CRTP Certification Review

Ibad Altaf
4 min readFeb 6, 2023

Before I go into the details of my experience with the CRTP certification, I’ll give some background of myself.

Background

My name is Ibad Altaf and I have been in the Cyber Security field for about 4 years now. I started my Bachelor’s in cyber security back in 2019 and graduated by 2021. By the end of the degree, I took interest in Penetration Testing and got very keen on pursuing it as my career. I spent months learning various topics on the TryHackMe platform, and from there I started competing in various CTFs.

In morning, I work as a Penetration Tester, the sub-domains that I usually perform PT on are Web, Infrastructure, and Active Directory. However, with AD taking up my interest, it soon became my specialty and got me into learning about red teaming. I have been going at it in my personal time for amount 6 months now and wanted to finally get my skills validated. Hence why I chose CRTP to start with.

CRTP Certification

The CRTP certification is built for people who have some experience in Pentesting and know about the underlying structure of how an Active Directory environment functions.

The CRTP lab environment consists of multiple forests, parent-child domains, firewalls, and antivirus set in place. The machines are fully patched Windows Servers 2016.

The cool thing about the lab is that there are no patchable vulnerabilities, the “exploit” happens by abusing the features of Windows and this is what you’re tested upon. You can only abuse these features if you know the underlying functions of an Active Directory environment. It’s not just about learning how to use the tools.

The lab consists of the following attacks that can be abused:

  1. Privilege Escalation
  • Service Abuse, Insecure Write Permissions, etc.

2. Domain Privilege Escalation

  • Local Admin Hunting, Domain Sessions Takeover, Kerberoasting, AS-Rep, Unconstrained Delegation, Constrained Delegation, RBCD, DCSync and more.

3. Domain Persistence

  • Golden Ticket, Silver Ticket, Diamond Ticket, DSRM, AdminSDHolder, ACL Abuse, Skeleton Key, Custom SSP, ACL — Security Descriptors Abuse, and more.

4. Cross Trust Attacks

  • Database Link Abuse (MSSQL), Trust Key, and more.

CRTP Experience

I have been planning on doing CRTP this year, and after I found out that there is a boot camp happening with live classes at the start of the year (299$), I quickly hopped onto the train and got my journey started. The live classes were exceptional and interactive, props to the lecturer, Nikhil Mittal. Apart from that, we got 1 month of access to the labs, which were really fun to do. I went through the labs about 3 times. The lab was almost always stable, there were some hiccups, but, nothing that couldn’t be solved by a quick reset by the lab team or sometimes by just signing out and back in.

CRTP Exam

Finally, after completing the labs a good amount of time, and learning the concept of how each feature is abused, I felt ready and decided to give it a go. I woke up early at 7, got all my tools ready, and started my exam at 9:30. Bypassing the anti-virus and then escalating the privileges took me round about 20 minutes. In the exam, apart from your machine, there are 5 fully patched Windows Server 2019 servers that you need to get command execution on. Getting command execution on the first machine took me about an hour, however, initial domain enumeration and some troubleshooting with the first machine took most of that time. After gaining access, I was quickly able to gain access to the next one as well. The third one took about 3h, and then the last two took 30m. All in all, the technical aspect of the exam took me about 5h to finish.

After that, I took a well-deserved break, and then compiled a report in 90m. The total time it took for me to complete the exam was about 6h30m, excluding the break.

Conclusion

The entire one-month experience of boot camp, labs, and the exam was very fun. Learning new techniques and brushing up on some attacks was refreshing. I would recommend others on taking the CRTP certification if they want to get started on Active Directory PT with OPSEC in mind.

Now, I would have normally gone for OSCP, but it’s a bit over my pay grade for now. Another certification that I’m also very excited about getting is RastaMouse’s Certified Red Team Operator (CRTO) certification where I’ll get to play around with Cobalt Strike. So CRTO for now, then OSCP hopefully. :D

--

--

Ibad Altaf

Penetration tester and a red teamer. Love to learn techniques to bypass various security solutions. Find me at linkedin.com/in/ibad-altaf