Hacktricks training logo

Summary

Introduction

ARTE or htARTE is a certification issued by Hacktricks Training, a training organization created by Carlos Polop, who is also the creator of the famous hacktricks cheatsheet. The aim of the certification is to present different exploitation techniques on the most commonly used AWS services in corporate environments, and to provide a methodological basis for white-box audits (configuration audit) and black-box audits (penetration testing and red team engagements). One can purchase a voucher for the certification since December the 4th 2023, and this is the first that Hacktricks Training has offered. When we decided to buy the certification, we had no feedback or information available on the certification and we think we were among the first people in France to buy the certification. We decided to give it a try knowing that there was a discount available for the launch of the certification and we wanted to progress in AWS pentesting being interested in the security of cloud environments.

From there, you may be asking yourself “Who is the certification intended for?”.

Who is ARTE for?

The certification does not necessarily require any prior knowledge of AWS, but basic knowledge of the following areas is necessary:

  • Networking
  • Linux
  • Pentesting

In our opinion, anyone with a solid grounding in these areas should be capable of tackling this certification. On second thought, we wouldn’t recommend it to just anyone, as cloud security is a rather specific field. The certification is quite interesting for people involved in offensive security, such as pentesters or red team operators. Moreover, this certification can also be of great interest to people involved in the defensive security of AWS environments. This would help them to get a better understanding of the configuration mistakes that can be made in order to avoid them, give them a sneak peek of an adversary mindset and help them in responding to a potential security incident in a timely manner.

Now that we know who might be potentially interested in this certification, let’s take a look at how to prepare for it, and at the materials provided with the course.

Certification Preparation

When you activate your certification voucher, you get access to two things. The first is the certification course, made up of videos and slides. In addition to the access granted to the course, you also get access to the lab. After each notion explained in the course, you get the opportunity to put it into practice in the lab exercises. Over 50 labs and more than 20 hours of video lessons are available, following this syllabus:

Intro to AWS

  • AWS Organization
  • AWS Principals

Exploitation of AWS Services

  • IAM
  • STS
  • KMS
  • Secrets Manager
  • S3
  • EC2, EBS, SSM & VPC
  • LightSail
  • Lambda
  • API Gateway
  • EFS
  • RDS
  • DynamoDB
  • ECR
  • ECS
  • Elastic Beanstalk
  • CodeBuild
  • SQS
  • SNS
  • Cognito

Methodologies

  • White box
  • Black box (I)
  • Black box (II)

Common Detection Mechanisms

  • CloudTrail
  • GuardDuty
  • Other Security Services (Cloudwatch, Security Hub, Detective, Inspector, Config, WAF, Shield, Firewall Manager)

As you can see, the syllabus is pretty solid. Keep in mind that when you activate your voucher, you only have access to the lab for 45 days. This means that if you don’t work on your certification every day, you will probably need to do at least 2 labs a day to be able to finish all the labs in the allotted time. However, if you don’t have the time to finish all the labs in the allotted time, you can buy lab extensions (15, 30 and 90 days). If you ever get stuck during a lab, you can ask other students or moderators questions on the certification discord. Another advantage is that most of the techniques you will need to use in the labs are explained and available on Hacktricks cloud. There are also a number of operating demos in the course to help you understand the mindset you need to have. This is notably true in the Black Box methodology section, where you can find a complete Black Box environment operating demo. In fact, we would advise you to prepare for the Black Box part of the course, especially the Black Box II part. This will help you really understand and apply the methodology you will need to pass the exam and be efficient in your real life engagements.

In addition to the course and the labs provided, we also praticed on the Hailstorm AWS cloud pro lab on the Hack The Box platform. (Note from Rayan: I’ll be doing a review of the lab soon). The Hack The Box lab enabled us to put into practice the methodology we learned as a kind of test before the exam. However, the Hack The Box lab is much bigger than the actual certification exam as it includes services that are not covered in the ARTE course. In the end, if you do most of the labs assiduously, take notes and have a proper understanding of the mindset of the Black Box methodology, then you’re more than likely ready to take and pass the exam.

So let’s talk about the exam now.

The Exam

The ARTE exam is quite special, unlike most of the certifications we’ve taken. First because it’s very short, as it’s lasting 12 hours. Another super important thing is that there’s no report to hand in at the end of the exam like most hands-on certifications. The objective of the exam is to recover 3 flags in an AWS environment that you will attack under the black box approach. At the start you’re given a certain entry point and from there your goal is to retrieve credentials, elevate your privileges and compromise various services. Like any exam, it can be stressful, especially when you consider that the exam only lasts 12 hours. But to be honest, it’s totally sufficient. The exam is quite straight forward in its entirety and can be completed in much less than 12 hours, personally we took 4 hours after losing a little time on one stage, mainly due to a lack of experience and methodology but we still managed to complete the exam! If you have any problems during the exam, don’t hesitate to contact the support on Discord as they are very responsive. Take breaks during the exam. It’s really important when you’re stuck to come back with a fresh mind if you want to be able to solve your problem.

Once you’ve managed to recover the 3 flags, you’ve passed the exam, because as we said before, there’s no report to submit. As a bonus, you’ll receive a congratulatory e-mail with a nice certificate:

ARTE Certificate

Pros and Cons

Pros

Considering that we had almost no knowledge of AWS and its workings at the beginning of this course, we found that Hacktricks did an excellent job in trying to cover all the primary components of AWS at a high level, providing enough information to feel comfortable for penetration testing and red team engagements on AWS.

The course covers a wide range of topics, including:

  • Tools (aws-cli primarily but also other tools and scripts)
  • Initial access vectors
  • Enumeration
  • Bypasses
  • Exploitation scenarios
  • Persistence techniques
  • Lateral movement
  • Black/White-Box methodology
  • The environment and architecture on AWS

A major advantage of this experience is the lab (which is truly insane: 50 flags), as well as its gamification in CTF mode. There are no ready-made solutions; there is only a hint regarding the service that is vulnerable, after which it’s up to you to manage to exploit misconfigurations and vulnerabilities. This will force you to search and familiarize yourself with AWS documentation and the Hacktricks website, as well as developing your own methodology.

Cons

In the light of AWS’s constant evolution and updates, it’s inevitable that certain exploitation techniques we initially learn may become obsolete or require adaptation over time. While working on practical exercises, such as those provided in training environments, we encountered situations where previously effective methods no longer yielded the expected results due to one of these updates. When this happened, it unfortunately halted the lab, but the support team was very responsive and present to assist.

Another point to mention is that once a service is exploited and the flag obtained, there is no solution provided by the challenge authors. We found this was a pity as it could have offered an opportunity to understand their way of designing the challenge, their precise methodology, and even to know if the challenge was solved as expected. Such feedback could have enriched the learning experience by offering a deeper insight into the intentions behind each challenge.

Conclusion

The certification is both engaging and enjoyable for those seeking a comprehensive and swift training option, provided the budget allows. With a thorough lab, instructional videos, courses, and a responsive support team, it offers a well-rounded learning experience. However, if you’re a student on a tight budget but still keen to dive into AWS security, you can create your own lab using AWS’s free tier and leverage the wealth of resources available on Hacktricks cloud. This approach allows for a cost-effective yet valuable way to build your skills in cloud security.

By the way, if you are a company using AWS and want to challenge your assets through configuration audits, pentesting, or even red team exercises, do not hesitate to contact us at contact@hackcyom.com! We would be glad to help you with this.