My Review on HackTheBox Certified Active Directory Pentesting Expert (CAPE)

I recently passed the Certified Active Directory Pentesting Expert (CAPE) certification from HackTheBox.

https://almounah.github.io/certs

In this blog post, I will share more details about the CAPE certification, my learning journey, and a few tips for anyone preparing to take it.

I will also discuss the C2 framework I built and used during the course labs and the exam: Orsted C2.

What is CAPE?

Certified Active Directory Pentesting Expert (CAPE) is HackTheBox’s most advanced certification focused on attacking Active Directory environments. It covers a range of subjects, from NTLM to Kerberos and ADCS, as well as other complex topics such as attacking AD trusts.

The full course description can be found here https://academy.hackthebox.com/preview/certifications/htb-certified-active-directory-pentesting-expert. You can see the full course content by going to the RELATED JOB-ROLE-PATH tab.

As the name suggests, CAPE is not an entry-level certification. By the time I applied, I had already:

  • Completed the Certified Red Team Operator (CRTO) course
  • Had 3 years of experience in the offensive security industry, including Windows / Active Directory pentests against environments with advanced security solutions enabled
  • Completed over 100 boxes on HackTheBox across many Seasons
  • Deep dived into the code of existing open-source C2 frameworks (sliver, havoc, merlin, Exploration C2)
  • Built a C2 framework from scratch

Choosing a C2

While not mandatory, using a C2 during the course labs and exam is highly recommended. It is important to fully understand how your C2 behaves, so I suggest using an open-source framework.

Approximately one year before attempting CAPE, I decided to build my own C2 from scratch, called Orsted C2, which is now open source.

Source code: https://github.com/almounah/orsted

Full documentation: https://almounah.github.io/orsted-doc/

To be as comfortable as possible while going through the course material, your C2 should ideally:

  • Allow you to run PowerShell in memory in a stealthy way - Orsted achieves this with powercliff
  • Allow you to execute .NET assemblies and EXE files in memory - Orsted provides inline-clr and execute-assembly
  • Allow easy pivoting (via SOCKS or ligolo-ng) - Orsted supports this with autoroute
  • Provide a quick, non-stealthy shell when needed - Orsted offers this with shell

You should also have your offensive tooling precompiled. Inspired by sliver-armory, Orsted includes batcave, which compiles .NET tooling via GitHub Actions: https://github.com/orgs/exploration-batcave/repositories

That said, I am not suggesting that you use Orsted or build your own C2 as I did. There are many solid options already available, such as sliver, Havoc, AdaptixC2, merlin, meterpreter, and Exploration C2, among many others.

Choose a C2 you are comfortable with, that is what matters most.

The Course Content

The course content assumes you already have some foundational Windows knowledge. HTB does a great job of clearly explaining complex subjects such as SCCM, Active Directory trusts, and more.

You can roughly categorize the content into three main groups:

  • Tool-Specific Chapters

These include Active Directory PowerView, Active Directory BloodHound, Using CrackMapExec, and Intro to C2 Operations with Sliver. These chapters are particularly valuable because they provide dedicated environments to practice using the respective tools.

For these sections, don’t hesitate to git clone the tools and explore their source code. I highly recommend doing this for any new tool you encounter in general.

  • General Knowledge Chapters

These include Active Directory Enumeration & Attacks, Active Directory LDAP, Windows Lateral Movement, and Introduction to Windows Evasion Techniques.

These chapters introduce the fundamental knowledge required to better understand Active Directory attacks. The Windows evasion chapter is fairly basic, which actually makes it more valuable - it demonstrates how to bypass Windows Defender, but you will need to dig much deeper if you want to bypass modern EDR solutions later in your career.

  • Pure Active Directory Chapters

These include Kerberos Attacks, DACL Attacks I, DACL Attacks II, NTLM Relay Attacks, ADCS Attacks, Active Directory Trust Attacks, and MSSQL, Exchange, and SCCM Attacks.

These chapters form the core of the course and provide a deep dive into Active Directory attack techniques.

The Exam

The exam is brutally hard. There’s even a great song about it:
https://youtu.be/S4XI1BY2p_c?si=W-TGRoKnmuIN8P7N

It requires a deep understanding of the course material. If your plan is to rely on cheat sheets and use a spray and pray approach, you won’t get very far.

To prepare for the exam, I worked through the following boxes and prolabs:

Chapter                              | Boxes / Prolabs
Kerberos Attacks                     | Vintage, Phantom, Delegate, Rebound, Scrambled, Push Prolab
DACL Attacks I                       | Vintage, Administrator, Rebound, Certified, Push Prolab
DACL Attacks II                      | BabyTwo
ADCS Attacks                         | Shibuya, VulnCicada, Certified, Push Prolab
MSSQL, Exchange, and SCCM Attacks    | Reflection Prolab, Push Prolab

I had also completed multiple HTB seasonal machines in the past: https://app.hackthebox.com/public/users/440818

I was able to pass the exam in 4 days, working from 7 AM to 1 AM each day, with a few breaks here and there. Since HTB gives you 10 days to complete the CAPE exam (similar to CWEE), I recommend starting on a Friday so you can take advantage of two weekends.

Although the exam is challenging, it is also very enjoyable to work through.

Consider the exam as part of the learning process. You will significantly level up while going through it.

Conclusion

I highly recommend CAPE. The content is top-notch, highly technical, and will help you significantly improve your Active Directory skills.

I hope this post has given you a clearer view of what CAPE offers and what to expect from the journey.

This post is licensed under CC BY 4.0 by the author.