My Journey toward eCPTX

Written by on
Hello Everyone,

m0nkeyshell is back again, I hope you all are doing well !! in this crisis situation.

Stay Home Stay Safe Wear Mask.

Before going into the details I would like to mention that I failed my 1st attempt and after a week I gave my 2nd attempt and cleared the exam.

Lesson learned from my 1st attempt.

So I have taken the elite version of PTX v1 course back in November 2017. Yes you read it correct back in 2017. After my initial glance through course material  I was scared as the concept of the attack and the methodology was totally new for me. Fast forward in 2019 I did 3 certification OSCP, CRTP & CRTE. Even so I was not enough confident to do PTX but in 2020 I completed GCB labs (exam is still pending) that gave me enough confident.

When I compare PTX vs Other Course it quit different like it more of real world attack especially it includes c2, evasion and external attack and also various way of executing the payloads which I seriously loved. 

I gave my First Exam attempt on 18th July 2020 and I was able to only get  4 machines during the exam out of 7.
During my 1st attempt I did not focused on understanding the lab instead I just attack the lab here and there which made the lab very unstable and all my shell were dying this made me so frustrated.
I just over complicated the exam but exam was pretty simple and I understood that after I failed my 1st attempt.  

Lesson learned from my 2nd attempt.

So I gave my 2nd attempt on 25th July 2020 and I was able to compromise all the machines. Interestingly my exam lab did not even crash for even once in 2nd attempt as I understood how to executed code without crashing the labs. Simple Example don't run your payload directly from your previous shell instead try to execute it as a completely in a new process. So it wont kill your current / new shell if you either of your shell die's.

Exam Labs are stable, go through the course material and you will understand what I mean because their main focus is to understand how to actually attack with carefulness means when you are in the corporate environment you won't like to impact the existing services during your assessment.

Note:- Course Material are enough to pass the exam.

Below is small comparison about different courses which I have done.
All the below three course are awesome and I would recommend that if you love to do certification like me go for all

PTX v1
CRTP
CRTE
Labs are stable
Labs are stable
Labs are stable
Dimitri gave awesome support
Support is awesome
Support is awesome
External Black box attack
Assumed Breach
Assumed Breach
Focused on Linux to AD
No Linux
No Linux
Metasploit & Power empire
Mostly Powershell
Mostly Powershell
Network Segmentation
No Network Segmentation
Network Segmentation
Various evasion Techniques
No evasion apart from AMSI
No evasion apart from AMSI
Layer 2 tunneling
No layer 2 tunneling
No layer 2 tunneling
MITM
No MITM
No MITM

I would like to thanks everyone who are always there for me 🙏🙏🙏🙏

Comments

Post a Comment

Popular posts from this blog

Information Disclosure - Internal Path Disclosure (PHPWCMS) - CVE-2018-12990

Written by on
Image
Hello All, ​INTRODUCTION T​he  purpose  of this post is to let you know how I managed to get one more CVE​. Throughout this post, I will give you relevant examples/screenshots that demonstrates how I ended up finding the vulnerability. ​Alright, lets plunge into the Proof-Of-Concept ! ​ PATH OF EXPLORATION ​ After submitting the first vulnerability (Stored Cross Site Scripting) to the developer for phpwcms application I continued to test further for finding more vulnerability. While testing I saw that CSRF Token was submitted in all the request. I tried to tamper with the parameter which contained the CSRF Token and found that the application throws an error which discloses the Internal Path of the application where it has been hosted. THE MOST AWAITED DEEP DIVE POC​ 1) While submitting the profile page request I saw that the application passes one parameter (csrf_token_value) which as per the name suggest contains the csrf token as you can refer the ...
Read more

Introduction to Callidus

Written by on
Image
Hello All, Performing Red Team assessments are becoming challenging day by day. In mature environments we see a lot of custom tool development and new techniques are getting discovered by the community to overcome various challenges. While thinking about such challenges, I came up with the idea of creating a tool that can leverage legitimate services for establishing command & control communication channel which is likely to be whitelisted or are less monitored due to the nature of services used by the corporate environments. This is not a new technique, we have already seen similar projects that were developed to leverage legitimate services for command & control. Communication channels such as Slackor for Slack C2, DaaC2 for Discord C2 or  Domain Fronting techniques etc. In this post I will introduce you to a tool called "Callidus" which I created to learn & to improve my knowledge about developing custom toolset in C# and learning how to leverage ...
Read more

Process Injection - Part I

Written by on
Image
Hello All, After publishing the post about Dumping Process Memory with Custom C# Code my friend Himanshu suggested me to write a tool & a blog post about Process Injection for learning and he referenced his post about Code Injection which covers the concept about the vanilla process injection technique. It was quite interesting to learn and understand the core concepts about Process Injection techniques and as a learning path to code in c# leveraging Windows API I started writing the tool for Process Injection. What is Process Injection ? Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. Why Process Injection ? ...
Read more