
Review of Pentester Academy - Attacking and Defending Active Directory Lab

A few months ago I didn't know what Active Directory was, or why I should care about it, and I had never heard of ACL abuse and the like. Although I had attended a BPAD (Breaking and Pwning Active Directory) training provided by Nullcon, I was not confident enough to go for this course's exam, since my day-to-day activity involves VAPT work related to Web/Network/Mobile and sometimes basic malware analysis (very basic :p). I started doing the Offshore lab and took help from some friends in understanding a few Active Directory concepts. I made many silly mistakes during the lab and learned a lot. Meanwhile I registered for the Active Directory Lab course and got it at a discounted offer for the first 50 students, about 11k INR (1 month lab access) :). Without wasting any more time, let's dive into the review.

The course -
Certification - Certified Red Team Professional

The Course Content -
After paying the course fee, you will get the course content, which contains -
1. Videos explaining AD pentesting concepts
2. Videos with walkthroughs of the tasks
3. Lab guide containing walkthroughs of the tasks
4. Lab access (you can start your lab access within 90 days from the day you bought the course)

The videos have good-quality content explaining everything in detail, and the whole course is beginner friendly.

The Exam -
The exam is 24 hours long and takes place in a completely dedicated exam lab with multiple misconfigurations and hosts. You are required to use your enumeration skills and find ways to execute code on all the machines. There are 5 systems in scope, excluding the student machine. You will get a VPN connection along with RDP credentials for the student machine, which will be part of the domain. I can't disclose much information on what needs to be done, but you will definitely figure it out if you have gone through all the tasks and videos taught in the course. You need to gain code execution on all 5 systems. However, there are exceptions: if you manage to hack 3-4 machines and write a great report with all the steps and practical mitigation techniques, then you are one step closer to cracking this exam. It took me 24 hours to pwn the machines, which varies from person to person, as some of my friends have done it within 4-5 hours. You will have to prepare a good report containing the steps as well as practical mitigations for each attack. You are free to use your own report format, but it should contain all the information about the commands and tools used to gain access. You get 48 hours on top of the exam time to prepare the report.

Certification -
I got my result within two days of submitting the exam report. Below is a sample of the mail you receive when you pass the exam -

Just after this mail, I received an appreciation mail from the author Nikhil Mittal (course instructor) for writing a good report. I strongly recommend writing a summary on the first page of the report describing your approach to pwning the machines. Below is the mail which made my day -

Although my report was short, it had all the information that was required. I strongly recommend writing a detailed report if you have hacked fewer than 5 machines in the exam lab.

Tools that can help you during the lab or exam -
1. PowerView
2. PowerUp
3. PowerUpSQL
4. Nishang
5. Powercat
6. Netcat
7. HeidiSQL
8. Kekeo
9. Mimikatz
10. BloodHound
11. wmiexec

You are free to use any tools you want ;) Just mention them in the report.

Some Resources -

Summary -
I have learnt a lot from the course and recommend it to everyone who wants to brush up their AD pentesting skills or who wants to begin with AD pentesting. The course is beginner friendly, and the exam tests your basic concepts.

If you are a red teamer and want more fun and torture, then you can surely go for the other course - Advanced Red Team Lab ( ). A very good review was written by my friend Chirag Savla, which can be found here -

Other reviews of the Active Directory lab -


  1. Congratulations! Would love to chat to you more about this - where can I reach you?

    1. Thanks ..
       @hexachordanu on Twitter/Facebook/LinkedIn :)

