CRTP Review – Certified Red Team Professional
Introduction
Certified Red Team Professional (CRTP) is an Active Directory-based red teaming certification. The course, titled “Attacking and Defending Active Directory: Beginner’s Edition,” serves as an introductory guide to understanding and executing Active Directory attacks and defenses. The course is taught by Nikhil Mittal. In this blog post, I will review the course and share my experience with the course materials, lab environment, and exam.
Pre-Requisites
While the website lists only two prerequisites:
- A basic understanding of Active Directory
- The ability to use command line tools on Windows
it is essential to have a fundamental understanding of penetration testing and PowerShell scripting. I already had substantial HackTheBox experience and the eCPPTv2 certification. For anyone considering this course, I highly recommend completing HackTheBox’s Active Directory path or solving a few machines related to Active Directory.
Who should take CRTP?
- Professional penetration testers who need to compromise Active Directory environments.
- Those curious about red teaming in Windows environments and wanting to learn evasion, privilege escalation, lateral movement, persistence, and other techniques.
- Experts in Active Directory exploitation and red teaming might find the course too basic but can benefit from reinforcing their knowledge.
Course Material
The course material includes:
- Comprehensive video content totaling over 14 hours.
- Course slides and a lab manual.
The video content features both pre-recorded sessions and live Bootcamp recordings. I chose the Bootcamp material because I found Nikhil’s humor and industry insights helpful. The Bootcamp videos also include answers to student questions, which is beneficial for online learners. The course is divided into four modules:
- Enumeration and Local Privilege Escalation
- Lateral Movement, Domain Privilege Escalation, and Persistence
- Domain Persistence, Dominance, and Escalation to Enterprise Admins
- Monitoring, Architecture Changes, Bypassing Advanced Threat Analytics, and Deception
Understanding Active Directory concepts is crucial, as solving the labs or exam with off-the-shelf exploits from the internet won’t suffice.
Lab Environment
The lab is an Active Directory environment featuring Windows Server 2022 machines with SQL 2017 and 2019 setups. It includes two forests and follows an “assumed breach” scenario, providing access to a dedicated student VM as a low-privileged user. This setup requires you to escalate privileges, move laterally, and eventually compromise the domain controller and enterprise admin. You can access the lab through Guacamole via a browser (the easiest method), VPN, or RDP. Although file transfer is straightforward, the lab is equipped with all necessary tools, so there’s no need to transfer anything.
The slides and lab manual provide commands for performing attacks using various tools such as PowerView, Mimikatz, BetterSafetyKatz, Rubeus, and Kekeo. There’s a dashboard to submit 40 flags, but the lab isn’t designed like a CTF. The flags represent information obtained through enumeration, privilege escalation, and lateral movement.
You can start your lab time within the given timeline. I opted for the 30-day lab subscription, which was sufficient to solve it twice and experiment further. AlteredSecurity support is quick to respond via email and Discord if any issues arise.
Course and Lab Tips
- Watch the Bootcamp videos first to thoroughly understand the concepts, then move on to solve the lab. The videos help clarify concepts and provide a walkthrough of the lab.
- If you prefer solving the lab independently, pause before the walkthrough. The lab manual PDF offers step-by-step instructions with commands.
- Take notes! Use a note-taking tool to record concepts and commands. These will be helpful during the exam.
- Don’t proceed with the lab unless you understand what’s happening behind the scenes. Understanding the concept is crucial to avoid getting stranded in the lab and exam.
- Re-watch the videos after completing a lab to ensure the methodology is clear.
- Create a concept and lab summary in your notes to have a clear mindmap of the attack.
- Keep checking the Attack Path diagram provided in the course material to understand your progress from point A to point Z during lateral movement.
- Install and test your BloodHound locally using the lab’s collector data before using it on the exam.
- Reboot the student VM if something doesn’t work.
- Note down error messages and their solutions for quick reference during the exam.
- Solve the lab at least twice using simple tools and once with a C2.
- Don’t waste time if you’re stuck. Check the lab manual or seek help from the Discord channel.
- If you have extra time after completing the lab, experiment with malware development or test custom tools in the lab environment.
- Make friends on the Discord server to discuss topics and questions with your peers.
Exam
The exam mirrors the lab environment, providing a Student VM in an “assumed breach” scenario with fully patched Windows machines. It is a 24-hour exam with an additional hour to transfer tools onto the exam machine. Any tool can be used, provided it’s explained properly in the report. There are five target servers across domains with different configurations and applications. The goal is to achieve OS command execution on all target servers, not necessarily with administrative privileges. However, compromising all machines and preparing a detailed, professional report is recommended. The report must be submitted within 48 hours.
If you’ve done the lab and understood the methodology, the exam should be manageable. Enumeration is the most challenging part. I started my exam at 10 AM on a Sunday and finished in about four hours. Local privilege escalation was easy, but moving to the next machine took time. I initially tried command-line enumeration but found it overwhelming, so I ran BloodHound and quickly compromised the first machine. The rest of the machines were straightforward if you’ve done the lab. However, my payloads were detected at the final stages, so I used a different AMSI bypass. Keep an eye on Twitter and GitHub repositories before the exam for the latest AMSI bypasses. I took screenshots while solving the machines and double-checked them for clarity and completeness. I then took a break and attempted other ways to compromise the machines. Afterward, I spent about four hours writing my report, which included a walkthrough with PoCs and remediation. I submitted the report the same day and received the result and certificate within a week.
Exam Tips
- Study your prepared notes.
- Plan your exam well in advance.
- Get a good night’s sleep before the exam.
- Prepare only the necessary tools in a zip file for easy transfer. Do not upload the entire “tools.zip” provided by AlteredSecurity for the lab.
- Reboot your VM or any problematic machine.
- Always dump hashes when compromising a user or machine.
- Take a screenshot of “whoami; hostname; ipconfig” as evidence of compromising the machine.
- Use BloodHound when stuck. Check every node, relationship, ACL, and trust.
- If stuck, create a quick diagram/overview of your attack path and lateral movement, then check if further enumeration is needed. Avoid potential rabbit holes and think realistically.
- Take short breaks, stay hydrated, stretch, and talk to people to refresh your mind.
Pros and Cons
Pros
- It is beginner-friendly with no “try-harder” concept. It has a clear and guided approach to each concept and lab.
- Affordable, especially at $250, with engaging course material and active support. I bought it during a Black Friday deal for an even lower price.
- The engaging course material includes prerecorded videos, Bootcamp videos, lab walkthroughs, slides, a lab manual, lab infrastructure, and an attack path diagram.
- Insights on EDR-MDE and access to the MDE dashboard to observe logged activities and malicious tool triggers.
- Well-explained detection and defense techniques.
Cons
- Beginner-friendly approach might feel too guided for some.
- Some lab flag verification questions could be clearer.
- Insufficient emphasis on BloodHound, despite its potential.
- The lab manual could use more context before each lab to explain why specific commands are run and to clarify attack paths.
- No Linux-based machines in the environment.
- Evasion and AMSI bypass techniques could benefit from more practical examples, although they are in the “beta” phase due to their evolving nature.
Conclusion
I found the course to be an excellent introduction to Active Directory attacks and defenses. It helped me better understand the attacks I performed on HackTheBox and other platforms. I feel much more confident in using these skills in real engagements.
Resources
None. The course material is sufficient for the course, labs, and exam. Make notes of the concepts and create a cheat sheet while going through the course.
You can refer to my rough notes prepared during the course: CRTP Notes and Cheatsheet