CRTP Exam Experience And Review
Hello everyone! This blog is all about my CRTP exam experience and review. I have also mentioned some resources that you can refer to while studying for the same.
What is CRTP?
The Certified Red Team Professional certification is a fully hands-on program. To achieve this certification, you must tackle practical and realistic challenges within fully patched Windows infrastructure labs, featuring multiple Windows domains and forests.
The certification process tests your abilities to compromise Active Directory by leveraging features and functionalities, without depending on patchable exploits. The hands-on certification exam grants students a 24-hour timeframe to demonstrate their skills.
The objective is to perform OS command injection on all machines, no matter if you execute commands with admin privileges or lower privileges. After the exam, you are required to send a detailed solution report, including necessary screenshots, commands used, and your methodology.
Bootcamp And Lab Experience
I enrolled in the May Bootcamp of the CRTP, which cost $299. The Bootcamp includes 4 live lectures (1 lecture a week) of 3–4 hours each, instructed by Nikhil Mittal himself. Also, you get 30 days of lab access, which you can connect to via VPN or browser.
The course was very structured over 4 lectures with slides and live demonstrations of exercises covering enumeration, privilege escalation, persistence, lateral movement, bypassing techniques, and defense techniques.
You also get a link to join the Discord server, which is very active both at the time of lectures and after the lectures are over. It is strongly advised not to solve the labs during the lecture as you will need many discussions; instead, watch the lecture, make good notes, and then solve the labs. The Discord community as well as the Lab support team are very good and fast.
In the Lab, there are a total of 40 flags that you can find. Connecting to the Lab is easy since you can either use OpenVPN or your browser. You don't need to worry about installing any tools, as they are all already available in the lab. The lab runs smoothly, and if you need any help, fast support is always available. However, some of the flag descriptions can be confusing, making it hard to understand what they are asking for.
All the lecture slides, lab manual, recordings of the sessions, and tools are also provided via OneDrive.
Exam Experience
Read all the instructions given for the exam carefully. You won’t want to miss anything and get yourself in unwanted trouble.
My bootcamp ended on June 4th, lab access around June 14th, and I took my exam on July 22nd. You do not need to schedule the exam and can directly start it from the portal.
The exam environment takes around 10–15 minutes to get set up, and you are provided with a VPN file and credentials for a web connection. There are no tools installed on the machine like there were in the labs. Therefore, you are required to install tools from your local machine.
The exam is a 24-hour, completely hands-on experience. Once started, the exam lab runs for 25 hours. You get an additional hour to compensate for the lab setup time of 10–15 minutes. Further, you are required to submit a detailed report within 48 hours of exam completion.
The exam lab has 5 target servers, which are spread across domains and have different configurations and applications running on them. Initially, you get access to the “user” VM and from there, enumeration, escalation, and all other stuff need to be done.
I started my exam around 11:45 a.m., and the very first step I took was to transfer the tools that I felt would be needed for the exam. Defender is enabled, so you need to find a way to install the tools there from your local machine, or they will get blocked by Defender.
Getting local admin access on the initial machine is very easy, but I got stuck for around 4–5 hours trying to get a shell on the 1st target machine. Due to some minor mistakes, I was unable to get the shell. After a few tries, I got the shell, and from there, I really started enjoying the exam. The process is somewhat like: get shell > enumerate, Mimikatz / BloodHound > find possible credentials/hash > pivot to another machine > repeat till final target.
My lab and lecture notes were not too good, which is a very bad thing as you will rely on your notes so much, and public exploits won’t work here. At around 4 AM, I was able to get OS command injection on all the machines and hence compromise the server.
I was able to complete my exam in around 16–17 hours, which included breaks totaling 3–4 hours. While solving the machines, I simultaneously took all the screenshots and wrote short notes so that I could remember what I did while writing a complete and fair report. It is strictly written that even if you solve the machine, a poorly written report may cause you to fail. Later that day, I documented a well-written report with all the screenshots and steps and sent it to the given email address.
Timeline
July 22nd: Exam Started (11:30 a.m.–July 23rd, 4:00 a.m.)
July 23rd: Submitted report (around 9 p.m.)
July 26th: Received result
July 26th: Received Certificate (after a few hours of getting the result)
Points To Remember
→ Make proper notes of the course and all the labs
→ Set up your BloodHound, and prepare your scripts if you need changes, before the exam
→ Take breaks while giving the exam
→ Take your time to enumerate thoroughly, and then go for the next phase.
→ Don’t skip course content or labs
→ Make sure to take all the screenshots, as you won’t want a poor report.
Resources and Blogs
https://github.com/0xJs/CRTP-cheatsheet
https://www.docdroid.net/mfEnYay/crtp-notes-meshari-almalki-pdf
https://www.youtube.com/playlist?list=PL1l78n6W8zypXtkh3uWIXbPssc4IGbfb5
https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet#readme
https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/