Review of the k>fivefour - Red Team Journeyman™ Course (RTJC)

These are my personal opinions based on my background and training experience.

Course Reviewed

Course Format:

This course is live training (and normally on-site / in person.) However, due to COVID-19, my class was live / online.

Course Materials:

This course materials, and swag, included a class slides in a spiral bound notebook, a lab workbook (in the neat k>fivefour large leather ARC binder), a small leather book for notes (with k>fivefour logo), a k>fivefour pen, a k>fivefour lanyard, and the awesome k>fivefour backpack with velcro strip to put your certification patches.

Check this swag out...

What You Get

With RTAC Badge

Class Slides

Class size:

The class can be varied in size. We had more than ten students in the class I attended.

Lab Environment

The lab environment is NOT shared with other students.

Estimated cost:

At the time of this review, the course prices were listed as follows (Check the web site for actual prices!)

$9,995.00 USD

Course overview:

This course now has information listed at https://www.eventbrite.com/e/red-team-journeymantm-course-tickets-89579140621.

It is listed as a two week course, which is Monday through Friday of each week, and the final exam is a two day test. (From some of the things I heard, the two day test is done in a classroom only and not offline, so you start one day and get as far as you can and then come back the next day to try and reach the end.)

To quote from the eventbrite site:

Students will customize, create, and execute:

* Microsoft Windows COM object hijacks
* Remote code execution exploits
* Webshells
* C++ hijack DLL’s
* C# assembly payloads

Students will build, configure, and secure covert infrastructure to hide Red Team communications from suspecting network defenders.

This class will guide students through:

* Windows active directory enumeration
* Privilege escalation
* Domain fortification
* Advanced remote execution
* Advanced user and administrative persistence
* Domain pivoting

Students will learn to set up customized tunnels to route web and C2 traffic through the environment, encountering various challenges which must be overcome to compromise secured remote systems.

Students will work in Battlegrounds, k>fivefour’s online virtual environment. Battlegrounds is accessible throughout the duration of the class, including nights and weekends, using any modern web browser. Using Battlegrounds, students will work to compromise their individual environment composed of over 30 virtual machine systems arranged into 5 separate networked domains.

End quote!

There are pre-requisites listed at the bottom of the eventbrite page. I highly recommend that if you are interested in taking this course that you read the pre-requisites and ensure that you meet them before signing up. I hear that the class is intense for those that meet the requirements, so not meeting the requirements will possibly make for a really bad experience.

I will stress again, these classes are taught by people with a lot of Red Team experience, and this course is designed to be challenging. When I overheard someone talking about the course (very high level discussion) they mentioned taking advantage of the "Battlegrounds" environment from home. So clear your calendar and limit outside distractions, sign up for the class and spend every second of free time you can practicing what you have learned.

This course will teach you how to set up customized tunnels to route web and C2 traffic through a simulated outside environment to your simulated internal network, it will teach you how to gain a foothold, and move within an Active Directory environment (with both Linux and Windows machines), and it will teach you how to overcome various challenges to compromise secured remote systems.

My motivation:

I really wanted to take this course, and the wonderful people that I work with were able to get me enrolled in the class.

My review:

I only got a few days notice that I had been approved for, and was getting to attend, this course.  I was both excited and nervous, and then the weekend was over and I was in class.

I had one of the instructors that I had from RTAC and the other instructor was different than I had when I went through RTAC. Both had years of experience and were very knowledgeable. They took turns teaching the materials and answering questions and helping with the lab.

A lot of things were pretty similar to RTAC, but the whole remote thing was a little interesting to start with but I got used to it. We connected through BlueJeans for audio/video and chat, but we also had a private Slack channel where we posted questions for those in our class. And we were added to an RTAC certified group to chat with other RTAC certified operators. There were still real world stories shared, but I did miss the talking in the break room and halls during breaks.

We got another one of those really nice ARC notebooks with a k>fivefour logo on it.  This had our lab materials in it.  This design allows the instructors to hand out each lab right before you start it (and you then insert it into the notebook.  You can also remove them, and insert them back into the notebook as needed.)  This method works really well for both classes, and you can buy ARC (or similar style) paper to make your own notes on and then insert in the notebook in whatever order you would like. Since this was online, all the labs were already in the notebook for my class.

We got a spiral bound notebook with the class slides.  There is some room around each slide for you to make notes in, but you would probably be better off making notes in a notebook or on the blank pages in your ARC binder (I went to Levenger and bought a bunch of Circa paper that was on sale and now I have plenty of spare pages that fit my ARC binders from RTAC and RTJC.)

We also got a pen with the k>fivefour logo on it, a lanyard and a backpack.  The backpack has a velcro patch on the fron that allows you to add the 'soft' badges that they give you once you pass the RTAC exam (the green patch...which can be seen in one of the photos above).  I saw a photo online where they give you similar items when you pass the RTJC exam (a red patch).

Before we get into the actual review of the class, let me mention the lab setup and get that out of the way.  Each student gets their own lab environment, so anything that is done in the student's environment doesn't affect the environments of the other students.  (And this is spot on for this type of training/learning!)  I don't recall how many VMs were running in the lab, but there are different operating systems, applications, and configurations.

The first day of class started with a welcome/introduction session where things like the bathroom location, the breakroom, and other important things to know were discussed (this really didn't apply to us as we were all remote).  From there, the class launched into a very quick review of information learned in RTAC.  Next up was real world red team mission setups, and the labs to begin attempting these real world setups.  They covered information I have not seen in other red team classes, and the setup provides a very good learning experience of how to set up infrastructure both internal and external. Things like iptable rules on internal boxes, Windows firewall rules, offline file shares and general mission preparation. Before we launched into the labs, they gave us a quick overview of Battlegrounds (which is how you connect to your lab.)

You get to fully set up your infrastructure to simulate being on an external network and connecting to your customer's network over the internet. There are different courses out there that take a different approach to getting setup (some drop you in on an internal box and let you work from there, some make you find ways inside the customer network, and you should really learn every method you can.)

From there, we moved into enumeration, and finding ways into a customer's environment.  With RTAC we got a little taste of phishing and with RTJC we got a taste of exploiting and writing some shell code to gain access. And once inside the customer's environment, that is when things started were both old and new at the same time.  For example, anyone doing Offensive Security's Penetration Testing with Kali Linux class has probably dropped a webshell on a box and accessed it remotely, but they probably haven't gone in and custom made the webshell. This is where you have to really think outside the box as compared to most other courses because you can't just drop a webshell on a web server in the real world and have it where everyone can just connect and use your webshell, but you can't make it so complex that a defender going through network traffic can look at the traffic and say, "well this is odd!"

Enumerate the box (some old techniques and some new techniques), persist the box (some old techniques and some really really really cool new techniques for me that I had heard about but never used) and more tradecraft from the red team perspective. Again, they teach a lot more 'thinking' things through than just popping shells and moving on.

Privilege escalation and advanced privilege escalation. Data mining. Data exfiltration. Finding data can be like finding a needle in a haystack, but that needle you find could turn out to be the key to gaining domain administrator rights or being stuck as a regular user.

The Post Exploitation section was by far my all time favorite section of this course, but looking back it seems to be the biggest part of the course.

I don't want to spoil stuff for the people who get to attend this class, but I do want to tell you that there is a HUGE plot twist during your lab time. If you do this kind of work for a living, take this class, and get to the point I am talking about, you will just smile, laugh a little, and think, this is so real world it hurts!

And then there is my love/hate relationship with tunneling. At times I love it and can keep things straight in my head, and at other times I get so flustered. Practice makes perfect, and for this course it isn't too bad. I took one course where I was so far deep with tunnels that I almost had to make a full network diagram to keep track of it. I love the chance to practice with tunnels!

The programming part: I had fun. The C++ part was easy to understand and follow. It isn't writing zero day exploits with C++ level programming, but modifying existing code... techniques that you will probably learn before you get here, you will learn it while you are here, or you will learn it later down your path of red teaming. And then the coolest part of the class. The C# stuff. Don't know how to program in C#, well neither did I (although I did watch a short YouTube video once that gave me exposure to what the syntax looked like.) This section is a little bit of holding your hand, and a little bit of forcing you to learn on your own. The instructors are there if you need them, but hopefully you won't have any trouble in this section. And what you are taught is pretty awesome ;) I just wish I would have learned this before I took an exam that I failed (not that I would have passed but it would have made one of my tasks take 30 minutes instead of 3 hours!)

When the second week started, we had learned a lot, but we weren't done learning. Monday, Tuesday and the first part of Wednesday was spent finishing up the slides and labs.

The second half of Wednesday was a review day.  There was some review of what is expected from the exam, and then it is more or less free time.  You can reset your lab and start all over, or you can just continue to learn with what you have.

Not sure what to say exactly about the test other than:  Two days.  9 hours of test time per day.  18 hours total.  10+ hour days getting set up and preparing and then shutting down for the night.  Long days.

At the end of the course, I got a Certificate of Completion.



There were times when I had small connectivity issues with the lab, but for the most part, my connection was pretty good.

The Exam:

The exam is taken over two days. It isn't a "48 hour exam" where you get to make your own schedule, the start and end time, as well as lunch time, are on a set schedule. You are monitored during the test, and you have access to the instructors if you have questions/problems, but if you need a quick break you are allowed. For the people who took it live and onsite, they sat in a classroom and took the exam. For those at home, we found the best place to take the exam and took it. My good chair broke a few weeks before class, so I sat in a chair from our dining room and that all wood straight backed chair was very hard on my back!

I failed! I lost focus no less than three times, and probably more, and I went way off course toward the end of the exam. Typos, time management, and lack of focus were in the end what defeated me. I am eagerly awaiting word of when/if they will offer exam retakes.

Had I passed, I might have gotten a certificate that looked similar to this:

RTJC Certification

My two cents:

This course is different from every other course I have taken. I've not had another course that goes over infrastructure setup, or a course that has taught me to customize Cobalt Strike C2 profiles, or even program in C#, not to mention the section about the C++ DLLs. This class isn't about getting Domain Admin at all costs, but it is about gaining access to a network, persisting that access, and methodically working through the network being as stealthy as possible, and, all along the way, keeping track at every step that has been taken.

Copyright © 2024