The Ultimate CRTO Preparation Guide
Understanding this Guide
The CRTO (Certified Red Team Operator) course is offered through Zero Point Security. Originally, I had purchased the course when the exam was on version 1, and the entire course was organized in a different way. I stopped working on the course because I kept having issues with the initial access part of the lab environment because of the way it was setup. If you’re reading this guide and on the fence because of that, realize that the new version of the course utilizes Cobalt Strike, Snaplabs, and the course guide is MUCH more organized compared to its predecessor.
CRTO is an incredible course, packed to the brim with a lot of useful Red Teaming techniques, all the way from gaining that initial bit of access to obtaining Domain Administrator and maintaining persistence within an active directory environment. The goal of this guide is to talk about a few skills that will help you succeed on the CRTO.
You don’t need to have the OSCP certification to take this course, in fact, if you’ve already acquired a lot of AD pentesting skills, you can attempt the exam. With that being said, you should probably have a working knowledge or understanding of:
- Metasploit, CrackMapExec
- Active Directory Networking
- Post-Compromise Enumeration
- Basic Exploitation/Compromise Knowledge
Note that you don’t have to know all of these things beforehand to succeed. As an example, You don’t have to be a master of PowerShell, but you should probably understand how to load PowerShell scripts and understand what you’re using. A lot of people set out requirements, but in all actuality, knowing yourself is the important part. If you can hack and want to go for it, then do so.
You will learn a lot, and the CRTO focuses on the utilization of Cobalt Strike. The techniques in general can be applied across multiple C2 frameworks, or standalone by using CrackMapExec in conjunction with manual methodology or with Metasploit.
The Lab & Course
I’m a strong believer of practicing the methodology that you study. You can’t learn much by reading the coursework without getting your hands on the keyboard. I highly recommend utilizing the lab coursework with the lab, real time. While this is the obvious approach, a “I know it already” methodology is not the best way forward. If you’ve been hacking for awhile, or already know how to use Cobalt Strike, go through the motions again. Follow along with the coursework to ensure that you’re prepared for the exam. It doesn’t hurt to perform attacks that you already have experience with.
The Lab is stellar, it has everything you need to succeed. You purchase “hours” in a pay-as-you-go type method, and it’s fairly inexpensive. Being able to spin up the lab from snapshots saves you the headache of configuring an Active Directory environment, so utilize this resource. Don’t rely too much on tools outside of the lab environment, because the best way forward is making sure you know how to use what you’re given. However, with that being said, scripts that you can easily copy and paste are encouraged - this goes for standalone aggressor and PowerShell scripts that help maximize the effectiveness of your Cobalt Strike instance.
Getting ready for the exam isn’t a matter of hundreds of hours of lab time. The best recommendation that I have would be to understand all of the different types of attacks given to you in the course. Practice all of the techniques in the lab a few times over and you should be fine. There are several things that you can do to ensure that you are successful, but I would focus on:
- Understanding the different ways that you can move laterally in the AD environment
- Utilizing privilege escalation methodologies such as Weak Service Permissions, Unquoted Service Paths, Weak Service Binaries, etc.
- Executing PowerShell enumeration methodologies via scripts that are provided, and scripts that you can easily copy/paste -> import
- Using Cobalt Strike’s mimikatz ability to your advantage
- Practicing the proxy methodologies (SOCKS, Reverse Port Forwards, etc)
- Understand powerpick, antivirus bypass methodologies, modifications to aggressors for additional bypasses, etc
One thing that you can easily get caught up on is the TTPs that you’re supposed to emulate during the exam. This isn’t a secret, when you go to book your exam, it discusses that you’ll have to do this. In order to prepare, you need to understand how to build C2 profiles. Don’t have a meltdown though, realize that TTPs while necessary, are not quite the end all be all on the exam. That’s about as much as I’m willing to comfortably say, but you will figure it out.
I can honestly admit that I wasn’t prepared to build my own custom C2 profile, even though I knew that I would have to, but c2lint is your friend. I would recommend studying this in-depth and getting a good grip on building your own profiles. The course guide covers this well, but it’s not the number one way to learn how to do it. Here are some resources that I found that will help you:
It shouldn’t come as a surprise that the exam uses a lab environment that restricts the easy import of external tools. Don’t be afraid to use other tools that are simple to copy into your environment though. As an example:
During the exam, everything you have to pass is in your face. All of the methodology that you learn during the course is relevant. However, that’s not to say you can’t utilize other methodology to perform similar exploitation. When in doubt, stick to what you know. You have 48 hours, over a maximum of 4 days (you can pause the exam labs). That’s plenty of time to take a break, eat, rest, and come back to it. It’s easy to trip up on the little things. Limit yourself to 2 or 3 hours per pivot or escalation. If you’re jamming at the keyboard for six hours straight trying to get somewhere new, you’ll likely have some issues. Maximize your efficiency by taking breaks to come up with new ideas.
Checkout this guide, which in my opinion is the Mother of All Active Directory Enumeration/Exploitation methodology:
Active Directory Attack
Thoroughly document all of your enumeration methodologies and attacks. If you manage to escalate or pivot, carefully document this. If you lose beacons, you’ll be in for a world of hurt if you don’t remember what you did to get there - especially as you gain control over more users or systems. Another good tip would be to give yourself a beacon or two as multiple users on the same system, or setup persistence through nabbing credentials or tickets - if one beacon dies, it’s painful to have to redo all of the privilege escalation methodology or lateral movement techniques. Work smarter, not harder. The first thing you should be doing when you gain access to a system is pulling all of the relevant information that will help you maintain persistence. Treat this exam like a real-life Red Team exercise and take note of everything that ends up working for you.
There’s no way to run through all of the attacks, because to be completely honest, there are hundreds of ways to exploit the systems in ways that will get you to the end goal. You need 6 out of 8 flags to pass, and you can undoubtedly accomplish this. Creating a diagram of all connected systems could easily help you visualize where you need to be and what you’ve accomplished as each user or on each system. Think about what level of control will give you the most access to the overall environment, and aim for that.
Other than that, you have plenty of time, give it a shot. While this guide might be shorter than something like my OSCP guide, I can tell you for certain that resources like the “Active Directory Attack” methodology that I provided above will keep your brain spinning for days. Rather than reinvent the wheel, utilize the existing community enumeration and exploitation resources to quickly garner the access that you need in order to pass. Personally, less is more in terms of exploitation. Sometimes the techniques that are simple are the ones that work the best.