As I write this, it’s the morning of March 20th, 2021. Today marks one year exactly from the day the pandemic really began for me. One year ago from today, I returned home after getting kicked off the Appalachian Trail, woke up in the comfort of my apartment, shaved my gnarly AT beard, poured a shot of espresso, and asked myself, “where do I go from here?”
I had little information to go off. I mean, so did everyone else, really. But I was still piecing the puzzle together after being out of cell phone reception during the initial outbreak. A few days passed of restless pacing about the apartment as we waited for word on whether the pandemic would be handled decisively and life could return to normal.
I kept my AT pack by the door in case that word came in.
Well, spoiler alert, that didn’t happen. So after a few weeks, the reality set in that I wouldn’t be heading back to the trail any time soon.
As the saying goes, “Never let a good crisis go to waste.” I had enough money saved for the AT to stow away in my apartment for an extended time, even without a source of income. Once I unpacked my desktop and got it up and running again, I turned my sights on a list of short to medium-term goals. The idea was simple: skill build.
First item on the list: eLearnSecurity Penetration Tester Professional and the eCPPT certification.
I had planned on doing this cert after returning from the AT, so I ended up knocking it out a lot sooner than I had anticipated. Check out the review for more information; in short, it was a great course that built a lot on the skill base from earlier courses.
With eCPPT knocked out, I was primed for the next evolution: eCPTX, eLearnSecurity Penetration Tester eXtreme. I received a voucher from eLearn’s partnership with VetSec for the eCPTXv1 course, which was updated to eCPTXv2 before I tested for the first time (yes, tested for the first time. More on that later).
What follows is my collection of thoughts about the course and the exam. I’ll give you a TL;DR right here:
eCPTX has incredible course material but falls short on delivery, probably by limitation of the medium. The labs are an absolute must; do not skip them. The exam is brutal, and, in my opinion, you are an actual god if you pass it on the first try. For the rest of us mortals, it might take you the free retake. It took me three attempts total. It was worth it.
The Course
You may be wondering, what sets eCPTX apart from the rest of the certs out there?
There’s a sentiment in the red team/pentesting community that I think is pretty accurate when it comes to Other Sorts of Certification Programs.
You know the ones. The lauded, name recognizable certifications that everyone likes to worship. My take on these certs is that there may be some value to them, but they don’t teach much about the most integral parts of the field of security assessment in the long run.
eCPTX centers on one of the most complex and interesting parts of the field: the abuse of misconfigurations in Active Directory and critical internal infrastructure.
Active Directory checks all three boxes for what I refer to as the Unholy Trinity of Cyber-Insecurity: it is complex, it is everywhere, and it is closed-source. Naturally, with any sufficiently complex system that lots of people use, lots of attention is paid to it and lots of bugs are found. Internal red teaming benefits greatly from the myriad ways Active Directory can be exploited through these bugs.
eCPTX begins by teaching Social Engineering tradecraft, which I found equal parts fascinating and confounding. Initially, I tried sitting through the slides in sequence to absorb the material but found it impossible after a few sessions.
This is the principal flaw with eLearnSecurity’s teaching method this time around: in eCPTX, the material is so technical and in-depth that a 300+ slide PowerPoint just can’t do the trick for me. I think my traditional approach to coursework was faltering here; I tried to do the same thing I did in eCPPT: to view the slides in order, take notes, and then do the lab. Eventually, that became impossible due to my inability to absorb the material.
So I started treating the slide deck like an index: if I was interested in a particular subject or was running into something in the labs that I needed help on, I looked it up in the slide deck, read more, performed some follow-on research, and kept moving.
The videos help. The references are astounding. But the approachability of the material on the slides for this course just seems to fall short. I think you’d be hard-pressed to find a self-paced, online course that teaches this depth of material effectively, and this may be a limitation of the medium, but it was still my number one complaint about the course. The strata of the subjects of eCPTX might be well into “you really need a skilled practitioner in the room to teach you this level of stuff” territory. I’m not sure if that’s exactly true, but it seemed to be the main blocker on the road to the certification for me.
And that is not to say the material is not valuable in and of itself. Like I said earlier, I now think of it as an index. If I need help figuring out how to develop a custom-built macro that will evade AV detection, I will break out the eCPTX slides and read up on that section. The same goes for the Active Directory Recon and Exploitation section, which I have referenced on more than one occasion now. Same goes for the Defense Evasion section.
My point is, my initial approach of trying to sit through the slides attrited my attention down to a pulp. So, for me, switching up my method and using the course slides as an index worked much better.
I’ve alluded to the course subjects’ level of depth, but it bears repeating: this is a craftsperson’s course. The technical nature of what you’ll be learning in eCPTX is astounding and really scratched the intellectual itch for me. From macro-enabled reflective PE injection to setting up Phishing infrastructure, from enumerating trust relationships in Active Directory to forging cross-domain tickets, these truly are the arcane magiks of red teaming. Even though I found the material hard to absorb, it still did one of my favorite things about courses like these: it further removed that “user of technology” lens that I see the world through. Never again will I look at an Active Directory environment and say “yep, this is all fine!” eCPTX has destroyed that world view for me and I’m thankful for it.
The course material falls short on delivery, but if you treat it like a Necronomicon of sorts and open it up to find some specific method right when you need it, you may find that you get the most value out of it. The same cannot be said for…
The Labs
The labs are mandatory. Full stop.
If I had to strip-mine the course material for value, the labs were a pre-established quarry. Come in, put in the work, and you will leave with something of value.
eLS did something pretty cool with one set of labs: in the Active Directory exploitation labs, the first lab is a dedicated walkthrough. And complicated and dense as this first lab is, I got a ton of value out of the guided tour of initial AD exploitation here. This, to me, is a marked step away from Try Harder towards my favored approach: Teach Harder. I applaud them for taking this step.
This first lab explores Active Directory trust exploitation with BloodHound, using Covenant as a C2 to perform internal red-teaming, forging inter-realm Golden Tickets, and touches on lateral movement via C2 functions. I’m a huge fan of Covenant, so I was thrilled to see it used here as the primary C2 alongside MSF.
The other two AD labs are integral as well. Again, there are some lab-isms here, but I still approached them as guided walkthroughs by going right to the solutions.
This course’s true value lies in these Active Directory labs and the two labs that center on critical infrastructure red teaming. Unfortunately, there was no lab for Red Teaming Microsoft Exchange servers, but thanks to HAFNIUM, that shouldn’t be a problem now 😉
The ultimate question with courses like these is always: “after the labs, will I be ready for the exam?” I’m not sure I know the answer to this. For me, I did the labs diligently and still failed my first two attempts. As a general rule, when you sit down for the eCPTX exam, you should be able to use a C2 framework to play Active Directory abuse vectors like a fiddle.
Not a violin, a fiddle.
As a non-exact litmus test, ask yourself the following questions to gauge whether you’re comfortable enough with the material to attempt the exam:
- How does Kerberos work and what is (are) its principal flaw(s)?
- How would you enumerate Active Directory trusts?
- What is your comfort level with custom exploitation development? What are the programming/interpreted languages that are used for custom exploit development most frequently?
- Why does the NTLM hash of the krbtgt account matter?
- Can you pass the hash with a NetNTLMv2 hash? If not, what else can you do with it?
- Can you describe what reflective injection is and why it’s a favored red team technique?
- What is one method to exploit GenericWrite privileges that user A has over user B? What is the noisiest method? What is the least noisy method?
- What service can be used to forge a silver ticket to access a target host’s file share? What do you need to forge a silver ticket in the first place?
- What is Rubeus used for? How can it be used to exploit unconstrained delegation? What else do you need to perform the exploit?
- Are you comfortable pivoting once? Twice?
The above represents a whole bunch of concepts that I picked up during eCPTX. They obviously don’t map one-for-one to what you end up doing on the exam. Still, generally speaking, you should be very comfortable knowing the answers to the above and performing the technical tasks associated with them. It’s a lot to handle. But if you’re up for it, continue on to…
The Exam (for me, the Exams)
Keep reading to get exam spoilers! All the solutions are at the end of this article. I promise.
After three attempts over a five-month period, I passed eCPTXv2 and got the shiny cert!
What the exam asks of you, in my opinion, is brutal. You have 48 hours to take down multiple Active Directory environments. It’s a siege. It’s an exercise in performing exploitation, managing C2 supply lines, getting the right input into the right place at exactly the right time, constant enumeration, constant evaluation. Into the breach, boiz!
I experienced something on this exam that I’d never seen before: rabbit holes that actually end up being the solution. What on earth could I mean by this?
When you fall down a rabbit hole on Other Similar Credential Paths, you might end up burning hours on some part of the exam that ends up having no relevance at all. Frustrated and tired, you press onto another area and find the way forward.
In eCPTX, that rabbit hole actually ends up being the solution. It just happens to be tough as hell to figure out. No, you’re in the right area. You just haven’t figured out the leverage point yet.
It’s frustrating for sure. But here, strategically failing is actually a great option. The exam environment did not change between my exam attempts, so every time I got back in the ring, I had the chance to start with the progress I had made that far and keep going. You get the eLS free retake and I highly recommend cashing in on it.
Doing everything the exam asks of you in one try, in 48 hours, would be superhuman. So for the rest of us mortals, try failing forward by getting as far as you can the first try, then come back for the retake.
Unfortunately for me, even the retake couldn’t get me there. I got hard blocked at the end of my second attempt and ran out of steam. Months would go by before I attempted the exam again. I studied more AD abuse vectors, did Pentester Academy’s Certified Red Team Professional course to solidify some areas where I was having trouble, and recreated the part of the exam where I got stuck in my home lab. After I figured out my sticking point, I got another voucher and sat down for the exam one final time. And even at that point, it was still an uphill battle to finish out.
But rest assured, by the end of the night, I had all of the things needed to satisfy the win condition. I rolled up the report, submitted, and received the notification I had passed.
Conclusion
A cert about a year and three exam attempts in the making; it was a wild ride, and I’ve made serious revolutions in my skills as a red teamer since I started tracking this beast. With diligence in the labs, a few tries and failures, and some supplemental learning along the way, I can say I’ve learned more than I ever thought was possible about how many ways internal environments can be destroyed with the targeted application of red team tradecraft.
Was it worth it? Probably. AD exploitation is not going away any time soon. If anything, as more attention is paid to the significant flaws in AD, there will only ever be more ways that it can be leveraged to take down networks.
In closing, do not take this course lightly. It is full of diamonds, but you will have to roll up your sleeves if you want them. Stay safe, stay healthy, be good to yourself and each other, and keep hackin.
Oh, what’s that? You wanted the exam solutions? Well, here you go:
You are the exam solution. It’s been inside you the whole time. Just jump in and fail forward. 😉