Introduction 介绍

ARTE or htARTE is a certification issued by Hacktricks Training, a training organization created by Carlos Polop, who is also the creator of the famous hacktricks cheatsheet. The aim of the certification is to present different exploitation techniques on the most commonly used AWS services in corporate environments, and to provide a methodological basis for white-box audits (configuration audit) and black-box audits (penetration testing and red team engagements). One can purchase a voucher for the certification since December the 4th 2023, and this is the first that Hacktricks Training has offered. When we decided to buy the certification, we had no feedback or information available on the certification and we think we were among the first people in France to buy the certification. We decided to give it a try knowing that there was a discount available for the launch of the certification and we wanted to progress in AWS pentesting being interested in the security of cloud environments.
ARTE 或 htARTE 是由 Hacktricks Training 颁发的认证，该培训机构由 Carlos Polop 创建，他也是著名的 hacktricks cheatsheet 的创建者。该认证的目的是展示企业环境中最常用的AWS服务的不同开发技术，并为白盒审计（配置审计）和黑盒审计（渗透测试和红队参与）提供方法基础。自 2023 年 12 月 4 日起，人们可以购买认证优惠券，这是 Hacktricks Training 提供的第一个优惠券。当我们决定购买该认证时，我们没有有关该认证的反馈或信息，我们认为我们是法国第一批购买该认证的人之一。我们决定尝试一下，因为我们知道启动认证有折扣，并且我们希望在 AWS 渗透测试中取得进展，因为对云环境的安全性感兴趣。

From there, you may be asking yourself “Who is the certification intended for?”.
从那时起，您可能会问自己“该认证是针对谁的？”。

Who is ARTE for?
ARTE 适合谁？

The certification does not necessarily require any prior knowledge of AWS, but basic knowledge of the following areas is necessary:
该认证不一定需要任何 AWS 的先验知识，但需要具备以下领域的基本知识：

• Networking 联网
• Linux
• Pentesting 渗透测试

In our opinion, anyone with a solid grounding in these areas should be capable of tackling this certification. On second thought, we wouldn’t recommend it to just anyone, as cloud security is a rather specific field. The certification is quite interesting for people involved in offensive security, such as pentesters or red team operators. Moreover, this certification can also be of great interest to people involved in the defensive security of AWS environments. This would help them to get a better understanding of the configuration mistakes that can be made in order to avoid them, give them a sneak peek of an adversary mindset and help them in responding to a potential security incident in a timely manner.
我们认为，任何在这些领域具有扎实基础的人都应该能够获得此认证。再想一想，我们不会向任何人推荐它，因为云安全是一个相当具体的领域。对于参与攻击性安全的人员（例如渗透测试人员或红队操作员）来说，该认证非常有趣。此外，参与 AWS 环境防御安全的人员也可能对这项认证非常感兴趣。这将帮助他们更好地了解可能发生的配置错误，从而避免这些错误，让他们一睹对手的心态，并帮助他们及时响应潜在的安全事件。

Now that we know who might be potentially interested in this certification, let’s take a look at how to prepare for it, and at the materials provided with the course.
现在我们知道谁可能对此认证感兴趣，让我们看看如何准备该认证以及课程提供的材料。

Certification Preparation
认证准备

When you activate your certification voucher, you get access to two things. The first is the certification course, made up of videos and slides. In addition to the access granted to the course, you also get access to the lab. After each notion explained in the course, you get the opportunity to put it into practice in the lab exercises. Over 50 labs and more than 20 hours of video lessons are available, following this syllabus:
当您激活您的认证凭证时，您可以访问两件事。第一个是认证课程，由视频和幻灯片组成。除了授予课程的访问权限外，您还可以访问实验室。在课程中解释了每个概念之后，您将有机会在实验室练习中将其付诸实践。提供超过 50 个实验和超过 20 小时的视频课程，遵循以下教学大纲：

Intro to AWS AWS 简介

• AWS Organization AWS组织
• AWS Principals AWS 负责人

Exploitation of AWS Services
AWS 服务的利用

• IAM
• STS
• KMS
• Secrets Manager 保密经理
• S3
• EC2, EBS, SSM & VPC
  EC2、EBS、SSM 和 VPC
• LightSail 光帆
• Lambda 拉姆达
• API Gateway API网关
• EFS
• RDS
• DynamoDB 动态数据库
• ECR
• ECS
• Elastic Beanstalk 弹性豆茎
• CodeBuild 代码构建
• SQS
• SNS
• Cognito 认知

Methodologies 方法论

• White box 白盒
• Black box (I) 黑匣子（一）
• Black box (II) 黑匣子（二）

Common Detection Mechanisms
常见的检测机制

• CloudTrail 云踪
• GuardDuty 警卫职责
• Other Security Services (Cloudwatch, Security Hub, Detective, Inspector, Config, WAF, Shield, Firewall Manager)
  其他安全服务（Cloudwatch、Security Hub、Detective、Inspector、Config、WAF、Shield、Firewall Manager）

As you can see, the syllabus is pretty solid. Keep in mind that when you activate your voucher, you only have access to the lab for 45 days. This means that if you don’t work on your certification every day, you will probably need to do at least 2 labs a day to be able to finish all the labs in the allotted time. However, if you don’t have the time to finish all the labs in the allotted time, you can buy lab extensions (15, 30 and 90 days). If you ever get stuck during a lab, you can ask other students or moderators questions on the certification discord. Another advantage is that most of the techniques you will need to use in the labs are explained and available on Hacktricks cloud. There are also a number of operating demos in the course to help you understand the mindset you need to have. This is notably true in the Black Box methodology section, where you can find a complete Black Box environment operating demo. In fact, we would advise you to prepare for the Black Box part of the course, especially the Black Box II part. This will help you really understand and apply the methodology you will need to pass the exam and be efficient in your real life engagements.
正如你所看到的，课程大纲非常扎实。请记住，激活优惠券后，您只能在 45 天内使用实验室。这意味着，如果您不是每天都进行认证，您可能需要每天至少进行 2 次实验，才能在规定的时间内完成所有实验。但是，如果您没有时间在规定的时间内完成所有实验，您可以购买实验延期（15、30 和 90 天）。如果您在实验室中遇到困难，您可以向其他学生或主持人询问有关认证不一致的问题。另一个优点是，您在实验室中需要使用的大多数技术都在 Hacktricks 云上进行了解释和提供。课程中还有大量的操作演示，帮助您了解所需的心态。在黑盒方法部分尤其如此，您可以在其中找到完整的黑盒环境操作演示。事实上，我们建议您准备课程的黑盒部分，尤其是黑盒 II 部分。这将帮助您真正理解和应用通过考试所需的方法，并在现实生活中高效工作。

In addition to the course and the labs provided, we also praticed on the Hailstorm AWS cloud pro lab on the Hack The Box platform. (Note from Rayan: I’ll be doing a review of the lab soon). The Hack The Box lab enabled us to put into practice the methodology we learned as a kind of test before the exam. However, the Hack The Box lab is much bigger than the actual certification exam as it includes services that are not covered in the ARTE course. In the end, if you do most of the labs assiduously, take notes and have a proper understanding of the mindset of the Black Box methodology, then you’re more than likely ready to take and pass the exam.
除了提供的课程和实验室之外，我们还在 Hack The Box 平台上的 Hailstorm AWS 云专业实验室进行了练习。 （Rayan 的注释：我很快就会对实验室进行审查）。 Hack The Box 实验室使我们能够将学到的方法付诸实践，作为考试前的一种测试。然而，Hack The Box 实验室比实际的认证考试大得多，因为它包含 ARTE 课程中未涵盖的服务。最后，如果您勤奋地完成大部分实验，记笔记并对黑盒方法的思想有正确的理解，那么您很可能已经准备好参加并通过考试。

So let’s talk about the exam now.
那么现在我们来谈谈考试吧。

The Exam 考试

The ARTE exam is quite special, unlike most of the certifications we’ve taken. First because it’s very short, as it’s lasting 12 hours. Another super important thing is that there’s no report to hand in at the end of the exam like most hands-on certifications. The objective of the exam is to recover 3 flags in an AWS environment that you will attack under the black box approach. At the start you’re given a certain entry point and from there your goal is to retrieve credentials, elevate your privileges and compromise various services. Like any exam, it can be stressful, especially when you consider that the exam only lasts 12 hours. But to be honest, it’s totally sufficient. The exam is quite straight forward in its entirety and can be completed in much less than 12 hours, personally we took 4 hours after losing a little time on one stage, mainly due to a lack of experience and methodology but we still managed to complete the exam! If you have any problems during the exam, don’t hesitate to contact the support on Discord as they are very responsive. Take breaks during the exam. It’s really important when you’re stuck to come back with a fresh mind if you want to be able to solve your problem.
ARTE 考试非常特殊，与我们参加的大多数认证不同。首先是因为它很短，因为它持续了12个小时。另一件非常重要的事情是，像大多数实践认证一样，考试结束时不需要提交报告。考试的目标是恢复您将在黑盒方法下攻击的 AWS 环境中的 3 个标志。一开始，您会获得某个入口点，从那里您的目标是检索凭据、提升您的权限并危害各种服务。与任何考试一样，考试可能会带来压力，尤其是当您考虑到考试仅持续 12 小时时。但说实话，这已经完全足够了。整个考试相当简单，可以在不到 12 小时的时间内完成，我们个人在一个阶段损失了一点时间，花了 4 个小时，主要是由于缺乏经验和方法，但我们仍然设法完成了整个考试考试！如果您在考试期间遇到任何问题，请随时联系 Discord 上的支持人员，因为他们的响应非常及时。考试期间要注意休息。如果你想解决问题，那么当你不得不以全新的心态回来时，这一点非常重要。

Once you’ve managed to recover the 3 flags, you’ve passed the exam, because as we said before, there’s no report to submit. As a bonus, you’ll receive a congratulatory e-mail with a nice certificate:
一旦你成功恢复了 3 面旗帜，你就通过了考试，因为正如我们之前所说，无需提交任何报告。作为奖励，您将收到一封带有精美证书的祝贺电子邮件：

Pros and Cons 优点和缺点

Pros 优点

Considering that we had almost no knowledge of AWS and its workings at the beginning of this course, we found that Hacktricks did an excellent job in trying to cover all the primary components of AWS at a high level, providing enough information to feel comfortable for penetration testing and red team engagements on AWS.
考虑到我们在本课程开始时对 AWS 及其工作原理几乎一无所知，我们发现 Hacktricks 做得非常出色，试图在高层次上涵盖 AWS 的所有主要组件，提供足够的信息以方便渗透AWS 上的测试和红队参与。

The course covers a wide range of topics, including:
该课程涵盖广泛的主题，包括：

• Tools (aws-cli primarily but also other tools and scripts)
  工具（主要是 aws-cli，还有其他工具和脚本）
• Initial access vectors 初始访问向量
• Enumeration 枚举
• Bypasses 旁路
• Exploitation scenarios 利用场景
• Persistence techniques 持久化技巧
• Lateral movement 横向运动
• Black/White-Box methodology
  黑/白盒方法
• The environment and architecture on AWS
  AWS上的环境和架构

A major advantage of this experience is the lab (which is truly insane: 50 flags), as well as its gamification in CTF mode. There are no ready-made solutions; there is only a hint regarding the service that is vulnerable, after which it’s up to you to manage to exploit misconfigurations and vulnerabilities. This will force you to search and familiarize yourself with AWS documentation and the Hacktricks website, as well as developing your own methodology.
这种体验的一个主要优势是实验室（这真的很疯狂：50 个标志），以及 CTF 模式下的游戏化。没有现成的解决方案；只有关于易受攻击的服务的提示，之后您就可以设法利用错误配置和漏洞。这将迫使您搜索并熟悉 AWS 文档和 Hacktricks 网站，并开发自己的方法。

Cons 缺点

In the light of AWS’s constant evolution and updates, it’s inevitable that certain exploitation techniques we initially learn may become obsolete or require adaptation over time. While working on practical exercises, such as those provided in training environments, we encountered situations where previously effective methods no longer yielded the expected results due to one of these updates. When this happened, it unfortunately halted the lab, but the support team was very responsive and present to assist.
鉴于AWS的不断发展和更新，我们最初学习的某些利用技术不可避免地可能会随着时间的推移而过时或需要适应。在进行实际练习（例如在培训环境中提供的练习）时，我们遇到了由于这些更新之一而导致以前有效的方法不再产生预期结果的情况。当这种情况发生时，不幸的是，实验室停止了，但支持团队非常积极地提供帮助。

Another point to mention is that once a service is exploited and the flag obtained, there is no solution provided by the challenge authors. We found this was a pity as it could have offered an opportunity to understand their way of designing the challenge, their precise methodology, and even to know if the challenge was solved as expected. Such feedback could have enriched the learning experience by offering a deeper insight into the intentions behind each challenge.
另一点需要提到的是，一旦服务被利用并获得标志，挑战作者就不会提供解决方案。我们发现这很遗憾，因为它可以提供一个机会来了解他们设计挑战的方式、他们的精确方法，甚至知道挑战是否按预期得到解决。此类反馈可以通过更深入地了解每个挑战背后的意图来丰富学习体验。

Conclusion 结论

The certification is both engaging and enjoyable for those seeking a comprehensive and swift training option, provided the budget allows. With a thorough lab, instructional videos, courses, and a responsive support team, it offers a well-rounded learning experience. However, if you’re a student on a tight budget but still keen to dive into AWS security, you can create your own lab using AWS’s free tier and leverage the wealth of resources available on Hacktricks cloud. This approach allows for a cost-effective yet valuable way to build your skills in cloud security.
如果预算允许，对于那些寻求全面而快速的培训选择的人来说，该认证既有吸引力又令人愉快。凭借完善的实验室、教学视频、课程和积极响应的支持团队，它提供了全面的学习体验。但是，如果您是一名预算紧张的学生，但仍热衷于深入研究 AWS 安全性，则可以使用 AWS 的免费套餐创建自己的实验室，并利用 Hacktricks 云上提供的丰富资源。这种方法提供了一种经济高效且有价值的方式来培养您的云安全技能。

By the way, if you are a company using AWS and want to challenge your assets through configuration audits, pentesting, or even red team exercises, do not hesitate to contact us at [email protected]! We would be glad to help you with this.
顺便说一句，如果您是一家使用 AWS 的公司，并且希望通过配置审核、渗透测试甚至红队练习来挑战您的资产，请随时通过 [email protected] 与我们联系！我们很乐意为您提供帮助。

原文始发于Rayan BOUYAICHE & Dimitri CARLIER：AWS Red Team Expert (ARTE) Review