The Course
Overview
The Certified Red Team Operator course offered by Zero-Point Security is an offensive security certification aimed at junior to mid-level penetration testers, with a focus on red team methodology and tooling rather than standard penetration testing. This means most of the content is centered around techniques that form the basis of an advanced threat actor's methods for compromising a target, and the usage of a C2. In the course the students get access to a fully licensed Cobalt Strike, which is an excellent selling point, as I am not aware of any other options for getting hands-on experience with this tool without paying for an eye-wateringly expensive license.
Course Materials
The course materials are presented online through a mixture of text and videos (mostly text). The course is split into distinct sections and the student's progress is tracked, so you won't forget where you were in case you take a break. I found that the content was generally well laid out and flowed nicely, although I did need to go back and forth between sections on occasion to revise what I had already seen. I think this is unavoidable though in our industry, where topics are so interlinked that lines become blurred and techniques cross over or build upon one another.
The pace at which information is presented to the student was OK overall. Some sections are definitely more info-dense than others, and in these instances I definitely recommend taking more time to get a decent understanding; I'd even go so far as to advise going over sections multiple times on different days to really let it sink in. Also, take notes! I know, writing notes on the stuff that you already have available to you at any time can feel pointless, but this small action really can help with understanding. It does for me at least.
The actual content is high quality too. No, you won't find any zero days in there, and yes, everything could be found for free somewhere else if you really wanted, but when you pay for a course you're paying for someone to collate all the information and present it in a uniform style that hopefully is beneficial to you, which I think Rasta has done quite well. And of course, you also get access to the lab.
The Lab
Importantly, this is not a challenge lab like, for example, Offensive Security's Proving Grounds. This is an accompaniment to the course materials, to be worked through as you go. It is for the people who learn by doing rather than just reading, which I suspect is most of us in this industry.
The student is provided with a private environment: attacking machines (Ubuntu and Windows) with a fully licensed Cobalt Strike and plenty of third-party tooling to complement it. In scope are a handful of Windows servers and workstations forming an Active Directory forest. By following along with the course notes the student will compromise hosts and domains through a variety of techniques.
The one big downside to this setup is that you don't get a VPN connection to the network; it is all done through remote access in your browser thanks to SnapLabs. I am not a fan of this, as it always feels slightly clunky and laggy. Maybe that is just me though, since I get a similar feeling when working in virtual machines on my computer too. Still, it is understandable that the access needs to be tightly controlled to prevent theft of the Cobalt Strike files, so in the end it is a fair price to pay.
The Exam
OK, so this is probably what most people reading this are here for. First, a disclaimer: I will not be disclosing any details of the exam that are not already in the public domain.
Overview
As soon as you schedule the exam you get access to a new Event on your SnapLabs dashboard, where you will find a short description and info about the scenario. Once you have read through this, and before your exam starts, you should prepare a Malleable C2 profile as well as any Aggressor scripts you will want during the exam. Also, as a word of warning: Defender and AppLocker are enabled throughout the exam environment, so be prepared for that.
If you have read carefully through the entire course I don't think you should have much of an issue getting to the six-flag pass mark. Everything you need is covered; you might just have to think about how to adapt things to work in the exam lab. Adaptability is key in our line of work anyway, so hopefully this doesn't scare anyone off! Getting the last two flags is just a matter of pride I suppose, as you have already passed, and the progression is linear so you won't get to this point without having the previous six. I've read a few other exam reviews and in almost all of them the author claims to have just stopped at this point, and I can't understand why. You are never going to come back to this exam, so why leave part of it untouched? I will say that getting the last two flags was, for me at least, definitely the hardest part of the exam and required some real out-of-the-box thinking. I'm not even sure if I did it the intended way, since I grabbed flag eight before seven! Whatever works though, right?
So what are my overall thoughts on the exam? It was fun and a good opportunity to show off what I had practiced during the course. I wouldn't say it is a super difficult exam, especially since flags seven and eight are not required to pass; it is more of a display that you have finished the course and understood the contents well enough to identify and apply the techniques as necessary.
Environmental Issues
One big negative of my experience that I must cover here is the lab stability. I started my exam at 10:30 on a Friday, and after some casual setup made decent initial progress. About midday though, things went downhill - stability horror. For the next six or seven hours I made glacial progress, not through any fault of my own. I knew exactly what I needed to be doing, but the lab environment was not playing nicely. Beacons were laggy, in some cases taking up to four minutes to return a response regardless of sleep time. Sometimes they would just die completely for no apparent reason. I would also encounter authentication errors or Service Control Manager errors all over the place despite having appropriate permissions. I rebooted the lab multiple times and even did a complete revert, which meant going through all the setup again. Nothing helped, and I seriously started thinking I would get no further. Then suddenly, at around 20:30, everything started working. Lag was almost entirely gone, the mysterious authentication gremlins had disappeared and I was able to proceed.
The reason I highlight these issues is to hopefully reassure anyone who encounters the same instability. Yes, it is very frustrating having your time wasted, but remember you have forty-eight hours spread over four days. That is actually way more than you need for this exam, so try not to stress. If you run into problems, switch the lab off, take a long break and come back. You might even try just leaving the lab running for a few hours in the hope that it unclogs; you have enough time to do so. I would say if problems persist for more than a day then it is time to contact Rasta through the official email address and see if he can do anything to help.
Final Tips
- Maybe don't start it on a Friday?
- If instability does hit, don't panic. Wait it out (hopefully your schedule is pretty clear for at least a couple of days just in case).
- Make sure you've read the entire course. There are some useful notes that aren't explicitly demonstrated in the examples but can get you thinking on how to adapt some techniques.
- Set up persistence mechanisms. You don't want to be going through the entire attack chain again every time you take a break or accidentally lose a beacon!