SecurityTube Advanced Red Team Lab training - Worth it?
22 Sep 2020
Quick answer: Totally!
I would like to talk a bit about the SecurityTube red team labs, specifically the Advanced Red Team Lab, which leads to the CRTE (Certified Red Team Expert) certification. P.S.: I'm not affiliated with SecurityTube.
Some great reviews already exist, so I will focus on why I chose this lab and certification, and give you some hints about how to approach your targets. Most importantly, I would like to introduce a tool I developed that will help you during your journey: Invoke-Recon.
I was looking for another professional and challenging certification focused on Windows AD. My prerequisites were:
- no jeopardy-style challenges
- real-life scenarios of the kind found in real engagements
- an environment that is not too crowded. I ran into this problem on other platforms, where I spent much of my time contacting support to revert the VMs because other students' sloppy exploitation or persistence had left the machines I was working on totally unstable.
In the end, the Advanced Red Team Lab was the answer.
Companies are increasingly looking for quality online training because of the current health crisis. Consider asking your company for financial support.
What I really liked
- Responsive and helpful support
- Up-to-date servers and workstations with AppLocker, AV running and PowerShell in Constrained Language Mode
- Relevant AD exploitation paths and local privilege escalation
- Nikhil Mittal and his team are really friendly, and you can definitely contact them on Twitter to share your thoughts on this lab
And why not, while diving into this journey, you will probably see how the tools you use could be improved to match your needs (don't hesitate to open a PR; I did with PowerUpSQL), or maybe you will develop your own tool. What I mean is that this is a virtuous circle: you learn and you share with the infosec community.
What should be / will be improved
- The ability to revert VMs on your own during the lab and the exam (in development on their side)
What you will learn
Obviously, the difficulty level depends on your experience as a pentester, but be sure that after this certification you will be able to:
- Properly enumerate an AD (basic and more complex stuff) and know which tools to use (more on that later)
- Find AD exploitation paths and weak ACLs
- Spear-phish users
- Exploit Kerberos delegation and understand how the S4U extensions work (for example, Kerberos constrained delegation with protocol transition)
- Exploit domain / forest trusts (SID filtering, SID History, …)
- Exploit MSSQL servers (this part was really interesting, as I had not had many opportunities to exploit MSSQL instances during engagements)
- Find your way to local privilege escalation on fully patched servers with AppLocker and AV running
- Many other cool things
Hints (that you may not find in other blog posts)
You will start as a domain user on a Windows Server you can RDP into. I advise you to get SYSTEM on this machine, then disable Defender and some restrictive firewall and AppLocker rules. Then take off your shoes and make yourself at home.
Sometimes in this lab you will be able to move forward in unintended ways, i.e. with your own kind of exploitation (to give you an idea, read this blog post from itm4n). Even if you succeed in compromising all the forests, I strongly recommend that you try to get all the boxes the intended way, because otherwise you may miss something on D-day.
Also, do not overlook the post-exploitation part. And don't forget to note where you struggled: during the exam it would be a pity to lose time on something you have already faced.
Not many services will be exposed, and you will also be firewalled.
Talking about firewalling, we can agree that sometimes it is more comfortable to have an RDP session than a command-line session. In the following example we assume that we have a shell on a server and only a few ports are reachable. 5985 is a good candidate, but WinRM is already listening on it.
Be aware that if you execute the following commands from a Remote PowerShell session, you will be disconnected, because we set the RDP listen port to 5985. That is why we have to stop WinRM (sc.exe stop WinRM) before starting the Remote Desktop service.
Set the RDP listen port and start the Remote Desktop service 'without rebooting':
# Require Network Level Authentication on the RDP listener
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 1
# Move the RDP listener from 3389 to 5985
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name PortNumber -Value 5985
# Free port 5985 (this drops any Remote PowerShell session you are in)
sc.exe stop WinRM
# Allow Remote Desktop connections, which brings up the listener on the new port
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
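For the blue-team side of the same trick, here is an added example (not from the original post) that reads back the registry values and service states the commands above touch and flags an RDP listener that has been moved onto the WinRM port. It assumes a local, elevated PowerShell session on Windows 8 / Server 2012 or later (for Get-NetTCPConnection).

```powershell
function Get-RdpListenerState {
    # Added example: audit the RDP listener configuration from a defender's
    # point of view. Assumes local elevated PowerShell 5.1+ on Windows 8+.
    $tsKey  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"

    # The three values the commands above modify
    $deny = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $port = (Get-ItemProperty -Path $rdpKey -Name PortNumber         -ErrorAction SilentlyContinue).PortNumber
    $nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

    # Service state: the trick needs WinRM stopped and TermService running
    $termStatus  = (Get-Service -Name TermService -ErrorAction SilentlyContinue).Status
    $winRmStatus = (Get-Service -Name WinRM       -ErrorAction SilentlyContinue).Status

    # Is anything actually bound to the configured RDP port right now?
    $bound = $null
    if ($port) {
        $bound = [bool](Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)
    }

    # A non-default port with RDP enabled is the signature of the relocation;
    # 5985/5986 are the WinRM ports, so RDP there means WinRM was displaced.
    $finding = 'Default RDP configuration'
    if ($deny -eq 0 -and $port -ne 3389) {
        $finding = "RDP enabled on non-default port $port"
        if ($port -in 5985, 5986) { $finding += ' (WinRM port; WinRM was probably stopped to free it)' }
    }

    [pscustomobject]@{
        RdpEnabled        = ($deny -eq 0)
        ListenPort        = $port
        NlaRequired       = ($nla -eq 1)
        PortBound         = $bound
        TermServiceStatus = $termStatus
        WinRmStatus       = $winRmStatus
        Finding           = $finding
    }
}

Get-RdpListenerState | Format-List
```

The same values can be collected centrally through the registry keys above (or Sysmon EventID 13 on the PortNumber value) if you want to alert on this across a fleet rather than check one host.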
Now let's talk about an interesting part: what kind of tools did I have on my Windows VM (which does not mean I used all of them)? Here is my list:
| Tool | Purpose |
|---|---|
| ADModule | Use the AD PowerShell module for enumeration without installing RSAT |
| Agent Ransack | Fast file / directory crawler |
| mimikatz | Do we really have to introduce this tool? |
| Nishang | Exploitation framework from Nikhil "SamratAshok" Mittal |
| Empire -> Invoke-DCSync.ps1 | DCSync |
| PowerSploit -> PowerView.ps1 | AD enumeration (see harmj0y's PowerView 3 tricks) |
| PowerSploit -> Invoke-Mimikatz.ps1 | Mimikatz through PowerShell |
| PowerSploit -> Invoke-PortScan.ps1 | Port scanner in PowerShell |
| PowerSploit -> Invoke-TokenManipulation.ps1 | Manipulate logon tokens and create impersonation tokens |
| Invoke-SDPropagator.ps1 | Trigger the SDPropagator mechanism, for example after backdooring AdminSDHolder |
| Invoke-SocksProxy.psm1 | SOCKS proxy in PowerShell |
| IPv4PortScan.ps1 | Another port scanner in PowerShell |
| powercat.ps1 | Netcat in PowerShell |
| Set-LHSTokenPrivilege.ps1 | Enable / disable your local privileges |
| PowerUpSQL | MSSQL exploitation framework |
| PrintSpoofer.exe | Exploit the printer bug locally |
| Rubeus | Useful when you have to deal with Kerberos tickets |
| BloodHound | Find AD exploitation paths |
| SpoolSample | Call the RpcRemoteFindFirstPrinterChangeNotification RPC to trigger the printer bug |
| SysinternalsSuite | All the Microsoft Sysinternals utilities |
| lolbas | Living Off The Land Binaries and Scripts |
And last but not least, as I said previously, this journey was a good opportunity to gather a lot of my recon commands in one single PowerShell tool: Invoke-Recon.
Give Invoke-Recon a try and let me know what you think. I am still developing this tool and will introduce it in a future blog post. But if you are already wondering what kind of things you can enumerate with it:
- Find all DCs (and check whether ADWS is reachable, in order to be able to use the Active Directory PowerShell module)
- Domain password policy
- Domain / forest trusts
- All domain users / groups / computers
- Privileged users with RID >= 1000 (recursive lookup of nested members of privileged groups, rather than AdminCount = 1, to avoid orphans)
- Users / computers / Managed Service Accounts with unconstrained (T4D) and constrained delegation (also looks for constrained delegation with protocol transition (T2A4D))
- Services with msDS-AllowedToActOnBehalfOfOtherIdentity
- Exchange servers
- Users with mailboxes
- Exchange servers vulnerable to PrivExchange and CVE-2020-0688
- Computers with a deprecated OS
- Users with Kerberos pre-authentication disabled (AS-REP roasting)
- Kerberoastable users
- Principals (RID >= 1000) with Replicating Directory Changes / Replicating Directory Changes All
- Enumerate MSSQL instances (looking for SPNs with service class MSSQL)
- Find MSSQL instances accessible within the current security context and get their versions
- Find linked servers from each accessible MSSQL instance
- Brute-force common credentials
- Look for xp_cmdshell enabled through the linked servers of each accessible instance
- Audit each accessible MSSQL instance for common high-impact vulnerabilities and weak configurations
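To show how the delegation and pre-authentication entries in that list are actually found, here is an added example that is not part of Invoke-Recon: a single LDAP bitwise filter over userAccountControl plus the two delegation attributes, classified per object. It assumes the ActiveDirectory module is loaded (RSAT, or the ADModule from the tool list above) and that an ADWS endpoint is reachable, as the first bullet requires.

```powershell
# Added example, not part of Invoke-Recon: one LDAP query that surfaces the
# delegation and pre-auth settings listed above. Assumes the ActiveDirectory
# module (RSAT or the ADModule from the tool list) and a reachable ADWS host.
Import-Module ActiveDirectory

# userAccountControl flags (MS-ADTS); interpolated as decimal into the filter
$TRUSTED_FOR_DELEGATION         = 0x0080000   # T4D: unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # T2A4D: protocol transition
$DONT_REQ_PREAUTH               = 0x0400000   # AS-REP roastable

# LDAP_MATCHING_RULE_BIT_AND lets one filter test each flag server-side
$bitAnd = '1.2.840.113556.1.4.803'
$filter = "(|(userAccountControl:${bitAnd}:=${TRUSTED_FOR_DELEGATION})" +
          "(userAccountControl:${bitAnd}:=${TRUSTED_TO_AUTH_FOR_DELEGATION})" +
          "(userAccountControl:${bitAnd}:=${DONT_REQ_PREAUTH})" +
          '(msDS-AllowedToDelegateTo=*)' +
          '(msDS-AllowedToActOnBehalfOfOtherIdentity=*))'

function Get-DelegationAudit {
    $props = 'userAccountControl', 'msDS-AllowedToDelegateTo',
             'msDS-AllowedToActOnBehalfOfOtherIdentity', 'servicePrincipalName'
    # Get-ADObject covers users, computers and gMSAs in one pass
    Get-ADObject -LDAPFilter $filter -Properties $props | ForEach-Object {
        $uac = [int]$_.userAccountControl
        $findings = @()
        # Domain controllers legitimately carry T4D; any other account with it
        # is a high-value target and should be reviewed or moved to RBCD.
        if ($uac -band $TRUSTED_FOR_DELEGATION)            { $findings += 'Unconstrained (T4D)' }
        if ($_.'msDS-AllowedToDelegateTo')                  { $findings += 'Constrained' }
        if ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)    { $findings += 'Protocol transition (T2A4D)' }
        if ($_.'msDS-AllowedToActOnBehalfOfOtherIdentity')  { $findings += 'RBCD target' }
        if ($uac -band $DONT_REQ_PREAUTH)                  { $findings += 'PreAuth disabled' }
        [pscustomobject]@{
            Name       = $_.Name
            Class      = $_.ObjectClass
            Findings   = $findings -join '; '
            DelegateTo = ($_.'msDS-AllowedToDelegateTo' -join ', ')
        }
    }
}

Get-DelegationAudit | Sort-Object Class, Name | Format-Table -AutoSize
```

Running this as a low-privileged domain user is enough, since all of these attributes are readable by Authenticated Users by default, which is exactly why they matter to both sides.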
More to come
To continue on AD enumeration, I would like to share some of the Cypher queries I use with BloodHound to spot very interesting things during an engagement. I will also dive a bit deeper into Invoke-Recon.
Keep in touch, and don't hesitate to reach out if you want more information about this lab, if you are stuck, or for anything else; I'm always glad to help. I answer a lot of questions by email or Twitter, some dealing with my switch from web developer to technical auditor for the French government. Contact me.
Have a nice day, and may the force be with you (I let you choose which side).