Certified Red Team Professional (CRTP) exam & course, my experience
TL;DR I heard about Pentester Academy and CRTP recently and wanted to give it a try, learned a lot, and passed my first 100% hands on exam. Previous self study for other exams, particularly Microsoft ones helped. Prior home labbing helped a ton.
Exam Reviews
Altered Security Certified Red Team Professional (CRTP)
eLearn Junior Pentester (eJPT)
ISC2 Certified in Cybersecurity (CC)
Disclaimer; I am not a pentester. I have worked everything from service desk to change management & procurement to junior admin to auditing. I am an unashamed Windows guy and use a fair amount of PowerShell and AD in audits. I have passed 2 prior exams that included a hands on portion.
Notes that I used during the course and exam are here, along with some stuff I learned afterwards that would have been useful at the time.
Part I: Mimikatz cheatsheet
Part II: Set-Acl cheatsheet
Part III: Get-Acl cheatsheet
Part IV: Enumerating AD cheatsheet
Part VII: The Credential Theft Shuffle
Forging Tickets & Abusing Trust Relationships
Annex C: Dangerous Rights Cheatsheet
Background
First off, the CRTP is an incredible deal at $500 for the course, 3 months of lab access, and an exam voucher. The exam is 100% hands on and includes writing a report. You are given Domain User access to a VM in a Windows domain and have 24 hours to do what you can. Following that you have 48 hours to write a report and submit it.
The course does not cover name poisoning, MITM6, malicious macros, phishing, exploiting unpatched systems, etc. It is called Attacking and Defending AD for a reason. There are no users in the lab and the systems are fully patched.
The Lab
The lab and the exam both offer web browser and RDP over VPN access. I only used the web browser access for about 5 minutes in the lab. RDP is just too convenient. You have to
- use a specific version of OpenVPN (https://openvpn.net/index.php/open-source/downloads.html)
- drop the config files they provide you into C:\Users\<local-user>\OpenVPN\config\
- RDP to the IP they give you
Importantly RDP allows you to easily
- copy/paste commands from your notes into the VM
- take screenshots and save them to your local system
- copy/paste files & tools from your local system to the VM
This is critical during the exam as there are no tools provided on the VM and you will need LOTS of screenshots for the report. The only tools required are those from the lab. You can either copy/paste them from the lab or download them from the course. The trick is to keep the tools and your notes handy for the exam.
The lab and exam systems are all fully patched. This course is not about vulnerability scanning and Metaploit. It is about enumerating users and computers in AD, ACLs, GPOs, etc and then taking advantage of misconfigurations. It is about everyone’s favorite dance move ‘The Credential Theft Shuffle’ (Sean Metcalf’s term). You will PTH, PTT, Kerberoast, ASREProast, and play around with Mimikatz and PowerShell in general. The point is to compromise accounts, move laterally as needed, and escalate to Enterprise Admin.
The lab and the exam environments were quite similar, as Pentester Academy states on their site. Lots of practice and trial & error in their lab was critical when it came to the exam. For example I used PowerShell_ISE for everything in the lab, then found that reverse shells with Invoke-PowerShellTcp.ps1 would connect and freeze. Bind shells with Powercat.ps1 would do the same. I realized that I had to use PowerShell, not PowerShell_ISE, to catch the reverse shell.
The Exam
The exam itself required a little creativity, thinking outside the box, and Google. I started it around 08:30. All you do is login to their portal, hit a button, confirm, and they provide you with the OpenVPN config files, login, and start the 24 hour timer.
I got quite stuck at two points. I had planned on taking the exam on my desktop, but ended up just taking it using my laptop on the living room couch while hanging out with my wife. She had some sitcom up on Hulu, which actually turned out to be a good thing. Had I been shut up in a room alone I might have been more frustrated.
I was about 8 hours in before I managed to break the whole thing open. The rest of the exam went pretty quick after that, once I got the Cory Hart song Never Surrender to stop repeating in my head. I made some notes on the path I took through the environment, made sure I had plenty of screenshots, found a report template on Google, and went to bed just after midnight.
Admittedly I pretty much did nothing except get up and get some light exercise the next morning. I started on the report around early afternoon and finished it up around midnight while taking plenty of breaks. I treated it like a college paper since Pentester Academy didn’t give much guidance besides “make sure you explain why a tool worked and what it did”. I made up a fictional security testing company and described what we did to compromise the “client’s” domain. My report included
- Cover sheet with fictional company name & logo
- Table of Contents
- Executive Summary
- Overview
- Scope
- Methodology
- Findings
- Recommendations to Mitigate
- Closing
- References
The findings included lots of screenshots. I put a table of tools used and what they are for in an appendix. There was a table of systems and their details in the section on scope. I didn’t bother with any diagrams. My report ended up being around 3,600 words. I got the email I had passed a week after report submission.
Tips
- Take two days off work for this exam. The course was all online and self paced, so I didn’t take a week off work like most bootcamp style courses. Do take the two days for the exam and the report.
- Put your OpenVPN config files, notes, scripts, tools, etc on Google Drive, One Drive, whatever solution you use. This came in really handy so I could do the lab or exam from any of my systems.
- It sounds obvious, but I recommend keeping a small whiteboard handy during the exam. I used one of those cheap Walmart magnetic fridge whiteboards to jot down target systems and relationships
- You have access to a VM via RDP. It’s a real OS, not some dinky web based thing like EC Council’s CEH lab, and it does not change during the lab or the exam unless you change it. You can enable RSAT, update the .NET framework, add any tools you want like nmap, really anything that does not require Internet access.
- I am preferential to PowerShell_ISE. 99% of the lab worked fine in PowerShell_ISE, reverse & bind shells were the only exception.
- There’s no IDS, SIEM, etc in the course. Being sneaky does not get you extra credit. The focus is on enumeration, gaining access, and knowing how to mitigate with preventative measures.
- Previous experience with Windows domains helps. However I felt like taking good notes, lots of practice in their lab, thinking outside the box, and Google Fu were the keys to CRTP.
Summary
My work paid, but regardless the course Attacking and Defending AD, 3 months of lab access, and CRTP exam voucher are an incredible deal for $500. If your organization uses a Windows domain then I highly recommend this course. A good audit is practically indistinguishable from enumeration, hence this course is not just for pentesters.
References:
