Pentester Academy - PACES Certification - The Exam
I just completed my report for the PACES exam, and have submitted it to the support team. I’m not sure how long it will take before I get a response, or before I know if I have passed, but I am relatively optimistic that I have passed this exam.
Update
I received the email to say that I passed the exam and obtained my PACES certification 5 days after I submitted my report. Very happy to have this certificate behind my name.
Disclaimer
If it doesn’t come through while reading this post, I just wanted to make sure I am clear. I enjoyed this course a lot, and will recommend it to anyone wanting to further their Active Directory attacking skillset.
We need more systems
I have gone through several Offensive Security (https://www.offensive-security.com/) certifications over the last year, so I will always use them as a comparison to any other courses or certifications that I do.
One of the things I liked from Offensive Security, that is unfortunately missing from PACES is the systems that have been put in place to give you better control over your lab and the whole course experience. With PACES, pretty much anything you want to do, you need the help from the support team.
For example, if you want to reset a host to a previous state, you have to email them. From my own experience, the response time is anything from a few minutes, to several hours. Don’t get me wrong, the support people are excellent and friendly, and they do a good job. What was worrying me was what the response time would be like during the exam. I’m happy to report though that whenever I emailed them during the exam, I got response back very quickly.
The exam booking process also involves emailing them with a date, and then waiting to see if it’s available. It would be so much nicer if there were a calendar function.
Having said the above, I do realise that with more systems comes more costs. With that said, maybe it’s okay to have a few of these manual systems in place, to keep the costs down. I also think it’s the software developer inside of me that always wants to automate things for better efficiency.
After booking the exam
Once you have booked the exam, you receive a confirmation email with the date and time. The email also includes all the details about the exam, as well as the instructions on what needs to be done during the exam.
These details give you a good indication of what to expect.
Exam details
You have 48 hours to complete the tasks set out in the exam. There is then another 48 hours after that, that you have to submit your detailed report.
You are given low privilege access to a jump host, which you need to make use of to perform lateral movement into the internal network.
The exam has an offensive and a defensive part.
For the offensive part, you are given several hosts that are part of various domain forests. The instructions are to obtain OS command execution on each of the hosts. It states that you might not need to privilege escalate on each target.
Once you are done with the offensive part, you should have enough details to log into all the hosts, and perform administrative actions on them. Then the defensive part begins, with you having to go and fix all the vulnerabilities and/or misconfigurations you found.
It is recommended that the offensive and defensive part should take you equal amount of time. In fact, in the exam instructions it states you should be using equals parts of time on attack, defense and report writing. I didn’t find this to be the case for me though.
Some of the exam details might not be so clear though. An example is that I wasn’t sure where to send my report to once I had completed it. It wasn’t such a big deal though, as I just emailed them a copy of it to the support email address. I did have to stress a bit for a few hours while I waited for someone to confirm they did receive my report.
I also had to get clarity to find out if I’ll be able to reset a host if it’s not performing as expected, as the exam guide states that no automatic resets would take place. The support team indicated that if I request a reset via email, they would then perform it manually.
The most important instruction given in the exam details is that you must remember to eat, take breaks and sleep during the exam.
The day before the exam
I have always tried to stay away from my computer the day before such a long exam will take place. If I can, I try and stay away for two days. Unfortunately, with work, it’s not always possible to do this.
With a new born in the house, it was just not my night for some peaceful sleeping either.
Right before the exam
The morning of the exam, I went for a short run and got showered just in time for my exam pack to arrive through email.
The normal pre-exam jitters were there, but I was excited to sit down for this challenge. The lab had kicked my butt, so I was expecting to have to put up a good fight to get through this exam lab.
The start of the exam
I received my VPN connection pack, with all my credentials, 30 minutes before the exam was about to start.
As with my previous exams, I already had directory structures and file templates in place. I just slotted the VPN connection files into place, and within a few minutes I was connected to the VPN, and able to access my jump host.
The first domain forest
Within the first 6 hours, I was able to fully compromise the first domain forest. It would’ve been done sooner, but for some reason a specific function of Rubeus was just not working properly from my jump host.
I did however setup pivoting using a socks proxy, that allowed me to use the impacket tools from my Kali host. Doing this solved my issue.
Resting
After a solid day of pretty much going at it for 11 hours straight (with smallish breaks in between), I decided to take a proper break. I had dinner, spend some time with my family and had a bit of sleep.
The final compromise
After a few hours, I was back at my desk, ready to take on the last part of the exam. I saw an attack path before I had left my desk for a break, so I thought it was going to be plain sailing to the end. I was wrong.
The first technique I tried, just didn’t work. I couldn’t understand why, because based on the enumeration that I did and the notes I was following from the lab during the course, what I was trying to get to work, should just work. Everything pointed to what I was doing was indeed the right attack path.
I sat for close to 4 hours, researching the topic, and trying various combinations of tools and parameters. I now feel quite well versed on this specific topic though, because I must’ve read every single document about it online.
I was at a point where I thought the lab environment was broken. I decided to just take a step back, look at all the hosts, and make sure I followed my methodology of post exploitation enumeration. Did I miss a step somewhere?
I miticulously went through everything, until I found the missing step. It turned out I didn’t even need to focus on anything advanced to accomplish this final step. It was staring me in the face the whole time, literally.
Report
With all the domains and hosts compromised, and started writing my report. I wanted to get it down while I still had all the steps fresh in my mind, and make sure I have all the screenshots I require.
After about an hour, I was done with the first draft of my report. Having now done a lot of penetration testing for my work, I’ve gotten a lot better at note keeping during engagements. This helps that the report writing process goes a lot quicker lately.
Defensive
I emailed the support team, and asked them to reset my environment for me so that I had a clean one to work with when dealing with the remediation steps.
15 minutes later I received an email back, stating the reset had been done, and I can continue.
Now, before the exam started and people kept asking me how prepared I feel for the exam, I kept saying I need to get the attack part of the exam over as soon as possible, and then hope that my Google skills don’t fail me while I try and stumble my way through the defensive part. I had 26 hours left in the exam, so I felt confident it would be enough time.
I know as a penetration tester that if you have a handle on blue teaming as well, you will just understand the techniques a lot better, but I still find the red teaming part of this a lot more fun. To the point where whenever I read an article about some security research, I seldom read the part of it where they discuss how to mitigate against an attack.
I made a list of all the vulnerabilities and misconfigurations that I found. I then Googled each of them, and looked for ways to mitigate them. I didn’t find this part too difficult, because there are a lot of researchers that have written articles about the migitation of various attacks.
Other instructions also came with the exam details. It included setting up various restrictions for specific users.
Final report
I took a few hours to get all the defensive notes into my report, and spent another hour or so sprucing up my report a bit and making sure I didn’t leave anything out.
The final result is a 39 page PDF.
My feeling on the exam
The lab that you are given access to during the course, to experiment on, is by far the best lab that I’ve ever come across. There are 6 forests, with 46 challenges. The tag line for the lab is “450 hours of torture”, and that is no lie.
Go and look at https://www.pentesteracademy.com/gcb to get an idea of what you need to accomplish to complete this lab.
There isn’t much course notes, and there is a lot of self research that you have to do on the multitude of techniques and skills needed to complete this.
It’s because the course lab is so awesome, that the exam lab felt like a let down to me. I was expecting something similar to that of the course lab. Not “450 hours of torture”, but perhaps “48 hours of torture” at least.
As I have done OSEP, the most “advanced” technique that was used in this lab, was a very “basic” technique in my opinion, just because I am so familiar with it already.
The exam lab does represent a “real life” environment in my opinion, and that is perhaps why the skills needed are quite basic. The misconfigurations that I found and abused are generally what I see in my day to day job as a penetration tester as well.
You’ll need to have a good understanding of Active Directory, and how to enumerate it properly. There isn’t just one attack path to take, but you should easily be able to see what step (or steps) you can take next to get to other hosts.
If you managed to go through the course lab, you will almost definitely be able to pass the exam. I’m willing to bet money on this.
I believe that you don’t have to go through the course lab to be able to pass this exam. There are just not that many skills that are taught in the course that are being used in the exam.
If I do pass, I will always look at my PACES certification for my accomplishment in surviving the course lab, instead of the exam.
Update I did pass! I am very happy to say that I survived the GCB lab!
I do also realise that the amount I paid for this course is not in line with Offensive Security courses, so it’s unfair to expect the same standard of infrastructure and systems. I suspect that a larger exam lab would result in more costs, which would make the course more expensive and possibly out of reach for most people.
As I mentioned, the defensive part was not my favourite. There was however one part that did get excited about, and I was able to implement something new that I learned to limit a user to what commands they are allowed to execute on a host.
Do I recommend this course?
Most definitely. The time you will spend on the course lab, will be challenging, but you will learn a great deal. Especially some of the more advanced Active Directory penetration testing skills.
I don’t think any other course lab can compare to what you are given access to.