
Introduction

If you are here, you are either thinking of enrolling in the Red Team Ops (CRTO) course or already enrolled in it. Before proceeding further with the review, I would request that you first go through the FAQs on the course website. If you have already done that, we can start the blog …

A few weeks ago I passed the Certified Red Team Operator (CRTO) exam with 8/8 flags, which took me about 11 hours. Prior to CRTO, I had done CRTP and CRTE, which are offered by Altered Security.

Both CRTP and CRTE are heavily focused on Active Directory (AD) attacks and methodologies, and both use a living-off-the-land attack style, while CRTO uses the Cobalt Strike C2 and is mostly focused on attacks using Cobalt Strike. So it was a new experience for me, as I had never used any C2 and had no idea about them.

Before starting the course material, I went through many CRTO review blogs and talked with people who had done the course and passed the exam. I asked them about their note-taking strategies, their lab-solving methods and how they tackled the exam. I will share everything in this blog. I have also listed, at the end of this blog, the links to the various review blogs I went through.

I purchased the Red Team Ops course in March 2023 and attempted the exam in October 2023. I took more time than expected, as I was busy with my university exams for a few months, and I spent a lot of time learning.

Recently Rasta announced a new lab environment on Snaplabs, which is a clone of the CRTO lab without Cobalt Strike but with a VPN, so you can play with your custom tools and various C2 frameworks. The exam is still based on Cobalt Strike. Go through the tweet comments to learn more about the new lab environment.

Pre-Preparation

I will keep the blog short and concise, so I will skip most of the common knowledge about the course content, the lab platform and the various setup guides.

Let’s break the pre-preparation part into points.

  • Go through the various review blogs (mentioned at the end) to get a broad understanding of the course and exam.
  • Join the Discord server and start interacting with other people.
  • I would highly recommend going through the Cobalt Strike video series by Raphael Mudge and the Cobalt Strike user guide.
  • Use the Cobalt Strike documentation and various Cobalt Strike notes for reference. You can use my list of compiled references from here.
  • Go through basic Active Directory (AD) terms if you have no idea what forests, domains, delegations etc. mean; a quick run through this playlist may help you.
  • I have mentioned more tips/guides here and also on GitHub.
  • I have also compiled a cheatsheet, which you can find here and also on GitHub.

Note Taking Strategy

Note taking is a crucial part of the learning process, and it is very effective as well. I have mostly used Notion to prepare my notes, as its base plan is free and it is accessible from other devices. Whatever note-taking app you are using, just make sure you have a backup and that it is accessible from your phone as well, because personally, if I find something interesting, I quickly go back to my notes and add it there. We always have a lot to learn and things sometimes slip from the brain, though that may not be true for you.

Again, let’s break the note-taking strategies into points to get the most out of the CRTO course material.

  • Whatever note-taking app you are using, just make sure it automatically backs up to the cloud and is accessible from anywhere (phone etc.). My recommendation is Notion.
  • For a particular topic, go through it in the CRTO course material and try to understand it first, then check some blogs on the same topic and see whether your understanding has improved. Then note down the main points or prerequisites to perform that attack, and the attack steps, by yourself in your own language.
  • Add all the references you have gone through to your notes, so you can quickly go back whenever needed.
  • Also create a separate topic-wise cheatsheet and add the attack-step commands so you can use them quickly during your exam. You can use other people’s cheatsheets as reference but never rely on them completely.
  • I used Nikhil Raj’s (0xn1k5) cheatsheet as a starting point and improved upon it to create mine, as per my understanding and requirements during lab solving.

Approach to Solve Labs

I am sharing the approach that I used; your approach may be different, as it always depends on the individual’s learning methods. I had earlier done CRTP/E, which are video-based, so CRTO’s text-based content was new for me, and I used the strategy below to absorb most of the written content. I also tried to get the most out of my lab time and made sure not to burn it.

The CRTO lab environment has to be purchased separately; you can check the current plans here. Also make sure to go through the Lab FAQs.

I have described my approach in the points below.

  • I first completed the course material, note taking and cheatsheet preparation, and read through various blogs/notes.
  • After that I purchased the lab environment and started working on it.
  • I solved the lab once, but with Windows Defender enabled on all machines, including all forest machines. I tried to perform each attack twice and created various scenarios in which these attacks could be applied in the exam lab.
  • During the lab-solving phase I went through each course topic and tried to perform the attack/setup steps, then improved my cheatsheet based on the lab environment.
  • As the exam is mostly similar and needs a similar initial setup of Cobalt Strike, it is a good idea to take notes of those common steps, as you can find in my cheatsheet here and here.
  • Prepare your own Malleable C2 profile during the lab, so you can use the same profile during your exam as well. You can use various guides; I have mentioned a few here. You can also use my C2 profile from here, but it is always better to write your own.
  • During lab solving, prepare your own checklist at each step. It will help you during the exam when you run out of ideas. Check my checklist for reference.
  • Check out these exam guides/tips and apply them during your lab as well.
  • Complete the Extra Mile lab challenges that Rasta mentions in the course; you are supposed to do those challenges on your own. I would not recommend skipping anything that Rasta suggests trying in the course.
  • Once done with the CRTO lab, you are free to try the Open RTO lab with your own tools and C2. I would recommend playing with more C2 frameworks like Havoc, Sliver etc.

Exam Attempt

Before starting the exam I created an exam infra setup checklist, just to make sure I did not skip anything. You can find my checklist here.

I scheduled the exam on 21 October at 3-4 PM, got my first flag 90 minutes after starting the exam, and submitted the 8th flag around 2:30 AM. I got my CRTO certification 4 hours after submitting the 8th flag.


I took around a 2-hour break in the middle of the exam after submitting the 6th flag, and I didn’t stop the lab environment, because I knew I had sufficient time to get the remaining 2 flags as well.

To pass the exam you only need 6 out of 8 flags in 48 hours, which can be spread across 4 days. But somewhere Rasta mentioned that only some percentage of the people who passed the exam actually passed with 8 flags. So maybe take that as a challenge.

A Few Exam Attempt Tips

  • If you do not find the flag on a compromised machine, just reset the admin box; there is no need to reset the whole exam environment.
  • Take notes on your local machine during the exam, so that if you have to revert the environment you can quickly repeat the attack steps.
  • If you stop the exam in between for whatever reason, make sure to set up persistence on the compromised machines. So make sure to try this in the lab as well, to see how effective your persistence methods are. Check a few of my tips here.
  • Everything in the exam is covered in the course, the lab and the Extra Mile challenges.
  • Do not overcomplicate things. And make sure not to skip meals, take rest and stay hydrated.
  • You have more than enough time to compromise all 8 flags.
  • Also, you don’t have to submit an exam report.

Exam Tips

  • By NoSecurity (shared as screenshots)

  • By @RastaMouse and others on Discord (shared as screenshots)

  • By @0x1uke on Discord.

    As far as general tips go:

    1. I’d recommend copy/pasting a cheat sheet containing the various commands or other information you’re likely to copy into the environment into your attack machine when you start, so that you can copy/paste from that sheet and not have to worry about copy/pasting into the VM too much throughout the exam. The copy/paste with Guacamole can be hit or miss.

    If copying into your VM isn’t working, I found an earlier message on the Discord that helped too:
        1. Copy something to your clipboard in the VM
        2. Copy the desired text into your clipboard from your host machine
        3. Paste the text from your host machine into the VM
    That helped get copy/paste working again.

    2. Keep things as simple and as close to the course as possible, e.g. use what’s recommended in the course for the C2 profile; the course has the techniques you need to succeed, etc.

    3. You may also find the following blog post useful at some point, which has been shared previously in this Discord: https://rastamouse.me/getdomain-vs-getcomputerdomain-vs-getcurrentdomain/

    4. If the tool isn’t on the attack station, you don’t need it for the exam. This tip has been shared several times, but it’s helpful to keep in mind.

    5. Try your best to enjoy the exam in the midst of the pressure of completing it. It’s challenging, but I found it to be a very rewarding experience beyond just getting the cert.

  • By @InfoSecJohnDoe on Twitter (shared as a screenshot).

Various Review Blogs