CTRE - Review
CRTE - Certified Red Team Expert by Altered Security (Formally available at Pentester Academy) is a course directed towards pentesing Windows AD environments. The lab is created to simulate an Enterprise like network with multiple Domains, trusts and forests.
Currently, CRTE is available with 2 options-
After researching, I went ahead with the Bootcamp version, it included 4 x 3.5 hours of sessions, lab manuals (conquering the labs with and without C2) and Slide Decks. The sessions were conducted by Chirag Savla.
The labs consisted of a multi-forest environment. The lab covered "almost" all the concepts required for the exam. The builds upon the knowledge gained in CRTP. Topics like Introduction to AD and PowerShell were covered in the course, that being said, having hands-on experience with the CRTP lab helped me grasp things quicker. For a detailed syllabus, you can check the link shared earlier. The environment is a hardened environment with respect to CRTP in terms of AV and Firewall rules. The Course does touch on topics like bypassing CLM, WDAC and evading AVs. It does not cover advanced topics like dealing with EDRs, etc. The course covers an Assume Breached Scenario. The course doesn't cover gaining initial access. We are provided with a Student VM and a domain user to access it. The domain user does not have local admin rights. The course covers basic local privilege escalation. The course also focuses on Living Of The Land by abusing LOBAS. The entire course is based on feature abuse and not on exploiting OS-level vulnerabilities.
Huge lab environment to practice various topics covered.
Access over Guacamole and VPN (you can choose whatever you are comfortable with). Even with guacamole access, you can upload your scripts and tools.
The flag system acts as a guide to help you stay on the path.
Top-notch support team - If I faced any issue during my lab access it was almost always resolved within an hour or two. (I used to practice during late evenings 8 pm - 2/3:00 am IST) and the support was even active during weekends.
- Since the lab is a shared environment, simultaneous and continuous attacks on the DC caused it to crash multiple times, even at times it disrupted the trust between forests and domains. This usually resulted in me being confused if I was doing anything wrong or if something was wrong with the labs. The lab team would be upfront in telling if it were some issues with the lab solving the confusion.
The exam was a 96 hours exam with 48 hours of lab time (once started the exam cannot be paused). Post 48 hours of the lab access you are required to provide an in-depth pentest report with practical mitigations within the next 48 hours.
The exam was straightforward with a few twists. To be frank enough you cannot simply copy paste the commands to clear the exam.
The biggest Mantra for the exam is "ENUMERATION is the KEY".
I was able to gain access to the first machine within an hour, Just because I missed a small detail, I wasted almost 4-5 hours before I could move ahead to the 2nd machine the next 3 machines were pretty straightforward for me.
I completed the exam in almost 20 hours on the keyboard. I feel It could have been a lot quicker if I wouldn't neglect some minute details. Altered Security suggests that ideally the labs can be completed within 36 hours and the 12 hours can be used for reporting. This simply means that you do have enough time to complete the exam even if you are researching alongside your exam.
Once the report was submitted, I received a response from the Exam Lab team stating that I have successfully cleared the CRTE exam after 4 days.
What helped me to get through the exam...???
Create a cheat sheet and mind maps based on the labs you have practiced.
If you feel you are stuck, enumerate again.
Take naps and breaks.
Use of tools like Bloodhound is not prohibited, make use of it. Also, note that you can use custom queries in the Bloodhound GUI.
I was able to complete the exam without using any C2, looking back I would recommend the use of C2 as it makes it easier to handle sessions.