Review: Hack the Box Pro Lab-Zephyr

Sep 13, 2023

A couple of months ago I undertook the Zephyr Pro Lab offered by Hack the Box. The truth is that the platform had not released a new Pro Lab for about a year or more, so this new addition was a welcome surprise! This one was marked as a “Red Team Operator” Level 1 lab, which honestly was a bit scary, because RastaLabs had the same rank of difficulty but was notoriously difficult to complete, especially in certain parts. Nevertheless, after some convincing from fellow pentest enthusiasts, I decided to subscribe and start playing the lab.

The new pricing model

One thing that deterred me from attempting the Pro Labs was the old pricing system. You had to pay a hefty setup fee (around 90$) + 27$/month to keep your access. However, if you canceled your lab subscription and wanted to continue access, you had to pay the setup fee AGAIN.

Fortunately, the new pricing system that was introduced at the same time as Zephyr changed that. Now you can pay 45$/month and you can have access to ALL the Pro Labs. No more setup fees. The new plan, besides being more reasonably priced (after all, 45$/month for 6 Pro Labs of such quality is more than fair game), also allows players to change Pro Labs. Say, for example, you want to attempt Cybernetics but eventually you are stuck. Instead of banging your head on the wall, you can play another lab and get back to Cybernetics later. That way, your money does not feel wasted, which may be the case for harder Pro Labs that require advanced knowledge and where people are bound to get stuck, especially after the middle of the lab.

My guess for the new pricing model is that Hack the Box decided to make the change because more and more training companies offer such environments at competitive prices with no compromises in terms of quality. Hopefully, we will see more Pro Labs in the future (I read somewhere that this year’s Red Team Village challenge will be offered as a Pro Lab later on for the public). I also hope that more business-exclusive Pro Labs will be available to the public as well since much of the platform’s good stuff is offered only for businesses (Cloud Labs, I am looking at you).

The story

Zephyr Server Management has been hired by Painters organization to actively maintain their infrastructure as they continue to grow as a business. The organizations are mandated to have quarterly penetration tests and have employed you to actively seek any potential vulnerabilities that could lead to both the Painters and Zephyr Server Management networks being fully compromised. You have been assigned to test the internal network and have been given access to a VPN to communicate with the network. You are tasked to explore the corporate environment, pivot across trust boundaries, and ultimately attempt to compromise all Painters and Zephyr Server Management entities.

Okay, now in terms of realism in an actual enterprise network, do not expect anything fancy. Users, computers, and services are there to practice your AD skills. Of course, this is common for all the Pro Labs since they are based on a flag system. Overall, the story is not immersive and you will not pay much attention to it, nor does the lab demand any critical thinking about the next step based on business operations and the organization's overall department structure.

Technical Skills Required

Zephyr is pure Active Directory. No web apps, no advanced stuff. Expect it to be easier than Offshore and MUCH easier than the rest of the Red Team Pro Labs. The platform claims it is “A great introductory lab for Active Directory!” which is a good way to describe it. You will have to enumerate the network and exploit its various misconfigurations. Do not expect anything super-fancy, mostly the stuff you would see in any introductory AD-oriented training course like CRTP and CRTO. The CPTS path covers around 85% of the stuff you need for the lab; the rest is up to you to research.

Of course, you will have to use your brains and exploit some misconfigurations in slightly different/unconventional ways, which makes the lab interesting in some parts. Of course, this comes at the cost of some parts of the lab being a bit unrealistic compared to other similar environments.

Pivoting is also there, as well as MSSQL Servers. Overall, this Pro Lab is great for getting accustomed to some of the most fundamental AD attacks; however, it requires you to have a good base in the topic since no training material is provided. If you are a CRTP/CRTO, you will have no problems hacking through this Pro Lab in a few days at most. Personally, it took me a week, and after that, I did a replay to improve my notes and try some new attacks.

As future improvements, I would like to see some internally running services on the lab (something like the stuff I saw in Offshore) to more realistically simulate an enterprise environment and add some more challenges for players. So far there are 17 flags that are pretty easy to find in the intended exploitation path, so no hidden flags or side-quests here.

Lab Support

The lab reverts daily. Persistence is not a big problem; however, pivoting is, since you have to set up everything from the beginning, but that’s a problem in all similar environments anyway. If you need help to progress in the lab, the Discord server is quite active and most people there are more than willing to help you. Technical support regarding the lab is pretty nonexistent; however, the daily reverts come to the rescue if something goes wrong. The performance is quite good and I remember 1 or 2 times where the lab was broken on a specific server.

Final Words

I can definitely recommend this lab. It was a nice break to play a new Pro Lab which was neither too daunting nor too big. At this price range, it is definitely a good deal, especially since you can play more Pro Labs if you finish it in a matter of days. I would put it under the “Penetration tester Level 2” category, rather than Red Teaming (no, not everything AD-related is considered Red Teaming). The fact that it has no web apps is a double-edged sword. Some people might be disappointed; however, I think that the platform needed another pure AD lab which would be more beginner-friendly since RastaLabs is advanced stuff.

Great job to Hack the Box for offering new content on the platform. We hope to see even more similar material in the near future!

If you are interested in the lab, check out the subscription options HERE.

Sip, Puff, Study