TL;DR There are no CPEs, or CEUs as CompTIA calls them, for the CRTP. You renew it by taking a shorter version of the certification exam.
Exam Reviews
Altered Security Certified Red Team Professional (CRTP)
eLearn Junior Pentester (eJPT)
ISC2 Certified in Cybersecurity (CC)
Microsoft Applied Skills Administer AD DS
TCM Practical Junior Penetration Tester (PJPT)
Altered Security CRTP renewal exam
Disclaimer; I am not a pentester. I have worked everything from service desk to change management & procurement to junior admin to auditing. I am an unashamed Windows guy and use a fair amount of PowerShell and AD in audits. I had passed 2 prior exams that included a hands on portion before passing CRTP and took three hands on exams between CRTP and the CRTP renewal exam.
First off, the CRTP was an incredible deal at $500 for the course, 3 months of lab access, and an exam voucher. The exam is 100% hands on and includes writing a report. You are given Domain User access to a VM in a Windows domain and have 24 hours to do what you can. Following that you have 48 hours to write a report and submit it.
The course does not cover name poisoning, MITM6, malicious macros, phishing, exploiting unpatched systems, etc. It is called Attacking and Defending AD for a reason. There are no simulated users in the environment and the systems are fully patched.
Notes that I used during the course and exam are here, along with some stuff I learned afterwards that would have been useful at the time.
Background
About a year ago Altered Security emailed me and let me know that as soon as they had created a renewal process for CRTP they would let me know. Well, they emailed me last month and let me know; I could renew CRTP by taking a free ‘mini exam’. It was described as a shorter version of CRTP with 3 VMs to compromise instead of 5, escalation to Domain Admin rather than Enterprise Admin in a parent domain, and no report required.
The catch; you only get 8 hours. 3 VMs in 8 hours rather than 5 VMs in 24 hours? Is it really a shorter version of CRTP or just CRTP with a stricter time crunch?
I took it and found out.
The Lab
CRTP’s lab was pretty good three years ago. I continue to hear good things, but the free renewal attempt does not include lab access, that costs extra. I have been doing TryHackMe, including of course their AD content, did Administering AD DS from Microsoft, did PJPT, screwed around in the home lab, and automated creation of a few lab environments in Hyper-V; one for PJPT and another one that goes more in depth.
The problem is that I had been doing everything from Kali. I learned a lot, but I was using Responder, enum4linux, smbclient, Impacket, evil-winrm, xfreerdp, etc rather than tools that are run from a compromised Windows domain workstation.
Altered Security gives you free access to the updated course videos, lab PDF, and tools on https://adlab.enterprisesecurity.io/. I unwisely did not go through any of that before the renewal exam and walked into it cold.
On a sidenote it’s really awesome of Altered Security to provide ongoing free access to the course videos, PDFs, and lab tools as they update them. SANS provides updated course books in PDF format when you renew their certifications, but renewing SANS certs isn’t free.
The Exam
The renewal exam gives you 8 hours to get into 3 VMs and escalate from Domain User to Domain Admin. The initial access VM doesn’t count, so there are 4 VMs in total in the exam environment. There is no report required, you simply submit the Domain Admin’s NTLM hash as proof that you owned the domain.
Much like CRTP did three years ago, the renewal exam required creativity, thinking outside the box, and quite a bit of pestering CW6 Google. Unlike the CRTP exam, the renewal exam does not provide an OpenVPN config file. They simply use a public IP on the initial access VM and put multiple NICs on it so it also connects to the private IPs of the other VMs.
I had a moment of panic, thinking that Altered Security had failed to give me an OpenVPN file and I wouldn’t be able to connect. Shortly the realization sunk in that I couldn’t simply use OpenVPN on Kali to directly hit the target VMs.
At that point I began downloading the roughly 1 GB Tools.zip from Altered Security’s shared OneDrive, which took a lot less time than unzipping it once it was downloaded.
I RDPed to the initial access VM using the provided Domain User credentials and realized that unlike the CRTP exam three years ago, Altered Security now leaves Defender turned on and expects you to bypass it and escalate to local admin.
I was very fortunate that Altered Security gives you an extra hour to account for the time it takes for the exam environment to spin up. I only had about 20 minutes left on the clock when I submitted the Administrator’s NTLM.
I can’t say too much about the exam of course. I can give some tips. The first one, obviously, is to download the Tools and peruse the lab PDFs before starting your exam. Don’t do what I did and walk in cold.
I was Googling like a madman, going through my notes from the CRTP exam three years ago, had probably 20 Chrome tabs and 4–6 text files open, I even watched the course video on AD CS enumeration and abuse during the exam. In the end though I made a little magic happen in the CLI. A pass is a pass, even one as ugly as that one was.
Altered Security emails you almost instantly after you input the hash and shows your new expiration date on the site. Next time I’ll be sure to prepare better.
Tips
- Take the day off work for this one, or have a Saturday completely free with no errands that need done. I’m sure plenty of people smarter than myself can knock this thing out in 2 hours or less, but I needed almost the entire 9 hours.
- Have your notes from the CRTP exam handy. They only changed a few things and added some new things, but the core is still the same. Having those notes handy was the one thing I did right.
- I’m preferential to PowerShell_ISE, but if something hangs in that try PowerShell. Some of the tools don’t like the ISE.
- There’s no IDS, SIEM, etc in the exam. Being sneaky does not get your extra credit.
- There is Defender now. Know some common tricks to bypass it before you start your renewal exam, as you do not have local admin on the initial access VM until you gain it. Therefore you must bypass Defender before you can completely disable it.
- Enumerate everything! Do not overlook delegations of rights in DACLs. They got sneakier in the last 3 years. The misconfig might not be as simple as reset password rights on another user or being able to join a group. Know what ‘Dangerous Rights’ in AD are, how to enumerate them, and how to abuse them.
- Dump everything on every system you access! Don’t just dump the LSASS and SAM, but forget about credman.
- Brush up on AD CS enumeration and abuse! This topic was added since I did CRTP three years ago.
- I had to download a few additional tools to get through the exam that weren’t included in Tools.zip from Altered Security. One of their tools also wasn’t working correctly, so I grabbed a fresh copy off GitHub. Don’t limit yourself to what’s in Tools.zip.
- Previous experience with Windows domains helps. However I felt like taking good notes, lots of practice in their lab, thinking outside the box, and Google Fu were the keys to CRTP.
Tools used
- PowerUp.ps1
- PowerView.ps1
- Invoke-Mimikatz (Invoke-Mimi in newer Tools.zip)
- PowerMad.ps1
- Rubeus.exe
- PsExec.exe (part of Sysmon’s PSTools suite)
- HFS.exe (to host Invoke-Mimi, Invoke-Expression to execute it remotely)
- Certify.exe
- openssl.exe
- PowerShell itself, used heavily. One can complete the entire exam using only the CLI.
- dsa.msc, aka ‘Active Directory Users & Computers’, mostly just to enumerate visually
Note; I did not use BloodHound. I’m not sure it would have helped. I was short on time due to my lack of preparation. I ended up just moving laterally to whatever I could without attempting to map an attack path first.
Summary
My work paid, but regardless the course Attacking and Defending AD, 3 months of lab access, and CRTP exam voucher were an incredible deal for $500. The updated course material, tools, and renewal exam are completely free. Should you require a second attempt to pass, and I almost did, then it is $39.
Only Microsoft matches Altered Security here as Microsoft Learn is free, they give away evaluations of almost all their stuff, and renewing their certifications only requires passing a free online quiz.
CompTIA charges $50 a year, EC Council $80, ISC2 $125. They are all flat rate though, regardless of the number of certs you hold. SANS charges an eye popping $439 every four years for the first cert renewal and $239 each for any additional certs. It’s not a flat rate and it adds up really, really fast.
Hence I really appreciate organizations that keep their prices down like Altered Security, Microsoft, eLearnSecurity, The Cyber Mentor, and others.
Just don’t go into the CRTP renewal exam cold. Use the free resources they provide you and prepare. This exam was NOT a ‘check the block’. It was a really good, in depth, challenging, hands on exam.
My thanks to Nikhil Mittal and everyone at Altered Security for providing a free, educational, and hands on renewal exam!
References
Abusing GenericWrite: https://notes.morph3.blog/abusing-active-directory-acls/genericwrite
More abusing GenericWrite: https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution
PowerMad: https://github.com/Kevin-Robertson/Powermad/tree/master
PsExec: https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
Good repo of compiled attacker tools: https://github.com/r3motecontrol/Ghostpack-CompiledBinaries
Certify source & how to use the tool: https://github.com/GhostPack/Certify
Enumerating & abusing AD CS templates: https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-misconfigured-certificate-template-to-domain-admin
Good, in depth attacking AD cheat sheet: https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet