OSEP PEN-300 review - Evasion and Breaching Techniques

Burn baby burn!

Welcome to my blog, my fellow humans. After completing the OSCP certification a few years ago, I began searching for a specialization in penetration testing and discovered the PEN-300 course from Offensive Security. Although this wasn’t my first Active Directory certification, it was by far the best one I have taken. The PEN-300 course provides a strong foundation on top of the OSCP and teaches the basics of Active Directory before diving into red teaming. While the OSCP teaches the mindset of how to attack vulnerable systems, the PEN-300 teaches how to attack and compromise hardened systems. The course also covers advanced topics such as antivirus evasion, creation of stealthy shellcode, post-exploitation techniques for Windows and Linux, and lateral movement. Given my limited understanding of the differences between Rubeus hash types, the PEN-300 course was a no-brainer for me.

What was really a step up from the OSCP course was their course materials and their respective exercises. It gave you a good playground to really make sure what you have learnt is reinforced. Each of their course modules was paired with a dedicated lab environment (you could also just spin up your own Windows machines, provided you have the required tools), so it was quite easy to practice what you have learnt from the course module.

Let’s get a fire going!

Like the typical OSCP, this course too comes with a behemoth-sized PDF together with approximately 20 hours of video. But ever since they revamped their platform, with the contents laid out in a more interactive manner, it felt easier to go through the content than to get RSI from scrolling through the PDF pages in Adobe Reader, because with today’s inflation, we’d go broke paying off medical bills, right?

The first part of the course carries you through basic exploit development concepts and also AV evasion techniques, with an emphasis on C# (PInvoke) and PowerShell. Though I can barely code, I felt like this course really enforced the learning here! It covers the basic concepts and also briefs you on how to build your own exploits without gouging your eyes out. It was very easy to follow, and provided you put in some effort, you’d be writing novel exploits such as process hollowing shellcode runners that bypass AV and encrypters using C#. A few other modules that were really informative were “Advanced Evasion” and “Application Whitelisting”. They discussed these simple concepts but carry you through the path of building your own bypasses by using the vast network that connects computers all over the world, also known simply as the internet. I truly enjoyed the AMSI bypassing module (although I forgot the majority of it, I’ll surely remember it when the time comes. Surely). Another one that drove me to sanity was the “Applocker bypass” module, but more so on the challenge labs. I felt like Isaac Clarke in Dead Space (great game, btw). But jokes aside, Offsec has put a lot of heart into this course, as everything was engaging to learn and it also provides you with a good base to think better.

There were also a few more course modules that were really interesting, but I never had enough time to digest them or incorporate them, as I don’t work as a pentester or a red teamer: “Domain Fronting” and “Kiosk Breakouts”. They were a nice addition to the course, as I’ve never seen these taught elsewhere.

The latter part of the course discusses post-exploitation methods and lateral movement in an Active Directory (AD) domain. There are a lot of techniques covered here, and they also overlap with other “Red-Teaming” courses, like moving laterally via MSSQL exploitation, and also understanding what Kerberos is and how to leverage it offensively. Whilst I’ve learnt these things before, both at work and from other security courses, these things might be new to some people, and the learning curve varies for everyone; this course keeps the W rizz going with some good teaching.

The MSSQL exploitation module was amazing; no word describes it better. I learnt so many things from it, ranging from compromising from external to internal, to performing impersonation attacks and compromising linked servers. Another piece of content that I’ve not seen taught elsewhere from A to Z.

For me personally, what I really enjoyed learning in this course was how to code offensively using C#; I spent a lot of time in these modules. It covers and works heavily with Win32 APIs, exploiting client-side attacks via phishing and obliterating AMSI, all while executing your shellcode in memory using PowerShell.

I’m on fire!

So, you might generally ask, “What is it that you learnt from this course, my guy?” I’d like to say nothing, but then my company might frown at me ¯\_(ツ)_/¯

As mentioned prior, I enjoyed bypassing AV and intentionally dropping shellcode on disk with Defender turned on, as it made me feel badass. Most importantly, it taught me how to compromise things with good attack chains, keeping evasion in mind, and also why you are doing such a thing, rather than just doing it for the sake of it. I also really enjoyed the MSSQL exploitation in this course; the impersonations and exploiting linked servers were fantastic from beginning to end.

We don’t practice OPSEC here

Me

To add, I definitely wouldn’t recommend this course to a complete novice, but if you have some moderate knowledge of Active Directory and Windows, it should be good, provided you’re willing to put in the effort to learn.

Wanna play with fire?

Here is where everything gets really cool, provided you have survived the course contents and still love Windows. Once you feel you’re prepared for the exam, Offsec provides six challenge labs together with the course that mimic a black-box engagement, each consisting of multiple target machines within an AD environment. What was cool about it was that every challenge lab focuses on something specific you learnt throughout, so ideally if you have completed all of them, or at least a few of them, you’d have a good idea of what might be in the exam. I cannot state how important it is to complete these labs before doing your exam! As I was only able to complete three out of the six challenge labs, reflecting back after completing the exam, I was quite sure that if I hadn’t completed even those, I might not have made it and my manager would have called me a N00B.

Make sure to also be part of their Discord, not because you can hint your way to solving these challenge labs, but to use it to find alternative paths and see how people compromise things differently! It really gives you a healthy mindset when seeing the bigger picture!

Everyone has different ways of doing things, but as personal advice, I’d like to state that there are a few tools that are must-haves or must-knows to make things easier for you before you go broke investing in new keyboards or even monitors…

  • Bloodhound - This is a no-brainer when it comes to Active Directory recon; without it, an alternative may be PowerView (I think?), but why make life difficult
  • Impacket - Python tools that allow you to leverage network protocols like SMB
  • Chisel/sshuttle - if you are bad like me and forget how to set up a SOCKS proxy using Metasploit, Chisel is your best friend
  • Rubeus - Part of the attacking toolset, for use in various Kerberos delegation attacks
  • Mimikatz - everybody loves dumping creds like they love dumping their toxic girlfriend/boyfriend
  • PowerSploit - for Active Directory enumeration
  • MSSQL-Attacker - C# tool that can be used on disk without AV moaning at you, to carry out common MSSQL database attacks.

The Exam

For some odd reasons, or maybe even even reasons… I tend to book my exam time early in the morning. But anyway, there’s not much to talk about here except that the exam is 48 hours, with 24 hours to write the report. The objective of the exam was also not your traditional “compromise DC and yolo swag 420 blaze the domain admin”, but they incorporated a CTF-style concept where you either obtain a secrets.txt from a specific server or alternatively meet the required passing score for the exam, which is 100 points, by obtaining the local.txt and proof.txt flags.

I successfully obtained 13 flags across the two-day period and eventually called it a day, as I was getting really eager about the Dead Space remake.

After a few days of crying and moaning about why my payloads don’t work and why I can’t turn off Defender using the command line, I got my email confirmation that I passed the exam in the early morning of Saturday, and I went back to bed with peace of mind.

Outro

I’d like to state that this course is genuinely well made and far better than the OSCP, in terms of the experience as a user and also in reinforcing the concepts being taught and implemented. It had a bit of everything and something new. I learnt heaps of new things that I wasn’t aware of from other courses. Doing this course helped me personalize my own offensive tradecraft and how to drop things onto disk to frustrate people, and most importantly it made me love Metasploit all over again. If you’re seriously looking for an extensive but informative course that teaches you things in a way that lets you implement them in a unique way, PEN-300 is definitely worth it.