Greetings, my name is THOVITI SIDDHARTH, and I’m passionate about cybersecurity, machine learning, computer vision, and web development. Welcome to my website! I write about my computer science experiments and thoughts that drive me to write.
Blog Posts
CRTP Review – Certified Red Team Professional
Introduction
Certified Red Team Professional (CRTP) is an Active Directory-based red teaming certification. The course, titled “Attacking and Defending Active Directory: Beginner’s Edition,” serves as an introductory guide to understanding and executing Active Directory attacks and defenses. The course is taught by Nikhil Mittal. In this blog post, I will review the course and share my experience with the course materials, lab environment, and exam.
Pre-Requisites
While the website lists only two prerequisites:
- A basic understanding of Active Directory
- The ability to use command line tools on Windows
it is essential to have a fundamental understanding of penetration testing and PowerShell scripting. I already had substantial HackTheBox experience and the eCPPTv2 certification. For anyone considering this course, I highly recommend completing HackTheBox’s Active Directory path or solving a few machines related to Active Directory.
Who should take CRTP?
- Professional penetration testers who need to compromise Active Directory environments.
- Those curious about red teaming in Windows environments and wanting to learn evasion, privilege escalation, lateral movement, persistence, and other techniques.
- Experts in Active Directory exploitation and red teaming might find the course too basic but can benefit from reinforcing their knowledge.
Course Material
The course material includes:
- Comprehensive video content totaling over 14 hours.
- Course slides and a lab manual.
The video content features both pre-recorded sessions and live Bootcamp recordings. I chose the Bootcamp material because I found Nikhil’s humor and industry insights helpful. The Bootcamp videos also include answers to student questions, which is beneficial for online learners. The course is divided into four modules:
- Enumeration and Local Privilege Escalation
- Lateral Movement, Domain Privilege Escalation, and Persistence
- Domain Persistence, Dominance, and Escalation to Enterprise Admins
- Monitoring, Architecture Changes, Bypassing Advanced Threat Analytics, and Deception
Understanding Active Directory concepts is crucial, as solving the labs or exam with off-the-shelf exploits from the internet won’t suffice.
Lab Environment
The lab is an Active Directory environment featuring Windows Server 2022 machines with SQL 2017 and 2019 setups. It includes two forests and follows an “assumed breach” scenario, providing access to a dedicated student VM as a low-privileged user. This setup requires you to escalate privileges, move laterally, and eventually compromise the domain controller and enterprise admin. You can access the lab through Guacamole via a browser (the easiest method), VPN, or RDP. Although file transfer is straightforward, the lab is equipped with all necessary tools, so there’s no need to transfer anything.
The slides and lab manual provide commands for performing attacks using various tools such as PowerView, Mimikatz, BetterSafetyKatz, Rubeus, and Kekeo. There’s a dashboard to submit 40 flags, but the lab isn’t designed like a CTF. The flags represent information obtained through enumeration, privilege escalation, and lateral movement.
You can start your lab time within the given timeline. I opted for the 30-day lab subscription, which was sufficient to solve it twice and experiment further. AlteredSecurity support is quick to respond via email and Discord if any issues arise.
Course and Lab Tips
- Watch the Bootcamp videos first to thoroughly understand the concepts, then move on to solve the lab. The videos help clarify concepts and provide a walkthrough of the lab.
- If you prefer solving the lab independently, pause before the walkthrough. The lab manual PDF offers step-by-step instructions with commands.
- Take notes! Use a note-taking tool to record concepts and commands. These will be helpful during the exam.
- Don’t proceed with the lab unless you understand what’s happening behind the scenes. Understanding the concept is crucial to avoid getting stranded in the lab and exam.
- Re-watch the videos after completing a lab to ensure the methodology is clear.
- Create a concept and lab summary in your notes to have a clear mindmap of the attack.
- Keep checking the Attack Path diagram provided in the course material to understand your progress from point A to point Z during lateral movement.
- Install and test your BloodHound locally using the lab’s collector data before using it on the exam.
- Reboot the student VM if something doesn’t work.
- Note down error messages and their solutions for quick reference during the exam.
- Solve the lab at least twice using simple tools and once with a C2.
- Don’t waste time if you’re stuck. Check the lab manual or seek help from the Discord channel.
- If you have extra time after completing the lab, experiment with malware development or test custom tools in the lab environment.
- Make friends on the Discord server to discuss topics and questions with your peers.
Exam
The exam mirrors the lab environment, providing a Student VM in an “assumed breach” scenario with fully patched Windows machines. It is a 24-hour exam with an additional hour to transfer tools onto the exam machine. Any tool can be used, provided it’s explained properly in the report. There are five target servers across domains with different configurations and applications. The goal is to achieve OS command execution on all target servers, not necessarily with administrative privileges. However, compromising all machines and preparing a detailed, professional report is recommended. The report must be submitted within 48 hours.
If you’ve done the lab and understood the methodology, the exam should be manageable. Enumeration is the most challenging part. I started my exam at 10 AM on a Sunday and finished in about four hours. Local privilege escalation was easy, but moving to the next machine took time. I initially tried command-line enumeration but found it overwhelming, so I ran BloodHound and quickly compromised the first machine. The rest of the machines were straightforward if you’ve done the lab. However, my payloads were detected at the final stages, so I used a different AMSI bypass. Keep an eye on Twitter and GitHub repositories before the exam for the latest AMSI bypasses. I took screenshots while solving the machines and double-checked them for clarity and completeness. I then took a break and attempted other ways to compromise the machines. Afterward, I spent about four hours writing my report, which included a walkthrough with PoCs and remediation. I submitted the report the same day and received the result and certificate within a week.
Exam Tips
- Study your prepared notes.
- Plan your exam well in advance.
- Get a good night’s sleep before the exam.
- Prepare only the necessary tools in a zip file for easy transfer. Do not upload the entire “tools.zip” provided by AlteredSecurity for the lab.
- Reboot your VM or any problematic machine.
- Always dump hashes when compromising a user or machine.
- Take a screenshot of “whoami; hostname; ipconfig” as evidence of compromising the machine.
- Use BloodHound when stuck. Check every node, relationship, ACL, and trust.
- If stuck, create a quick diagram/overview of your attack path and lateral movement, then check if further enumeration is needed. Avoid potential rabbit holes and think realistically.
- Take short breaks, stay hydrated, stretch, and talk to people to refresh your mind.
Pros and Cons
Pros
- It is beginner friendly with no “try-harder” concept. It has a clear and guided approach to each concept and lab.
- Affordable, especially at $250, with engaging course material and active support. I bought it during a Black Friday deal for an even lower price.
- The engaging course material includes prerecorded videos, Bootcamp videos, lab walkthroughs, slides, a lab manual, lab infrastructure, and an attack path diagram.
- Insights on EDR-MDE and access to the MDE dashboard to observe logged activities and malicious tool triggers.
- Well-explained detection and defense techniques.
Cons
- Beginner-friendly approach might feel too guided for some.
- Some lab flag verification questions could be clearer.
- Insufficient emphasis on BloodHound, despite its potential.
- The lab manual could use more context before each lab to explain why specific commands are run and to clarify attack paths.
- No Linux-based machines in the environment.
- Evasion and AMSI bypass techniques could benefit from more practical examples, although they are in the “beta” phase due to their evolving nature.
Conclusion
I found the course to be an excellent introduction to Active Directory attacks and defenses. It helped me better understand the attacks I performed on HackTheBox and other platforms. I feel much more confident in using these skills in real engagements.
Resources
None. The course material is sufficient for the course, labs, and exam. Make notes of the concepts and create a cheat sheet while going through the course.
You can refer to my rough notes prepared during the course: CRTP Notes and Cheatsheet
Part 3 – Projected Gradient Descent (PGD)
Welcome to Part 3 of our blog series on Adversarial Machine Learning! In this installment, we will delve into the intricacies of the Projected Gradient Descent (PGD) method—a powerful iterative technique for crafting adversarial examples. We will explore how PGD enhances the Fast Gradient Sign Method (FGSM) by iterating and refining the perturbations, leading to more robust and effective attacks. I will also provide a step-by-step code implementation of PGD using PyTorch and compare the attack success rates of FGSM and PGD.
Manager – HackTheBox Writeup
Machine Name: Manager
IP: 10.10.11.236
Difficulty: Medium
Summary
Manager is a medium-difficulty machine that starts with enumerating usernames and password spraying them to log in to an MSSQL shell. The MSSQL shell was used to fetch a configuration file containing user credentials that were used to obtain the user shell. Privilege escalation consisted of abusing an Active Directory Certificate Services (AD CS) misconfiguration to issue an administrator certificate that was used to obtain the TGT hash and authenticate as administrator.
CozyHosting – HackTheBox Writeup
Machine Name: CozyHosting
IP: 10.10.11.230
Difficulty: Easy
Summary
CozyHosting, an easy machine, initially involves understanding its SpringBoot application, discovered through a generic error page uncovered during directory enumeration. Further exploration revealed sensitive SpringActuator endpoints, leading to the acquisition of a session token belonging to user KAnderson. Leveraging this token facilitated the theft of the user’s session, providing access to the admin’s dashboard featuring an exploitable SSH configuration. Exploiting the SSH configuration vulnerability allowed for remote code execution (RCE) and subsequent acquisition of a shell. The next step involved decompiling a JAR file, uncovering plain-text database credentials that enabled access to the Postgres database. Within the database, user hashes were uncovered and subsequently cracked to unveil the user password, granting entry as Josh. Finally, privilege escalation was achieved through an SSH sudo misconfiguration, facilitating the acquisition of an interactive shell as root via SSH.
AppSanity – HackTheBox Writeup
Machine Name: AppSanity
IP: 10.10.11.238
Difficulty: Hard
Summary
AppSanity is a hard-difficulty machine that starts with subdomain enumeration and manipulation of the registration process. Utilizing JWT for session hijacking, the journey led to SSRF and finally gaining a user shell through bypassing file-type restrictions. For privilege escalation, analysis of the ExaminationManagement.dll revealed a registry key, providing user credentials. Reverse port forwarding via Chisel unveiled the service on port 100, enabling exploitation of DLL hijacking to escalate privileges and eventually access an administrator shell and the root flag.
Keeper – HackTheBox Writeup
Machine Name: Keeper
IP: 10.10.11.227
Difficulty: Easy
Summary
Keeper is an easy machine which starts with logging into a Request Tracker dashboard using default credentials and discovering SSH user credentials. A KeePass database file is discovered which is then cracked using CVE-2023-32784. Although the credentials for root are obtained from the exploit, the password needs to be used along with a key to log into SSH. The key found is a PuTTY key which needed to be converted to OpenSSH key format to log in as root.
Chasing Dreams at TATA Mumbai Marathon 2024 – My Race Report
What once seemed an impossibility a year ago became my reality on the 21st of January, 2024. After a grueling four-month training block involving running and weight training, achieving a half-marathon personal best at 01:52:58 and a sub 03:55:00 on my debut marathon is still something I’m unable to process. In this blog, I aim to reflect on my unfathomable experience of running the Tata Mumbai Marathon 2024.
Sau – HackTheBox
Machine Name: Sau
IP: 10.10.11.224
Difficulty: Easy
Summary
Sau is an easy machine that starts with discovering a port that runs Request Baskets. The application is vulnerable to an SSRF, which led to the discovery that the Maltrail application running on port 8338 was being forwarded. The Maltrail application was vulnerable to an unauthenticated command injection. The RCE was obtained by chaining the SSRF to redirect us to the vulnerable “/login” page where the payload was injected. Privilege escalation involved abusing a sudo right to run systemctl as root.
Pilgrimage – HackTheBox Writeup
Machine Name: Pilgrimage
IP: 10.10.11.219
Difficulty: Easy
Summary
Pilgrimage is an easy machine which starts with identifying the ImageMagick tool that the target web application uses to shrink images. The tool is vulnerable to Arbitrary File Reads which enable us to fetch the credentials from a database file. These credentials were used to SSH and gain a user shell. The privilege escalation consists of exploiting Binwalk that runs inside a cron script.
Topology – HackTheBox Writeup
Machine Name: Topology
IP: 10.10.11.217
Difficulty: Easy
Summary
Topology is an easy machine which starts by exploiting LaTeX injection to read files on the server that contain password hashes. After cracking the password hash, it was possible to log in via SSH and obtain the user flag. The privilege escalation consisted of enumerating processes that are run by root. One of the processes being run by root executed “.plt” files in a particular folder to which the user had write permissions. Finally, it was a simple matter of looking up the documentation on running OS commands for that particular extension and using it to gain a shell as root.