Heba Hamdy Farahat
7 min read, Jan 30, 2021

Certified Red Team Expert (CRTE) Review

Hello friend,

If Active Directory attacks are a new topic for you, I can relate. I was in the same boat before I earned my CRTP and CRTE certifications. You can do it too!

In this quick guide I will share an overview of my journey and also tips & tricks to claim the exam 😉

Update on 23rd Jan 2023:

The CRTE is now offered by Altered Security, who are the creators of the course and its lab. You can get the course from here — https://www.alteredsecurity.com/redteamlab

What is an Active Directory? Is it really important?

Active Directory (AD) is Microsoft’s proprietary directory service. It runs on Windows Server and allows administrators to manage permissions and access to network resources.

The first time I read that I was like…

Well, that can be simplified this way:

Think of Active Directory as the “contacts” app on your mobile device. The “contacts” app itself would be your Active Directory. Your individual contacts would be the “objects”, and the address, email and phone information for each contact would be the “values” in your Active Directory. The “objects” aren’t limited to people and users; they can also include “group objects” such as computers, printers and so forth.

It is a Microsoft technology used to manage computers and other devices on a network. It enables centralized management of an entire network, which might span a building, a city or multiple locations throughout the world.

This is what an AD network looks like:

Photo from Certified Red Team Professional(CRTP) material

Maybe you are thinking, why should I even care?

Well, from an organization’s perspective, AD provides manageability, security and interoperability for these different objects, like Windows users, servers, etc. As a result, it is adopted by many organizations, and that makes it a focal point for adversaries.

CRTP VS CRTE

Both of them cover Active Directory attacks. The Certified Red Team Professional (CRTP) is a beginner-friendly certification; on the other hand, the Certified Red Team Expert (CRTE) is an advanced red team lab.

If you are new to AD attacks, I would recommend starting with CRTP first and then moving on to CRTE.

In CRTP, the topics covered had detailed videos and material, and the lab had walkthrough videos, unlike CRTE. During CRTE, I depended on the CRTP material alongside reading blogs and articles to explore newer topics and techniques.

Methodology

“Don’t blindly go after Domain Admin, instead follow your engagement (RT/PT) goals. DA is rarely a goal!” Nikhil Mittal

This is a very important tip that was highlighted multiple times in Nikhil Mittal’s talks, and it was strongly reflected in the CRTE labs.

The CRTE labs follow an assumed-breach methodology on an Active Directory environment: you start with the internal access an adversary would already have and use it to perform further attacks.

Photo from Certified Red Team Professional(CRTP) material

Both the CRTP and CRTE lab environments consist of fully patched Windows and SQL servers. Like a real-world red team operation, this forces you to use built-in tools as much as possible and to focus on functionality abuse, misconfigurations, abuse of AD components, forest trusts, SQL server trusts, etc. So, we will NOT use any exploits or exploitation frameworks.

The attacker starts from a foothold machine in the domain as a low-privilege user and works their way to another forest.

In the CRTE lab, you are required to submit 60 flags hidden across different domains and forests. From the student portal you can see the required flag(s) for every machine and also verify a flag’s value.

Photo from CRTE’s student portal — Flag Verification section

Let me share a useful tip to get the most out of the labs:

Well, at the beginning of my CRTE labs, after gaining access to a machine I used to check on the portal which flags were required, then search for that flag and submit it.

Later on, I adjusted my mindset to perform deep post-exploitation enumeration and reach most/all of the flags as a result of that enumeration, before looking at the required flags on the portal. Got it? :D

That helped me structure my methodology so that I automatically perform smart and intensive post-exploitation enumeration.

Secret Tip:

*Do it and thank me later after exam/redteaming engagements*

As you go through the course material and labs, take notes along the way in an organized way, i.e. build them as you go. By the time you reach the end of your labs, you should have a solid methodology and a detailed AD exploitation cheatsheet.

I recommend using CherryTree, KeepNote or OneNote.

I am not an organized person at all, but this is what my summarized CherryTree looks like:

I also love taking a look at other cheatsheets; it inspires me, helps me organize my ideas, and builds my mindset and methodology.

- Favorite Active Directory Exploitation Cheat Sheet:

https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet

- Favorite Blogs:

https://adsecurity.org/

https://ired.team/

http://www.harmj0y.net/blog/

Important notes about CRTE Exam

Before exam:

- Exam support is the same as the normal lab support and it isn’t 24/7, so adjust your lab starting time to fall within their working hours. They follow Indian Standard Time. Search for a local time converter. (Credit for this useful tip goes to Soumyadeep Basu.)

I am not sure about their working hours, but from my observations they were very responsive between 10:00 am IST and 9 pm IST.

- The lab environment was stable for me, but several students reported environment issues, so to be on the safe side, consider starting your lab in their working hours just in case anything happens. The support responses were very fast during their office hours.

- Sleep well, and prepare a huge amount of food beside you for the exam. I was so hungry during the exam xD

- No need to schedule the exam in advance. You can start the exam at any time using their portal, which is awesome! When you press the start exam button, it will take around 10 minutes to create the exam VPN configuration file, then you will find a countdown (“48 hours is going down”). But waittt! What about the RDP credentials? They will be created after 5 minutes. For that, you will be compensated another hour after the 48 hours.

Note: The counter will stop after the initial 48 hours and it will say that it is over; however, the VPN connection will still be up for an additional hour as compensation. After these 49 hours, you will have 47 hours to write your report. So the exam duration is: 48 hrs + 1 hr + 47 hrs.

- The exam lab has 6 target servers, which are spread across domains and have different configurations and applications running on them. You get access to a VM named ‘userexam’ in the lab, and that doesn’t count as a target server.

- There is no need for any type of brute-force attack which involves using a dictionary.

- Have your notes ready; they should document your methodology.

During exam:

- Take screenshots along the way, even if they won’t be included in the report. They will still be useful when writing the report, as they will remind you of the exact steps you took. They love detailed reports!

- Got stuck in the exam? Relax and enumerate again. ENUMERATION IS THE KEY in many places.

- Hit a wall? Be flexible and explore new topics during the exam.

The exam is challenging, but you will enjoy it, and it feeeeels awesome after you smash it.

Exam Report Tips:

- Didn’t solve all machines? It is okay. You can still succeed.

- The goal of the exam lab is to get OS command execution on at least 3 target servers, not necessarily with administrative privileges. Note that in this case, the report should be of very high quality. See the points below to understand what we consider a high quality report.

- A report suggesting practical mitigation and citing open source tools, talks and blog posts will score higher.

- In addition to that, the report must contain a detailed walk-through of your approach to compromising a box, with screenshots, the tools used and their outputs. You must also suggest practical mitigations for the misconfigurations you abused. You are free to use any tool you want, but you need to explain what a particular command does.

Approximately 48 hours after I submitted my exam report, I received my certificate.

Journey Summary

I have learnt a lot; it was a new experience for me and honestly challenging because I was new to AD attacks. Moreover, all hosts were fully patched, in addition to having Windows Defender, AMSI, Constrained Language Mode, AppLocker and so on.

I recommend both courses; I have learnt more than I was expecting.

If you have any questions, feel free to reach out.

https://twitter.com/hebahamdyfarhat

http://linkedin.com/in/heba-hamdy-farahat-5501595b

References:

https://www.intermedia.com/blog/what-is-active-directory-and-why-is-it-so-important/

https://techterms.com/definition/active_directory

https://technet.microsoft.com/en-us/library/cc780036(v=ws.10).aspx

https://www.alteredsecurity.com/redteamlab