Certified Red Team Expert (CRTE) Review
Introduction
Certified Red Team Expert (CRTE) is a penetration testing/red teaming certification and course provided by Altered Security, which is known in the industry for providing great courses and bootcamps.
In this review, I take the time to talk about my experience with this certification, the pros, and cons of enrolling in the course, my thoughts after taking and passing the exam, and a few tips and tricks.
Pros
- At about $300 USD, it is definitely the best bang for your buck in terms of value.
- In terms of intermediate/advanced-level Active Directory courses, it is definitely one of the best and most comprehensive out there.
- The support team and Discord channel were always very quick to reply and super helpful with any technical issue I had during the course. Keep in mind their support team is based in India, so try to get in touch with them between 8am and 10pm GMT+5:30, although they often replied to my queries outside of those hours.
- The course provides two ways of connecting to the student machine, either through OpenVPN or through their Guacamole web interface.
- The course is from Altered Security (formerly Pentester Academy), which is very well known in the industry for its exceptional red teaming courses.
- For almost every technique and attack used throughout the course, a mitigation/remediation strategy is mentioned in the last chapter of the course, which is something that is often overlooked in penetration testing courses.
Cons
- This certification probably won’t look as shiny as something from Offsec on your resume, despite the great material.
- Some of the techniques taught throughout the course won’t always work in the lab environment, and in general I have encountered a few inconsistencies during testing.
- The flag system follows the course material, meaning it can be completed by using all of the commands shown prior to the exercise. I personally would have preferred flags that simulated an entire environment (in order to give students an idea of what the exam is like) rather than one-off tasks.
Background
I decided to take on this course after having completed the Certified Red Team Professional (CRTP) and Offensive Security Experienced Penetration Tester certifications, as I needed an extra Active Directory challenge. I had a great experience with CRTP and had already heard a lot of great feedback from friends and colleagues who had taken this course before, so I had no doubt this would be an awesome choice.
I was never a huge fan of Windows or Active Directory hacking, so I didn’t think I would find the material particularly interesting, although I was still pleasantly surprised by how much I enjoyed going through the course material and completing all of the learning objectives.
While the course does not have any real prerequisites in order to enroll, good knowledge of Active Directory/Windows attacks and tools, as well as PowerShell, is strongly recommended in order to understand all of the concepts taught throughout the course. In case you haven’t done it yet, I would recommend tackling CRTP first, as basic details regarding AD may be taken for granted.
The Course
The course provides both videos and PDF slides to follow along. The content walks through various enumeration, exploitation, lateral movement, privilege escalation, persistence and evasion techniques that can be used in an Active Directory environment. The material is very easy to follow, and all of the commands and techniques are very well explained by the instructor, who covers not only the command itself but how it actually works under the hood.
The following are some of the techniques taught throughout the course:
- Leverage built-in binaries, tools and scripts such as Bloodhound for enumerating Active Directory.
- Understand enumeration OPSEC to bypass detections from tools like Microsoft Defender for Identity (MDI) and other Identity defense tools.
- Understand Domain and Forest trusts and ways to enumerate them.
- Enumerate and understand ACLs.
- Understand the approach of escalating privileges locally on the Windows system.
- Understand Kerberos authentication.
- Learn about the Kerberoasting attack and OPSEC considerations for performing it.
- Understand and abuse gMSA.
- Learn, understand and abuse delegation-based configurations in an Active Directory environment.
- Explore options to abuse misconfigured ACLs for escalating privileges.
- Understand how to leverage privileges in the domain environment to deploy persistence through various techniques.
- Computer and User account takeover – Shadow Credentials.
- Understand how to leverage KRBTGT account hash or Trust key to move across the domain.
- Learn and understand the Active Directory Certificate Services (AD CS) environment and ways to abuse AD CS misconfigurations to escalate privileges.
- Understand how delegation-based attacks can be leveraged to escalate privileges across the domain environment.
- Understand Azure Hybrid Identities and ways to abuse them.
- Understand various ways to enumerate and gain access across forest trusts.
- Learn how to enumerate SQL Servers and leverage the DBLinks to move laterally across the forest.
- Understand PAM trusts.
- Learn and understand Time Bound Administration (JIT & JEA), the Tier Model and ESAE environments.
- Learn about various security features such as Credential Guard, WDAC, MDI, LAPS, Protected Users Group etc.
- Learn about ways to detect attacks such as Kerberoasting, Skeleton Keys, Golden Ticket, Custom SSP etc. and various Deception techniques that can be deployed to deceive the attacker.
Throughout the course, at the end of certain chapters, there are learning objectives that students can complete to practice the techniques taught in the course in a lab environment provided by the course. The lab is made up of multiple domains and forests, in order to replicate all of the necessary attacks. From my experience, pretty much all of the attacks could be run in the lab without any major issues, and support was always available for any questions.
Towards the end of the material, the course also teaches what information is logged by Microsoft’s Advanced Threat Analytics and other similar tools when certain types of attacks are performed, how to avoid raising too many alarm bells, and also how to prevent most of the attacks demonstrated to secure an Active Directory environment.
I really enjoyed going through the course material and completing all of the learning objectives, and most of these attacks are applicable to real-world penetration testing and are definitely things I have experienced in actual engagements.
The course only lightly touches on BloodHound and uses more manual tools like PowerView instead. However, I personally used BloodHound a lot during the exam, and it is widely used in real engagements to automate manual enumeration and quickly identify compromise paths to certain hosts (not necessarily Domain Admin) in a very visual fashion thanks to its graphical interface. I would say a very good understanding of the tool is ideal for the exam as well as for real-life engagements.
The only negative note I have regarding the course content is that it didn’t feel like a true step-up from CRTP as a lot of it felt a little repetitive for someone with prior AD experience. The course also doesn’t appropriately cover AV/EDR evasion for enterprise environments, though that’s a whole other topic. After speaking with Nikhil, he informed me a revamp of CRTE as well as an EDR evasion course are in the works, so stay tuned!
The Exam
The exam consists of a 48-hour hands-on assessment (an extra hour is also provided to make up for the setup time, which should take approximately 15 minutes). The environment is made up of 5 fully-patched Windows servers, spread across several domains, that have to be compromised. After the exam has ended, an additional 48 hours are provided in order to write up a detailed report, which should contain a complete walkthrough with all of the steps performed, as well as practical recommendations. Individual machines can be restarted but cannot be reverted; the entire lab can be reverted, which will bring it back to its initial state.
Altered Security states that the goal of the exam lab is to get OS command execution on at least 4 target servers, not necessarily with administrative privileges. Keep in mind, though, that the quality of the report has a major impact on your result.
The initial machine does not come with any tools, so you will need to transfer those either using the Guacamole web interface or the VPN access. Unlike Offensive Security exams, it is not proctored and you do not need to let anyone know if you are taking a break, and you are not required to provide any flag as evidence.
I started my exam on the 23rd of March 2024 at about 11 am Sydney time, and in roughly two and a half hours I had compromised the first host. I wasted a lot of time going down the wrong path at the very beginning, but once I found the intended direction the rest was very straightforward. I recommend you run BloodHound on your local Windows/Linux system.
After completing the first machine and taking a short break, I moved on to the second one, which was quite convoluted and unrealistic in my opinion, though within a couple of hours I got there. I recommend familiarising yourself with PowerUpSQL.
While the next machine had to be compromised using a textbook Active Directory attack, there was a twist to it which tripped me up for quite some time; however, at around 5pm I had compromised it, along with the first domain.
At this point I decided to take a break and come back at around 7pm. I honestly did not anticipate what happened next, as I spent hours attempting to exploit what I thought was the required technique to move to the other domain with no success. I even emailed the support team as I started to think something was wrong with the exam environment, though they assured me everything was working as expected.
I decided to go to sleep at around 3am and to come back to it with a fresh mind. I woke up around 10am and sure enough, after more enumeration, within a couple of hours I had compromised the remaining two hosts and domain. Needless to say, I felt incredibly stupid for having wasted almost 8 hours on a rabbit hole.
I then started working on the report after a quick bite to eat, which took me roughly 3 and a half hours to complete, and it ended up being 29 pages. I simply added an executive summary at the beginning, which included overall background, results, and recommendations, as well as detailed information about each step and remediation strategies for each vulnerability that was identified.
After finishing the report I sent it to the email address specified in the portal and received a response almost immediately letting me know it was being reviewed. About a week later I received the following email:
I later also received the actual certificate in PDF format and a digital badge for it on Accredible.
Conclusion
Overall this was an extremely great course. While it doesn’t necessarily teach anything ground-breaking, I definitely learned a few new techniques and I now feel a lot more confident doing AD enumeration on Windows. I am sure that even seasoned pentesters would find a lot of useful information in this course.
If you would like to learn or expand your knowledge of advanced Active Directory hacking, this course is definitely for you.