What is CRTP?
CRTP is the Certified Red Team Professional provided by Altered Security which is basically the certification exam for the Active Directory Pentesting. It is one of the most popular Red Team Certification out there and also completely beginner-freindly.
Topic Covered
- AD Enumeration
- Trusts Mapping
- Domain Privilege Escalation
- Domain Persistence
- Kerberos-Based Attacks (Golden ticket, Silver ticket, etc.)
- ACL Issues
- SQL Server Trusts
- Defenses
- Bypasses of Defenses and many more.
Back Story
Before the CRTP attempt I had minor experience on red teaming as I was already familiar with C2 , Malware Development, Obfuscation and power-shell attacks but still I choose Boot camp just to be 100% sure as its only 50$ extra. So I signed up with the Boot Camp edition sep’23 batch with 30 days lab access purchase option.
Boot Camp
The Boot Camp comprises four live sessions, occurring on consecutive Sundays within a single month, with each session lasting 3.5 hours and including a 15-minute break. Nikhil Sir himself teaches all the ppt and also do labs on the live session itself. you will be provided the recording of the live sessions also with password on dedicated bootcamp batch discord server. Yes can ask all the doubts to the dedicated bootcamp Discord server as well as the main altered security discord server crtp section. Both the server are equally active and you will mostly get your doubt cleared with in some minutes.
Is Boot Camp Worth It?
absolutely, paying 50$ extra and getting benefits of live session with nikhil mittal sir is totally worth it.
What you are getting.
- Live 3.5 hours session with nikhil sir
- Ask doubt on real time or ask on next session if you encounter during labs
- Dedicated Discord Serer for bootcamp batch.
- Recording of live session
- Course Completion Certificate ( once you complete all the lab you will also get the course completion Certificate also.)
CRTP Exam
CRTP exam can be started any time and has dedicated instance for the exam user. You can restart individual machine during the exam in case machine broke or some issue occurs. you have 24 hours to pass the exam and next 24 hours to submit the report. Exam taker need to get command execution on all the 5 machine across the forest not necessarily with admin privileges. Exam taker are free to use any tool even C2 but need to explain why you use that tool and its functionality.
Pre-Preparation
I solved the labs many times with different type of attack and made notes on cherry-tree. I even draw whole attack flow map on bubble.us as the brain strumming to understand what attack has to be perform when. I read all the medium and review blog of CRTP and one thing is common on all , that is ENUMERATE, I will say the same. I made up my mind that I won’t start exploiting until I do all the possible enumeration on initial machine so i even prepared a list of enumerate step on cherry tree to be preformed during exam I will suggest the same. I also prepared the report template ready just to make thing easy later after exam. I prepared necessary tools to my local machine and created a zip file of that so that it became easy for me to transfer my tools during exam.
link to my bubble.us note > click here
Exam Day
I woke up in the morning around 8:00 AM and after revising all the notes once more I started my exam around 8:45 AM, Exam environment took 15 mins to startup instance and environment which also gave compensate of that 15 mins to 1 hours extra so you will have around 24 hours and 45 mins exactly to complete exam.
Once Exam Started I preferred using OVPN to do exam because I had to transfer my tools to exam machine also. I struggled a bit during the transferring of the tools because of Anti-Virus Detection and other obvious reasons. After 20–30 mins I finally figured it out and it was silly mistake of mine which cost me around half an hours. After finally setting up my tools I started Enumerating the machines for like 2 hours or more and also was keeping the screen shots of each outcomes on my cheery tree notes.
My enumeration was solid that much I was sure. So I started Priv Escalation which is very straight forward and done it instantly.
Machine 2 is also straight forward but machine 3 was trickiest of all. Lucky I had all the logs of enumeration and due to enumeration I finally figured it out( ENUMERATION is the KEY).
Machine 4 was also straight forward here bloodhound came handy for me. But my exploit was not working so I had to restart the machine instance and it worked for the next time.
Machine 5 was the easiest one and took me around 10-15 mins to compromise that last machine.
so around 7:00 PM I compromised all the 5 machines and took me around 10–12hours.
I started making a report around 9:00 PM to 12:00 AM and report was almost ready but I was already feeling too sleepy so i decided to report on next morning as I had plenty of time left.
woke up early on morning and made some necessary change on report and finally sent the report. And after submitting report I instantly got the response back that its under evaluation and will get result within 7 business days but after 4 days I got my email that I have cleared the exam and got certification on next day.
Tips and Suggestions
- Have presence of mind during exam , know what you are doing
- Enumerate obviously :)
- don’t forget to bypass the script blocking and AMSI as well as AV real time on every new machine.
- Don’t Over-Complicate it just simple and just go for it.