My ‘Certified Red Team Professional’ Journey — 2020 CRTP Review

From Zero to Professional

Fiddly Cookie
Sep 21, 2020

In this blog, I will share my experience with those pursuing or wanting to pursue Certified Red Team Professional (CRTP) in the future. Let me start with my background. I don’t engage in vulnerability research or pentest on a day-to-day basis. I have good exposure to Pentests, Cloud Security, and DevSecOps, but I don’t have any previous certifications related to security. I was not familiar with Active Directory security whatsoever before I began the course. I had no experience with PowerShell either. A little bit of PowerShell experience would have helped, but I picked it up on the way. I pursued this course because I wanted to study Active Directory from a security perspective in a well-structured way. I wanted to pursue a route that will make my fundamentals strong and help me pursue more advanced Red Teaming courses in the future. Honestly, I am not very self-driven, and I find it easier to follow a course than to juggle multiple resources. This course was a perfect match.

If you don’t have any background on Active Directory and want to start from absolute zero, this is the course. Another great thing about this course is that it is not outrageously expensive. I made the purchase on sale for $249 for 30 days of lab access. The reason why I opted for 30 days is that the course material is available to you before the lab starts. You can begin the lab within 90 days from the day of registration and once you get comfortable with all the concepts covered in the videos theoretically, you can request lab access.

The 21st of June

I registered for the course on the 21st of June 2020 and decided to go through the videos over the next month. There are 26 videos in the course, including the course introduction video. Each video is 30 minutes long on average. I started going through the videos and realized that I could not quite get the concepts right the first time. I could not understand Constrained and Unconstrained Delegation fully. I mistakenly thought that I understood the concept, but when I tried to reiterate those steps in my mind, I could not. Nothing made complete sense. The same thing happened while I was studying Enterprise and Cross-Forest Attacks. The course briefly revisits the previous videos’ steps, which made it even harder to get the complete picture at times.
I decided to go through all the videos a couple of times to get more familiar with the concepts and why a particular attack path is followed. It started making a bit more sense after revisiting those concepts.

I started taking notes this time. I picked one or two topics every day, depending on the difficulty, and understood the steps involved, and wrote those steps without referring to the video. For instance, I would pick the Lateral Movement and Domain Persistence and write the steps in the notebook. It took almost two months to finish the whole exercise, way longer than I expected.

The 13th of August

I requested lab access on the 13th of August. I started doing the steps while following the videos at the same time. It wasn’t easy at the beginning to recollect all the commands. Gradually, I started getting the hang of the commands while running through the objectives during the lab. Every concept is covered in the lab through an objective. It all started making sense in the end. I completed all the objectives a few times and referred to the lectures if something did not make sense. I also looked at the BloodHound results and tried to derive the same attack path. The lab team was incredibly supportive. I approached them for any clarification or why something did not work. They responded promptly every time without fail. I booked my exam slot for the 19th of September, feeling confident about what I learned. One thing I did not pay a lot of attention to was detection and defense, but I made sure I covered the rest multiple times.

The 19th of September

As usual, I can’t say too much about the exam. I booked an evening slot for the exam as I am more focused and comfortable working at night. I was pretty confident about my preparation, hoping to compromise all the targets before midnight. Exam details were sent 30 minutes before the exam began. I made a list of tools I wanted to use and transferred them to the exam machine.
The exam did not start well. Some tools I used in the lab did not give consistent results or work as expected.

I felt demotivated and felt like giving up at times. It was NOT as easy as I expected it to be. After 8 hours of enumeration, I finally saw it and performed the first pivot. A break was much needed. I took a few hours’ nap and woke up feeling fresh and started where I left off. I compromised the second target, which took me almost 3 hours. The attack path became straightforward after compromising the second target. BloodHound came in handy throughout the exam. I compromised the forest root domain controller 3 hours before the exam ended. Everything in the exam is covered extensively in the lab. The exam is just a twisted version of the lab which requires a little bit of extra enumeration. I did very little research outside the course and thoroughly understood each and every step in the lab. I made sure I got all the POCs by revisiting a few steps. I submitted the report on the same day after including all the necessary steps explaining the methodology I followed in detail. In my opinion, the exam is the best part of the course.

The 21st of September

I woke up to this beautiful mail and felt happy about my decision to pursue this course.

I would recommend this course to anyone who is starting with Red Teaming and wants to get familiar with misconfigurations and different attack paths in Active Directory. Also, refer to adsecurity if you’re going to do additional research. In my opinion, the course is complete in itself and provides a comprehensive explanation of concepts.

Please share any feedback or insight you have about the article; feel free to leave a comment or reach out to me on Twitter.
