Course
Review written: February 2025
Course Format:
The course reviewed is the Hack The Box Academy - Active Directory Penetration Tester path.
Course Materials:
This course material is online content, but some of the modules do have "cheat sheets" that you can download in PDF form. Only written format, no videos**.
Class size:
The online content is just for the student.
Lab Environment
The lab environment is NOT shared with other students as far as I am aware since you have to manually start each section's virtual machine.
Estimated cost:
At the time of this review, the course prices were listed as follows (Check the web site for actual prices!)
Required: 7100 Cubes
Reward: +1420 Cubes
Enterprise [contact them for more information]
There are several ways to get the cubes needed for this path: One way is to buy the cubes outright, another way is to get a subscription, and a third way is through "Enterprise" where it appears that you get unlimited cubes, but that may also be just our subscription level. Almost forgot, you can also refer people and get cubes (I had a link on the homepage of the site, but I commented it out because as a current Enterprise user I was not needing cubes).
My motivation:
I love active directory, and I really love learning new tips and tricks for exploiting it. Active Directory is so "deep" that I feel it is my weakest subject, and I always want to learn more (and if I am not learning a new technique, getting time practicing an old technique is just icing on the cake.)
Review:
The course:
I didn't go into a lot of detail on the topics that each module covers. Most of the "sections" have multiple subsections, and some of the skill assessments have multiple parts. When you skim through the data below it may seem that there isn't much content, but there is a huge amount of content.
As I have never taken a HTB certification test, I am more interested in writing my thoughts on the exam (without spoilers of course).
As for the course itself, the entire path is listed as Hard (but a few sections are listed as Medium). It has 15 modules and 253 sections so there is a lot of content, but there seems to be a fair amount of redundancy throughout the course with certain topics being covered in sections in multiple different modules.
I accessed the course through my corporate Hack The Box account, and was able to take all the modules over a period of time but I didn't keep track to figure out how long it took me.
The course page lists: "The Active Directory Penetration Tester Job Role Path is designed for individuals who aim to develop skills in pentesting large Active Directory (AD) networks and the components commonly found in such environments. This path equips students with the skills needed to evaluate the security of AD environments, navigate complex Windows networks, and identify elusive attack paths."
Active Directory Enumeration & Attacks
Listed as Tier II and Medium, this path was estimated to take 7 days to go through.
This section was listed like it was the building blocks for the entire course, but to me this section was kind of like an introduction to the other sections. I am not sure how to explain it other than that. There are password spraying sections, there are kerberoasting sections, ACL sections and a domain trust section. I always look to learn new things, and there were a few new tricks I picked up from here. The kerberos double hop section taught me a couple of new ways to accomplish solutions to it.
There are twelve sections and a skill assessment.
Active Directory LDAP
Listed as Tier III and Medium, this path was estimated to take 2 days to go through.
This was a good introduction to Active Directory and the LDAP searching. It covered topics such as "Rights and Privileges in AD" and "Microsoft Remote Server Administration Tools (RSAT)" as well as LDAP search filters and anonymous bind vs credentialed enumeration.
There are three sections and a skill assessment.
Active Directory PowerView
Listed as Tier III and Medium, this path was estimated to take 8 hours to go through.
This section covered enumerating Active Directory with PowerView and SharpView. Of all the ways I have learned to enumerate Active Directory, PowerView and SharpView are my favorite, although using dsquery.exe and ADModule are important to learn in my option too. This module covers: user, group, computer, ACL. GPO and trust enumeration.
There are two sections and a skill assessment.
Active Directory BloodHound
Listed as Tier III and Medium, this path was estimated to take 5 hours to go through.
This module is an introduction to BloodHound. I learned about BloodHound long after I had learned Active Directory enumeration through dsquery, PowerView, ADModule and SharpView so at first I wasn't a big fan, but I've grown to really like BloodHound over the years.
There are five sections and a skill assessment.
Windows Lateral Movement
Listed as Tier III and Medium, this path was estimated to take 2 days to go through.
The module lists: "The focus will be on various tools and protocols used for lateral movement, including RDP, SMB, WMI, WinRM, DCOM, SSH, and others." There is a lot of good information packed into this module.
There are six sections and a skill assessment.
Using CrackMapExec
Listed as Tier III and Medium, this path was estimated to take 2 days to go through.
The module lists: "This module will teach you how to get the best out of CrackMapExec (CME) through various interactive lessons and a final lab." When I first saw this module listed, I was thinking there would be a single section and just a few things listed. I was not prepared for the capabilities of CrackMapExec, because my previous exposure had been very limited. This tool is a whole lot more powerful than I imagined. There is also talk about NetExec in this module as well. And while this module concentrates on a specific tool and not necessarily the techniques behind the tool, getting hands-on with a new tool can be fun and rewarding. And I know people that use CrackMapExec/NetExec a LOT.
There are eight sections and a skill assessment.
Kerberos Attacks
Listed as Tier III and Medium, this path was estimated to take 2 days to go through.
This module teaches you various kerberos attacks against Active Directory. Roasting attacks, delegation attacks (constrained, unconstrained, and resource-based constrained delegation (RBCD), and ticket abuse. There is a lot of critical information to learn from this module. And some of the techniques are broken out into areas that teach you how to run the exploit from Windows and how to do the same exploit from Linux.
There are eight sections and a skill assessment.
DACL Attacks I
Listed as Tier III and Hard, this path was estimated to take 8 hours to go through.
The module introduction has the following: "Both attackers and defenders often overlook misconfigured discretionary access control lists (DACLs) within an Active Directory environment. For attackers, abusing misconfigured DACLs can allow not only horizontal and vertical privilege escalation and lateral movement within an AD environment, but can also lead to a complete compromise of the domain." That is so true. I always love to check for "interesting" ACLs because you never know where they will lead you.
There are two sections and a skill assessment.
DACL Attacks II
Listed as Tier III and Hard, this path was estimated to take 8 hours to go through.
This is part two of the Discretionary Access Control Lists (DACLs) overview covering more advanced topics.
There are six sections and a skill assessment.
NTLM Relay Attacks
Listed as Tier III and Hard, this path was estimated to take 2 days to go through.
This is a very fun module where you get to relay NTLM traffic to perform your attacks. Some advanced NTLM relay attacks are covered to include Kerberos and AD CS.
There are four sections and a skill assessment.
ADCS Attacks
Listed as Tier III and Hard, this path was estimated to take 4 days to go through.
This module focuses on privilege escalation attacks by abusing misconfigurations in Active Directory Certificate Services.This module covers a lot of the current ESC# attacks against Active Directory Certificate Services (ADCS). I have seen newer ones that aren't covered in this module, so this entire topic is constantly changing and will require additional research if you really want to stay current on ADCS attacks. I really like the layout of the module as it doesn't go in the numbered order of ESC#, rather it breaks it into sections like Abusing Certificate Templates, Abusing CA Configurations, Abusing Access control, NTLM Relay Attacks and finally it covers Miscellaneous ADCS Attacks.
There are six sections and a skill assessment.
Active Directory Trust Attacks
Listed as Tier III and Hard, this path was estimated to take 3 days to go through.
The two areas of focus are Intra Forest Attacks and Cross Forest Attacks and covers topics such as GoldenGMSA, ADCS, DNS Trust Attacks, Foreign Groups, ExtraSids, SID History Injection, SID Filter Bypass, and many more. Active Directory Trust Attacks is one of my favorite topics in the world of Active Directory. I have used various techniques, like the ones from this module, a number of times to jump ahead on CTFs and bypass intended methods, but these were always an ACE up my sleeve in the real world. I think this module was the only one where the skill assessment caused me a bit of trouble, but I was able to figure it out after doing more enumeration.
There are three sections and a skill assessment.
Intro to C2 Operations with Sliver
Listed as Tier III and Hard, this path was estimated to take 3 days to go through.
An introduction to Sliver covering setup, initial access, and lateral movement. I have used Cobalt Strike in the real world, and in training classes, but I haven't used other C2s that often, although I do try and test various ones from time to time just so I am not locked into only Cobalt Strike. This module helped me to get familiar with Sliver and I actually enjoyed it by the end. Shortly after this module, I was able to use Sliver in another course and I had so much fun with it there that I have a new respect for Sliver as a C2.
There are four sections and a skill assessment.
Introduction to Windows Evasion Techniques
Listed as Tier III and Hard, this path was estimated to take 2 days to go through.
From the introduction page: "This module is for students who want to understand how attackers evade antivirus, specifically Microsoft Defender Antivirus. It is highly recommended that you have at least basic knowledge of C# before attempting this course, as we will be developing a few custom tools." I enjoyed this module, even though it isn't as deep as some of the other "evasion" courses I have taken. It teaches some good concepts and has really solid hands-on requirements. However, I had a huge issue with this module but not from the content, but rather the module setup. They provide a development VM at the start, but you have to keep going back to it to work on your code, which made it very frustrating for me. I would have loved a link to that initial VM in each assessment area so I could spin it up if needed there instead of going all the way back to the start to spin up the development VM. To get around this, a lot of times I would write the code and just compile it on the target with csc.exe, but then I would run into a few issues if I didn't get the exploit right the first time. I was able to troubleshoot and get around all the issues I had, but I ended up firing up a development VM that I have to do some of my dev work on because it was a pain to keep switching modules because I had to terminate the assessment VM, then start the development VM, then copy my exploit out and terminate the development VM and start the assessment VM once again. But those were "me" problems and you might prefer it the way they have it setup. Either way, the material covered was very good and the skill assessments were challenging.
There are three sections and a skill assessment.
MSSQL, Exchange, and SCCM Attacks
Listed as Tier III and Hard, this path was estimated to take 3 days to go through.
I don't know why, but I have a lot of love for all the SQL stuff that I have learned and done over the years, so there should be no surprise when I say that I really had fun in this module even though SQL was only about a third of the content. Having Exchange and SCCM added in to the module seemed to make it even more fun. I did use the techniques I learned from the module to do the skill assessment, but I am not sure that I did it via the intended path. But a win was a win and I learned some really cool things along the way.
There are three sections and a skill assessment.
Misc:
**I have mentioned in other reviews that I do like to have videos to watch. Live training is just as good. As I was typing this review, HTB posted a link to an Instructor-led version of the path: https://cyberhelmets.com/product/cape/
I finished the Active Directory Penetration Tester path, and I was awarded a badge. I realized that that path was rather new, but I was still pretty shocked to have only been the 93rd person to complete the whole path.
An image of my Active Directory Penetration Tester badge looks like.
The Exam:
I am currently attempting the exam... will update when I am done!