Certified Red Team Professional (CRTP) Review and Preparation Tips

Cyd Tseng
Published in InfoSec Write-ups
5 min read · Dec 25, 2024

Looking to take up the CRTP challenge? Here’s my review and some preparation tips.

CRTP Logo (Credits: Altered Security)

Background

By day, I work on application security and web application penetration testing. I decided to take up the CRTP assessment from Altered Security as a personal challenge and learning opportunity to prepare for the OSCP+.

I completed TCM Security’s PNPT assessment prior to the CRTP. The PNPT is brilliant and I took away solid methodologies and concepts regarding network penetration testing across Windows and Linux machines. Inevitably, there were some overlaps in the techniques presented in both courses, but I felt that the CRTP offered a unique learning opportunity in these specific areas:

  • A methodology of using PowerShell and Windows command line in a more in-depth manner.
  • Covers even more AD attack vectors on top of the ones that PNPT teaches, such as abusing ADCS, database links, different types of delegation, domain trust relationships and many more.
  • Pure Windows methodology, no Linux machines involved.
  • Understanding of Microsoft Defender for Endpoint (MDE) and Microsoft Defender for Identity (MDI) and bypass techniques.

Course Review


Over the span of 2 months, I spent approximately 3 hours each day after work as well as during the weekends to routinely tackle the course videos and the respective labs. The course videos essentially consisted of recordings of instructor Nikhil Mittal’s lectures, combined with hands-on demos of a full attack chain, commencing from an assumed breach scenario. The hands-on demos were great, as the occasional issues Nikhil encountered when issuing commands were helpful later when troubleshooting similar problems in our own labs.

If you wish to skip the videos, there are PDFs and slides that are provided for studying as well. Along the way, I took note of crucial attacks and associated tools and commands within my Notion cheatsheet.

I encountered occasional technical difficulties when tackling the labs on my student virtual machine but the Altered Security staff were prompt and responsive when I sought assistance via the dedicated Discord channel.

Exam Tips

Right before Christmas of 2024, I undertook the CRTP assessment and promptly submitted my report upon the completion of the exam. Within a business week, I received official confirmation of my successful certification.

These are some tips for tackling the CRTP assessment that would hopefully be helpful to you:

Thorough Enumeration

  • CRTP is focused on weaponizing misconfigurations within an Active Directory environment, rather than hunting for one-off, easily patched software vulnerabilities.
  • Thus, extremely thorough enumeration becomes even more crucial for us as attackers to plan out a viable attack path: machine configurations, mapping of trusts, listing group policies, accessible machines, available tickets, delegations, services, user privileges and much more.
  • This also explains why taking notes during your studies and having a cheat sheet are essential for methodically assessing the AD environment.

Tools and Transfers

  • Note that no tools are provided out of the box on the provided attacker machine. Hence, prepare your arsenal of (functional) scripts / binaries before starting the exam AND be familiar with multiple ways of transferring them between Windows machines.
  • Do NOT let chores like transferring tools and simply trying to get them working properly become your downfall!
  • A given transfer method may not always be viable and may fail in some scenarios, so do not rely on just one file transfer technique.

Google it

  • Copying and pasting instructions directly from your cheat sheet or from the lab manual will not work in several situations. Do a quick online search to understand the limitations of your tools and the thought process behind a command, and look for blog or forum posts that resolve issues of a similar nature.
  • Being proficient at on-the-spot research and troubleshooting will most certainly help you successfully complete the CRTP assessment.

Right before your eyes

  • Make sure to carefully read the results of commands. Sometimes, the stepping stone to laterally move to the next machine was right in front of my eyes, yet I continued pursuing other potential avenues of attack simply due to overlooking those nuggets of information.

When in doubt, restart

  • After running commands against certain machines in the exam environment, I encountered responsiveness issues or was not receiving expected results. To tackle this, we are given the option to restart individual machines throughout the exam and it was most certainly a lifesaver in these scenarios.

Diligently screenshot

  • Take LOTS of screenshots. With the number of terminals that may be open at once, I sometimes lose track of the steps taken to reach a certain stage of an attack.
  • To save you from the pain of having to backtrack several times, it may be helpful to routinely take screenshots of every important command issued, together with the response.
  • The screenshots also come in handy when crafting your detailed report for submission to Altered Security for grading.

Published in InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Written by Cyd Tseng

CRTP | PNPT | eWPT | PJPT | eJPT | CCSK | CEH | AWS CCP | ARTA | CCZT | FTIA | https://github.com/cydtseng
