Hello dear ethical hackers, welcome to this new blog post about red teaming. Today, I will give you my honest review of CRTO (Certified Red Team Operator certification) from Zeropoint Security.
A brief context
In the middle of this year, I tackled the Rastalabs Pro lab on hackthebox.eu. Like the Offshore lab, my biggest complaint was that many students shared the same lab, which opened unintended attack paths. Prior students weakened the boxes throughout their progress, which made it dramatically easier for later students. So, as feedback, I reached out to Daniel Duggan, known as _Rastamouse on Twitter. However, I came to see that he no longer supports the lab.
Shortly after that, Daniel reached out to offer me his second version of the certified red team operator certification, which contains a dedicated lab. I was humbled and honored at the same time. I certainly didn’t plan to pass that certification, but when the opportunity comes, one should seize it.
After a few months, I finally found the time to go through the course and tackle the exam. Here is my honest review.
What is CRTO?
The certified red team operator is an entry-level to intermediate security certification for penetration testers who want to advance their career and become red teamers. The candidate will explore the tactics, techniques, and procedures that threat actors use to infiltrate IT systems and stay under the detection radar. It also mentions some opsec considerations and allows practicing and bypassing detections. Throughout the hands-on experience, the students will apply their knowledge to a live lab.
CRTO order process and onboarding
Since I didn’t pay for the certification, I only gave my email to Rastamouse. The order process can be accomplished via this URL.
The course costs 349 pounds, including lifetime access to the course material and its updates, one exam attempt, and 1 hour of lab time.
Shortly after Rastamouse registered my accounts, I received two emails in my inbox. The first was an invitation link to the online course. The second email came from snaplabs.io, the platform that hosts the practice and the exam labs. Once I set up my account on both platforms, I was ready to start learning.
CRTO course content
The course content is one of the key strengths of the certification. I think it covers plenty of concepts related to red teaming. It is divided into several modules, and each one corresponds to a tactic used by threat actors. For instance, the lateral movement module explains in great detail the techniques used to move from one computer to another.
There’s also a search feature that allows you to quickly find the relevant parts of the course, which is particularly useful during your revision for the exam.
Because you have lifetime access to the course material, it is a treasure trove for students during their red team journey.
Some modules come with videos demonstrating the concept in the practice lab, which is the other pillar of this certification.
It took me about two weeks between my day-to-day job and family to go through the course. I wish I could track my progress within the course dashboard. Instead, I had to revise my notes to know where I left off.
The CRTO lab
The different CRTO lab components
The lab is an Active Directory infrastructure composed of three forests. The first forest has a child domain and a root domain, while the remaining forests are configured with inbound and outbound domain trust, respectively. Cobalt Strike is now the command-and-control server of choice in the course.
The lab was designed to allow students to explore the different vulnerabilities explained in the course material. The goal is to apply what you learn in the course material to gain domain admin on all forests. There’s also a Splunk instance to go through the different logs you leave behind. The course mentions some of these detections and invites you to experiment with them and find ways to bypass them. I can clearly see the effort and care dedicated to building this lab.
To connect to the lab, you need to use your account on Snap Labs. Once logged in, you can start your dedicated lab and connect to a Kali machine on your web browser through Guacamole. Even though you see a green status, you’d have to wait a bit more. This was frustrating at first, but I got used to it. In fact, I realized that the lab was running fine; it just needed a few more minutes to be reachable through Guacamole.
You get access to two attacking machines, among several others. The first is a Kali box, and the second is a Windows machine. I personally used the Windows machine for all my red team operations. I used PuTTY to SSH into Kali and spin up the Cobalt Strike team server. Then, I connected to it using the Cobalt Strike client. Additionally, I used the Windows box to compile the tools I needed.
Some limitations I encountered in the CRTO lab
At the time of writing, there is no VPN connection possible. The Guacamole interface takes some time to get used to. In fact, the most annoying experience was the copy-paste. Every time I wanted to copy some text from my host machine to the lab, I had to press Ctrl+Alt+Shift, paste my text, hit the shortcut again, and paste my payload on the lab machine.
Since you have a limited number of hours, Snap Labs allows you to pause and resume the lab at will. Unfortunately, you would have to relaunch the team server whenever you restart your lab. I recommend you define an alias to quickly spin up the team server. I also recommend you persist your access on the compromised machines. Otherwise, you would lose your progress in the lab.
You can’t upload your own tools to the lab. However, the tools available in the student’s boxes were enough for me.
Although I have a stable fiber internet connection, I experienced several connection losses in the lab. They typically lasted a few seconds.
The CRTO exam
Once I went through the course material and compromised all the forests, I booked my exam for the next weekend. I didn’t struggle to find a suitable time slot. I added the event to my calendar and received a notification about an hour before the exam due time. Meanwhile, I downloaded the threat profile from the Snap Labs dashboard, which is a document that explains the different techniques that I needed to emulate during the exam. Therefore, I prepared a customized C2 profile using Cobalt Strike’s malleable C2 feature.
The exam is a new lab added to your Snap Labs dashboard. I had 48 hours to capture 6 out of 8 flags from the different machines. Each flag can be sent for verification on Snap Labs’ dashboard. You don’t have to send any report at the end of the exam.
I liked that I could pause the lab whenever I wanted in a four-day window. This meant that I could take longer rests without consuming the exam hours. The lab stops when you exhaust your lab time or 4 days, whichever comes first. I personally didn’t use this feature myself, but I certainly see its benefits.
From my own experience, I think that the exam was the most fun; compared to my previous certifications, this lab was the biggest, hence more vulnerabilities to exploit. I don’t want to spoil it for you, but it somewhat resembled the practice lab.
Like the practice lab, I experienced some connection problems from time to time. They didn’t last more than a minute, but the experience was quite frustrating.
I was able to compromise the entire exam. Unfortunately, I only got six out of eight flags. The remaining two were not properly deployed. This would have been a serious problem if I hadn’t compromised the whole lab. Which makes me think of the support.
Support and community
There is a Discord server for Zeropoint Security where students can hang out and discuss several topics related to the course and other subjects. It is also a place where you can ask support questions.
I didn’t need that much support; the course concepts were explained very well, and the videos that supported them were clear. However, I did need technical assistance during the exam. From what I can tell, Rastamouse is the only one who can help you with technical issues. The other members are either moderators or students like me.
Daniel does what he can, probably even more. He replies during the weekends as well. However, it’s not enough. There should be a support team for the very use cases I encountered during the exam. In fact, I only found the lost flags on Monday, more than 24 hours since I started my exam.
Should you take CRTO? And how to pass the exam?
By now, you should have a clear overview of the CRTO certification. If you’re still not sure whether to take it or not, let me try to help you.
If you are totally new to penetration testing, especially Active Directory hacking, I suggest you take other certifications like CRTP. For me, CRTO is meant for intermediate penetration testers who would like to get exposed to red teaming. However, if you are familiar with Active Directory hacking, you might give it a try.
The course is rich and heavy. If you rush it, you will certainly miss many interesting concepts. I suggest you focus on each module, apply your knowledge in the practice lab, and take relevant notes to help you quickly reproduce the attack. You will thank me during the exam.
Key benefits of CRTO
I find that this certification contains several benefits. First of all, I appreciated the lifetime access to the course content. The course itself is exhaustive and rich. Secondly, both the practice and the exam labs allowed me to extensively apply my knowledge. Thirdly, you get a badge from Badgr.com as proof that you successfully passed the exam. For the price, I think that this certification is a great value for your money.
All in all, I think that the content is top-notch. However, the delivery requires more effort. Several improvement points would make this certification even more interesting. Firstly, a support team is mandatory. Secondly, it would be great to reach the labs through the VPN using RDP, with the possibility to copy the students’ own tools onto the lab. Finally, I recommend implementing a progress feature to help students track their progress in the course.