Certified Red Team Professional (CRTP) - How to Pass
I won’t go into detail about what CRTP is or who it’s suitable for. If you’re aiming for this certification, you already know the basics. If you want to get to the most critical information quickly, the TL;DR section below is for you!
TL;DR
- Who is it suitable for: A great introductory certification for those looking to step into the Red Team area.
- LAB: Quite educational and enjoyable.
- Exam Format: You have 24+1 hours without a proctor. Access to the lab environment is provided via VPN or Guacamole.
- Exam environment: 5 target servers need to be compromised.
- Report: It must be submitted within 48 hours after the exam.
Course Overview
The course content includes a training series consisting of approximately 47 videos. It starts with the basic concepts of topics such as Active Directory, PowerShell, Offensive .NET, and then explains the lab environment in detail. The course explains the AMSI bypass and AV Signature bypass methods at the entry level. Then, starting with domain enumeration, it shows how to first detect and then exploit the entry and mid-level vulnerabilities that can be exploited in the Active Directory environment.
There is a lab environment where you can practice for each topic. You can check whether the flags you obtain in the Flag verification field by entering them. In addition, walkthrough videos and guides have been prepared. The trainings are clear, understandable and directly focused on the subject.
Exam Structure & What to Expect
The CRTP exam provides a practical environment that allows you to experience a real Red Team scenario. After accessing via VPN or Guacamole, it drops you directly into the assumed breach scenario. At the beginning, you have access to a specific server and from there you are expected to explore other systems in the network, identify and exploit vulnerabilities. There are five target servers in front of you and taking them all is critical to successfully completing the exam!
One of the biggest advantages of the exam is that it is based entirely on the techniques explained in the course content. You do not have to deal with unknown, overly complex or out-of-course vulnerabilities. This means that if you have understood the techniques explained in the lab environment, there will be no big surprises waiting for you in the exam. However, this does not mean that the exam is easy! The right strategy, careful analysis and solid time management are essential.
Before starting the exam, it takes about 10-15 minutes of setup time to prepare the environment. Therefore, the total exam duration is determined as 25 hours. After completing each stage meticulously, the final stage begins: reporting! Once the exam is complete, you have 48 hours to document your findings in detail. Remember, as much as technical skills, reporting your findings clearly and concisely is key to your success!
Preparation Guide: How to Get Ready for CRTP?
The most critical point when preparing for the CRTP exam is to fully digest the course materials and practice a lot. First of all, watch the training videos carefully and make sure you complete all the tasks in the lab environment. Practice is as important as theory, because the exam is based on a completely practical scenario.
For me, the practical part was a bit more advantageous because I had previously performed penetration tests in Active Directory environments. Having tested many of the vulnerabilities I encountered while receiving the training in the past accelerated the process. However, this should not be intimidating for those who will be working with AD for the first time! The course content systematically covers all basic and intermediate attack techniques.
I purchased 30-day course and lab access during my own preparation process. After completing the videos and establishing the theoretical basis in the first few days, I solved all the tasks in the lab environment and put what I learned into practice. If you have not had the opportunity to sufficiently apply the techniques explained in the course content, I strongly recommend that you set up your own AD lab environment and practice enumeration and exploitation.
You won’t need any of the techniques from outside the course on the exam, but skimming through the course content would be a big mistake. Make sure you practice and reinforce each technique for success!
Exam Day: Strategies for Success
My exam day was anything but ordinary. I had had a nose job and spent two days in the hospital. When I got home, I was still recovering, but I also took advantage of being on sick leave—I could focus entirely on the exam! After a relaxed breakfast and a chat with my colleagues, I started the exam around 6:00 PM. Some strategies I followed during this process made my job much easier:
- Taking notes: I kept all my notes on Notion. Saving information regularly provides a great advantage in the later stages.
- Command outputs: I saved the output of every command I ran, both in plain text and as screenshots. It was incredibly useful for going back and checking.
- Taking a break: I took a break when I got stuck. When you get stuck, it can be good to go outside, get some air, or have a snack.
- BloodHound usage: Definitely use BloodHound! It allowed me to solve two target servers directly. When I was writing the report, I realized that it actually shows three targets directly, but I missed one. If you use it correctly, it can completely change the course of the exam!
Reporting
The 48-hour period is really enough to prepare the report. A big advantage for me was the notes I kept in Notion throughout the exam. Thanks to these notes, I completed the report completely and in an organized manner. The report should not only describe the techniques you exploited, but also include mitigation suggestions on how to fix each vulnerability. Here are some important points to consider when preparing the report:
- Mitigation recommendations: It is very important to include recommendations on how to take action for each vulnerability.
- Console outputs and screenshots: Screenshots and command outputs showing each step in detail enrich your report.
- Explanations: You should explain each step clearly. When you go step by step, it is easier for the reader to follow.
- Tools and resources: Referencing the tools, technical documentation, and resources you used makes your report more professional. After the exam, I submitted my report according to the email instructions sent by Altered Security. I prepared a comprehensive report of approximately 60 pages and documented the process in every detail, making sure the report was accurate.
After the Exam: What’s Next?
My next goal after the exam is HTB CAPE. I want to move forward with the Offsec mentality to focus on Active Directory structures. I will deepen the knowledge I gained with this certificate by targeting Active Directory vulnerabilities with an exam like CAPE. My goal is to further develop my knowledge and skills in this area and discover more complex vulnerabilities!
Thanks for reading. I hope it will be useful for those who will take the exam. If you have any questions or want to ask anything, you can reach me through the links on the contact page.
Comments powered by Disqus.