CRTP: My Two Cents

ThatOneSecGuy
Jul 2, 2021


BACKGROUND

So, I recently cleared the Certified Red Team Professional (CRTP) examination. I have been part of multiple Red Teaming engagements prior to taking this certification exam, and my role in the Red Team was generally limited to getting the initial foothold into the corporate network from the Internet (or other arenas 😋) since I did not have adequate knowledge about Active Directory (AD) security. Therefore, I decided to learn about security in AD environments and dug through resources for the same. This is when I stumbled upon Pentester Academy’s Red Team Labs (Attacking and Defending Active Directory Lab) which comes along with access to their flagship course — Attacking & Defending Active Directory, a practice AD lab, and one attempt for the CRTP certification examination. I went through the course syllabus and was extremely intrigued to notice that all the concepts & attacks that were taught in this course were not some patchable exploits, but rather leveraged the native flaws & misconfigurations in the Kerberos protocol itself. This is very interesting due to the reason that the concepts taught in this course would have a very high shelf life. Impressed by this, I enrolled myself to pursue the CRTP certification. Hence, began the journey…

PRACTICE METHODOLOGY

At the time of enrollment, I chose the 30-days lab subscription, and I highly recommend the same as it provides adequate time to prepare for the certification. If the time is not adequate, the subscription time can always be extended as required. The methodology that I followed was to first complete the video lectures and take notes of the concepts as I watched the video lectures. Although I will be sharing my CRTP notes at the end of this blog post, I highly recommend that one make their own notes as it helps in better understanding.

Try to finish the video lectures and note-taking in the first 10 days of your enrollment, so that you can dedicate all the rest of the time to getting your hands dirty in the practice lab. Post completion of video lectures, start by attempting to capture all the flags and completing the learning objectives (all the way from Domain Enumeration learning objectives to pulling off the DCShadow attack as part of the final learning objective). Use the notes that you have made, in order to complete these learning objectives. This should take about 8–10 days depending on your understanding of the concepts learned.

After having completed the video lectures, made notes, captured all the flags, and performed all the learning objectives, you will still have about 10–12 days of access to the practice lab environment. Now, you may choose to spend this time in various ways — revisiting concepts that are not fully clear, practicing the same attacks with different tools, etc. I will write about how I spent the last few days. You may choose to do the same or use that time in other ways, your call!

STUFF I DID IN THE LAST FEW DAYS OF LAB ACCESS

  • Initially, I tried to replay some of the attacks using a Command & Control (C2) framework. Personally, I used a customized C2 framework that I had written for some of the Red Teaming engagements I had done in the past. Although not fully capable, I could replay some of the attacks using my C2 framework. You can use Covenant (or) Metasploit (or) any of the various C2 frameworks of your choice for the same.
  • Designed various attack vectors that can be used to escalate privileges from a normal domain user towards fetching that Domain Admin (or even Enterprise Admin) privileges. This is the time to think of some out-of-the-box ideas that you can leverage during the exam.
  • Pentester Academy also lets you try some of the exploits in the lab environment. It is always a good idea to write a mail to their support team regarding your willingness to try some exploits in the practice lab and get their confirmation. I tried some of the exploits in the lab (such as the infamous ZeroLogon exploit, etc.).
  • Made extensive use of BloodHound. If you are someone who is new to using BloodHound or your knowledge of BloodHound’s capabilities is only limited to its usage in the course videos, I highly suggest you allocate a specific amount of time to explore BloodHound’s capabilities and try to perform rigorous enumeration of the domain using just BloodHound. In the “Tips & Tricks” section of this blog post, I will also include some very effective pointers to use BloodHound the right way.
  • Practiced some PowerShell foo. It is very handy to know some basic PowerShell foo techniques, like formatting outputs of a particular command, piping multiple commands, filtering specific items from the command output, etc.
  • Made a list of things to do every time a new user account is compromised or a new machine has been pwned in the domain. This can help you in multiple ways. First, it helps you to think of all the information you would probably like to obtain for a new user (ACLs, group memberships, local admin access, etc.) or from a new computer (hashes, sessions, etc.). Secondly, it may be helpful during the exam as it will lay out a mini-checklist of the action items you may want to cover.
  • Created a ready-to-use report template as shown below that I used in my partial fulfillment of the CRTP exam clearance.

With an adequate amount of practice, the day after my access to the practice lab ended, I scheduled the exam. Godspeed!

EXAM INFORMATION

The exam lab has 5 target servers that are spread across domains and have different configurations and applications running on them. The goal of the exam is to get OS command execution on all the target servers (not necessarily with administrative privileges). You must submit a detailed report within 48 hours of your exam lab time expiry. The report must contain a detailed walk-through of your approach to pwn a machine with screenshots, tools used, and their outputs. You are free to use any tool you want but you need to explain what a particular command does. A report suggesting practical mitigation and citing open-source tools, talks, and blog posts is generally scored higher.

You get the VPN credentials to connect to the exam lab environment, soon after you click on “start exam”. The initial foothold machine is accessible via the network and the credentials to log in to the foothold machine are provided. I highly recommend using the RDP environment for the entire duration of the examination rather than using the browser-based interface.

Reconnaissance

As the first step of any Red Teaming engagement, I performed intensive reconnaissance in the domain, discovering IPs of the machines, open ports, checking for services (like Jenkins, etc.). The majority of reconnaissance involved scanning for open ports and checking for exploitable services running. One tool in particular that aided me to do this was Invoke-PortScan.

Domain Enumeration

The importance of domain enumeration in order to clear this exam cannot be stressed enough. It is arguably the most important skillset to clear this exam. In this phase, I was able to enumerate information such as Domain name, Forest name, Domain SID, Domain & Group Policies, Domain Controllers & Properties, Users, Computers, Groups & their memberships, Sessions, Shares, High-Value Targets, Access Control Lists (ACLs), Trusts & Relationships Mapping, Intensive User Hunting, SQL Servers hunting, etc. During this phase, I used multiple tools without which it would have been very difficult to gather the obtained information. Some of the tools that I used rigorously to enumerate the domain are PowerView, Active Directory Module (without RSAT), BloodHound, and occasionally, Native PowerShell commands and .NET Classes.

Local Privilege Escalation

Although the exam does not intensively focus on Local Privilege escalation techniques, there were a few instances where I had to escalate my privileges locally in order to perform the necessary operations. The vulnerability, which was exploited mostly in the exam lab to escalate privileges locally, was prevalent in services that allowed the current user to modify its configuration settings (like making the service temporarily point to another binary, etc.). Though this can be done with the help of multiple tools, my go-to tool for discovering and exploiting local privilege escalation vulnerabilities was PowerUp.
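
A defender's check for the misconfiguration described above, as an added example that is not part of the original post or of PowerUp: it parses a service security descriptor in the SDDL form printed by `sc.exe sdshow` and reports allow ACEs that give a broad group the right to change the service's configuration. The function name `Find-WeakServiceAce`, the trustee list and the sample descriptors are assumptions made for illustration.

```powershell
# Right codes (as printed by "sc.exe sdshow") that allow reconfiguring a service.
$RiskyRights = [ordered]@{
    DC = 0x2          # SERVICE_CHANGE_CONFIG: change binary path or logon account
    WD = 0x40000      # WRITE_DAC: rewrite the service's permissions
    WO = 0x80000      # WRITE_OWNER: take ownership of the service
    GA = 0x10000000   # GENERIC_ALL
    GW = 0x40000000   # GENERIC_WRITE (maps to SERVICE_CHANGE_CONFIG)
}
# Broad, low-privileged trustees: SDDL alias or the equivalent well-known SID.
$BroadTrustees = @{
    'AU' = 'Authenticated Users'; 'S-1-5-11'     = 'Authenticated Users'
    'BU' = 'BUILTIN\Users';       'S-1-5-32-545' = 'BUILTIN\Users'
    'WD' = 'Everyone';            'S-1-1-0'      = 'Everyone'
    'IU' = 'INTERACTIVE';         'S-1-5-4'      = 'INTERACTIVE'
}

function Find-WeakServiceAce {
    param([string]$ServiceName, [string]$Sddl)
    # Isolate the DACL: "D:", optional flags, then the run of "(...)" ACEs.
    $dacl = [regex]::Match($Sddl, 'D:[A-Z]*((\([^)]*\))+)')
    if (-not $dacl.Success) { return }
    foreach ($ace in [regex]::Matches($dacl.Groups[1].Value, '\(([^)]*)\)')) {
        # ACE fields: type;flags;rights;object;inherit-object;trustee
        $f = $ace.Groups[1].Value -split ';'
        if ($f.Count -lt 6 -or $f[0] -cne 'A') { continue }       # allow ACEs only
        if (-not $BroadTrustees.ContainsKey($f[5])) { continue }  # narrow trustee
        $hits = if ($f[2] -match '^0x') {                         # hex access mask
            $mask = [Convert]::ToInt64($f[2], 16)
            $RiskyRights.Keys | Where-Object { $mask -band $RiskyRights[$_] }
        } else {                                                  # two-letter codes
            [regex]::Matches($f[2], '..') | ForEach-Object { $_.Value } |
                Where-Object { $RiskyRights.Contains($_) }
        }
        if ($hits) {
            [pscustomobject]@{ Service = $ServiceName
                               Trustee = $BroadTrustees[$f[5]]
                               Rights  = @($hits) -join ',' }
        }
    }
}

# Constructed SDDL samples (hypothetical service names, no real host).
$samples = [ordered]@{
    DemoUpdater = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPLOCRRC;;;AU)'
    DemoSpooler = 'D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
                  'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
}
$samples.GetEnumerator() | ForEach-Object { Find-WeakServiceAce $_.Key $_.Value }
```

On a live host, pass `(sc.exe sdshow <name>) -join ''` as the SDDL for each service name. Any service it reports should have the broad ACE tightened so that only administrators hold the change-configuration right.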

Lateral Movement

Post rigorous enumeration of the domain and escalating the privileges locally, it was possible to discover attack paths to other machines and users in the domain. I made use of some lateral movement techniques like PowerShell Remoting (PSSession and Invoke-Command) to leverage the local admin rights and the information obtained from the enumeration phase to escalate the privileges to a domain level. The tools used intensively to aid in the lateral movement operations were PowerShell and Mimikatz.

Persist & Exfiltrate

Domain persistence techniques help an attacker to maintain access to critical systems and user accounts for an indefinite amount of time. Performing techniques such as the Golden ticket attack is a way to restore access to higher privileges at a later point in time. Although there are multiple ways to persist in the domain, by leveraging the flaws in the working of Kerberos authentication protocol, exploiting ACLs, etc., my go-to mechanism during the examination was to leverage Golden Ticket and Silver ticket attacks. Tools used during the domain persistence phase include, but are not restricted to Mimikatz and PowerView.

TIPS & TRICKS

  1. Enumerate, Enumerate & Enumerate! Remember that, if during the exam, you are stuck at some point and things feel like a dead-end, the solution to it is probably performing more intensive enumeration of the domain.
  2. Leverage BloodHound. Do not forget to mark users/computers/groups as owned when you escalate the privileges to a domain/forest level. Keep checking for misconfigured ACL permissions. Check for attack paths from the owned accounts/machines to your targets. Check for sessions on different computers. And just, exhaust BloodHound’s capabilities overall.
  3. Enumerate ACLs for all the GPOs. Enumerate those GPOs where RDP Users’ group has interesting permissions, in particular. For ease of lateral movement, add the compromised user accounts as a local admin on the pwned machines and if possible, add the owned accounts to the RDP Users’ Group as well. This saves you a lot of time and provides convenience in login mechanisms and lets you avoid the issues that arise while using PSSession to perform lateral movement techniques.
  4. Along with dumping hashes from the SAM hive and LSASS process, do not miss out on extracting credentials of scheduled tasks by looking for hashes in the account owner’s credential vaults as well.
  5. Turn off the defender and AV protection and disable AMSI on Remote machines at every chance.
  6. Please remember to eat, exercise lightly, and sleep to keep your mind fresh. Take sufficient breaks during the exam. It helps a lot to disconnect yourself for a short period of time and then resume the exam.
  7. Take Screenshots. Remember that even if you have compromised all the target machines, a poor quality report may result in not clearing the exam. Create proper folder structures to store your screenshots in an organized way, so that it becomes easy to prepare your report and use them with ease.
  8. Enjoy & have fun!

MATERIALS FOR PREPARATION (References)

  1. As promised, here’s a link to download my personal notes for the CRTP exam.
  2. https://adsecurity.org/
  3. https://github.com/infosecn1nja/AD-Attack-Defense
  4. https://bit.ly/36bF5mi
  5. https://github.com/gentilkiwi/mimikatz/wiki

FINAL THOUGHTS

This lab examination is highly challenging. Kudos to Pentester Academy for maintaining and deploying such secure challenge labs for budding security researchers to learn real-world adversary and attack simulation! A big shout-out to one of the best instructors, Nikhil Mittal for his way of teaching and delivering extremely high-quality lectures. I learned a ton about PowerShell exploitation, Kerberos authentication flaws, got a deep dive into Mimikatz, and finally, truly and deeply understood the importance of Domain enumeration 😂

I hope that this blog post helps all the people who are pursuing the CRTP certification examination. All the best. May the force be with you!
