Introduction

I recently took advantage of PentesterAcademy’s Discounts due to the global pandemic and completed PentesterAcademy’s Certified Enterprise Security Specialist (PACES) Certification. This course provides an Active Directory lab where students can test out cutting-edge technologies, abuse and bypass many of the recommended defense mechanisms. The course is once again authored by Nikhil Mittal who is a seasoned AD penetration tester and researcher.

High Level Overview of the Lab

The Course

This course is made up of a few hours of instructional videos, lab manuals and the challenge lab. The instructional lab materials serve as an introduction to the cutting edge TTPs encountered in the challenge lab in no particular order. The course covered 46 challenges across 12 sections. The end goal of the challenge lab was to find a secret code that can be used to launch malicious bank transfers. Most of the learning concepts and attack methodologies were new to me and it was even more fun to spend extra time to learn about how they can be mitigated too. Some of the concepts covered were:

  • PAM Trusts
  • LAPS (Local Administrator Password Solution)
  • PSWA (PowerShell Web Access)
  • RBCD (Resource Based Constrained Delegation)
  • PrinterBug
  • JEA (Just Enough Administration)
  • WSL (Windows Subsystem for Linux)
  • Exchange Permissions

While I managed to barely scrape by in 30 days duking it out in the labs, this approach isn’t recommended at all. I recommend the 60 days or more depending on your work-life balance.

The Exam

The exam duration was 48 hours and had equal weightage to both attack and defense. Basically, the exam endgame was to gain OS command execution on all target systems and to mitigate the misconfigurations after full compromise of the exam lab. After the exam time had expired, I had 48 hours to write and submit a detailed report of both my attack paths and applied mitigations.

There’s a weird feeling one gets when you’ve hacked your way to Enterprise Admin only to realize you are only half done. Personally, I felt this made the exam even more brutal than it already was.

However it was nice to learn just how easy it was to apply the mitigations to some of the attack paths. While the lab is thin on the defensive side of things, the lab does an excellent job at covering everything needed in the exam.

I got a personal email from the course author Nikhil Mittal thanking me for a well accomplished exam, writing a great report and a job well done. I was then able to provide detailed feedback on what I liked during the course and what could be improved upon to enhance the student experience.

The Conclusion

The challenge lab and accompanying exam was truly an eye opening experience. If you feel you are familiar with AD Attacks and want more of a challenge, then I can’t recommend it enough. If you love the TRY HARDER mindset then this is definitely for you.

Special Thanks

Once again, special thanks to Nikhil Mittal and PentesterAcademy for creating and hosting an awesome course. Also great thanks to the lab support during the lab and the exam.

Shoutout to Antony Mutiga and Gabriel aka VIVI for reviewing this short post.

Feel free to message me on twitter with any questions.