CARTP Course Review

Posted on 2023-11-30 by Nathan Jarvie in Industry

So, what does a certification addict do when he’s bored? He starts a new one!

This time I completed the Attacking and Defending Azure Lab and the accompanying Certified Azure Red Team Professional (CARTP) exam by Altered Security. Working my way through the provided labs, watching all the videos, learning all the things.

Was it worth it? (spoiler alert) Absolutely!

Let’s dive into the good, the bad and the ugly of pentesting Azure!

Introduction

At the time of writing, I have been a penetration tester for about 2.5 years, and before that I was a systems administrator for nearly a decade. It has been hard not to notice the trend of businesses becoming more and more reliant on cloud products, particularly those offered by Microsoft. I am alluding, of course, to Azure.

It is a rare thing now to perform a penetration test on a business not using at least some of the Azure suite. Whether it be integration with Entra ID (formally Azure Active Directory) to allow seamless user management between on-premises and cloud infrastructure, or utilisation of Microsoft InTune for device management. Security professionals cannot afford to ignore the power this platform holds over businesses, nor the consequences of its compromise. As such, inclusion of cloud services in infrastructure penetration tests is now almost a given.

While this makes a lot of sense, it left me in a bit of a bind: I don’t know anything about Azure.

And if I don’t know anything about it, how am I supposed to test it?

I got lucky a few times. I would compromise an internal environment, jump on the Domain Controller and rip the Global Admin password for Azure straight off the box. Easy Peasy. But sometimes, it isn’t so easy. Sometimes I get credentials for users that have no access internally. They have some access to Azure resources, but I don’t have any idea on what to do with that. After hours of googling and testing I might get somewhere, but I still don’t know what I’m looking at.

I need to do something about this. So I turn to what I do best…. certifications.

Enter the Certified Azure Red Team Professional by Altered Security.

What is it?

This course is designed to demonstrate different attack vectors for Azure, and how misconfigurations of user roles and object permissions can lead to compromise of the tenancy, and in some cases even allow pivoting to the on-premises network.

Designed and taught by Nikhil Mittal, you are guided through several different attack paths in order to compromise the target tenancy. Working your way through enumerating permissions, targetting particular users, and bypassing protections in order to achieve your goal.

You can read more about the course and it’s syllabus on the website.

  • https://www.alteredsecurity.com/azureadlab

Who is it for?

The course description labels it as “beginner”, but I would argue that you should have a good understanding of penetration testing techniques before you jump into this. It is more like a primer for Azure for intermediately skilled penetration testers or an experienced Azure systems administrator.

It is a beginner course for pentesters who know nothing about Azure, and would not be a great place to start your journey if you are new to the field.

In saying that if you do have a solid understanding of pentesting Active Directory or Azure administration, the course does a great job of covering all the bases to get started in securing Azure. It greatly compliments and builds upon the skills of those who have completed CRTE or CRTO (Both of which I HIGHLY recommend!). On that point let’s talk about…

The Course Itself

The course is available in two formats. Bootcamp and on-demand. The bootcamp version is a series of live sessions with an instructor that take you through the course and the labs, allowing you an opportunity to ask questions and get assistance throughout. The on-demand version is the same course but presented in a series of pre-recorded videos. Support can be found in the Altered Security Discord and is largely community driven, though Nikhil and other staff are often present and will help when they are available.

I personally went for the on-demand version due to time-zone issues. I don’t study well at 2am.

On registering you will gain access to the course materials containing videos, documents, diagrams, and tools. You can download them all for offline use. You will also gain limited time access to the lab environment.

The course is broken into four different attack paths (kill chains) that work from either no access or initial low-privileged access, and gradually work towards the compromise of an Azure tenancy. Each attack path covers different topics and provides additional context to the descriptions in the videos.

The Good

Bearing in mind here that I had, at the beginning of this course, almost no knowledge of Azure and how it works. It was all black magic and voodoo to me. Azure is a huge beast that is not going to be covered comprehensively in a relatively short course.

Nikhil does a great job of trying to cover all the components of Azure at a high level, giving enough information that you can feel like you have enough of an understanding of what the topic to start working on it.

There are a lot of topics covered in the course including:

  • Tooling (PowerShell primarily but other binaries too)
  • Phishing methods
  • Initial access vectors
  • Enumeration
  • Bypasses
  • Exploitation scenarios
  • Persistence techniques
  • Lateral movement
  • Hybrid environments

Actual footage of me working out Azure

There is a lot of content to cover and Nikhil does a good job of keeping on track by walking you, step by step, through each of the attack paths and demonstrating the techniques.

The lab environment is well designed. With “user interactions” to simulate different attack vectors and a mix of “on-prem” and cloud infrastructure that do a good job of emulating common enterprise scenarios. I found this to be very enjoyable experience, and it’s clear that a lot of work went into it.

Additionally, there is a CTF at the end of the course students can choose to participate in if they wish. It is not required learning but can be an interesting exercise.

The Bad (kind of)

My criticism of the course is really in some of the delivery. While there is a lot to cover, and I understand why it is structured the way it is, I found that jumping around between attack paths was a bit disorienting and at times overwhelming. There were numerous times where I was completely lost in how we got from one topic to the next; having to refer back to my notes and the lab manual to work out which path I was supposed to be on and how I got there.

The course structure makes sense, in that you perform enumeration techniques on one path, then move to a different path and perform different enumeration techniques, and so on, before moving to the next phase. But the process was a little jarring. If you follow the lab manual or the videos exactly as they are presented, you will be fine. But having a go on your own can be difficult to navigate in the lab.

The Exam

The exam was a great experience. The structure is as follows:

You have 24 hours to get the flag at the end of an exploitation chain. Then a further 48 hours to submit a report detailing the attack path you took. You must describe why a technique worked and also include any practical mitigations you can think of. If English is not your native language, let them know on submission of the report and they will take that into account.

Given the amount and complexity of the information provided throughout the course, I went into the exam a little more nervous than usual. I read a few blogs similar to this in which the authors had claimed everything from they failed because they got lost in the weeds, to “I completed it in 6 hours, no sweat” which did not help my confidence much.

Let's do this!

Nevertheless, I started the exam and tried to relax. After finding my rhythm I found the exam to be straightforward and fair. I was able to complete the exam and report well within the time limit and was quite pleased with my result.

All the content required to pass the exam is provided in the course, though you may need to stretch a little and do some Google-fu to find exactly what you are after.

My Advice for Students

When purchasing the course and lab package you have 30, 60, and 90 day options. I used 60 and was comfortable, but if you are time poor and have the funds, go for the 90.

While working through the course, make sure you take amazing notes. While the lab manual is invaluable as a resource, it is disjointed and does not flow through each attack path naturally. This can make it extremely difficult to find the relevant information when you need it, if you are trying to use it as a reference. Using a note-taking tool with a good search feature is highly recommended. I use Joplin, but Notion and Obsidian are also good.

Additionally, take the time to build some simple scripts so you are not looking for those code blocks when you need them, such as a one that will connect to Az/AzureAD PowerShell for you. Then you only have to remember to change the username and passwords each time.

Lastly, the exam environment does NOT have the tools your student VM has on it. You are expected to transfer over the tools you need during your exam. There is absolutely no need to transfer all the tools over. It will take forever, eating valuable exam time. Instead, transfer over only one tool at a time, as you need it. I found I only really needed a couple tools to complete the exam comfortably.

My Suggestions for Improvement

I would honestly like to see a little less hand-holding throughout the course. I found it was difficult to try my newly learned skills against the environment as the course spoils it for you in its demonstration. Without turning into a CTF, I would have liked to have an additional document that had all the lab exercise objectives, in order, for each attack path; with some hints available if required before you move straight into the walkthrough.

This might be achieved by re-ordering the flag verification system in the lab portal, and some clickable links to hints. Or alternatively a 5th attack path for which only hints are provided. This way the student can perform some post-course practice on their own before reaching the CTF.

Conclusion

On reflection after completing the course and exam, I can see why it is considered a “beginner” certification in Azure. I still think that those with experience will get the most out of it, while those who are new to the industry might find it overwhelming, frustrating and difficult.

Do I feel like I am now an expert in Azure? Absolutely not. But I certainly feel a lot more comfortable giving it a red-hot go now and seeing where I get. And to me, that is more valuable than any certification.

I highly recommend this course to every pentester, red teamer, or cloud service administrator who may encounter Azure. It was a great experience from start to finish and I am very much looking forward to a more advanced version, if one was to be developed.

Thank you to Nikhil and the Altered Security team for another wonderful experience. You will see me again soon.

As always, if you have any questions, please feel free to reach out to me on my socials.

About the author

Nathan is certification addict, he can’t stop and it’s becoming a problem. We can’t talk to him about it directly but consider this a call for help.

If you need help with your security, get in touch with Volkis.
Follow us on Twitter and LinkedIn