CRTO - Red Team Operator | Detailed Review

If you are into Red Teaming or planning to take a dive into it, then you must have heard about the Certified Red Team Operator (CRTO) Course and Certification by Zero Point Security. The course has been designed by Daniel Duggan who goes by the name of @_RastaMouse on Twitter. 

The content of the course is very concise and to the point, where a beginner won't feel lost while the experienced professional won't be overwhelmed by any redundant information. 

It comprehensively teaches you the skill to conduct real life red team assessment starting with engagement planning,  attack execution with minimal footprint and post engagement activities. 

Just to add icing on the cake, the course comes with full version of licensed Cobalt Strike in the lab, providing industry-ready skills to take up the red team engagements. It is also mentioned as one of official training partner on Cobalt Strike website

I would divide the review in 3 parts

I. Preparation 

• As stated earlier, the course is pretty comprehensive and you can start as a beginner. However, it is good to have some background on Active Directory Attacks. You may have a sneak peak into the course content here

• I would highly recommend you to go through the Cobalt Strike Video Series by Raphael Mudge (creator) and its user guide manual (currently CS 4.7) 

• You may set up your own Home Lab by following below tutorials

• TCM Security's AD Lab Setup 
• More complex MayFly's GOAD lab setup 

• There is public Discord Server which is managed by RatsaMouse, for getting quick response to your queries (consider UK time zone).

• If you are planning for the course and certification near Black Friday, then lookout for any ongoing promotions to save some bucks.

II. The Course & Lab

• There two tracks for obtaining the certification, one comes with course + certification while other is only certification (requires you to have other industry cert like OSCP as prerequisite).

• I would personally recommend to go for the Course + Lab (bundle), which comes with Lifetime access to course (including future updates) + 40 hours of Lab time (sufficient on an average, can be additionally purchased here) +  1 exam attempt. 

• The Lab is served via SnapLabs and is dedicated to you. The machines in lab can be accessed via Apache Guacamole web interface only, no VPN+RDP access is allowed.

• I would recommend you to use Microsoft Edge for access the Lab machines as clipboard sharing (Host to Guest only) works pretty smooth.

• It is also recommended to go through the course material first, do some side reading, prepare your notes and cheat sheets before starting the Lab.

• Once you complete the course, you are rewarded with something like this

III. The Exam

• The exam is also served via SnapLabs and has similar setup. You get access to Attacker Machines (Windows & Linux) + 1 workstation in target domain (Assumed Breach Scenario) 

• It requires you to solve minimum 6 out of 8 flags to pass the exam over period of 48 hours which can be allocated on the span of 4 days (calculated from the hour you start the exam). The exam gets added as additional event in you SnapLabs account and starts on scheduled time.

• You can pause the exam like your lab machines and start it again on demand. The time allocated is more than sufficient, you will run out of ideas long before you run out of time.

• Course has pretty much everything you need to pass the exam. However, that being said don't take it easy, its not going to be copy-paste. You really need to understand the concepts taught in the course to be able to apply it in the exam.

• The exam labs were pretty stable and didn't faced any major issues. The only issue I faced was that one of machines in exam was not accessible to due to some vpc misconfiguration, which was fixed by @_RastaMouse literally within 2 minutes of reporting it...Kudos!!

• I had started my exam at 10 AM and was able to secure 6 out of 8 flag by 10 PM on the same day. Next day, I started a bit late and got my 7th flag by 5:30 PM after some hustle as I was able to see the attack path but not able to exploit it. For the 8th flag, It felt like hitting a wall, I had enumerated everything but didn't saw any vulnerability to be exploited.

• There is no requirement of submitting the Exam Report. Your score is evaluated the moment you submit the flag found on each machine and the Badge is generated after the exam is over.

[Update]

• Received the CRTO Badge 

Exam Tips:

• TIP #1 First and foremost, even before you start your exam is to be ready to face the Defense. Here is the tip shared by @_RastaMouse himself. Nothing is more painful than seeing your beacons die!!

• TIP #2 Create a comprehensive notes and cheat sheet (used Obsidian here), which will provide you quick step-by-step reference of what needs to be executed to exploit a given vulnerability. Here is a link to my cheat sheet for CRTO Course

• TIP #4 When you restart your exam, all the sessions created would have died and you have to again follow the attack chain to resume your exam. To avoid the hassle, make use of persistence either by Dumping Credentials (preferred) or by planting the backdoor.  

• TIP #5 Enjoy the exam! No need to be stressed out, you have more than sufficient time so take a break if something is not working, don't skip your meals, stay hydrated, take a nap if needed.