Certified Red Team Professional (CRTP) by Pentester Academy – exam review

After three weeks in the lab, I decided to take the CRTP exam over the weekend and successfully passed it by compromising all the machines in the AD. I had very, very limited AD experience before the lab, but I do have OSCP, which I found extremely useful for learning how to approach and prepare for the exam.

The practical exam took me around 6-7 hours, and the reporting another 8 hours. In this article I’ll talk about the lab, taking notes, the exam, reporting and resources. If you want to talk about it, you can write to me on Twitter @msd0s7. If you are interested in Azure and Azure AD, you can read more about my experience with CARTP (Certified Azure Red Team Professional), also from Pentester Academy.

Lab

The lab access was granted really fast after signing up (<24 hours). I found it easy to connect to the student VM using the browser, and all the tools needed for the attacks were already there and working. I think this is an underrated aspect of this course: everything works very well and I didn’t have to spend time installing tools, dependencies, debugging errors and all the shit. The lab was very well aligned with the PDF and videos, such that it was possible to follow them step by step without issues.

Support was very responsive – I once crashed the DNS service during the DNSAdmin attack and asked for a reset instead of waiting until the next day, which they did (thanks!).

There were around 40 flags to be collected, out of which I found ~35. Some flag descriptions were confusing and I couldn’t figure out what exactly they were asking for.

Notes

For each video, I would follow along with what was done regardless of how easy it seemed. I took notes for each attack type: what can be achieved, what the vulnerability is, how to perform it, what tools can be used, etc. Also, for each attack, I would skim through 2-3 articles about it to make sure I didn’t miss anything. I’m using GitBook for that, so I ended up with a quite large tree structure, but it was really useful as I always knew where to look for help:

  • Defense
  • Persistence
    • Local admin
    • DSRM
    • DCSync
    • DCShadow
    • Skeleton Key
    • Silver ticket
    • Custom SSP
    • SDDL
    • ACLs
    • AdminSDHolder
    • Golden Ticket
  • Bypasses
    • Restricted mode
    • PowerShell Obfuscation
    • CLM bypass
    • AMSI bypass
    • Windows Defender
  • Lateral Movement
    • Transfer files
    • Mimikatz
    • PSSession
    • Invoke-Command
  • Enumeration
    • User Hunting
    • Honeypots
    • Bloodhound
    • Trusts
    • ACL
    • GPO
    • Services
    • DC enum
  • PrivEsc
    • MSSQL links
    • Kerberoasting (notes)
    • Kerberoast – classic
    • Kerberoast – AS-REP
    • Kerberoast – Set SPN
    • DNSAdmin
    • Enterprise Admin
    • Cross Forest Trust
    • mitm6
    • Unconstrained delegation
    • Constrained delegation
    • Local Privesc

Exam

Before the exam I prepared everything I knew I would need: report template, all the tools, BloodHound, PowerShell obfuscator, hashcat, password lists, etc.

After the exam lab was set up and I had connected to the VM, I started to perform all the enumeration I had seen in the videos and taken notes on. Since I wasn’t sure what I was looking for, I felt a bit lost in the beginning, as there are so many possibilities and so much information (analysis paralysis, anyone?). It helped that I knew some of the tools would not work or perform as expected, since they mention this on the exam description page – so I went in without any expectations 🙂 I literally expected I would have to google alternative tools during the exam.

After around 2 hours of enumeration I moved on to another box. Then I saw a very interesting attack scenario and my focus shifted to getting there, which was the most challenging part of the exam. I got domain admin privileges around 6 hours into the exam, and enterprise admin was just a formality.

Some advice that I have for any kind of exam like this:

  • enumerate and review – make sure to have a list of enumeration steps that you want to perform; if nothing interesting shows up, enumerate again: different tools, parameters, strategies. You have 24 hours, so don’t rush and don’t get freaked out when you can’t find anything. Finding it is the hardest part; once you have it, the exploitation should be a walk in the park
  • take breaks to celebrate – I took a break after every small step that I made; it helped me relax knowing that I was one step closer to the objective, and to think about it in perspective. “What can I do now with the user/box/hash/etc. that I got?”
  • don’t overlook, but don’t go into rabbit holes either – when you find something, try it out – don’t assume it doesn’t work until you try. But don’t give up too easily either. I think it’s a fine line on how hard you should try before moving further, and that comes with experience. Fortunately I didn’t get into any rabbit holes, even if it felt like there were some red herrings lying around (but they could have been alternative paths as well!)

Reporting

I did the reporting during the 24-hour time slot, while I still had access to the lab. I was tired, but I wanted to finish everything before going to bed. I took screenshots and saved all the commands I had executed during the exam, so I didn’t need to go back and reproduce any attacks due to missing proof. My final report had 27 pages, with lots of screenshots. After I submitted the report, I got a confirmation email a few hours later, and the statement that I passed the following day.

Resources

I know there are lots of resources out there, but I felt that everything that I needed could be found here:
