CRTP Review

Here is my review of the CRTP course and exam.

Introduction:

Hello, this is Obaida AKA Caesar3, and I will share my review of the CRTP course and exam.

I have completed several boxes on platforms like TryHackMe and HackTheBox and have a solid understanding of Active Directory penetration testing attacks. If you already have some knowledge of AD pentesting, I recommend purchasing the 1-month lab access; otherwise, you may want to consider the other options.

Course Content:

The course discusses different phases of attacking an Active Directory environment. Here is a list of some of the skills it teaches:

  • Active Directory Enumeration

  • Local Privilege Escalation

  • Domain Privilege Escalation using Kerberoasting, Kerberos delegations, abusing protected groups, abusing enterprise applications and more

  • Domain Persistence and Dominance using Golden and Silver tickets, Skeleton key, DSRM abuse, AdminSDHolder, DCSync, ACL abuse, host security descriptors and more

  • Database linked server attacks (on MSSQL)

  • Forest privilege escalation using cross trust attacks

  • Inter-forest trust attacks

  • How to operate in a more OPSEC-safe (Operational Security) way

  • Recommendations, defenses, and mitigations for AD attacks

Exam:

The exam encompasses 6 machines: 2 DCs and 4 joined machines. One of the 4 joined machines is the student machine, for which you will be provided credentials, since the scenario is assumed breach. You should achieve at least remote command execution on all machines within 25 hours, and then write a detailed report describing the entire process over the next 24 hours after the exam finishes.

It took me about 12 hours to complete the exam, including writing the report simultaneously.

Tips:

  • Enumeration is the key

  • Always try to dump every type of credential once you gain admin access on a machine

  • Have your cheat sheet and notes ready

  • If you managed to complete the labs, you are mostly ready for the exam

  • If you face responsiveness issues, restart the unresponsive target machine

  • Always run executables outside of InviShell, using a new PowerShell or CMD session

Some Useful Tools & Scripts:

  • PowerUp.ps1 (you can also use other scripts or tools such as PrivescCheck.ps1 or winPEAS.exe)

  • PowerHuntShares.psm1

  • PowerView.ps1

  • BloodHound & SharpHound

  • Rubeus.exe

  • Loader

  • SafetyKatz or other variations of Mimikatz

  • Find-PSRemotingLocalAdminAccess.ps1

  • hfs.exe or other web file servers can be used to host files

  • InviShell

  • PowerUpSQL

  • Netcat

  • Certify.exe

  • etc...

Note: Do not upload all the provided tools to the exam environment at once, as you won’t need all of them.

As stated on the official CRTP website, it is recommended to have a basic understanding of Active Directory and the Kerberos protocol, as the course does not start from the very beginning with AD fundamentals.

Some good resources to prepare include:

Conclusion:

I highly recommend this certification to anyone looking to start their journey in Active Directory Penetration Testing. The instructor, Nikhil, keeps the course engaging, the lab environment is seamless, and the exam is well-designed to assess the skills taught in the course.

Here are some useful resources that could help you through the exam:
