ADLabsReview

Active Directory Labs/exams Review

If you know me, you probably know that I've taken a bunch of Active Directory attack labs so far, and I've been asked to write a review several times. After passing the CRTE exam recently, I decided to finally write a review of multiple Active Directory labs/exams! Note that when I say Active Directory labs, I mean it from an offensive perspective (i.e. a red teamer/attacker), not a defensive perspective. Furthermore, I'm only going to focus on the courses/exams that have a practical portion. Those that test you with multiple choice questions, such as CRTOP from IACRB, will be ignored.

Whoami

I graduated from an elite university (Johns Hopkins University) with a master's degree in Cybersecurity. I have a strong background in many domains of cybersecurity, but I'm mainly focused on penetration testing and red teaming. I am currently a senior penetration testing and vulnerability assessment consultant at one of the biggest cybersecurity consultancy companies in Saudi Arabia, where we offer consultancy to numerous clients across the public and private sectors. I hold a number of penetration testing certificates, such as:

  • OSEP
  • OSCE
  • OSCP
  • CRTE
  • CRTO
  • GPEN
  • eCPTX
  • GWAPT
  • OSWP
  • CREST CRT
  • eCPPTv2
  • ECSA (Practical)

Additionally, I hold a certificate in Purple Teaming:

  • GDAT

My current rank in Hack The Box is Omniscient, which is only achievable after hacking 100% of the challenges at some point. More information about me can be found here: https://www.linkedin.com/in/rian-saaty-1a7700143/

General Recommendation

As a general recommendation, it is nice to have at least OSCP OR eCPPT before jumping into Active Directory attacks, because you will actually need to be a good network pentester to finish most of the labs that I'll be mentioning. If you think you're good enough without those certificates, by all means, go ahead and start the labs! These labs are at least for junior pentesters, not for total noobs, so please make sure not to waste your time & money if you know nothing about what I'm mentioning. Moreover, some knowledge about SQL, coding, network protocols, operating systems, and Active Directory is kind of assumed and somewhat necessary in most cases. You should obviously understand and know how to pivot through networks and use proxychains and other tools that you may need. Specifically, the use of Impacket for a lot of aspects in the labs is a must, so if you haven't used it before, it may be a good place to start. The use of at least either BloodHound or PowerView is also a must. Antivirus evasion may be expected in some of the labs, as well as other security constraints, so be ready for that too! The reason I'm saying all this is that you actually need the "Try Harder" mentality for most of the labs that I'll be discussing here. In fact, most of them don't even come with a course!

Introduction

Some of the courses/labs/exams that are related to Active Directory that I've done include the following:

HackTheBox's Endgames:

  • P.O.O
  • Xen
  • Hades

HackTheBox's Pro Labs:

  • Offshore
  • RastaLabs

Elearn Security's Penetration Testing eXtreme:

  • eLearnSecurity Certified Penetration Tester eXtreme certification (eCPTX)

Pentester Academy's Windows Red Team Lab:

  • Certified Red Team Expert (CRTE)

Zero-Point Security's Red Team Operator:

  • Certified Red Team Operator (CRTO)

Evasion Techniques and Breaching Defenses (PEN-300):

  • Offensive Security Experienced Penetration Tester (OSEP)

There are of course more AD environments that I've dealt with, such as the private ones I face in "real life" as a cybersecurity consultant, as well as the small AD environments I face in some of Hack The Box's machines (I will obviously not cover those because it would take forever). Also, note that this is by no means a comprehensive list of all AD labs/courses, as there are many more red teaming/Active Directory labs/courses/exams out there. There are 2 in Hack The Box that I haven't tried yet (one Endgame & one Pro Lab), CRTP from Pentester Academy (beginner friendly), PACES from Pentester Academy, and a couple of SpecterOps courses that I've heard really good things about but still haven't had time to try. Once I do any of the labs I just mentioned, I'll keep updating this article, so feel free to check it once in a while!

I'll be talking about most if not all of the labs without spoiling much and with some recommendations too! All of the labs contain a lot of knowledge and most of the things that you'll find in them can be seen in real life. In fact, I've seen a lot of them in real life! I will also compare prices, course content, ease of use, ease of reset/reset frequency, ease of support, & certain requirements before starting the labs, if any.

Note that I've taken some of them a long time ago so some portion of the review may be a bit rusty, but I'll do my best :)

To begin with, let's start with the Endgames. Endgames can't normally be accessed without achieving at least "Guru" rank in Hack The Box, which is only achievable after finishing at least 90% of the challenges in Hack The Box. This includes both machines and side CTF challenges. This can be a bit hard because Hack The Box keeps adding new machines and challenges every single week. However, once you're Guru, you're always going to be Guru, even if you stop doing any machine/challenge forever. The good thing is, once you reach Guru, ALL Endgame Labs will be FREE except for the ones that get retired. I've done all of the Endgames before they expired. To make things clear, Hack The Box's active machines/labs/challenges have no writeups, and it would be illegal to share their solutions with others UNTIL they expire. So far, the only Endgames that have expired are P.O.O. & Xen. The catch here is that WHEN something expires in Hack The Box, you will be able to access it ONLY with a VIP subscription, even if you are Guru and above! Additionally, solutions will usually be available for VIP users OR when someone writes a writeup for it online :) Another piece of good news (assuming that you haven't done Endgames before) is that with your VIP subscription, you will be able to access 2 Endgames at the same time!

Endgame Professional Offensive Operations (P.O.O.):

I completed the P.O.O. Endgame back in January 2019, when it was for Guru-ranked users and above, so here is what I remember from it:

Price: Comes with Hack The Box's VIP Subscription (£10 monthly) regardless of your rank. If you ask me, this is REALLY cheap!

Ease of use: Easy. You get an .ovpn file and you connect to it.

Ease of reset: Can be reset ONLY after 5 VIP users vote to reset it. This is actually good because if no one other than you wants to reset, then you probably don't need a reset!

Ease of support: Community support only! Meaning that you'll have to reach out to people in the forum OR in the Discord channel to ask for help if you get stuck.

Course: Doesn't come with any course, it's just a lab so you need to either know what you're doing or have the Try Harder mentality!

Goal: "The goal is to compromise the perimeter host, escalate privileges and ultimately compromise the domain while collecting several flags along the way."

Certificate: N/A. You'll just get one badge once you're done.

Exam: N/A.

Difficulty: Intermediate

Release Date: March 2018.

Retired: June 2020.

The lab itself is small as it contains only 2 Windows machines. Not really "entry level" for Active Directory to be honest, but it is good if you want to learn more about MSSQL abuse and other AD attacks. It is worth mentioning that the lab contains more than just AD misconfigurations. It needs enumeration, abusing IIS vulnerabilities, fuzzing, MSSQL enumeration, SQL Server link abuse, abusing Kerberoastable users, cracking hashes, and finally abusing service accounts to escalate privileges to SYSTEM! Overall, a lot of work for those 2 machines! If you think you're ready, feel free to start once you purchase the VIP package from here: https://www.hackthebox.eu/home/endgame/view/1 Since it is a retired lab, there is an official writeup from Hack The Box for VIP users, and others are allowed to do unofficial writeups without any issues. SPOILER ALERT: Here is an example of a nice writeup of the lab: https://snowscan.io/htb-writeup-poo/#

Endgame Xen:

I completed the Xen Endgame back in July 2019, when it was for Guru-ranked users and above, so here is what I remember from it:

Price: Comes with Hack The Box's VIP Subscription (£10 monthly) regardless of your rank. If you ask me, this is REALLY cheap!

Ease of use: Easy. You get an .ovpn file and you connect to it.

Ease of reset: Can be reset ONLY after 5 VIP users vote to reset it. This is actually good because if no one other than you wants to reset, then you probably don't need a reset!

Ease of support: Community support only! Meaning that you'll have to reach out to people in the forum OR in the Discord channel to ask for help if you get stuck.

Course: Doesn't come with any course, it's just a lab so you need to either know what you're doing or have the Try Harder mentality!

Goal: "The goal is to gain a foothold on the internal network, escalate privileges and ultimately compromise the domain while collecting several flags along the way."

Certificate: N/A. You'll just get one badge once you're done.

Exam: N/A.

Difficulty: Intermediate

Release Date: June 2019.

Retired: June 2020.

Even though the lab is bigger than P.O.O., it contains only 6 machines, so it is still considered small. Not really "entry level" for Active Directory to be honest, but it is good if you want to learn more about Citrix, SMTP spoofing, credential-based phishing, multiple privilege escalation techniques, Kerberoasting, hash cracking, token impersonation, wordlist generation, pivoting, sniffing, and br
