CRTP Experience | What and How much I got to learn.

Captain Pool


Introduction

As a working Information Security Analyst, my work consists of finding web vulnerabilities. I had rarely worked in any Active Directory environment in my life and had very little knowledge of the whole thing. I consider myself quite knowledgeable in Bash but very weak in PowerShell. One can see how taking on the Certified Red Team Professional certification from Altered Security was a big challenge, as they clearly mention that you need to have some knowledge of AD and PowerShell. Looking back now, what they say is true. Following is the story of how I cleared the CRTP exam on my first attempt, the things I learned, and how this certification is different from other courses that teach AD pentesting. Please know that I’m not going to explain how the Golden Ticket attack works and what the difference is between this and a Diamond Ticket, how Kerberoasting works, or any of the other technical things, which you can learn online. This article is purely about the experience. Please read on if interested.

Preparing for the fight.

Going through the Course

Before beginning the course I read some basic articles on Active Directory, watched videos and walkthroughs, and finally set up my own virtual AD environment. After buying the course, you get portal access and a chance to choose your own lab start date. I took the 2-month lab subscription and chose to start the lab after 3 weeks of going through the study material. I did this because I wanted to learn as much as possible before doing hands-on work.

Things I learned during this phase:
— — — — — — — — — — — — — — — — — —
1. They started with the basics of Active Directory (which I very much liked). By this time I had a complete understanding of the fundamentals of AD, like what a Forest, Trust, Domain, ACLs, etc. are.
2. Next they start with Domain Enumeration, which is the most important section of the entire course, because if you skip this part, even if you learn all the attacks by heart, you won’t be able to pass this exam. Even in real life I find that enumeration and gathering as much information as possible about the target environment is the most crucial phase before actually doing any hacking.
3. They will also teach you about PowerShell and .NET. Nikhil Mittal sir is an exceptional person with extensive knowledge of Windows. This section teaches you what PowerShell is and how it works, what its defense mechanisms are, and how we can bypass them. Here is a slidenote on purple PowerShell.
4. Now comes the attacking phase. They teach you how to find misconfigurations and abuse them to gain more privileges than you previously had. Become a local admin of the first machine you get your hands on, pivot to other machines, and repeat the same process. Getting local admin comes with benefits, as now you have unlimited and unrestricted access to data on the machine. You can dump passwords from the LSASS process, Credential Vault, etc., using tools like Mimikatz.
5. Understanding Kerberos and the entire authentication and authorization process that goes on in the environment is crucial, as you will soon learn tips and tricks to escalate your privileges, not only on the foothold but in the Domain, using functionalities of Kerberos. They teach this part very thoroughly.

You can find the entire syllabus here, so I’m not going into details. Be sure that you will definitely learn all of it and more.

Accessing the Lab

Having some information beforehand really helped me move through the lab objectives more easily. I was now able to quickly put into practice what I had been learning. The labs can be accessed both using VPN+RDP and the web browser. I personally used the browser throughout my journey as I found its connection worked faster than when I RDP’d into it. However, to transfer local files you would need to set up RDP. This part will be important when they teach BloodHound, an essential tool to map out various attack paths in the domain, even the one vector which the naked eye could’ve missed.

At the time of writing, i.e. in 2024, the lab comes with a total of 23 unique Learning Objectives spread across 40 flags, which can be completed by answering the questions in the “Flag Verification” section of the portal. Once you finish all of these, you will receive quite a cool badge from Altered Security saying that you pwned the CRTP Lab, which I considered to be an achievement on its own.

Finally, The Certification Exam

I immediately scheduled the exam after my 2-month lab time. I didn’t waste much time waiting and feeling nervous, and thought taking the exam right away would help, as all the topics were still fresh in my mind. Throughout the entire course, I made so many notes, writing about everything (even the things I found too obvious). Making notes is a force of habit, and I also wanted to be completely prepared for the exam. Keep in mind that you will only get the machine IP of the foothold, a username, and a password. There won’t be any tools prepared for you, as there were in the lab, so you would need to transfer them yourself. You can simply drag’n’drop the tools you need in the web interface, or share a drive if using RDP. The exam is 24 hours long (+1 hour to set up and get the tools you need). Keep in mind that you won’t need all of them; around 6 or 7 tools is enough for the exam. I dropped in the tools I needed as I went through the exam.

Machines 1 and 2 were pretty straightforward and got pwned within some time. Machine 3 was tricky because in my mind I thought I had done everything. But I missed one essential part in the post-exploitation phase. My mistake was that I thought enumeration can only be done before exploitation, which is not the case. After gaining access to a machine, don’t miss out on any data from any nook and corner of it.

Not gonna lie, it took me around 10 hrs to gain code execution on all the machines. I immediately went to sleep, woke up early and started going through the exam again, as I still had a few hours left. I had been taking notes before, but this time I worked on beautifying the screenshots and arranging all the notes machine-wise. I finished the report in around 3 hrs and submitted it. I got the mail within a week stating that I passed the exam, and the certificate after 1–2 working days.

Drawbacks and Comparison with other courses

Honestly, the only drawback I found in this course is that they start teaching assuming that you already have a foothold in the target domain. In real-life assessments, though, we only get access to the target’s network, and then we have to do recon, compromise some domain user, use their credentials to gain the first foothold, and start enumerating the domain from there. I have already let Altered Security know my thoughts on this, and Nikhil sir said it could be added in the future. Apart from this, I absolutely loved the course, and his teachings will always be with me.

When it comes to other courses in the field (not gonna name any), what I’ve discovered is that they are too tool-dependent, or not many topics are covered in as much detail as in this one. In CRTP, they don’t rely on any patchable exploits; rather, they work on finding misconfigurations, which are very common in a real environment.

Conclusion

Please note that I am not a promoter or ambassador for Altered Security (even though I might have sounded like one :0). I just loved getting to learn so much about Active Directory and how to Attack and Defend it for enterprises.

Let me know your thoughts.


Written by Captain Pool

Information Security Analyst, Cyber Security Enthusiast, Computer Science Graduate.