Certified Azure Red Team Professional review

Introduction

🔎 The course aims to teach Azure and Entra ID attack paths across 2 tenants, covering managed identities, key vaults, web apps, service principals, blobs and so on.

Start training

💰 When you purchase CARTP ($450), you’ll be asked to enter an email address. It’s best to use a Gmail address (for the learner) to avoid having to contact support later, as authentication on the learning platform is done exclusively via a Google account.

Altered Security learning platform interface

You’ll then have access to the various CARTP-related resources in the “Access Lab Material” section, which redirects you to a OneDrive link. There you’ll find diagrams, explanatory videos (CourseVideos correspond to the bootcamp videos and WalktroughVideos to the lab compromise paths) and an archive containing all the tools needed for the course (Tools.zip).

I strongly recommend reading the section “Frequently Asked Questions”.

In the course, there are 26 “Learning Objectives” (23 of them “Hands-On”), each of which states a goal to be reached (one or more pieces of information to obtain) by enumerating/exploiting the lab environment on a particular subject. This covers everything from O365 phishing with MFA bypass and endpoint fuzzing to Microsoft Graph/ARM API interactions (retrieving tokens and enumerating) across 2 tenants.

📍 The learning environment and the certification environment are similar. Note that there may be some minor differences, so read the tools’ documentation carefully and practice. Azure concepts can be overwhelming at first sight: note the key concepts, draw diagrams and take your time! Don’t forget that the endpoints are widely exposed and the environment is connected to the internet, so be careful that your operations stay within scope and legitimate!

ℹ️ As always, the bootcamp videos hosted by Nikhil Mittal (founder of Altered Security) provide feedback, anecdotes and detailed explanations of the concepts.

Exam advice
  • Take time to import your PowerShell modules and tooling properly.
  • Don’t waste time collecting data with AzureHound (or similar tools); there’s no need.
  • Try different utilities/ways to connect to the MS Graph API if you aren’t successful with one.
  • Take screenshots and minimal notes while doing the exam.
  • Save your command history file at $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt (it contains the commands only, not their output).
  • Endpoint fuzzing is useless.
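As an added example (not from the original post), the following PowerShell helper turns the history and screenshot advice above into a small evidence routine for the report: it starts a transcript (since the PSReadLine history file holds no stdout), locates the history file through PSReadLine instead of hard-coding the path, and hashes the copies so the report can reference them. The notes folder name and the function names are my own assumptions.

```powershell
# Added example: preserve exam evidence for the report.
# Assumes PSReadLine is loaded (default in Windows PowerShell 5.1 and PowerShell 7).
function Start-ExamEvidence {
    param(
        [Parameter(Mandatory)] [string] $NotesRoot   # e.g. "$HOME\cartp-notes" (assumed)
    )
    $stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
    $evidence = Join-Path $NotesRoot "evidence-$stamp"
    New-Item -ItemType Directory -Path $evidence -Force | Out-Null

    # The history file stores commands only, so capture stdout in a transcript too.
    Start-Transcript -Path (Join-Path $evidence 'transcript.txt') -Append | Out-Null

    # Resolve the history path from PSReadLine; on a default host this is
    # $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    $history = (Get-PSReadLineOption).HistorySavePath
    return [pscustomobject]@{ Evidence = $evidence; History = $history }
}

function Save-ExamEvidence {
    param(
        [Parameter(Mandatory)] [string] $Evidence,
        [Parameter(Mandatory)] [string] $History
    )
    Stop-Transcript | Out-Null

    if (Test-Path $History) {
        Copy-Item $History (Join-Path $Evidence 'ConsoleHost_history.txt') -Force
    }

    # SHA-256 each collected file so the report can cite untampered evidence.
    Get-ChildItem $Evidence -File |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path |
        Export-Csv (Join-Path $Evidence 'hashes.csv') -NoTypeInformation
}

# Usage (assumed notes folder):
# $e = Start-ExamEvidence -NotesRoot "$HOME\cartp-notes"
# ... enumeration work for the exam ...
# Save-ExamEvidence -Evidence $e.Evidence -History $e.History
```

Run Start-ExamEvidence once per session; the transcript and the copied history then land next to your screenshots under a timestamped folder.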

Exam moment

👉 I must remain somewhat vague to avoid spoiling the exam setup. During the exam, the candidate’s mission is to compromise 5 Azure resources and 2 users and retrieve the final flag within the lab scope. The candidate has 24 hours, including an additional hour for installing the necessary tools, to compromise the entire Azure lab and take screenshots that demonstrate the method used, which strengthens the final report; the report should be as flawless as possible (48 hours are granted to submit it).

After starting the exam, the endpoint appeared on the interface within about ten minutes. An exam VM with a public IP is also provided for operations; you can connect to it directly through an RDP client.

The foothold is a formality; follow the bootcamp notes if needed. Then there is a trickier part that may not be covered in the course :). As I heard, a lot of people failed the exam on it, so be patient, read the Microsoft documentation and hope you will find a way (don’t give up!).

Then the lab is pretty easy; some steps may be redundant, and it’s straightforward! Don’t forget that your exam lab spans two tenants. Enumeration is key (original sentence, I guess).

Report

🗒️ The report must be written entirely in English. It should suggest corrective measures for the identified weaknesses and include references to blog articles to enhance the credibility of the document. It is also essential to explain the functionality of the tools used and the reasons for their selection. My individual report was created using sysreptor and the Altered-Security-Azure-Reporting template.

GitHub: didntchooseaname/Altered-Security-Azure-Reporting

📋 The project’s goal is to save time on formatting, automate elements such as the structure of the Executive Summary and Table of Contents, and most importantly, focus on completing only the functional parts of the document, such as the scope and attack vectors.

Conclusion

✅ The CARTP is a good introduction to Azure and Entra ID concepts and exploitation.

It’s possible to pass the CARTP in a few weeks :). All resources are accessible for life, including future updates. Note, however, that passing the certification may be less complex than the training lab (due to the latter’s 24 hours of activity). You will then be asked to submit a compromise report in English, detailing all observations, weaknesses, tools used, sources of PoCs and remediation recommendations for each element in the environment (recommendations earn more points, but are not mandatory). This report is written and sent within 48 hours at most after the end of the exam lab activity. You can also specify that English is not your native language, if this is a hindrance to your expression; the Altered Security team will take this into account when reviewing your report.

Useful links/repositories

GitHub: dirkjanm/ROADtools
Source: https://xsec.fr/posts/certifications/cartp/
Author: Xsec
Published: 2024-12-25
License: CC BY-NC-SA 4.0