CRTP Certification : My Experience

Rhitik Wadhvana
6 min read · Mar 5, 2022

Last Saturday, i.e. 26th Feb, I attempted the CRTP certification exam by Pentester Academy. I am writing this to share my experience with you all. Read till the end for some tips :)

COURSE:

The course name for this certification is ‘Attacking and Defending Active Directory’. It covers the following concepts -

  1. Local Privilege Escalation — Using PowerUp, beRoot, Invoke-PrivEsc
  2. Domain Enumeration — Using PowerView and Active Directory module
  3. Lateral Movement — Using PowerShell Remoting, Mimikatz
  4. Domain Privilege Escalation — Kerberoast, AS-REP Roast, Constrained and Unconstrained Delegation, etc.
  5. Persistence — Golden Ticket, Silver Ticket, Skeleton Key, AdminSDHolder to name a few.
  6. Cross Trust Attacks — Privilege Escalation from Child Domain to Parent Domain and across Forest using Trust Tickets and krbtgt hash, Abusing MSSQL Servers
  7. Detections and Defenses — for each attack, Architectural Changes, Deception, etc.

The course material includes 26 videos totalling 14 hours, which are absolutely amazing. Nikhil Mittal has done an amazing job explaining the concepts! Try to make notes of what you learn, because there are so many techniques that you might forget some of them after a while.

Although the course starts with the basics of Active Directory, it is recommended to have a basic understanding of Active Directory beforehand, which you can easily get from YouTube.

Once you purchase the course, you can start your lab any time within 90 days. And to attempt the CRTP exam, another 90 days are given after your lab time expires.

LABS:

From the 30-, 60- and 90-day lab options, I opted for the 30-day lab as I felt it was enough, and I was able to complete the lab exercises multiple times. However, if you can only spare time to study on weekends and you are completely new to AD, then I would suggest the 60-day lab.

The lab experience was astonishing! Kudos to Pentester Academy for keeping the lab stable and easily accessible, and for making all the tools run right off the bat. Their AD lab support team is super responsive. They activated my lab time within 3 hours of my informing them and always replied to queries within an hour :)

You can access your lab machine via browser or VPN (using RDP). All the tools used in the course are already present on the student machine. However, you are free to transfer and use any tool of your choice.

The course and the lab environment focus on exploiting misconfigurations in AD rather than public exploits, CVEs, etc., which I found to be great.

There are 23 learning objectives for the labs. Don’t hesitate to refer to the lab manual when you are doing them for the first time, as I noticed a few things that were updated in the lab manual but not present in the course videos.

EXAM DETAILS:

For the CRTP exam, you start with a student machine similar to the one in the labs (with limited privileges), and you have 24 hours to compromise the whole forest (5 machines excluding your student machine). By compromise, I mean you need to get OS command execution on all 5 machines (not necessarily with administrative privileges). Unlike the labs, no tools are provided on the exam machine. You need to transfer them from your local machine.

After the 24-hour exam time expires, you get an additional 48 hours to submit the exam report. As per Pentester Academy,

“The report must contain detailed walk-through of your approach to compromise a box with screenshots, tools used and their outputs. You are free to use any tool you want but you need to explain what a particular command does and no auto-generated reports will be accepted. A report suggesting practical mitigation and citing open source tools, talks and blog posts will score higher.”

You don’t have to schedule your exam. You can take the exam whenever you feel like you are ready. Just press the ‘Start Exam’ button and there you go…

EXAM EXPERIENCE:

I started my exam on 26th Feb at 9 a.m. I transferred the required tools to the exam machine and started with the enumeration.

Although I found one or two potential vectors to start the lateral movement with, rather than jumping straight into exploiting them, I noted them down and continued with my enumeration. Why? To compare the avenues and avoid rabbit holes :)

I enumerated using PowerShell tools and BloodHound, and kept note of everything that looked fishy. So, I spent the initial 1.5 hours only enumerating things.

Now, with all the information ready, I chose the attack vector and started exploiting it 😎. Guess what? I ended up in a rabbit hole and wasted an hour.

But then I found the correct technique and compromised Machine #1. From there, Machine #2 took just 15 minutes. Machine #3 was also not too difficult; it just needed a bit deeper enumeration. Machine #4 took some time, but the time I had spent earlier on enumeration helped here, and I compromised that one too within an hour. Finally, Machine #5 was also straightforward.

All in all, it took me about 7 hours to compromise the whole forest (of course with breaks :-P). By then I already felt too exhausted to get started on my report. So I verified that I had all the required screenshots and ended the exam. I created a 28-page report the next day and submitted it to the AD lab team.

I would say all you need for the exam is there in the course. Just understand the concepts and commands well, develop a strong enumeration methodology, and you are good to go.

SOME TIPS:

  1. If you are new to Active Directory and find a few terms in the course difficult to understand, that is normal. Simply Google them. I am sure you will find an article/blog/video explaining them more simply than the course does.
  2. While going through the labs and lab manual, make a cheat sheet of all the commands you used. When doing the lab exercises for the second time, don’t look at the manual. Just follow your cheat sheet and do it. Trust me, it won’t take much time and will help you a lot at the time of the exam.
  3. If you are done with all the lab objectives and still have some lab time left, then I would suggest trying other AD pentesting tools, e.g. Linux command-line tools such as Impacket. To access the lab from your Kali VM with the VPN connected, set the VM’s network adapter to NAT. You may need to add the IP of the Domain Controller and the domain name to your /etc/hosts file for the Impacket tools to work properly. You may not require these tools for the exam, but they will definitely help you learn something new! Also, the lab resets every 24 hours, so don’t worry about breaking anything.
  4. In the exam, enumerate everything well, even if it takes time. Develop a checklist if possible. It will certainly help.
  5. Keep taking notes of everything you find in the exam: domain, forest, DC, machines, their IP addresses, open ports, usernames, passwords and hashes, and anything that looks fishy to you.
  6. Take screenshots after compromising each machine. Don’t wait till the end to take all the screenshots. Just verify them at the end.
  7. If you are done with the exam early and have some hours left before the exam time expires, then prepare a draft report with one-line explanations and screenshots. This way you will get to know whether or not you have missed any screenshots. Also, prepare a report template in advance if possible to save some time.
  8. Don’t forget to take breaks. It helped me a lot in the exam :)
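For tip 3, here is a small POSIX shell helper (an added example, not from the original post or from Pentester Academy) that adds the DC’s IP, its FQDN, its short hostname and the domain name to a hosts file idempotently, refusing to add a second conflicting mapping for the same DC, and a function that reads a name back from that file. The IP 10.10.10.5, the hostname dc.lab.local and the domain lab.local are constructed placeholders; the file path is a parameter so you can try it on a scratch copy before running it with sudo against /etc/hosts.

```shell
#!/bin/sh
# Added example: keep /etc/hosts entries for the lab DC tidy so Impacket
# tools resolve both the DC and the domain name. Values are placeholders.

# add_dc_hosts_entry FILE IP FQDN DOMAIN
# Appends "IP FQDN SHORTNAME DOMAIN" to FILE unless that exact line already
# exists. Prints 1 if a line was added, 0 if it was already present, and
# returns 1 (adding nothing) if FQDN is already mapped to a different line.
add_dc_hosts_entry() {
    file=$1; ip=$2; fqdn=$3; domain=$4
    short=${fqdn%%.*}                      # dc.lab.local -> dc
    line="$ip $fqdn $short $domain"
    if grep -qxF "$line" "$file" 2>/dev/null; then
        echo 0
        return 0
    fi
    # Refuse to silently add a second, conflicting mapping for the same name.
    if grep -qiwF "$fqdn" "$file" 2>/dev/null; then
        echo "conflict: $fqdn is already mapped in $file" >&2
        return 1
    fi
    printf '%s\n' "$line" >> "$file"
    echo 1
}

# resolve_from_hosts FILE NAME
# Prints the IP mapped to NAME (case-insensitive) in FILE, skipping comments.
resolve_from_hosts() {
    awk -v name="$2" '$0 !~ /^[[:space:]]*#/ {
        for (i = 2; i <= NF; i++)
            if (tolower($i) == tolower(name)) { print $1; exit }
    }' "$1"
}

# Demo on a scratch copy (constructed values), so nothing touches /etc/hosts.
tmp=$(mktemp)
add_dc_hosts_entry "$tmp" 10.10.10.5 dc.lab.local lab.local   # prints 1
add_dc_hosts_entry "$tmp" 10.10.10.5 dc.lab.local lab.local   # prints 0
resolve_from_hosts "$tmp" lab.local                            # 10.10.10.5
rm -f "$tmp"
```

To apply it for real, call add_dc_hosts_entry with /etc/hosts as the file under sudo, then confirm with resolve_from_hosts (or getent hosts) that both the DC FQDN and the bare domain name resolve to the DC.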

SUMMARY:

In summary, I would say CRTP is totally worth it for anyone looking to start their Active Directory pentesting journey, and it is quite cheap compared to other certification providers. It has definitely made me a bit more confident in my AD skills.

For OSCP aspirants, although I have not attempted the OSCP exam yet, I guess this knowledge would certainly help in tackling the AD part of it.

That’s it from my side. If you have questions/suggestions, feel free to reach out to me on LinkedIn.

Thank you for reading :)