My CRTP Experience

Introduction

Hello everyone, I hope you are all doing well, staying safe, and using this time in a meaningful way 🙂

So, I'm back with a new blog after a long time. Today I'll be sharing my experience with the Certified Red Team Professional (CRTP) certification by Pentester Academy, which I cleared very recently. This was one of the certs I had been planning to take for a long time, and I'm happy that I was able to clear the exam after compromising 5 boxes and submitting a well-formatted report.

Should you go for it?

A little background about me: I work as a cybersecurity professional at one of the Big 4, and my core strength and expertise lie in application security. I have a little knowledge of cloud security, and since I've done a few CTFs on different platforms, I also have decent experience in system/network pentesting. As you can tell, Active Directory was a topic on which I had absolutely no experience or knowledge, and that is the reason I opted for this certification.

According to a few professionals, this cert should be considered after you complete your OSCP, since OSCP teaches you to compromise machines, gain an initial shell and then escalate to a higher-privileged user. CRTP, on the other hand, is a post-compromise cert: it teaches you various techniques and methods to perform lateral movement and escalate your privileges gradually from local admin to domain admin, then to enterprise admin, and finally to abusing and compromising external trusts.

That being said, I took the course without thinking much, since I had planned to do it for a long time and also because it is affordable compared with the prices of other certification vendors.

What are the pre-requisites?

In my case, I had very limited knowledge of Active Directory and its exploitation techniques. I had a basic understanding of how it works and had also solved a few Hack The Box machines based on an AD environment; however, I wasn't sure whether I knew what I was doing, or what a particular tool like Impacket or Empire did in the background when I ran it. All this confusion pushed me to take up this course.

Now for the pre-requisites from this cert's point of view: all you need to know is what Active Directory is, what the various components of an AD environment are, and how it works. There are various fundamentals videos on YouTube that you can watch before opting for this course, and you can also set up your own environment to get a much better understanding.

Here is one of the videos that I liked a lot; there are also many other videos on the same channel, covering different AD attacks, which are very nicely explained:

 

What about the course contents?

I would say Nikhil Mittal has done an amazing job creating this well-structured course. The course content consists of videos, PDFs, lab guides, and walkthroughs. The videos and PDFs are very easy to understand and implement. The complete set of videos is around 14 hours long; however, if you're a beginner like I was, I would suggest you take your time and not hurry to complete the videos.

That being said, there are a few topics like Delegation, DCShadow, ACL abuse, etc. where you might feel confused or stuck, or where you would probably like to know more. So I would suggest you watch the videos on those topics 2-3 times and do a little research using the various other blogs and videos that are publicly available as well. This will help if you're stuck, and you'll also have a much better understanding if you refer to other blogs along with your course content.

Once you opt for the course, you can simply ask the support team for the materials first, go through them thoroughly, and then ask them to start the labs, as you can start the labs anytime within 90 days of your purchase. You can also start the labs yourself using the portal, which they provide once you opt for the cert.

I've listed a few blogs/videos that I followed along with the course contents:

https://www.ired.team/

http://www.harmj0y.net/

https://wald0.com/

https://adsecurity.org/

https://blog.fox-it.com/

 

Lab Experience

The lab accompanying this course is named "Attacking and Defending Active Directory", and the above picture shows the overall architecture of the lab. It might seem scary at first but trust me, it's not. The lab consists of 23 challenges that you need to solve. You can access your lab environment both through your browser and over VPN. I preferred the browser since I felt the connection was a bit better. The lab machine also contains all the tools required to solve the challenges. There are lab walkthroughs in the course content as well, and I would highly recommend watching the walkthroughs even if you have already solved the challenges, as you might have missed a few things.

There are various plans you can opt for: 30, 60, and 90 days. I opted for the 30-day lab, and it is more than enough to complete the challenges. You can easily solve the challenges twice or thrice in the 30-day period. However, if you want to do more research and explore a bit more, you can surely take the 60- or 90-day lab. The course contents are included in the lab's price.

Exam Experience

Now coming to the exam: you'll get access to one initial machine, and your objective will be to compromise the remaining 5 machines along with the current one, so altogether you need to compromise 6 machines to complete the exam. The exam is not flag based, so simply take screenshots of everything you do. The time period to complete the exam is 24 hours, and you'll have to submit the report (PDF format) within the next 48 hours. Just like the labs, you can start the exam from the portal itself. A few things to note about the exam: some popular PowerShell tools may not behave properly without .NET v3.5 and may produce inconsistent output, so it is recommended to verify results with other tools too (alternative tools are covered in the course as well). Also, make sure you have a BloodHound setup ready on your local machine, as you won't be allowed to run BloodHound on the exam machines. Sometimes a few things might not work as expected, so you can always reboot a particular machine from the portal and start with it again.

Coming to my exam, I started on October 18th, 2020 at 10 AM. I still had around 1 week of lab time left; however, I decided to take the exam beforehand so that even if I failed I could practice again in that 1 week. I was able to compromise all the boxes by 1-2 AM that night and prepared my report in the next 48 hours. I took a lot of time to prepare my report and did around 3-4 rounds of review from my end, since I didn't want to take any chances. Also, I'm not sure whether it is mandatory to mention mitigation steps in the report, but to be on the safe side I included mitigation points in my report. And within 12 hours of submitting the report, I got this in my mail.

 

And after a few hours, I also received my certificate by mail. 🙂

 

What is the level of the examination?

So, first of all, I want to say that this is not considered a very difficult certification to crack, but it's also not as easy as some people suggest. I've seen many good people unable to complete the boxes in time. I personally found it quite tricky and not at all easy to crack the boxes; however, it was a great experience for me and I surely learned a lot from this certification.

Few Important Tips

  • Do not rely completely on the materials; do some research beyond the materials as well.
  • Make sure you know how to use BloodHound and what to look for, as it then becomes very easy to build the attack path.
  • Along with BloodHound, make sure to use the other enumeration tools covered in the course, such as PowerView and the Active Directory module.
  • Keep a well-structured note of all the commands, as it makes copying and pasting commands very easy and saves you a lot of time.

Conclusion

So that was all about my CRTP experience, which I thoroughly enjoyed. I would highly recommend this certification to anyone looking to learn about the techniques and methods used in Active Directory exploitation. A huge thanks to Nikhil Mittal, Vivek Ramachandran, and their support team.

For any queries, you can send a Hi to my LinkedIn handle: Here

So that’s for now. See you next time.

Till then Stay Safe.

Happy Hacking !!!
