ACAPT - ASYNC Certified Associate Penetration Tester
Exam Structure
The exam consists of 4 machines, each designed to replicate realistic Windows AD attack surfaces.
1. Exploitation (15 points per machine)
You will be assessed on your ability to:
- Conduct reconnaissance with assumed breach credentials
- Perform authenticated enumeration
- Perform vertical privilege escalation
- Harvest credentials (e.g., plaintext passwords, NTLM hashes, DPAPI secrets)
- Exploit Microsoft SQL Servers (MSSQL) via misconfigurations or command execution
- Identify and abuse dangerous ACLs (DCSync, GenericAll, WriteOwner, etc.)
- Conduct Kerberos attacks (e.g., Kerberoasting, AS-REP roasting, etc.)
- Attack domain trusts and move laterally between domains when applicable
Each machine contains a unique set of challenges from the list above; not all attack types will appear in every machine.
This portion adds up to a total of 60 points (15 * 4) across the 4 machines in the exam.
2. Mitigation Tasks (10 points per Mitigation)
After each exploitation, you will be required to:
- Identify the root cause of compromise
- Propose actionable mitigations (e.g., hardening steps, GPO adjustments, monitoring techniques)
- Document defensive strategies that apply to the AD misconfigurations exploited
This portion adds up to a total of 40 points (10 * 4).
Grading Criteria
You are given 24 hours for exploitation in the exam environment, and an additional 24 hours for producing a report detailing the findings of the engagement as well as mitigations (where appropriate). In order to obtain a passing grade, you must obtain a total of at least 80 points.
Rules of Engagement (RoE)
You are reminded that the environment is live and actions may have real-world impact. Proceed with caution to avoid disrupting company operations; any action that causes a disruption may result in a deduction of points. The user account provided to you is exempt from all point deductions and exists so that the tester can perform actions that would otherwise be disruptive without penalty. You are welcome to add this user to any group, modify its password, or perform any other action on it that would otherwise be disruptive.
Potentially Disruptive Actions
The following actions may result in a deduction of points, and should be avoided unless absolutely necessary. These actions are being actively monitored:
- Modifying the password of any user account
- Adding or removing users from domain & local groups
- Restarting or shutting down systems
- Making changes to Group Policy Objects (GPOs) that affect multiple systems or users
- Modifying authentication mechanisms (e.g., enabling RDP, changing login requirements)
- Changing permissions on critical files, shares, or directories
- Adding, removing, or modifying data stored in MSSQL databases
If you must perform a disruptive action, you must revert the change before the exam ends. If you are unable to revert these changes, the following must be documented:
- Detailed reversion steps in your final report
- Reason for the inability to revert the changes
Failure to revert any disruptive change, or to properly document the reversal steps, will result in a deduction of 5 points per incident.
Immediate Termination
The following actions will result in immediate termination of the engagement, and immediate failure of the exam:
- Attempting to scan, access, or exploit the company's dedicated enterprise router.
- Causing irreversible damage to any system, such as deleting critical resources, or modifying system files that cannot be restored.
- Attempting to use the company's systems to attack or compromise external public-facing systems, including but not limited to launching attacks against other companies or individuals.