CRTP Exam Review
Yup! It has been quite the wait for another post from yours truly. But you know, life happens. I appreciate the few of you reaching out about when the next blog post would be. I’ll try to be more consistent; no promises, though.
Now, with that said, let’s get into it. Well, you already saw the title, so you know what this is focused on.
I am a guy who was very weak when it came to Internal Penetration Tests and the abuse of Active Directory. Over the years I have gotten a better grasp of it, and as such I am always looking for the next challenge. In my head, I would think I am a “boss” at this, but despite my confidence, I’m always humbled by my peers in the field who remind me of the vast scope of Cyber Security. The beauty of this industry lies in its ability to keep you on your toes and prevent any complacency or arrogance. Typically, my focus during Internal Penetration Tests is on scripting in Python and utilizing GitHub repositories and Kali Linux tools on an engagement. Imagine my shock when I saw that this course and exam were focused on PowerShell exploitation. That blew my mind, and I was intrigued! 🤓
What it is
Altered Security’s CRTP program equips students with the knowledge and skills necessary to succeed in the Certified Red Team Professional examination. This rigorous exam encompasses a broad range of domains and involves exploiting numerous machines within a forest trust. In addition to demonstrating their ability to exploit these machines, exam takers are also expected to submit a comprehensive report detailing the steps taken and offering practical recommendations for “clients” to improve network security.
The Course
Altered Security offers exceptional coursework taught by Nikhil Mittal, an expert instructor who has developed various tools, including Nishang. The course content is delivered through a combination of video and PowerPoint presentations, as well as a lab guide and solution videos. After purchasing the course, students receive a confirmation email and a notification that the lab environment will be available within 24 hours. You can get more information here.
Initially, when I got access, I was a bit confused, but once you are patient and take your time, you will understand how to navigate the material successfully.
The course is heavily focused on PowerShell and provides tools for local download via OneDrive. Students are also provided with a student user VM that can be accessed through VPN or in-browser, containing all necessary tools for the lab. I used the browser while going through the material; it was a smooth experience, so I had no issues. Upon accessing the student VM, students are initially low-privileged domain users and must follow instructions to escalate privileges to a local administrator. Over 20 lessons, students are taught various concepts such as local and domain enumeration, privilege escalation, MS-SQL exploitation, machine-to-machine lateral movement via PowerShell, ticket creation, and domain and cross-domain trust exploitation. They utilize tools like PowerView, PowerUp, Mimikatz, and Rubeus, among others.
The lab guide is straightforward, offering step-by-step instructions for completing each task. Students are encouraged to submit 40 flags containing enumeration information such as user hashes, SIDs, and usernames. I did not go through submitting all the flags for each piece of course material; I got a bit frustrated because the wording was sometimes confusing. What they asked and what I interpreted were oftentimes not aligned with each other, so I just focused on reading the material and watching the walk-through videos, then attempted the tests my own way. Think of it this way: they asked where the apple is in the tree, and I answered, but it seems they were not referring to that particular apple. 😩
The Exam Experience
First and foremost, do you remember when I said I used the browser for the course and it was smooth? Please do not even attempt to use the browser on the exam. It was awful; just go straight to the VPN. I was five minutes in and switched to the VPN.
The exam lasts for a total of 24 hours, with an additional hour given to set up tools, and you can start whenever you feel “ready.” You’ll also have 48 extra hours to finalize and submit your report. To make reporting easier, I suggest taking screenshots and either compiling them in a Word document or saving them in a separate folder. I’ve read other reviews that criticize the Altered Security Team for providing a vague scope, but I personally did not have that issue. Perhaps it’s because I read many reviews before attempting the exam. There are six machines in total, with five of them requiring command execution. You’ll begin on a Student VM, and from there, you’ll attempt to exploit the other five machines. Keep in mind that achieving Administrator privileges on all machines is not necessary, as OS command execution is sufficient.
How I started the exam was a bit odd. I was just sitting and thinking that life was passing me by and I was running out of time to learn more in my field, so I just took the leap in the wee hours of the night and started the exam. I may have been a little bit arrogant, as I was determined I could finish this before the sun came up the following day and before the start of my day job. Man, I was so wrong. 😂 I should have taken the advice from many people about doing the exam over the weekend; I will not make that mistake again. Ultimately, the sun did come up while I was doing the exam, and juggling my day job while doing it was no easy feat. I was panicking a bit when I saw the hours counting down 🤪. After about 15 minutes I achieved what I needed to on the Student VM to pivot to the other machines. I was a bit stuck on the fourth VM but noticed that often, when things are not working in the exam, you have to restart the respective VM in question. It took me about 19 hours in total, if I am honest, and the remaining hours I used to focus on the report. This was important, as on a second review it turned out I had not captured all my screenshots, so I had to run through the same steps again for screenshots. There were times when tools I thought should work did not work, so I had to switch to another tool to achieve the same or a similar result. You’ll hopefully not have that issue. I’ll also add that the course material really helped; I had to go back once or twice to revisit a step in the exam that I was messing up on.
I should also commend the support team. They were always quick to respond, whether it was when you were just playing around in the lab environment or doing the exam itself. You needn't worry about being abandoned by the support team during your exam. After submitting your report, the support team will respond telling you it will take 7 business days for review (excluding Saturday and Sunday). After about 3 business days I got the email that I had passed and was told that my certificate would be provided in a week. I actually got it about 5 hours later.
Conclusion
If you are excited about this certification, here are some tips that can help you pass on your first attempt:
- Brush up on your Active Directory, do not take this for granted. Eat, breathe, sleep Active Directory.
- BloodHound, this cuts a lot of your work in half. This is a godsend. In addition to that, have it already set up on your host machine. You may or may not have issues trying to get it over into the exam environment.
- HFS (HTTP File Server) will help you a lot during the exam. Do not sleep on this tool.
- AMSI bypass and disabling antivirus: know this.
- Take breaks. I know the feeling of wanting to get done right away will be on your mind, but just taking a break can reset your brain in a good way. Don’t take too long of a break, though; the time does not stop counting down.
- Do not do a sloppy job of reporting. Reporting on any security engagement is what adds value to the completion of the project. You may have achieved the goal, but you can still fail with a sloppy report. Be as detailed as possible with your screenshots, commands used, and the remediations.
- Last but not least, restart the VM! Many times when things seem to not be working, a restart of the respective VM resolves the issue.
With the exception of reporting, all of what I mentioned is in the course and lab environment. All you need to pass the exam is literally in the course.
I 100% recommend this certification! I had a fun experience and found myself laughing and smiling while doing it. I am excited to deploy what I have learned on future projects and cannot wait to get started. I recommend this to everyone interested in abusing Active Directory. You will not be disappointed.