perspective the course gives a good understanding of some of the attacks available and hands on experience testing them and moving around a domain. From a defensive perspective, its a must! 30 days is plenty of time to complete all the material and the labs multiple times. The exam is tough but fair and as long as you understand all the course material you can pass the exam. Im proud to say I’m now CRTP! Thanks for reading! ============================================================ Any comments or feedback welcome! You can find me on twitter.