Having completed the CRTP and CRTO Red Team Certifications, I was eager to pursue the next level of certification in the league from Altered Security. The Certified Red Team Expert (CRTE) course and certification offered by Altered Security (formerly by Pentester Academy) is the advanced level of Red Team certification in the series, following the Certified Red Team Professional (CRTP).
It builds upon the concepts taught in the CRTP and uses a similar assumed breach methodology to exploit a fully patched Multi-Forest Environment using PowerShell and .NET-based tools.
As usual, I will be dividing my review into three parts:
I. Preparation
Red teaming is a simulated attack scenario that is conducted to test an organization's security systems, policies, and procedures. The CRTE course is an advanced course, and I would highly recommend starting with CRTP if you are a beginner in the world of Red Teaming.
You may also set up your own Home Lab by following the tutorials below to get your hands dirty before purchasing the course:
II. The Lab
The CRTE course is offered in two formats:
1) On Demand, which can be purchased and started immediately and includes 8 hours of pre-recorded video tutorials. The On Demand Labs are designed as a challenge, with no accompanying Lab Manual, and students are expected to solve the challenges on their own. Thirty days of lab access is priced at around 299 USD.
2) Bootcamp, which is held approximately every month and requires pre-registration before enrollment closes. The Bootcamp is a 4-day workshop held as weekly sessions of approximately 3.5 hours each, where the course instructor teaches concepts and demonstrates objectives live. Students receive a copy of the Bootcamp recording, PDF slides, access to the student Discord channel, a Lab Manual for the manual approach, and another one based on the Covenant C2 framework. Lab access is granted for a period of 30 days and costs around 399 USD.
The lab access for both formats can be extended by contacting support, though an extension usually costs the same as the original price for one month of lab access. It is recommended to prioritize your time wisely during the lab access and to allocate a sufficient amount of time for learning and practice. With that being said, a 30-day lab access should be sufficient if you have some prior experience and can dedicate 3-4 hours daily during weekdays and 5-6 hours during weekends.
I purchased the bootcamp version of the course, instructed by Chirag Savla, and I highly recommend it. The bootcamp offers the opportunity to learn with a group of students, collaborate and ask questions during the course via the Discord channel, resulting in a faster response time.
The bootcamp lab consisted of 22 systems spanning 8 forests and covered advanced attack scenarios, including Kerberos Delegation abuse, ACL abuse, LAPS, gMSA, MSSQL DB abuse, Certificate Services, and Cross-Forest attacks.
III. The Exam
Like the CRTP, the CRTE exam does not require advance scheduling and can be started on demand. The exam setup takes approximately 10-15 minutes, and you are given an additional hour of lab access, making the total time for the exam lab 48 hours + 1 hour. After the exam, you will have an additional 48 hours to submit a detailed report that includes screenshots and tool references for each attack used to exploit a particular machine. To pass the exam, you must solve at least 4 out of 5 machines (excluding the student exam VM) with a high-quality report, or you must solve all 5 machines.
I took the exam on Thursday at 3 PM and was able to gain privilege escalation on the Student VM within the first hour of starting the exam. The first server in the domain took a little bit of enumeration, but I was able to get a reverse shell within the next two hours. The second server required more than six hours of figuring out the attack path, as it was not directly covered in the course material and required additional research and creative thinking. The third machine seemed straightforward to exploit, but the system was unstable during this part of the exam and I had to restart the individual server from the exam dashboard. The fourth machine was relatively easy, unless you miss the reconnaissance part like I did and spend hours trying other ways to break in. The fifth machine is a formality once you have managed to get on the fourth machine. By the time I finished the exam lab, it was 7 PM the next day. I took the rest of the day off and started working on the report on Saturday, taking approximately 8-9 hours to complete it (yes, I like to deliver high-quality reports :-) ).
Upon submitting your report, you will receive a confirmation email, and you need to wait for 7 business days (excluding weekends) for the evaluation and final outcome.
Exam Tips:
- Before taking the exam, it is important to prepare a comprehensive cheat sheet that summarizes your notes and methodology. Here is a link to my cheat sheet for the CRTE course.
- Schedule the exam during the working hours of Altered Security support staff (Monday to Friday, 9am to 6pm), so that you can get prompt assistance if you encounter any issues with the exam lab setup.
- Enumeration is key! The phrase "Give Me Six Hours To Chop Down A Tree, And I Will Spend The First Four Sharpening The Axe" is a good reminder. If you miss something during the enumeration phase, you may spend hours trying out things that might not be relevant and end up wasting time and energy.
- During the exam, pay close attention to the names of machines, user accounts, and group names. Try to make correlations and create a mind map of how you plan to move laterally in the exam. This will help you stay organized and focused.
- If you encounter issues with the stability or behavior of a machine, you have the option to restart it individually.
- Make sure to set up BloodHound on your base machine and use the matching version of the SharpHound collector to prevent any inconsistencies. Remember to gather information from all forests and upload it into the same BloodHound instance, as this will automatically merge the data sets and reveal cross-forest attack paths. Additionally, it is advisable to practice a few techniques for transferring files between machines in a Windows environment, as relying solely on HFS and the PowerShell iwr (Invoke-WebRequest) cmdlet may not be sufficient.