Certified Azure Red Team Professional (CARTP) by Pentester Academy – exam review

After the four-week bootcamp from Pentester Academy, including lab access and live sessions with Nikhil Mittal, I decided to take the CARTP exam and successfully passed it by compromising all resources in Azure. Prior to the bootcamp I had some experience with Azure RM, but quite limited experience with AAD. Additionally, I’ve done CRTP before, which I found extremely useful for how to approach and prepare for the exam (read more about my experience with CRTP here).

The CARTP exam took me around 4 hours, and the reporting another 3 hours. In this article I’ll talk about the lab, taking notes, exam, reporting and resources. If you want to talk about it, you can write to me on Twitter @msd0s7.

Before we get started, make sure you check my other articles about Azure Security that will help you understand some of the vulnerabilities in depth:

1. Lab

The lab access was granted once the bootcamp started (around the same day as the first live sessions, as far as I remember). I found it easy to connect to the student VM using the browser; all the tools needed for the attacks were already there and working, just like it was the case with CRTP. I think this is an underrated aspect of this course: everything is working very well and I didn’t have to spend time installing tools, dependencies, debugging errors and all the shit.

The lab was very well aligned with the PDF and videos, such that it was possible to follow them step by step without issues. There were some minor typos in the PDF regarding some commands, but overall things went quite smoothly. The bootcamp had a Discord server where all the people taking the course could communicate and ask for help. Nikhil was also very responsive in the chat during the four weeks, which was very nice if there was any question that needed to be clarified.

Personally, I didn’t have any technical problems with the lab, but there was technical support available if for some reason some of the attacks did not work.

There were 50 flags to be collected, at which point it is possible to get the Certification of Completion of the Lab, which is different from the certificate we get for passing the exam. On top of the 50 flags, there is also a CTF flag for those interested – I didn’t have time to look into that so I can’t say too much about it. Some flag descriptions were a bit confusing and I couldn’t figure out what exactly they were asking for, but after some trial and error + help from Discord I got all 50 of them.

While the lab itself is dedicated to Azure and Azure AD, the challenges involve knowledge about web apps, Active Directory, enterprise setup, CI/CD, phishing, etc. I liked that the lab was set up to replicate real-world organizations over multiple tenants, with on-prem integration – very cool setup! Also, since I’m more of a “visual” person (I like to see diagrams), there were four different “kill chain” diagrams which made it easy to follow the attacks and paths that we follow. They helped me a lot during the preparation for the exam.

On the downside, I found it difficult to follow the Lab Manual, as the chapters were alternating between kill chains, which can be very confusing to grasp, but I understand why it had to be like that. I liked the Illicit Consent Phishing part, but I was struggling a bit with the other phishing attack and I found it a bit unrelated to the Azure topic. Lastly, the Pass-the-Certificate attack was not covered anymore (Microsoft fixed it), and the Data Mining, Defenses, Monitoring & Auditing part felt a bit short and not as well covered as the offensive part. Attacks that granted us Global Admin were not possible in the lab, otherwise Pentester Academy would risk losing control over the lab, but they were explained in the Lab Manual.

2. Notes

Overall I took notes about the following:

  • Where to find creds
  • What to enumerate
  • How to pivot
  • Bypasses
  • How to use creds/tokens

3.1 Finding Creds

  • Tokens from managed identity (all CKs)
  • PowerShell history (CK1)
  • Secrets in vault (CK2)
  • Password in userdata (CK2)
  • Pass the PRT (CK2)
  • PowerShell transcripts (CK2)
  • Add own pass to enterprise app (CK3)
  • Vault pass (CK3)
  • In public blob (CK4)
  • Deployment template (CK4)
  • Mimikatz (CK4)
  • Create new user (CK1)

3.2 Enumerate & Pivot

  • enumerate all resources
  • enumerate all users
  • check objects owned
  • check roles on automation account
  • check if webapp has managed identity
  • check permissions of managed identity
  • check which users/group has access to resource
  • check OS/IP of vm
  • check permission on specific resource
  • check if custom script extensions are installed
  • list enterprise apps
  • check deployment template
  • check dynamic groups
  • check for application proxy
  • check users that can login to app proxy

3.3 Bypasses

  • login with mobile user agent
  • change secondary email of guest to get in dynamic group
  • login to web portal
  • login to CLI

3.4 Creds/Token usage

  • Az PowerShell
  • AzureAD / AzureAD Preview
  • Az CLI
  • Azure API


Az PowerShell

PS> Install-Module -Name Az -Repository PSGallery -Force
PS> $passwd = ConvertTo-SecureString "Password" -AsPlainText -Force
PS> $creds = New-Object System.Management.Automation.PSCredential ("user@tenant.onmicrosoft.com", $passwd)
PS> Connect-AzAccount -Credential $creds


AzureAD / AzureAD Preview

You may not want to install the AzureAD module, as it may interfere with AzureAD Preview; importing it instead lets you easily switch between them in different PowerShell windows, based on which one you prefer to use.

PS> Import-Module AzureAD.psd1
PS> $passwd = ConvertTo-SecureString "Password" -AsPlainText -Force
PS> $creds = New-Object System.Management.Automation.PSCredential ("test@tenant.onmicrosoft.com", $passwd)
PS> Connect-AzureAD -Credential $creds


Az CLI

Download the .msi installer – setting an env variable may be required.

PS> az login -u test@tenant.onmicrosoft.com -p Password

Azure API

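# Call an Azure REST endpoint with a bearer token obtained earlier
$Token = '<token>'
$URI = '<endpoint_url>'
$RequestParams = @{
    Method  = 'GET'
    Uri     = $URI
    Headers = @{
        'Authorization' = "Bearer $Token"
    }
}
# List endpoints return their results in the .value array
(Invoke-RestMethod @RequestParams).value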
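
Login commands like the ones above put the password on the command line, where it is saved to PowerShell history and transcripts, two of the credential sources listed in 3.1. The audit script below is an added example, not part of the original notes: it flags such lines in history text and redacts the secret. The function name Find-PlaintextSecret, the two rules and the sample lines are constructed for illustration.

```powershell
# Added example: flag history lines that embed a password, and redact the secret.
# The rules mirror the login commands used in these notes (illustrative, not exhaustive).
$Rules = @(
    @{ Name  = 'ConvertTo-SecureString -AsPlainText'
       Regex = '(?i)^(?=.*-AsPlainText).*?ConvertTo-SecureString\b.*?(?<secret>"[^"]+"|''[^'']+'')' }
    @{ Name  = 'az login -p'
       Regex = '(?i)\baz\s+login\b.*?\s(?:-p|--password)[\s=]+(?<secret>"[^"]*"|''[^'']*''|\S+)' }
)

function Find-PlaintextSecret {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string[]]$Line
    )
    begin { $n = 0 }
    process {
        foreach ($text in $Line) {
            $n++
            foreach ($rule in $Rules) {
                $m = [regex]::Match($text, $rule.Regex)
                if (-not $m.Success) { continue }
                # Replace only the captured secret so the finding can be shared safely
                $g = $m.Groups['secret']
                [pscustomobject]@{
                    LineNumber = $n
                    Rule       = $rule.Name
                    Redacted   = $text.Remove($g.Index, $g.Length).Insert($g.Index, '<redacted>')
                }
            }
        }
    }
}

# Constructed sample history lines (not taken from a real host)
$sample = @(
    '$passwd = ConvertTo-SecureString "Password" -AsPlainText -Force',
    'Connect-AzAccount -Credential $creds',
    'az login -u test@tenant.onmicrosoft.com -p Password',
    '$passwd = Read-Host -AsSecureString'
)
$sample | Find-PlaintextSecret | Format-Table -AutoSize -Wrap
```

To audit a workstation, pipe its history file in: `Get-Content (Get-PSReadLineOption).HistorySavePath | Find-PlaintextSecret`.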

3. Exam

I don’t know if there are different versions of the exam, but what I can say about mine was that overall it was straightforward, no rabbit holes, and nothing that was not covered in the Lab/Bootcamp. It took me about 4 hours, and that includes the one hour when I got stuck for no good reason other than overlooking some information. My advice:

  • Do the lab and take notes. It’s better to find out during the lab that some commands may not work, rather than during the exam
  • Pay attention to details, don’t overlook
  • Make sure you know how to exploit a resource, what info you can get, and how to use it further
  • Make sure you have coffee, the kill chain graphs and the Lab Manual ready

Good Luck!
