Brinkles Pentesting Notebook
CRTO Review


Last updated 11 months ago

Introduction

I started studying for the Certified Red Team Operator right after completing the PNPT. My goal was not only to dive deeper into AD, but also to learn and focus on Cobalt Strike. I had some experience with Cobalt Strike before coming into this course; however, I was still pretty new to understanding some of the basics such as profiles, masks, BOFs, etc. I had heard fantastic things about the CRTO and decided to give it a shot. The test and the course content did not disappoint!

Study Plan

My study plan consisted of going over all the content and then hitting the labs to replicate what I had studied and taken notes on. Not going to lie, I was pretty lazy in terms of studying the first go around, as things made sense while reading how to do a specific action; however, I didn't actually lab it up. Instead, I took notes on the whole course content and, when I was done, I attempted the exam. I failed my first attempt due to the sole fact that my beacons were constantly being caught by AV. The course content covered how to configure your profile as well as how to build your artifact/resource kits, but because I never labbed anything up and prepared properly, I ended up failing.

The second go around I decided to take things way more seriously. I went over all the content again, this time labbing up every single section in SnapLabs. I constructed my custom profile and built out the artifact/resource kit, ensuring that these templates bypassed Defender so I could use them on the test. One of my greatest recommendations is to lab up every module as you study it. This gives a good outline of work and helps with the flow of studying. After re-hitting the labs (I think I used about 15 hours of lab time), I was ready to take the exam again.

Labs

Do the labs with the course content! Trust me, you will want to lab everything out. Rasta explains every concept well; however, while trying to replicate some of his actions, I learned there were extra steps that were missing or that I was personally messing some things up. You want to get this solidified in the labs before doing it in the exam.

Exam

Since I won't talk about my first attempt due to the immediate failure, I will talk about the second attempt. The exam gives you 4 days to get 6/8 flags. I started my exam on a Saturday. From the course content and all the labbing I did, I already had a working profile and knew how to build my two kits that would bypass Defender. After loading everything up, which took less than an hour, I got to work. I got about 4/8 flags in the first 3 hours. I was on a roll, but it came to an abrupt halt there, as the fifth flag was troublesome for me specifically. I did so much enumeration that I knew how to get the sixth flag and what to do to get the fifth; however, things were just not calling back correctly.

At this point I knew the exact section I was having trouble with. I replayed many of the situations taught in the module on what to do, but nothing was working. I spent hours and hours each day trying to figure it out, and barely did on the fourth day, about 4 hours before my test was going to end. Once the fifth flag was captured, because of my enumeration earlier on, I easily captured the sixth flag and officially passed the test. I did not go for flags 7 and 8, as I was so burnt out from getting stuck on the fifth flag that by the time I was done with six, my brain was mush. I put in about 10 hours Saturday, 12 hours Sunday, 12 hours (after 8 hours of actual work) Monday, and finished out on Tuesday after work. I also realized after the exam that, due to the intensity of the hours I was putting in, I had totally forgotten there were two other easy solutions for getting the fifth flag that completely bypassed my brain. From this exam, I learned that taking breaks is a must! Exercising is as well! If I had eaten better, taken more breaks and exercised more, I would have come in refreshed and probably would have remembered one of the easy solutions for flag 5 that I was stuck on.

Another big issue that led to the incredible amount of burnout was that one mistake could cause your whole chain of beacons to die. This means any time you made a mistake, you would have to start from square one on your initial beacon and work your way all the way back up to the beacon you previously crashed. Now here is the trick: sometimes Defender would block your "working pivots" that you had previously done and switch it up. Without saying much so I DON'T break any NDAs from the exam, let's say you had a tool that worked originally with your initial pivot, but now it is getting blocked. You will have to try another pivoting technique that could work, or you have to restart the exam. I restarted the exam countless times due to lateral movements working initially but not anymore after Defender was initiated on them. On top of this, I probably had around 25-30 different beacon chain resets, as one wrong lateral move and Defender blows your whole beacon chain out of the water! Restarting again every time, as you can imagine, the burnout really becomes apparent.

I was extremely grateful when I saw that last flag come through; knowing that I had passed, I could finally get a good night of sleep.

Overview

Overall, the course content and labs were amazing and taught me a lot more about Cobalt Strike and different red teaming techniques. The content was well explained, had pictures explaining the steps, and the labs portrayed the examples perfectly by letting you recreate them in your own personal network.

The course was one of my favorites, and even though the test was really challenging for me (that fifth flag specifically; the rest were textbook examples), I felt like I learned a lot more than from other certs I have taken.

Positives:

  • Awesome course content

  • SnapLabs were pretty handy and go hand in hand with the course content

  • More video course content has been added over time, helping explain concepts even better by the time I took the exam

Negatives:

  • The exam platform crashed a few times while I was taking it, resulting in losing some beacon chains. Unfortunately that is just the environment being used and nothing could be done about it

  • Since it's just RastaMouse, the support system is lacking. Even though Rasta does well at responding to everything, it's a lot of work for one man and support can be a little tougher to receive

I highly recommend this cert for anyone interested in learning more about red teaming, specifically the C2 infrastructure of Cobalt Strike, as well as some more AD knowledge.
