RastaLabs Review
Review
RastaLabs is a virtual Red Team Simulation environment which has one Domain Controller, 7 Servers and 6 Workstations. The lab is focused on operating within a Windows Active Directory environment where students must gain a foothold, elevate their privileges and move laterally to reach the goal of Domain Admin. Even after Pwning the Domain Admin there are some challenges which involves critical thinking. Simply put together:
Windows Server 2016,Windows 10 and Some Linux machines are used in this environment. AV and Windows Defender are patched up to a reasonable level. The coolest part about the lab is its stimulates the behavior of employees and the admins in a corporate who would login into the workstations and servers. This allows the students to equip themselves for performing assessments where systems are patched and exploiting the weakest links (humans). Be Prepared for late-nights and stressful weekends ;)
There users are generally categorized into HR Team, Helpdesk Team, Infrastructure Maintenance Team, Finance Team etc. Each as their own set of privileges on the network through which you can perform privilege escalation and later-movements. Do not consider this lab like any certifications, learning the different ways and understanding them is more important than getting the flags.
Note: The lab gets updated on a quarterly basis and AVs would start detecting your exploits. Sometimes there are scenarios where you create a script which is not caught by AV but after 3 days its getting detected and some modifications are needed. Probably many times during your lab period you would feel like:
I took a about three months to complete this lab, Of course i took breaks in the middle. This lab gave me insights of the Active Directory misconfigurations and attack scenarios, configuring C2 Frameworks, Anti-virus evasion etc. I also prepared a research talk and present it on BSides Delhi 2020 on “Demystifying Common Active Directory Attacks” at which i have covered Basics of Kerberos Authentication, AS-REP Roasting, Kerberoasting, DCSync, DCShadow, Golden and Silver Tickets attacks.
General Tips:
- Communicate with people who are doing Rasta Labs on mattermost. It’s an awesome community where people really help you to understand and exploit the attack scenario but do not except people give you exploit codes/scripts. Coolest part here is i have made friends who belong to overseas, we really talk a lot about different things and learn as a community
- Make sure you take breaks, couple of days break won’t be hurdle for your progress rather it will help you.
- Once you complete the lab, talk with people and get information about what was their approach for Domain Admin or a particular misconfiguration.
- Before taking the lab solve some retried Active Directory boxes on Hackthebox or complete the Active Directory Track.
- Follow certain people blogs that would be helpful during the journey RastaMouse, harmj0y, HackTricks, ired.team etc.
- Take a look at https://zeropointsecurity.co.uk/rastalabs/ prior to starting.
General Referrals :
These are the references and blogs that helped me during pwning the RastaLabs
- Anti Virus Evasion and AMSI Bypass
https://rastamouse.me/tags/amsi/
https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
https://medium.com/@byte_St0rm/adventures-in-the-wonderful-world-of-amsi-25d235eb749c
https://amsi-fail.azurewebsites.net/api/Generate (Cool One) - Active Directory Attacks/Enumeration:
https://www.harmj0y.net/blog/redteaming/kerberoasting-revisited/
https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
https://attack.stealthbits.com/how-dcshadow-persistence-attack-works
https://drive.google.com/file/d/1HyOjJVSjxxyAEmMMK6jCIdpb2sn_NtSw/view - C2 Framework:
Covenant - https://bestestredteam.com/2020/02/19/interacting-with-covenant-c2/
https://rastamouse.me/blog/covenant-tasks-101/
Cobalt Strike - https://www.ired.team/offensive-security/red-team-infrastructure/cobalt-strike-101-installation-and-interesting-commands
Empire - https://www.ired.team/offensive-security/red-team-infrastructure/powershell-empire-101
C2 Matrix - A list of Command and Control Frameworks along with their Capabilities and much more. Try some C2 Frameworks - Payload Creation:
HTA - https://www.hackingarticles.in/bypass-application-whitelisting-using-mshta-exe-multiple-methods/
https://github.com/felamos/weirdhta
https://rastamouse.me/blog/asb-bypass-pt2/
Macro - https://www.hackingarticles.in/multiple-ways-to-exploit-windows-systems-using-macros/
ShellCode Launcher - Effective for having creating native meterpreter handler - PowerView/PowerSploit:
http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
https://powersploit.readthedocs.io/en/latest/Recon/
https://book.hacktricks.xyz/windows/basic-powershell-for-pentesters/powerview - Mimikatz:
https://book.hacktricks.xyz/windows/stealing-credentials/credentials-mimikatz
https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet#mimikatz
https://cheatsheet.haax.fr/windows-systems/privilege-escalation/lsass_mimikatz/ - GPO Abuse:
https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
https://labs.f-secure.com/tools/sharpgpoabuse/
https://rastamouse.me/blog/gpo-abuse-pt1/
https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/
https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/
https://github.com/rasta-mouse/GPO-Abuse - https://medium.com/owasp-chennai/building-word-lists-for-red-teamers-a8ba2d79ee3
- https://attack.stealthbits.com/password-spraying-tutorial-defense
- https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
- https://www.blackhillsinfosec.com/password-spraying-other-fun-with-rpcclient/
- https://pentesttools.net/sharphose-password-spraying-tool-in-c-for-windows-environments/
- https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++
This lab as taught me lot of things and now i started the next lab Cybernetic, Reach out to me on Instagram and twitter if you have any queries !
Happy Hacking !