Category: Certifications

Certified Red Team Operator (CRTO) Review

Intro

Having recently passed the CRTO course by RastaMouse, I felt it was only right to write a little review on it. Typically, the course has changed slightly since I sat it, with the labs now using Elastic Security in place of Splunk. Aside from this I believe the course is practically the same.

TL:DR

Go and buy it now! It is the best qualification out there if you are looking to break into offensive security. The labs & coursework are great and will teach you a range of techniques used in real-world red teaming.

In the past few days since writing this, CRTO has been listed as a ‘Trusted Training Partner’, showing how good this course is.

Labs

The course works via Apache Guacamole, in a very similar way to ImmersiveLabs and a few other online training providers. All of the labs can be spun up on request, but you only have a limited amount of lab time.

I went for the 120 hour option, which I felt was just right, though I would recommend reading through the material first and then approaching the labs. This will reduce the amount of time the labs are running whilst you try to understand the more complex attacks (cough cough resourcebased constrained delegation).

I believe CRTO is the cheapest way you can legitimately use Cobalt Strike, without having to pass the licencing checks or use a cracked version. This is really handy as Cobalt Strike is used so widely for red teaming.

Lab Issues

Running the labs through a browser does have its limitations, with no drag-and-drop and less keyboard shortcuts available. I would say this is preferable to having to create your own VMs and VPN into a network, as you can begin learning straight away.

The labs I had came with a version of Office and Splunk, both of which reverted to a trial mode after a few uses, whilst there was a fix for that issue, it did feel a little hacky to me.

Importantly, these are dedicated labs and you wont accidentally get any spoilers from other users. As with most online labs, it is worth giving them 5-10 minutes to fully load before beginning any testing or activity.

Learning Material

As mentioned previously, the content of this course is EXCELLENT. It covers a wide range of different attacks, as well as covering off the paperwork & reporting side of red teaming. The material is written in the style of a technical blog post, with code snippets throughout. Handily there are some videos included for the more complicated techniques, which helped to solidify my understanding. There are also hints and tips for OPSEC considerations, which is a nice touch.

A significant part of the material focuses on Active Directory-based attacks, such as kerberoasting or AD permission abuse. There are also sections on attacking SQL Server and GPOs which I personally found really interesting.

Exam

The exam gives you 48 hours of lab time over a span of 4 days, with a mock network for you to break into. This basically the same format as the labs, with the ability to reset your Kali and Windows boxes.

Scoring is structured like a CTF, where you only have to obtain a flag on the machine to prove you have compromised it. There are 8 machines, and you need to obtain 6 flags to pass. Importantly there is no reporting requirements, which makes this exam feel far less stressful than OSCP.

The exam can be booked at really short notice – I booked mine with only 6 hours of notice. When your exam starts, you will have another course option within SnapLabs which contains the lab environment.

One thing which surprised me was the smaller toolset available in the exam – something which I hadn’t seen anyone else mention in the other reviews. Effectively you have a subset of the tools from the training labs, which required me to think on my feet a bit! Whilst it pointed out some gaps in my knowledge, I think it would have been handy to have the full toolset for the exam, or at least have knowledge of which tools wouldn’t be provided in the exam.

The exam lab was also really well laid out, allowing you to easily regain your access without having to recompromise every machine in turn. There are some quirks with the exam labs though, with one of my flags failing to generate. This can be resolved by chatting to RastaMouse on the dedicated Discord channel.

CRTO vs OSCP

OSCP has been a fairly ubiquitous qualification within cyber security for a number of years. I would personally say that OSCP does have its place, and is still worth the effort if you are wanting to pursue a penetration testing route. Despite that, I feel that there is more to be gained from completing CRTO and paying for VIP+ on HackTheBox, than shelling out for OSCP.

OSCP was a great learning experience for me, but most of the machines were severely outdated and used exploits from the 00’s. In comparison, CRTO uses Windows 10/Server 2016+ everywhere, making it far more representative of the real-world. The majority of CRTO is misconfiguration-based, whereas OSCP is vulnerability-based.

The exam experience for CRTO was also significantly better, with far less lead time and a less stringent approach. There is no proctoring or report writing, and the 4 day timespan means you can still have a life whilst taking the test.

Improvements

I would change very little about the CRTO course personally. I think VPN access would be handy so that you can bring your own tooling, but it isn’t a big issue at all.

Update 23/2/22: RastaMouse confirmed that the lack of VPN access is a requirement of the licencing with Cobalt Strike (HelpSystems). Therefore the lack of VPN makes total sense in order to get a CS licence in this training!

As mentioned about 10 times a day on Discord, RTO 2.0 would be the main improvement I can think of. A course focused more on AV/EDR evasion or simply more advanced/complex attacks would be a great addition to this course. I think a greater focus on maintaining long term access to the target network would also be a nice improvement, as CRTO only briefly touched on it.

I also think a course which required you to use Splunk/Elastic in combination with Cobalt Strike would be quite interesting and could be aimed more at threat hunters or SOC analysts.

Overall

As you have probably guessed, I really enjoyed this course. I am not aware of any other courses which offer the combination of great labs and content like CRTO does. I think it is a great introduction into red teaming methodology, and will help many people to up their skills.

Below are some other blog posts I found handy before taking my exam, which are also worth checking out:

My OSCP Exam Experience & Tips

Here is a write up of my OSCP exam experience – from studying through to passing the exam. Overall, it was a worthwhile experience and I would recommend it to anyone interested in infosec!

TL:DR

  • Practise!
  • IMO, the OSCP exam manual is too large and not worth the effort
  • Proving Grounds is far better than PWK Labs (And its much cheaper!)
  • You don’t need to know *everything* in Kali or Linux to complete the course/exam
  • ‘Try Harder’ is a good mentality, but it has its limits
  • There are some excellent resources out there, in particular:

Start

I started my 3 month lab access at the end of 2020, to coincide with the start of another lockdown in the UK. When you first get access to the OSCP/PWK labs you have a short window (2-3 days) to download the various content you will need to study from. You get:

  • A set of videos walking you through the course
  • The OSCP exam manual (Only 853 pages long!)
  • VPN credentials to the lab machines

Early on, my plan was to complete the manual, and finish all of the exercises. I quickly realised this was pretty futile, as the exercises alone would likely take a month or longer to do. I felt that I could ‘learn’ at least 5 points from the machines in the time it would take to complete the manual! However, I did read through the entire 853-page manual. This was worthwhile, but in hindsight this didn’t teach me anything above what I learned from the lab machines.

Practise

Over the first 2.5 months I focused on the PWK labs, completing around 35 of the 55 machines. The machines were generally pretty well made, although most were unpatched – so dont rely on kernel exploits! I would consider them to be around easy/medium difficulty when compared to HackTheBox. The kicker for the OSCP exam is that there is such a wide array of potential exploits to be used! IMO, you should be able to spot basic misconfigurations and vulnerabilities not only in HTTP, but SMB, NFS, SQL, SSH and so on.

One major bug bear of mine is that several machines in PWK rely on data gathered from previous machines. For example, pivoting via RDP/SMB or reusing credentials. I personally found this incredibly frustrating as I couldn’t find a way of seeing if a machine relied on another. Generally, if only RDP is exposed then I found that to be a good indicator of it being reliant on another. I would recommend performing post-exploitation activities on any machine you compromise, as it can help sharpen your skills when trying to run Mimikatz or dump /etc/passwd if the shell you are reliant on isnt very stable!

A widely held view is that if you can complete the ‘Big 4’ in PWK, then you should be able to pass the exam. I would have to agree here, and one regret I have is looking at the forums before I had exhausted *every* avenue on the machines. If I were to do it again, I would treat these 4 as mock exam machines and not use any hints, even if it takes days.

After those 2.5 months, I decided to give Proving Grounds a trial. I had heard good things from the OSCP subreddit about Proving Grounds. This turned out to be the best decision I made during my studying. In hindsight, I should have spent my 2-3 months on Proving Grounds instead of PWK labs. For £14/month, you get access to around 40 machines of varying difficulty (These are rated as easy, intermediate or hard). I would say they very accurately reflect the points assigned in the OSCP exam (10 points = Easy, 20 points = intermediate, 25 points = hard).

These machines were really good, and were much more modern than the PWK labs, ruling out most kernel exploits. Overall, I would thoroughly recommend it, I feel PG has more relevant machines than PWK does.

OSCP Exam

I went for a 1pm start time, which I found to be just about perfect. It gives you a substantial amount of time on day 1 to complete the majority of the machines, and some time the next day to get any additional points if needed. I would definitely advise getting a normal nights sleep during the exam, so you are able to do the report! I would also ensure that you have some decent food in ahead of the exam.

At 12:45 I was able to log into the VPN and proctoring software. I would recommend getting an old-school webcam on a cable, rather than relying on the built in machine camera. This is because you have to show around the entire room, which can be hard when your laptop is docked! The proctors wanted all of my electronics out of the room. This included monitors which were not connected to a device – so clear your room down ahead of the exam. Additionally, you need to sign into the VPN via the openvpn CLI, rather than the new wizard which has been in recent versions of Kali. Clearing the room and downloading openvpn took a long time, and ended up using 30 minutes of my exam.

The first thing I did in the exam was the buffer overflow, this only took an hour after using Tib3rius TryHackMe room, and was a great way to settle my nerves and get 25 points sorted. Following this I started scanning all of the machines, just in case they took a long time! I then managed to get user on one of the 20 point machines, leaving me at 35 points.

Through the rest of the day I worked my way through the machines, getting up to 55 points by 7pm. At this point I fell down a major rabbit hole, trying to get an exploit to compile on the machine. I put way too much time into this, which nearly jeapordised my whole exam. This was a major lesson learned, and I should have moved onto another machine or exploit much sooner!

By 11pm, my brain was of no use, following a decent first day on the 5 machines. I spent a further hour and a half doing some very poor scanning of the machines. After this I decided (correctly!) that it was time for some sleep.

In the morning I started at 7am, and it took a while for my brain to get going again. I should have stuck to waking up at 9am as I usually do – another lesson learned!

Throughout my practise, I tried to avoid using MetaSploit for any machines, as I am personally not a fan of how point-and-click it is. That being said, I did end up using it on my final machine. I waited until I had around 1-1.5 hours left, which I felt was enough time to make full use of MetaSploit. This was a great decision, allowing me to root the 25-point machine with 30 minutes left.

Finally, I checked to ensure I had screenshots for all of my proofs, as the requirements are fairly strict! I then took a 2 hour break to clear my head, before I started the report.

Report

In the end, the report took a huge amount of time to write up! Mine was around 50 pages in the end, and took about 7-8 hours! This was longer than I expected, but I wanted to ensure I didn’t lose any marks for a bad report. I didn’t use the OSCP example template as I wanted to use a different structure and a less Offensive Security themed document, this turned out to be fine in the end!

Something I had not noticed before, was that you need to include evidence of any artefacts of testing being removed. To avoid any tools or exploits remaining on the machine, I consciously only stored data within /tmp, so that I could easily clear up at the end of any machines.

I would recommend ensuring you have enough time for the report. You definitely don’t want to pull an all-nighter to complete it! Another benefit of the 1pm start time is that you can write a decent draft on day 2, and then review it on day 3, before the 1pm deadline.

Results & Summary

Results are supposed to take up to 10 days, but I heard back in a day – passing with 70 points! You can then order your certificate pack, which takes several weeks to arrive.

Overall, I learned a lot from OSCP, and I now understand why it is considered as entry level by some. You wont become an expert at pen-testing *everything*, but you will have a great basic level of knowledge. Think ‘jack of all trades, master of none’! One area I have a bug bear with, is the ‘Try Harder’ mantra. I would fully recommend ensuring you explore every avenue of attack for a machine, but ultimately, I found I learned most when I had a small hint for some machines. (This is something you can do on Proving Grounds, which is why I am a fan!) Just telling a learner to ‘Try Harder’ whenever they ask for help is a little pointless in my eyes.

Every machine in my exam was Linux based, and I should have spent longer on my Linux privilege escalation. I found this a little unusual, as most enterprises rely heavily on Windows. But this does match up with the distribution of machines on Proving Grounds and PWK.